Page MenuHomeFreeBSD
Differential D38586

pfsync: support deferring IPv6 packets
ClosedPublic
Actions

Authored by kp on Feb 14 2023, 10:57 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, May 29, 8:28 PM
Unknown Object (File)
Wed, May 29, 8:28 PM
Unknown Object (File)
Wed, May 29, 8:28 PM
Unknown Object (File)
Apr 27 2024, 9:24 AM
Unknown Object (File)
Apr 27 2024, 9:24 AM
Unknown Object (File)
Apr 27 2024, 9:24 AM
Unknown Object (File)
Apr 27 2024, 9:24 AM
Unknown Object (File)
Apr 27 2024, 9:24 AM
View All 31 Files
Subscribers
farrokhi
glebius
imp
melifaro
zlei

Details

Reviewers
melifaro
zlei
Group Reviewers
network
Commits
rG3dec62eded04: pfsync: support deferring IPv6 packets
rGdacffdd4dc51: pfsync: support deferring IPv6 packets
rG9a1cab6d79b7: pfsync: support deferring IPv6 packets
Summary

When we send out a deferred packet we must make sure to call
ip6_output() for IPv6 packets. If not we might end up attempting to
ip_fragment() an IPv6 packet, which could lead to us reading outside of
the mbuf.

PR: 268246
MFC after: 2 weeks

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Feb 14 2023, 10:57 AM
Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptFeb 14 2023, 10:57 AM
kp requested review of this revision.Feb 14 2023, 10:57 AM
Harbormaster completed remote builds in B49769: Diff 117191.Feb 14 2023, 10:57 AM
melifaro added inline comments.Feb 14 2023, 12:01 PM
sys/netpfil/pf/if_pfsync.c
2403

From the readability POV, I'd vote for moving the mbuf handling and sending code into the dedicated function.

kp updated this revision to Diff 117278.Feb 15 2023, 5:20 AM

Factor out sending the mbuf into its own function.

Harbormaster completed remote builds in B49795: Diff 117278.Feb 15 2023, 5:20 AM
melifaro accepted this revision.Feb 15 2023, 9:41 AM
This revision is now accepted and ready to land.Feb 15 2023, 9:41 AM
zlei added a subscriber: zlei.Feb 15 2023, 10:15 AM
zlei added inline comments.
sys/netpfil/pf/if_pfsync.c
2404

A little confused by this check ip->ip_v == IPVERSION.

I see only two functions pfsync_sendout() and pf_test_rule() -> pfsync_defer() -> pfsync_undefer() are calling _IF_ENQUEUE(&b->b_snd, m);, and pf_test() and pf_test6() call pf_test_rule().

So is it possible that pf_test6() enqueues IPv6 packets without correct version ip6->ip6_vfc |= IPV6_VERSION ?

If in doubt then we want to assert the version.

(ip->ip_v == IPVERSION || ip->ip_v == IPV6_VERSION >> 4)
kp added inline comments.Feb 15 2023, 10:49 AM
sys/netpfil/pf/if_pfsync.c
2404

Your understanding is correct. We'd only expect to see IPv4 or IPv6 here. Right now the only path for IPv6 packets to end up here is via pf_test6() -> pfsync_defer(). That's the path that can cause panics (see 268246).
At some point we may also add support for pfsync over IPv6. Someone was working on that, but I've not seen updates in a while.

An assert is a reasonable suggestion. I'll see about adding that.

kp updated this revision to Diff 117286.Feb 15 2023, 11:32 AM

Assert that packets are IPv4 or IPv6.

This revision now requires review to proceed.Feb 15 2023, 11:32 AM
Harbormaster completed remote builds in B49800: Diff 117286.Feb 15 2023, 11:32 AM
kp updated this revision to Diff 117330.Feb 15 2023, 8:50 PM

Also fix the same issue in pfsync_defer_tmo()

Harbormaster completed remote builds in B49818: Diff 117330.Feb 15 2023, 8:50 PM
zlei accepted this revision as: zlei.Feb 16 2023, 12:57 AM

Looks good to me.

sys/netpfil/pf/if_pfsync.c
1840

Definitely this should be fixed ;)

2333

Style(9), remove extra blanks after >>

This revision is now accepted and ready to land.Feb 16 2023, 12:57 AM
Closed by commit rG9a1cab6d79b7: pfsync: support deferring IPv6 packets (authored by kp). · Explain WhyFeb 16 2023, 8:27 AM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG9a1cab6d79b7: pfsync: support deferring IPv6 packets.
kp added a commit: rG3dec62eded04: pfsync: support deferring IPv6 packets.Mar 2 2023, 4:26 PM
kp added a commit: rGdacffdd4dc51: pfsync: support deferring IPv6 packets.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
91 lines

Diff 117365

View Options

sys/netpfil/pf/if_pfsync.c

Loading...