
pf: support 'return' for SCTP
Closed, Public

Authored by kp on Jul 4 2023, 7:11 AM.

Details

Summary

Send an SCTP Abort message if we're refusing a connection, just like we
send a RST for TCP.

MFC after: 3 weeks
Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

I think you need to add some checks here according to RFC 9260:

  • Don't send the ABORT, if the verification tag is not zero.
  • Don't send the ABORT, if the INIT chunk is not the only chunk in the packet.

I also would not send an ABORT, if the initiate tag is 0.

> I think you need to add some checks here according to RFC 9260:
>
>   • Don't send the ABORT, if the verification tag is not zero.

Okay, that's something I'll add to pf_scan_sctp() (and a different patch), as part of the normalisation code.
That'd also mean we do those checks (and drop packets violating them) even if there's no rule with 'return' in play.

>   • Don't send the ABORT, if the INIT chunk is not the only chunk in the packet.

That too is one I think we need to do in pf_scan_sctp().

> I also would not send an ABORT, if the initiate tag is 0.

Same. And I may as well check inbound/outbound streams and initial window sizes too.

I've added those extra checks in D40862.
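The checks discussed above (verification tag zero, INIT as the only chunk, non-zero initiate tag, non-zero stream counts), written out as an added example in C. This is a hypothetical middlebox-side helper, not pf's pf_scan_sctp() nor code from this revision; the packet builder and its field values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SCTP_HDR_LEN    12  /* src port, dst port, verification tag, checksum */
#define SCTP_INIT_LEN   20  /* chunk header + fixed INIT fields */
#define SCTP_CHUNK_INIT 1

/* Network-order field accessors over a raw byte buffer. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Hypothetical check (not pf_scan_sctp()): may a refused SCTP packet be
 * answered with an ABORT?  Only a lone, well-formed INIT with verification
 * tag 0, a non-zero initiate tag and non-zero stream counts qualifies;
 * everything else is dropped without a response.
 */
bool sctp_may_send_abort(const uint8_t *pkt, size_t len)
{
    if (len < SCTP_HDR_LEN + SCTP_INIT_LEN || rd32(pkt + 4) != 0)
        return false;                       /* too short, or vtag != 0 */
    const uint8_t *c = pkt + SCTP_HDR_LEN;
    uint16_t clen = rd16(c + 2);
    if (c[0] != SCTP_CHUNK_INIT || clen < SCTP_INIT_LEN || clen > len - SCTP_HDR_LEN)
        return false;
    /* INIT must be the only chunk: nothing may follow its padded length. */
    if (SCTP_HDR_LEN + ((clen + 3u) & ~3u) != len)
        return false;
    if (rd32(c + 4) == 0)                   /* initiate tag must be non-zero */
        return false;
    if (rd16(c + 12) == 0 || rd16(c + 14) == 0)  /* outbound / inbound streams */
        return false;
    return true;
}

/* Builds a constructed INIT packet with the given fields, optionally with a
 * second (empty) chunk appended, and returns the ABORT decision for it. */
bool check_init(uint32_t vtag, uint32_t itag, uint16_t os, uint16_t mis, bool extra_chunk)
{
    uint8_t pkt[SCTP_HDR_LEN + SCTP_INIT_LEN + 4] = {0};
    wr16(pkt, 5000); wr16(pkt + 2, 5000); wr32(pkt + 4, vtag); /* checksum left 0 */
    uint8_t *c = pkt + SCTP_HDR_LEN;
    c[0] = SCTP_CHUNK_INIT; wr16(c + 2, SCTP_INIT_LEN);
    wr32(c + 4, itag); wr32(c + 8, 65535);                   /* initiate tag, a_rwnd */
    wr16(c + 12, os); wr16(c + 14, mis); wr32(c + 16, itag); /* OS, MIS, initial TSN */
    size_t len = SCTP_HDR_LEN + SCTP_INIT_LEN;
    if (extra_chunk) { wr16(c + SCTP_INIT_LEN + 2, 4); len += 4; } /* trailing 4-byte chunk */
    return sctp_may_send_abort(pkt, len);
}
```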

Re-add accidentally removed break

sys/netpfil/pf/pf.c:2952

Why should pf only support SCTP when running on a kernel with SCTP support? Isn't end point functionality and middlebox functionality independent of each other?

sys/netpfil/pf/pf.c:3038

You could use sctp_calculate_cksum(). That is always available. It is also used by ipfw...

sys/netpfil/pf/pf.c:3171

Why this #if? At least ipfw supports SCTP no matter whether SCTP is enabled in the kernel.

sys/netpfil/pf/pf.c:3173

Sorry for the question, I have no experience with pf. Is it possible to trigger the sending of an SCTP packet with an ABORT chunk in response to arbitrary packets? ipfw sort of supports this, not yet at the level I want, but the basic functionality is there.
The reason I'm asking: if pf does support this, you need to set the T-bit in some cases and I don't see code for this right now.

sys/netpfil/pf/pf.c:2952

It is, but I followed the example of the existing SCTP checksum code in pf_route(), and didn't know about sctp_calculate_cksum(). I'll use that everywhere instead, because that's clearly better. Thanks!

sys/netpfil/pf/pf.c:3173

The ABORT will basically only be sent in response to an INIT packet on a port (or from a host or ... ) we don't want to allow traffic to. (And then only if 'return' is set on the relevant rule.)

This revision was not accepted when it landed; it landed in state Needs Review. Jul 21 2023, 10:35 AM
This revision was automatically updated to reflect the committed changes.