Page MenuHomeFreeBSD
Differential D40862

pf: initial SCTP support
ClosedPublic
Actions

Authored by kp on Jul 4 2023, 7:11 AM.
Tags
None
Referenced Files
F122678105: D40862.id.diff
Mon, Jul 7, 9:24 AM
Unknown Object (File)
Sat, Jul 5, 3:01 AM
Unknown Object (File)
Thu, Jul 3, 3:14 AM
Unknown Object (File)
Thu, Jun 26, 9:40 AM
Unknown Object (File)
Thu, Jun 26, 1:17 AM
Unknown Object (File)
Tue, Jun 24, 2:23 PM
Unknown Object (File)
Sun, Jun 22, 2:34 AM
Unknown Object (File)
Sat, Jun 21, 5:42 AM
View All Files
Subscribers
ae
farrokhi
glebius
imp
melifaro
tuexen

Details

Reviewers
None
Group Reviewers
network
Commits
rG9b60a37c1e9b: pf: initial SCTP support
rG010ee43f5673: pf: initial SCTP support
Summary

Basic state tracking for SCTP. This means we scan through the packet to
identify the different chunks (so we can identify state changes).

MFC after: 3 weeks
Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 52446
Build 49337: arc lint + arc unit

Event Timeline

kp created this revision.Jul 4 2023, 7:11 AM
Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptJul 4 2023, 7:11 AM
kp requested review of this revision.Jul 4 2023, 7:11 AM
kp added a parent revision: D40861: pfctl: SCTP can have port numbers.
Harbormaster completed remote builds in B52412: Diff 124143.Jul 4 2023, 7:11 AM
kp added a child revision: D40863: pf tests: basic SCTP connection test.Jul 4 2023, 7:11 AM
tuexen added a subscriber: tuexen.Jul 4 2023, 4:39 PM
tuexen added inline comments.
sys/netpfil/pf/pf_norm.c
2040

Does this loop provide a way for a DOS attack? Assume an attacker sends a lot of packets containing, for example, (1500 - 12) / 4 = 372 chunks?

2046

If an attacker sends a chunk with chunk_length == 0, doesn't this results in an endless loop?

2146

The same applies to INIT ACK and SHUTDOWN COMPLETE chunks. Why is this not tested?

kp updated this revision to Diff 124220.Jul 6 2023, 4:31 PM

Improve validation of INIT chunks

initiate_tag, num_inbound_streams and num_outbound_streams may not be zero.
v_tag must be zero.

Ensure that the INIT chunk is the only chunk in the packet.

Harbormaster completed remote builds in B52446: Diff 124220.Jul 6 2023, 4:31 PM
kp updated this revision to Diff 124221.Jul 6 2023, 4:34 PM

Remove redundant check

Harbormaster completed remote builds in B52447: Diff 124221.Jul 6 2023, 4:35 PM
kp mentioned this in D40864: pf: support 'return' for SCTP.Jul 6 2023, 4:35 PM
kp updated this revision to Diff 124283.Jul 7 2023, 2:40 PM
  • rebase
  • use sctp_calculate_cksum() via pf_sctp_checksum()
Harbormaster completed remote builds in B52480: Diff 124283.Jul 7 2023, 2:40 PM
This revision was not accepted when it landed; it landed in state Needs Review.Jul 21 2023, 10:34 AM
Closed by commit rG010ee43f5673: pf: initial SCTP support (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG010ee43f5673: pf: initial SCTP support.
kp added a commit: rG9b60a37c1e9b: pf: initial SCTP support.Aug 11 2023, 12:13 PM

Revision Contents
Changeset List

PathSize
sbin/
pfctl/
34 lines
sys/
net/
12 lines
netpfil/
pf/
137 lines
163 lines

Diff 124220

View Options

sbin/pfctl/pf_print_state.c

Loading...
View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

sys/netpfil/pf/pf_norm.c

Loading...