Page MenuHomeFreeBSD

pf: Skip firewall for refragmented ip6 packets
ClosedPublic

Authored by kp on Apr 1 2015, 1:14 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 18, 4:11 AM
Unknown Object (File)
Wed, Dec 18, 3:21 AM
Unknown Object (File)
Oct 26 2024, 1:43 AM
Unknown Object (File)
Sep 27 2024, 4:22 PM
Unknown Object (File)
Sep 24 2024, 7:11 PM
Unknown Object (File)
Sep 23 2024, 6:20 PM
Unknown Object (File)
Sep 23 2024, 11:42 AM
Unknown Object (File)
Sep 19 2024, 5:29 PM
Subscribers
None

Details

Summary

In cases where we scrub (fragment reassemble) on both input and output
we risk ending up in infinite loops when forwarding packets.

Fragmented packets come in and get collected until we can defragment. At
that point the defragmented packet is handed back to the ip stack (at
the pfil point in ip6_input(). Normal processing continues.

Eventually we figure out that the packet has to be forwarded and we end
up at the pfil hook in ip6_forward(). After doing the inspection on the
defragmented packet we see that the packet has been defragmented and
because we're forwarding we have to refragment it.

In pf_refragment6() we split the packet up again and then ip6_forward()
the individual fragments. Those fragments hit the pfil hook on the way
out, so they're collected until we can reconstruct the full packet, at
which point we're right back where we left off and things continue until
we run out of stack.

Break that loop by marking the fragments generated by pf_refragment6()
as M_SKIP_FIREWALL. There's no point in processing those packets in the
firewall anyway. We've already filtered on the full packet.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kp retitled this revision from to pf: Skip firewall for refragmented ip6 packets.
kp updated this object.
kp edited the test plan for this revision. (Show Details)
kp added reviewers: allanjude, glebius, philip, gnn.
kp set the repository for this revision to rS FreeBSD src repository - subversion.

Gleb and Allan have already seen this patch. It's been pending for a while waiting for Allan to test it.
That hasn't happened yet (presumably because Allan doesn't want me to break his router *again*), but it's an important enough fix that I think it should go in soon-ish.

It'll probably start affecting more people after D1815 goes in (also really soon now!) and more people start actually having pf reassemble and refragment packets.

glebius edited edge metadata.

I wonder if that may or may not break NAT. Hope you investigated that.

This revision is now accepted and ready to land.Apr 1 2015, 2:10 PM

I've not explicitly tested IPv6 NAT, no.

I'd expect things to be fine, because all firewall processing has been done on the reassembled packet and if we end up fragmenting that should just copy the IPv6 header of the reassembled packet and pick up any changes we made there.

I'll play with NAT later in the week.

gnn edited edge metadata.

NAT still works with this patch.

kp updated this revision to Diff 4708.

Closed by commit rS281164 (authored by kp).