We want the return value of pf_test_rule(), i.e. the result of the
evaluation of the new state, not the result of the evaluation of the
original packet/state.
MFC after: 1 week
Sponsored by: Orange Business Services
(cherry picked from commit b00dbe851c)
If we're evaluating a pfsync'd state (and have different rules on both
ends) our state may point to the default rule, which does not have
rpool.cur set. As a result we can end up dereferencing a NULL pointer.
Explicitly check for this when we try to re-construct the route-to interface.
Also add a test case which can trigger this issue.
MFC after: 3 days
See also: https://redmine.pfsense.org/issues/14804
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 74c2461386)
If we've decided to drop the packet we shouldn't create additional
states based off it.
MFC after: 3 days
Sponsored by: Orange Business Services
(cherry picked from commit 480f62ccd8)
If we bail out early from pf_test(6)() we still need to clean up/finish
SCTP multihome work, which requires the 'off' value to be set. Set it
early enough.
MFC after: 3 days
Sponsored by: Orange Business Services
(cherry picked from commit aefda9c92d)
Parse IP removal in ASCONF chunks, find the affected state(s) and mark
them as shutting down. This will cause them to time out according to
PFTM_TCP_CLOSING timeouts, rather than waiting for the established
session timeout.
MFC after: 3 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 4d3af82f78)
When we create a new state for an existing SCTP association inherit the
v_tag values from the original connection.
MFC after: 3 weeks
Sponsored by: Orange Business Services
(cherry picked from commit f1cc29af84)
Only create new states for INIT chunks, or when we're creating a
secondary state for a multihomed association.
Store and verify verification tag.
MFC after: 3 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 51a78dd276)
SCTP may announce additional IP addresses it'll use in the INIT/INIT_ACK
chunks, or in ASCONF chunks at any time during the connection. Parse these
parameters, evaluate the ruleset for the new connection and if allowed
create the corresponding states.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D41637
(cherry picked from commit 10aa9ddb4d)
The sysctl variable `net.inet.ipf.large_nat` is actually a loader
tunable. Add sysctl flag CTLFLAG_TUN to it so that `sysctl -T` will
report it correctly.
No functional change intended.
Reviewed by: cy (for #network)
Fixes: a805ffbcbc ipfilter: Make LARGE_NAT a tunable
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42005
(cherry picked from commit ba883e7a5a)
The following sysctl variables are actually loader tunables. Add sysctl
flag CTLFLAG_TUN to them so that `sysctl -T` will report them correctly.
1. net.inet.ip.fw.enable
2. net.inet6.ip6.fw.enable
3. net.link.ether.ipfw
No functional change intended.
Reviewed by: glebius
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41928
(cherry picked from commit 49197c391b)
Only allocate a new ipftoken_t if one cannot be found. This eliminates
allocating unnecessary token structures that will never be used when
performing simple lookups for existing token structures.
(cherry picked from commit 7f5e3b9fa3)
If we hit the csfailed case in pf_create_state() we may have allocated
a state, so we must also free it. While here reduce the amount of
duplicated cleanup code.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41772
(cherry picked from commit b6ce41118b)
If we receive a state with a route-to interface name set and we can't
find the interface we do not insert the state. However, in that case we
must still clean up the state (and state keys).
Do so, so we do not leak states.
Reviewed by: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41779
(cherry picked from commit f415a5c1bd)
pf_route() sends traffic to a specified next hop over a specific
interface. The next hop is obtained in pf_map_addr() but the interface
is obtained directly via r->rpool.cur->kif` outside of the lock held in
pf_map_addr() in multiple places around pf. The chosen interface is not
stored in source node.
Move the interface selection into pf_map_addr(), have the function
return it together with the chosen IP address and ensure its stored
in struct pf_ksrc_node, store it in the source node and use the stored
value when needed.
Sponsored by: InnoGames GmbH
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D41570
When syncookie support was added to pf the relevant work was only done
in pf_test(), not pf_test6(). Do this now.
MFC after: 1 week
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D41502
With 'scrub fragment reassemble' if a packet contains multiple IPv6
fragment headers we would reassemble the packet and immediately
continue processing it.
That is, we'd remove the first fragment header and expect the next
header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
it's another fragment header we'd not treat the packet correctly.
That is, we'd fail to recognise the payload and treat it as if it were
an IPv6 fragment rather than as its actual payload.
Fix this by restarting the normalisation on the reassembled packet.
If there are multiple fragment headers drop the packet.
Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
MFC after: instant
Sponsored by: Rubicon Communications, LLC ("Netgate")
Support NAT-ing SCTP connections.
This is mostly similar to UDP and TCP, but we refuse to change ports for
SCTP, to avoid interfering with multihomed connections.
As a result we also never copy the SCTP header back or recalculate
checksums as we'd do for TCP or UDP (because we don't modify the header
for SCTP).
We do use the existing pf_change_ap() function to modify the packet,
because we may still need to update the IPv4 header checksum.
Reviewed by: tuexen
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40866
Send an SCTP Abort message if we're refusing a connection, just like we
send a RST for TCP.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40864
Basic state tracking for SCTP. This means we scan through the packet to
identify the different chunks (so we can identify state changes).
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40862
This function is always available, even if the SCTP or SCTP_SUPPORT options
are not set.
That lets us remove an ifdef, and also means we improve pf's SCTP handling
when the options are not set.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40911
Actions applied to a processed packet come in case of stateless
firewalling from a rule or in case of statefull firewalling from a
state. The state obtains the actions from a rule when it is created by a
rule or by pfsync. The logic for deciding if actions come from a rule or
a state is spread across many places in pf.
There already is struct pf_rule_actions in struct pf_pdesc and thus it
can be used as a central place for storing actions and their parameters.
OpenBSD does something similar: they also store the actions in struct
pf_pdesc and have no variables in pf_test() but they use separate
variables instead of a structure. By using struct pf_rule_actions we can
simplify the code even further. Applying of actions is done *only* in
pf_rule_to_actions() no matter if for the legacy scrub rules or for the
normal match / pass rules. The logic of choosing if rule or state
actions are used is applied only once in pf_test() by copying the whole
struct.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D41009
The variable storing the direction of a processed packet is passed
around to many functions. Most of those functions already have a pointer
to struct pf_pdesc which also contains the direction. By using the one
in struct pf_pdesc we can reduce the amount of arguments passed around.
Reviewed by: kp
Sponsored by: InnGames GmbH
Differential Revision: https://reviews.freebsd.org/D41008
Explicitly add pfsync as a know upper layer protocol so we don't
automatically discard pfsync packets (carried over IPv6).
net.inet6.ip6.fw.deny_unknown_exthdrs defaults to 1, so even if
net.inet.ip.fw.default_to_accept is set to 1 we'd discard pfsync (over
IPv6).
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D40973
This is disabled by default since it potentially changes the behavior of
existing filter rule sets. To enable this extra filter for packets being
delivered locally, use:
sysctl net.pf.filter_local=1
service pf restart
PR: 268717
Reviewed-by: kp
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40373
Remove the name conflict between the pfsync_defer_tmo variable and
function.
This worked fine in kernels with VIMAGE (the default), but not in those
without.
Reported by: des@
Sponsored by: Rubicon Communications, LLC ("Netgate")
Add the net.pfsync.defer_delay sysctl to allow the defer timeout (i.e.
how long pf holds onto packets waiting for the peer to ack the new
state) to be changed.
This is intended to make testing of the defer code more robust, by
allowing longer timeouts to mitigate scheduling/measurement jitter.
Sponsored by: Rubicon Communications, LLC ("Netgate")
The value stored in pf_mtag->tag comes from "tag" and "match tag"
keywords in pf.conf and must not be abused for storing other
information. A ruleset with enough tags could set or remove the bits
responsible for PF_TAG_SYNCOOKIE_RECREATED.
Move this syncookie status to pf_mtag->flags. Rename this and other
related constants in a way that will prevent such mistakes in the
future. Move PF_REASSEMBLED constant to mbuf.h and rename accordingly
because it's not a flag stored in pf_mtag, but an identifier of a
different m_tag. Change the value of the constant to avoid conflicts
with other m_tags using MTAG_ABI_COMPAT.
Rename the variables in pf_build_tcp() and pf_send_tcp() in to reduce
confusion.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40587
Use the already populated PFE_SKIP_DST_ADDR and extend the skip
infrastructure to also skip on IP source/destination addresses.
This should make evaluating the rules slightly faster.
Reported by: R. Christian McDonald <rcm@rcm.sh>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40567
When we clean up a wf2q+ queue we need to ensure that we remove it from
the correct heap. If we leave a queue pointer behind in an unexpected
heap we'll later write to it, causing a use-after-free and unpredictable
panics.
Teach the dummynet heap code to verify that we're removing the correct
object so we can safely attempt to remove objects not contained in the
heap.
Remove a to-be-removed queue from all heaps.
Also don't continue the enqueue function if we're not finding the queue
on the idle heap as we'd expect.
While here also remove the empty heap warning, because this is now
expected to happen.
See also: https://redmine.pfsense.org/issues/14433
Sponsored by: Rubicon Communications, LLC ("Netgate")
If we route-to (or dup-to/reply-to) we re-run pf_test(), which will also
create states for the connection.
This means that we may end up matching a different (i.e. not the state
that was created by the route-to rule) state, without the attributes
(such as dummynet pipes/queues) set by the route-to rule.
Address this by inheriting the pf_rule_actions from the route-to rule
while evaluating the connection again in pf_test(). That is, we set
default pf_rule_actions based on the route-to rule for the new
evaluation. The new rule may still overrule these, but if it does not
have such actions the route-to actions are applied.
Do the same for IPv6 rules in pf_test6()/pf_route6().
See also: https://redmine.pfsense.org/issues/14039
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40340
Make struct pfsync_state contents configurable by sending out new
versions of the structure in separate subheader actions. Both old and
new version of struct pfsync_state can be understood, so replication of
states from a system running an older kernel is possible. The version
being sent out is configured using ifconfig pfsync0 … version XXXX. The
version is an user-friendly string - 1301 stands for FreeBSD 13.1 (I
have checked synchronization against a host running 13.1), 1400 stands
for 14.0.
A host running an older kernel will just ignore the messages and count
them as "packets discarded for bad action".
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39392
In the Ethernet rules we held the PF_RULES lock while we called
ip_dn_io_ptr() (i.e. dummynet). That meant that we could end up back in
pf while still holding the PF_RULES lock.
That's not immediately fatal, because that lock is recursive, but still
not ideal.
There also appear to be scenarios where this can actually trigger
deadlocks.
We don't need to hold the PF_RULES lock, as long as we make a local copy
of the data we need from the rule (in this case, the action and
bridge_to target). It's safe to keep the struct ifnet pointer around,
because we remain in NET_EPOCH.
See also: https://redmine.pfsense.org/issues/14373
MFC after: 1 week
Reviewed by: mjg
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40067
State deletions are sent over pfsync using struct pfsync_del_c.
Remove the code for receiving state deletions using struct pfsync_state
as such deletions are never sent. Rename functions and constants so that
only the "compressed" versions remain.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40004
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix