From nobody Wed Nov 03 20:03:19 2021 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 37B48184A9ED; Wed, 3 Nov 2021 20:03:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HkyPh12z7z3JXS; Wed, 3 Nov 2021 20:03:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EFCF81ECF1; Wed, 3 Nov 2021 20:03:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1A3K3JBR004906; Wed, 3 Nov 2021 20:03:19 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1A3K3JWl004905; Wed, 3 Nov 2021 20:03:19 GMT (envelope-from git) Date: Wed, 3 Nov 2021 20:03:19 GMT Message-Id: <202111032003.1A3K3JWl004905@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Gleb Smirnoff Subject: git: 3ea9a7cf7b09 - main - blackhole(4): disable for locally originated TCP/UDP packets List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: glebius X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3ea9a7cf7b09a355cde3a76824809402b99d0892 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=3ea9a7cf7b09a355cde3a76824809402b99d0892 commit 3ea9a7cf7b09a355cde3a76824809402b99d0892 Author: Gleb Smirnoff AuthorDate: 2021-10-28 15:11:45 +0000 Commit: Gleb Smirnoff CommitDate: 2021-11-03 20:02:44 +0000 blackhole(4): disable for locally originated TCP/UDP packets In most cases blackholing for locally originated packets is undesired, leads to different kind of lags and delays. Provide sysctls to enforce it, e.g. for debugging purposes. Reviewed by: rrs Differential revision: https://reviews.freebsd.org/D32718 --- share/man/man4/blackhole.4 | 12 +++++++++++- sys/netinet/tcp_input.c | 19 +++++++++++++++++-- sys/netinet/udp_usrreq.c | 7 ++++++- sys/netinet/udp_var.h | 2 ++ sys/netinet6/udp6_usrreq.c | 3 ++- 5 files changed, 38 insertions(+), 5 deletions(-) diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4 index 0bd7d03bcb50..17d1286525e4 100644 --- a/share/man/man4/blackhole.4 +++ b/share/man/man4/blackhole.4 @@ -12,7 +12,7 @@ .\" .\" .\" $FreeBSD$ -.Dd September 6, 2015 +.Dd November 3, 2021 .Dt BLACKHOLE 4 .Os .Sh NAME @@ -24,7 +24,9 @@ attempts .Sh SYNOPSIS .Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2" .Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2" +.Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1" .Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1" +.Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1" .Sh DESCRIPTION The .Nm @@ -35,6 +37,14 @@ are received on SCTP, TCP, or UDP ports where there is no socket listening. The blackhole behaviour is useful to slow down an attacker who is port-scanning a system in an attempt to detect vulnerable services. It might also slow down an attempted denial of service attack. +.Pp +The blackhole behaviour is disabled by default. +If enabled, the locally originated packets would still be responded to, +unless also +.Va net.inet.tcp.blackhole_local +(for TCP) and/or +.Va net.inet.udp.blackhole_local +(for UDP) are enforced. .Ss SCTP Setting the SCTP blackhole MIB to a numeric value of one will prevent sending an ABORT packet in response to an incoming INIT. diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index a8fe6d9817d0..3ebac68c7c48 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -144,6 +144,12 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(blackhole), 0, "Do not send RST on segments to closed ports"); +VNET_DEFINE(bool, blackhole_local) = false; +#define V_blackhole_local VNET(blackhole_local) +SYSCTL_BOOL(_net_inet_tcp, OID_AUTO, blackhole_local, CTLFLAG_VNET | + CTLFLAG_RW, &VNET_NAME(blackhole_local), false, + "Enforce net.inet.tcp.blackhole for locally originated packets"); + VNET_DEFINE(int, tcp_delack_enabled) = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_delack_enabled), 0, @@ -935,8 +941,17 @@ findpcb: * When blackholing do not respond with a RST but * completely ignore the segment and drop it. */ - if ((V_blackhole == 1 && (thflags & TH_SYN)) || - V_blackhole == 2) + if (((V_blackhole == 1 && (thflags & TH_SYN)) || + V_blackhole == 2) && (V_blackhole_local || +#ifdef INET6 + isipv6 ? !in6_localaddr(&ip6->ip6_src) : +#endif +#ifdef INET + !in_localip(ip->ip_src) +#else + true +#endif + )) goto dropunlock; rstreason = BANDLIM_RST_CLOSEDPORT; diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 7c5a642da040..a9d534fbc8c0 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -127,6 +127,10 @@ VNET_DEFINE(int, udp_blackhole) = 0; SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(udp_blackhole), 0, "Do not send port unreachables for refused connects"); +VNET_DEFINE(bool, udp_blackhole_local) = false; +SYSCTL_BOOL(_net_inet_udp, OID_AUTO, blackhole_local, CTLFLAG_VNET | + CTLFLAG_RW, &VNET_NAME(udp_blackhole_local), false, + "Enforce net.inet.udp.blackhole for locally originated packets"); u_long udp_sendspace = 9216; /* really max datagram size */ SYSCTL_ULONG(_net_inet_udp, UDPCTL_MAXDGRAM, maxdgram, CTLFLAG_RW, @@ -701,7 +705,8 @@ udp_input(struct mbuf **mp, int *offp, int proto) UDPSTAT_INC(udps_noportbcast); goto badunlocked; } - if (V_udp_blackhole) + if (V_udp_blackhole && (V_udp_blackhole_local || + !in_localip(ip->ip_src))) goto badunlocked; if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0) goto badunlocked; diff --git a/sys/netinet/udp_var.h b/sys/netinet/udp_var.h index 37bc0c846d99..eaafdb299233 100644 --- a/sys/netinet/udp_var.h +++ b/sys/netinet/udp_var.h @@ -149,9 +149,11 @@ extern u_long udp_sendspace; extern u_long udp_recvspace; VNET_DECLARE(int, udp_cksum); VNET_DECLARE(int, udp_blackhole); +VNET_DECLARE(bool, udp_blackhole_local); VNET_DECLARE(int, udp_log_in_vain); #define V_udp_cksum VNET(udp_cksum) #define V_udp_blackhole VNET(udp_blackhole) +#define V_udp_blackhole_local VNET(udp_blackhole_local) #define V_udp_log_in_vain VNET(udp_log_in_vain) VNET_DECLARE(int, zero_checksum_port); diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 6ee2abc4ea1b..5939b631a1ab 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -511,7 +511,8 @@ skip_checksum: UDPSTAT_INC(udps_noportmcast); goto badunlocked; } - if (V_udp_blackhole) + if (V_udp_blackhole && (V_udp_blackhole_local || + !in6_localaddr(&ip6->ip6_src))) goto badunlocked; icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0); *mp = NULL;