From nobody Tue Nov 07 15:47:25 2023
Date: Tue, 7 Nov 2023 15:47:25 GMT
Message-Id: <202311071547.3A7FlPtL069961@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 47b2432a5c20 - stable/14 - pf: support SCTP-specific timeouts
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 47b2432a5c207314f8b5d9b570b26549ae895bf5
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=47b2432a5c207314f8b5d9b570b26549ae895bf5

commit 47b2432a5c207314f8b5d9b570b26549ae895bf5
Author:     Kristof Provost
AuthorDate: 2023-10-27 14:45:07 +0000
Commit:     Kristof Provost
CommitDate: 2023-11-07 15:46:52 +0000

    pf: support SCTP-specific timeouts

    Allow SCTP state timeouts to be configured independently from TCP state timeouts.

    Reviewed by:    tuexen
    MFC after:      1 week
    Sponsored by:   Orange Business Services
    Differential Revision:  https://reviews.freebsd.org/D42393

    (cherry picked from commit ca9dbde88122beb079b55fb4580b200f73044da6)
---
 sbin/pfctl/pfctl.c               |  5 +++++
 sbin/pfctl/pfctl_parser.c        |  5 +++++
 sbin/pfctl/tests/files/pf1002.in |  5 +++++
 sbin/pfctl/tests/files/pf1002.ok |  5 +++++
 share/man/man5/pf.conf.5         | 19 ++++++++++++++++++-
 sys/netpfil/pf/pf.c              | 14 +++++++++-----
 sys/netpfil/pf/pf.h              | 41 +++++++++++++++++++++++++++++++---------
 sys/netpfil/pf/pf_ioctl.c        |  5 +++++
 8 files changed, 84 insertions(+), 15 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index bfa76b299a02..d5541571a135 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c 
@@ -2234,6 +2234,11 @@ pfctl_init_options(struct pfctl *pf) pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; + pf->timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; + pf->timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL; + pf->timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; + pf->timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL; + pf->timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL; pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 925848055bba..0268d1b07c79 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -192,6 +192,11 @@ const struct pf_timeout pf_timeouts[] = { { "tcp.finwait", PFTM_TCP_FIN_WAIT }, { "tcp.closed", PFTM_TCP_CLOSED }, { "tcp.tsdiff", PFTM_TS_DIFF }, + { "sctp.first", PFTM_SCTP_FIRST_PACKET }, + { "sctp.opening", PFTM_SCTP_OPENING }, + { "sctp.established", PFTM_SCTP_ESTABLISHED }, + { "sctp.closing", PFTM_SCTP_CLOSING }, + { "sctp.closed", PFTM_SCTP_CLOSED }, { "udp.first", PFTM_UDP_FIRST_PACKET }, { "udp.single", PFTM_UDP_SINGLE }, { "udp.multiple", PFTM_UDP_MULTIPLE }, diff --git a/sbin/pfctl/tests/files/pf1002.in b/sbin/pfctl/tests/files/pf1002.in index 5180e8395f9c..3fdde81be7de 100644 --- a/sbin/pfctl/tests/files/pf1002.in +++ b/sbin/pfctl/tests/files/pf1002.in @@ -1 +1,6 @@ set timeout interval 10 +set timeout sctp.first 11 +set timeout sctp.opening 12 +set timeout sctp.established 13 +set timeout sctp.closing 14 +set timeout sctp.closed 15 diff --git a/sbin/pfctl/tests/files/pf1002.ok b/sbin/pfctl/tests/files/pf1002.ok index 5180e8395f9c..3fdde81be7de 100644 --- a/sbin/pfctl/tests/files/pf1002.ok +++ b/sbin/pfctl/tests/files/pf1002.ok 
@@ -1 +1,6 @@ set timeout interval 10 +set timeout sctp.first 11 +set timeout sctp.opening 12 +set timeout sctp.established 13 +set timeout sctp.closing 14 +set timeout sctp.closed 15 diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 2bc57d4f7f5b..ce64df78ad62 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 21, 2023 +.Dd October 27, 2023 .Dt PF.CONF 5 .Os .Sh NAME @@ -283,6 +283,21 @@ can prevent blocking of such packets. The state after one endpoint sends an RST. .El .Pp +SCTP timeout are handled similar to TCP, but with its own set of states: +.Pp +.Bl -tag -width xxxx -compact +.It Ar sctp.first +The state after the first packet. +.It Ar sctp.opening +The state before the destination host ever sends a packet. +.It Ar sctp.established +The fully established state. +.It Ar sctp.closing +The state after the first SHUTDOWN chunk has been sent. +.It Ar sctp.closed +The state after SHUTDOWN_ACK has been exchanged and the connection is closed. +.El +.Pp ICMP and UDP are handled in a fashion similar to TCP, but with a much more limited set of states: .Pp @@ -3277,6 +3292,8 @@ fragmentation = [ "fragment reassemble" ] timeout-list = timeout [ [ "," ] timeout-list ] timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | "tcp.closing" | "tcp.finwait" | "tcp.closed" | + "sctp.first" | "sctp.opening" | "sctp.established" | + "sctp.closing" | "sctp.closed" | "udp.first" | "udp.single" | "udp.multiple" | "icmp.first" | "icmp.error" | "other.first" | "other.single" | "other.multiple" | diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 96e8a165692f..b80ec2bb303d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -4906,7 +4906,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, case IPPROTO_SCTP: pf_set_protostate(s, PF_PEER_SRC, SCTP_COOKIE_WAIT); pf_set_protostate(s, PF_PEER_DST, SCTP_CLOSED); - s->timeout = PFTM_TCP_FIRST_PACKET; + s->timeout = PFTM_SCTP_FIRST_PACKET; break; case IPPROTO_ICMP: #ifdef INET6 @@ -5915,7 +5915,7 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) { pf_set_protostate(*state, psrc, SCTP_COOKIE_WAIT); - (*state)->timeout = PFTM_TCP_OPENING; + (*state)->timeout = PFTM_SCTP_OPENING; } } if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) { @@ -5927,16 +5927,20 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, if (pd->sctp_flags & PFDESC_SCTP_COOKIE) { if (src->state < SCTP_ESTABLISHED) { pf_set_protostate(*state, psrc, SCTP_ESTABLISHED); - (*state)->timeout = PFTM_TCP_ESTABLISHED; + (*state)->timeout = PFTM_SCTP_ESTABLISHED; } } if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | PFDESC_SCTP_ABORT | PFDESC_SCTP_SHUTDOWN_COMPLETE)) { if (src->state < SCTP_SHUTDOWN_PENDING) { pf_set_protostate(*state, psrc, SCTP_SHUTDOWN_PENDING); - (*state)->timeout = PFTM_TCP_CLOSING; + (*state)->timeout = PFTM_SCTP_CLOSING; } } + if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE)) { + pf_set_protostate(*state, psrc, SCTP_CLOSED); + (*state)->timeout = PFTM_SCTP_CLOSED; + } if (src->scrub != NULL) { if (src->scrub->pfss_v_tag == 0) { @@ -6216,7 +6220,7 @@ again: psrc = PF_PEER_DST; } pf_set_protostate(sm, psrc, SCTP_SHUTDOWN_PENDING); - sm->timeout = PFTM_TCP_CLOSING; + sm->timeout = PFTM_SCTP_CLOSING; PF_STATE_UNLOCK(sm); } break; diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index d83aa5e579bd..dd9796b59ce9 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h 
@@ -66,14 +66,37 @@ enum { PF_PEER_SRC, PF_PEER_DST, PF_PEER_BOTH }; * Note about PFTM_*: real indices into pf_rule.timeout[] come before * PFTM_MAX, special cases afterwards. See pf_state_expires(). */ -enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, - PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, - PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, - PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, - PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, - PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, - PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, - PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED }; +enum { + PFTM_TCP_FIRST_PACKET = 0, + PFTM_TCP_OPENING = 1, + PFTM_TCP_ESTABLISHED = 2, + PFTM_TCP_CLOSING = 3, + PFTM_TCP_FIN_WAIT = 4, + PFTM_TCP_CLOSED = 5, + PFTM_UDP_FIRST_PACKET = 6, + PFTM_UDP_SINGLE = 7, + PFTM_UDP_MULTIPLE = 8, + PFTM_ICMP_FIRST_PACKET = 9, + PFTM_ICMP_ERROR_REPLY = 10, + PFTM_OTHER_FIRST_PACKET = 11, + PFTM_OTHER_SINGLE = 12, + PFTM_OTHER_MULTIPLE = 13, + PFTM_FRAG = 14, + PFTM_INTERVAL = 15, + PFTM_ADAPTIVE_START = 16, + PFTM_ADAPTIVE_END = 17, + PFTM_SRC_NODE = 18, + PFTM_TS_DIFF = 19, + PFTM_OLD_MAX = 20, /* Legacy limit, for binary compatibility with old kernels. */ + PFTM_SCTP_FIRST_PACKET = 20, + PFTM_SCTP_OPENING = 21, + PFTM_SCTP_ESTABLISHED = 22, + PFTM_SCTP_CLOSING = 23, + PFTM_SCTP_CLOSED = 24, + PFTM_MAX = 25, + PFTM_PURGE = 26, + PFTM_UNLINKED = 27, +}; /* PFTM default values */ #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ @@ -497,7 +520,7 @@ struct pf_rule { pf_osfp_t os_fingerprint; int rtableid; - u_int32_t timeout[PFTM_MAX]; + u_int32_t timeout[PFTM_OLD_MAX]; u_int32_t max_states; u_int32_t max_src_nodes; u_int32_t max_src_states; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 65bab7195d46..6b8fbf77fd29 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -373,6 +373,11 @@ pfattach_vnet(void) my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; + my_timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; + my_timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL; + my_timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; + my_timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL; + my_timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL; my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
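Review bot: in the pfctl_init_options() hunk (sbin/pfctl/pfctl.c) and the matching pfattach_vnet() hunk (sys/netpfil/pf/pf_ioctl.c) the five SCTP defaults are seeded from the PFTM_TCP_*_VAL constants, while the "/* PFTM default values */" block in pf.h gains no PFTM_SCTP_*_VAL defines. Adding `#define PFTM_SCTP_FIRST_PACKET_VAL PFTM_TCP_FIRST_PACKET_VAL` and friends (or distinct values if SCTP should get its own) keeps the defaults in one place; as written, anyone retuning the TCP defaults later silently retunes SCTP as well, and the two copies of the table in userland and kernel, which have to stay in sync, give no hint that they are meant to track each other.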
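Review bot: in the @@ -5927 hunk of pf_test_state_sctp() (sys/netpfil/pf/pf.c) the new SHUTDOWN_COMPLETE block has no `src->state <` guard, unlike the three transitions above it, and PFDESC_SCTP_SHUTDOWN_COMPLETE is still part of the mask in the block just before it. A packet carrying that chunk therefore first moves the peer to SCTP_SHUTDOWN_PENDING with PFTM_SCTP_CLOSING and is then immediately overwritten with SCTP_CLOSED and PFTM_SCTP_CLOSED. Either drop PFDESC_SCTP_SHUTDOWN_COMPLETE from the earlier mask or guard the new block the same way. The unguarded form is also the only transition in this function that can move a peer's state backwards, and it runs before the verification-tag handling on `src->scrub->pfss_v_tag` that follows it; the ordering is pre-existing for the other transitions, but it is worth confirming that a state whose tag check later fails is not left in SCTP_CLOSED with the short closed timeout.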
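Review bot: in the pf.conf.5 hunk the new sentence "SCTP timeout are handled similar to TCP, but with its own set of states" should read "SCTP timeouts are handled similarly to TCP, but with their own set of states". The sctp.closed description ("after SHUTDOWN_ACK has been exchanged") also does not match the code, which enters SCTP_CLOSED on the SHUTDOWN_COMPLETE chunk in pf_test_state_sctp(); naming SHUTDOWN_COMPLETE here keeps the documented trigger in step with the implementation.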
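Review bot: in the pf.h hunk, shrinking `struct pf_rule.timeout[]` from PFTM_MAX to PFTM_OLD_MAX keeps the legacy ioctl ABI stable, but it means every loop that copies timeouts between `struct pf_rule` and the kernel rule now has to bound on PFTM_OLD_MAX rather than PFTM_MAX, or it reads five entries past the end of the userland array (indices 20..24). None of those copy sites appear in this diff, so please check them and add a comment on the field explaining why its size differs from the enum's PFTM_MAX. A CTASSERT that PFTM_OLD_MAX == 20 and PFTM_SCTP_FIRST_PACKET == PFTM_OLD_MAX would pin the layout the "Legacy limit, for binary compatibility" comment promises, since the explicit enum values are doing ABI work here.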
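Review bot: the pf1002.in/pf1002.ok hunks only exercise the parser and printer round trip for the five new keywords; nothing covers the kernel behaviour the pf.c hunks change (SCTP states now selecting PFTM_SCTP_* timeouts, and the new SHUTDOWN_COMPLETE to SCTP_CLOSED transition). A kernel-side test that sets a short sctp.closed timeout and checks that the state expires after SHUTDOWN_COMPLETE, and that an established association still honours sctp.established rather than tcp.established, would verify the part of the change that actually matters.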