From nobody Sat Aug 03 22:34:25 2024
Date: Sat, 3 Aug 2024 22:34:25 GMT
Message-Id: <202408032234.473MYPNa043025@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: f0697703dd79 - stable/14 - tcp: improve blackhole support
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f0697703dd7987158c0b98f89ba7d32a6a089a04

The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=f0697703dd7987158c0b98f89ba7d32a6a089a04

commit f0697703dd7987158c0b98f89ba7d32a6a089a04
Author:     Michael Tuexen
AuthorDate: 2024-05-24 04:59:13 +0000
Commit:     Michael Tuexen
CommitDate: 2024-08-03 22:33:43 +0000

    tcp: improve blackhole support

    There are two improvements to the TCP blackhole support:
    (1) If net.inet.tcp.blackhole is set to 2, also send no RST whenever
        a segment is received on an existing closed socket or if there
        is a port mismatch when using UDP encapsulation.
    (2) If net.inet.tcp.blackhole is set to 3, no RST segment is sent in
        response to incoming segments on closed sockets or in response
        to unexpected segments on listening sockets.
    Thanks to gallatin@ for suggesting such an improvement.

    Reviewed by:            gallatin
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D45304

    (cherry picked from commit 02d15215cef2a28f1865e6ad5b19f18af1398b8b)
---
 share/man/man4/blackhole.4 | 10 +++++++---
 sys/netinet/tcp_input.c    | 43 +++++++++++++++++++------------------------
 2 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4
index 090f330a6ed8..bb955fd4497d 100644
--- a/share/man/man4/blackhole.4
+++ b/share/man/man4/blackhole.4
@@ -10,7 +10,7 @@ .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" -.Dd May 22, 2024 +.Dd May 25, 2024 .Dt BLACKHOLE 4 .Os .Sh NAME @@ -21,7 +21,7 @@ MIB for manipulating behaviour in respect of refused SCTP, TCP, or UDP connectio attempts .Sh SYNOPSIS .Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2" -.Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2" +.Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2 | 3" .Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1" .Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1" .Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1" @@ -30,7 +30,8 @@ The .Nm .Xr sysctl 8 MIB is used to control system behaviour when connection requests -are received on SCTP, TCP, or UDP ports where there is no socket listening. +are received on SCTP, TCP, or UDP ports where there is no socket listening +or unexpected packets are received on listening sockets. .Pp The blackhole behaviour is useful to slow down an attacker who is port-scanning a system in an attempt to detect vulnerable services. @@ -61,6 +62,9 @@ is merely dropped, and no RST is sent, making the system appear as a blackhole. By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. +Setting the MIB value to three, any segment arriving on a closed port +or an unexpected segment on a listening port is dropped without sending a +RST in reply. This provides some degree of protection against stealth port scans. .Ss UDP Enabling blackhole behaviour turns off the sending diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 2894b6fcf658..a45eb3201f7e 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c 
@@ -911,23 +911,6 @@ findpcb: log(LOG_INFO, "%s; %s: Connection attempt " "to closed port\n", s, __func__); } - /* - * When blackholing do not respond with a RST but - * completely ignore the segment and drop it. - */ - if (((V_blackhole == 1 && (thflags & TH_SYN)) || - V_blackhole == 2) && (V_blackhole_local || ( -#ifdef INET6 - isipv6 ? !in6_localaddr(&ip6->ip6_src) : -#endif -#ifdef INET - !in_localip(ip->ip_src) -#else - true -#endif - ))) - goto dropunlock; - rstreason = BANDLIM_RST_CLOSEDPORT; goto dropwithreset; } @@ -1406,15 +1389,27 @@ tfo_socket_result: return (IPPROTO_DONE); dropwithreset: + /* + * When blackholing do not respond with a RST but + * completely ignore the segment and drop it. + */ + if (((rstreason == BANDLIM_RST_OPENPORT && V_blackhole == 3) || + (rstreason == BANDLIM_RST_CLOSEDPORT && + ((V_blackhole == 1 && (thflags & TH_SYN)) || V_blackhole > 1))) && + (V_blackhole_local || ( +#ifdef INET6 + isipv6 ? !in6_localaddr(&ip6->ip6_src) : +#endif +#ifdef INET + !in_localip(ip->ip_src) +#else + true +#endif + ))) + goto dropunlock; TCP_PROBE5(receive, NULL, tp, m, tp, th); - - if (inp != NULL) { - tcp_dropwithreset(m, th, tp, tlen, rstreason); - INP_UNLOCK(inp); - } else - tcp_dropwithreset(m, th, NULL, tlen, rstreason); + tcp_dropwithreset(m, th, tp, tlen, rstreason); m = NULL; /* mbuf chain got consumed. */ - goto drop; dropunlock: if (m != NULL)
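Review bot: in the blackhole.4 hunk at @@ -61, the added sentence "Setting the MIB value to three, any segment arriving on a closed port or an unexpected segment on a listening port is dropped without sending a RST in reply." has a dangling participle; rewording it as "When the MIB value is set to three, any segment arriving on a closed port, or an unexpected segment arriving on a listening port, is dropped without a RST being sent in reply." reads cleanly and matches the form of the value-two sentence just above it. The same hunk leaves value two described only in terms of closed ports, while the commit message says value two now also suppresses the RST for segments received on an existing closed socket and for a port mismatch under UDP encapsulation; a sentence covering those two cases belongs in this hunk so the manual page stays in step with the behaviour.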
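Review bot: in the tcp_input.c hunk at @@ -911, with the blackhole test removed the closed-port path now depends entirely on the assignment `rstreason = BANDLIM_RST_CLOSEDPORT;` being matched by the check at dropwithreset, and nothing at this site says so; a one-line comment pointing at dropwithreset would stop the next reader from concluding that blackholing was silently dropped from the closed-port case. It is also worth a sentence in the commit message that the removed test was `V_blackhole == 2` whereas the replacement matches on `V_blackhole > 1`, which is what makes every other site that sets BANDLIM_RST_CLOSEDPORT (the closed-socket and UDP-encapsulation cases the message lists) pick up the new value-two behaviour.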
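Review bot: in the tcp_input.c hunk at @@ -1406, the moved condition evaluates `thflags`, `isipv6`, `ip` and `ip6` at the dropwithreset label, which is reached by goto from much later in the function than the original site after findpcb, so it should be confirmed that none of those variables is reassigned on any path before a jump here; the comment should also state that only BANDLIM_RST_OPENPORT and BANDLIM_RST_CLOSEDPORT are subject to blackholing, since a segment reaching this label with any other rstreason still gets a RST regardless of the sysctl. Collapsing the two calls into `tcp_dropwithreset(m, th, tp, tlen, rstreason);` assumes tp is NULL whenever inp is NULL on every path into this label, and with `goto drop` gone the code now falls through into dropunlock, so the preceding `m = NULL;` is what keeps the consumed mbuf from being freed a second time; both assumptions deserve a comment. Finally, blackholed segments now leave before `TCP_PROBE5(receive, NULL, tp, m, tp, th);`, so the DTrace receive probe never fires for them; that matches the removed closed-port path but is worth noting in the commit message for anyone tracing dropped segments.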
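To make the decision table of the four net.inet.tcp.blackhole values visible outside the kernel, the following stand-alone model is added here as an example; it is not part of the commit or of tcp_input.c. It mirrors the condition the patch places at dropwithreset, but the rst_reason enumeration, the src_is_local flag and the blackhole_drop() function are constructed stand-ins for the kernel's BANDLIM_* reasons, in_localip()/in6_localaddr() tests and inline check.

```c
#include <stdbool.h>
#include <stdio.h>

/* TCP header flag bit for SYN, same value as the kernel's TH_SYN. */
#define TH_SYN 0x02

/*
 * Stand-ins for the RST reasons the patch distinguishes at dropwithreset.
 * Constructed for this model; they are not the kernel's BANDLIM_* values.
 */
enum rst_reason {
	RST_OPENPORT,	/* unexpected segment on a listening socket */
	RST_CLOSEDPORT,	/* segment to a port with no matching socket */
	RST_OTHER	/* any other reason for sending a RST */
};

/*
 * Decide whether a segment that would normally be answered with a RST is
 * instead silently dropped.  This mirrors the condition the patch adds at
 * the dropwithreset label:
 *   blackhole == 1  drops SYNs to closed ports only
 *   blackhole >= 2  drops any segment to a closed port
 *   blackhole == 3  additionally drops unexpected segments on open ports
 * Segments from local sources are only blackholed when blackhole_local
 * is set (src_is_local stands in for the kernel's local-address tests).
 */
static bool
blackhole_drop(int blackhole, bool blackhole_local, enum rst_reason reason,
    unsigned int thflags, bool src_is_local)
{
	bool reason_matches;

	switch (reason) {
	case RST_OPENPORT:
		reason_matches = (blackhole == 3);
		break;
	case RST_CLOSEDPORT:
		reason_matches = (blackhole == 1 && (thflags & TH_SYN) != 0) ||
		    blackhole > 1;
		break;
	default:
		/* Other RST reasons are never blackholed by this check. */
		reason_matches = false;
		break;
	}
	return (reason_matches && (blackhole_local || !src_is_local));
}

/* Print the drop decision for every sysctl value and a few segment kinds. */
int
main(void)
{
	const struct {
		const char *name;
		enum rst_reason reason;
		unsigned int thflags;
		bool local;
	} cases[] = {	/* constructed sample segments */
		{ "SYN to closed port, remote source", RST_CLOSEDPORT, TH_SYN, false },
		{ "ACK to closed port, remote source", RST_CLOSEDPORT, 0x10, false },
		{ "bad segment on open port, remote", RST_OPENPORT, 0x10, false },
		{ "bad segment on open port, local", RST_OPENPORT, 0x10, true },
	};
	size_t i;
	int v;

	for (v = 0; v <= 3; v++) {
		printf("net.inet.tcp.blackhole=%d (blackhole_local=0)\n", v);
		for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
			printf("  %-36s -> %s\n", cases[i].name,
			    blackhole_drop(v, false, cases[i].reason,
			    cases[i].thflags, cases[i].local) ? "drop" : "RST");
	}
	return (0);
}
```

Running the model prints one block per sysctl value; the rows show that value 1 only hides closed ports from SYN probes, value 2 hides them from any segment, value 3 also stops the RST that an unexpected segment on a listening port would otherwise draw, and that a local source is still answered unless blackhole_local is enabled.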