Date: Mon, 19 Aug 2024 16:02:46 GMT
Message-Id: <202408191602.47JG2kBd047635@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 22a632c366a9 - main - pf: Make pf_test6 handle m_len < sizeof(struct ip6_hdr) case List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 22a632c366a98692d7114135241c10f154e52a76 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=22a632c366a98692d7114135241c10f154e52a76 commit 22a632c366a98692d7114135241c10f154e52a76 Author: Igor Ostapenko AuthorDate: 2024-08-16 14:49:06 +0000 Commit: Kristof Provost CommitDate: 2024-08-19 16:02:20 +0000 pf: Make pf_test6 handle m_len < sizeof(struct ip6_hdr) case Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46312 --- sys/netpfil/pf/pf.c | 8 ++++++ tests/sys/netpfil/pf/mbuf.sh | 61 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2bbd231b3ee9..9b1601ac0ee5 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8946,6 +8946,14 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb pd.af = AF_INET6; pd.act.rtableid = -1; + if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) && + (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { + DPFPRINTF(PF_DEBUG_URGENT, + ("pf_test6: m_len < sizeof(struct ip6_hdr)" + ", pullup failed\n")); + PF_RULES_RUNLOCK(); + return (PF_DROP); + } h = mtod(m, struct ip6_hdr *); off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 
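Review bot: the failure branch in the pf_test6 hunk drops the packet with only a DPFPRINTF(PF_DEBUG_URGENT, ...) message, so a failed pull-up leaves no trace unless debug logging is enabled; consider incrementing a pf status counter next to the `return (PF_DROP);` so operators can see how often short first mbufs are being dropped rather than having to turn on debugging to find out. The placement is otherwise right: the check sits before `h = mtod(m, struct ip6_hdr *);`, which reads the header out of the first mbuf, and because m_pullup frees the chain when it fails, the `m = *m0 = m_pullup(*m0, ...)` assignment correctly leaves *m0 NULL for the caller while the following `off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);` sees the new chain; one thing to verify is that nothing earlier in pf_test6 holds a pointer into the original first mbuf, since a successful pull-up may replace it. The commit message would also benefit from a sentence on what happened before this change when m_len < sizeof(struct ip6_hdr), as the one-line summary only names the case being handled.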
diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh index 082de08b0838..2dffa48ed2f5 100644 --- a/tests/sys/netpfil/pf/mbuf.sh +++ b/tests/sys/netpfil/pf/mbuf.sh 
@@ -91,7 +91,68 @@ inet_in_mbuf_len_cleanup() pft_cleanup } +atf_test_case "inet6_in_mbuf_len" "cleanup" +inet6_in_mbuf_len_head() +{ + atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ip6_hdr)' + atf_set require.user root +} +inet6_in_mbuf_len_body() +{ + pft_init + dummymbuf_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad + + # Set up a simple jail with one interface + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad + + # Sanity check + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 + + # Should be denied + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "block" \ + "pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" + atf_check -s not-exit:0 -o ignore ping -c1 -t1 2001:db8::2 + + # Should be allowed by from/to addresses + pft_set_rules alcatraz \ + "block" \ + "pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in inet6 from 2001:db8::1 to 2001:db8::2" + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 + + # Should still work for m_len=0 + jexec alcatraz pfilctl link -i dummymbuf:inet6 inet6 + jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 0;" + atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=1 + jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 1;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=39 + # provided IPv6 basic header is 40 bytes long, it should impact the dst addr + jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 39;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 
+ atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" +} +inet6_in_mbuf_len_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "inet_in_mbuf_len" + atf_add_test_case "inet6_in_mbuf_len" }
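Review bot: every assertion in the mbuf.sh hunk after the dummymbuf rules are linked checks only that the ping still succeeds, i.e. that the pulled-up header still matches `pass in inet6 from 2001:db8::1 to 2001:db8::2`; there is no negative case showing that a first mbuf shorter than the header cannot let a packet slip past `block`. Suggest repeating the m_len=39 step once more with the pass rule removed (or with a from address that does not match) and `atf_check -s not-exit:0 -o ignore ping -c1 -t1 2001:db8::2`, so the test also catches a regression where a split header is mis-parsed into a match. Two smaller points: the m_len=0 block asserts net.dummymbuf.hits is "0" before its ping while the later blocks reset it with `jexec alcatraz sysctl net.dummymbuf.hits=0`, and resetting uniformly before each ping would keep the blocks symmetrical; and the comment "provided IPv6 basic header is 40 bytes long, it should impact the dst addr" reads more clearly as "since the IPv6 basic header is 40 bytes long, this splits the dst addr across mbufs".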