From nobody Wed Aug 21 00:59:18 2024
Date: Wed, 21 Aug 2024 00:59:18 +0000
From: Shawn Webb
To: Mark Johnston
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 417b35a97b76 - main - netinet: Add a sysctl to allow disabling connections to INADDR_ANY
X-Operating-System: FreeBSD mutt-hbsd 15.0-CURRENT-HBSD FreeBSD 15.0-CURRENT-HBSD
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
References: <202408202134.47KLYdPH055386@gitrepo.freebsd.org>
In-Reply-To: <202408202134.47KLYdPH055386@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

Hey Mark,

When I set the net.inet.ip.connect_inaddr_wild sysctl node to 0 and try running `nc -vv 0.0.0.0 22` (this VM has sshd enabled), the below-linked KASSERT fires:

https://cgit.freebsd.org/src/tree/sys/netinet/in_pcb.c#n2304

No KASSERT is tripped on the IPv6 code path--that works fine. Only IPv4 is impacted.
Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

On Tue, Aug 20, 2024 at 09:34:39PM UTC, Mark Johnston wrote:
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=417b35a97b7669eb0bf417b43e97cccbedbce6f9
>
> commit 417b35a97b7669eb0bf417b43e97cccbedbce6f9
> Author: Mark Johnston
> AuthorDate: 2024-08-20 21:31:57 +0000
> Commit: Mark Johnston
> CommitDate: 2024-08-20 21:31:57 +0000
>
> netinet: Add a sysctl to allow disabling connections to INADDR_ANY
>
> See the discussion in Bugzilla PR 280705 for context.
>
> PR: 280705
> MFC after: 1 week
> Differential Revision: https://reviews.freebsd.org/D46259
> ---
> sys/netinet/in_pcb.c | 8 +++++++-
> sys/netinet6/in6_pcb.c | 12 +++++++++++-
> 2 files changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c > index 1a341d421f31..3fc90f1e12c2 100644 > --- a/sys/netinet/in_pcb.c > +++ b/sys/netinet/in_pcb.c > @@ -234,6 +234,12 @@ in_pcbhashseed_init(void) > VNET_SYSINIT(in_pcbhashseed_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, > in_pcbhashseed_init, 0); > =20 > +VNET_DEFINE_STATIC(int, connect_inaddr_wild) =3D 1; > +#define V_connect_inaddr_wild VNET(connect_inaddr_wild) > +SYSCTL_INT(_net_inet_ip, OID_AUTO, connect_inaddr_wild, > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_inaddr_wild), 0, > + "Allow connecting to INADDR_ANY or INADDR_BROADCAST for connect(2)"); > + > static void in_pcbremhash(struct inpcb *); > =20 > /* 
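Review bot: The description string on the SYSCTL_INT line of this hunk, `"Allow connecting to INADDR_ANY or INADDR_BROADCAST for connect(2)"`, promises more than the commit title and the only gated call site in this patch spell out: the in_pcbconnect_setup hunk later in the diff shows just the INADDR_ANY rewrite in its visible context, so either confirm that the same gated block also performs the INADDR_BROADCAST substitution (in which case the string is accurate) or trim the string to INADDR_ANY so the knob does not claim a behaviour the reader cannot find. Separately, the diffstat lists only the two .c files: a new CTLFLAG_RW knob under net.inet.ip should get an entry in the ip(4) man page giving its default of 1 and stating what connect(2) does with a 0.0.0.0 destination when it is set to 0.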
> @@ -1309,7 +1315,7 @@ in_pcbconnect_setup(struct inpcb *inp, struct socka= ddr_in *sin, > inp->inp_flowtype =3D hash_type; > } > #endif > - if (!CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > + if (V_connect_inaddr_wild && !CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > /* > * If the destination address is INADDR_ANY, > * use the primary local address. > diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c > index e6ec0f24c898..098b4e50483c 100644 > --- a/sys/netinet6/in6_pcb.c > +++ b/sys/netinet6/in6_pcb.c > @@ -83,6 +83,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -97,6 +98,7 @@ > #include > #include > #include > +#include > =20 > #include > #include > @@ -112,6 +114,14 @@ > #include > #include > =20 > +SYSCTL_DECL(_net_inet6); > +SYSCTL_DECL(_net_inet6_ip6); > +VNET_DEFINE_STATIC(int, connect_in6addr_wild) =3D 1; > +#define V_connect_in6addr_wild VNET(connect_in6addr_wild) > +SYSCTL_INT(_net_inet6_ip6, OID_AUTO, connect_in6addr_wild, > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_in6addr_wild), 0, > + "Allow connecting to the unspecified address for connect(2)"); > + > int > in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct ucred *= cred) > { 
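Review bot: In the in_pcbconnect_setup hunk (@@ -1309,7 +1315,7 @@), clearing V_connect_inaddr_wild only skips the rewrite of an INADDR_ANY destination to the primary local address; nothing in the hunk returns an error in that case, so the unrewritten 0.0.0.0 destination continues into the rest of connection setup, and the reporter above hits a KASSERT in in_pcb.c on exactly that path (`nc -vv 0.0.0.0 22` with the sysctl at 0). Suggest rejecting the connection explicitly, for example returning EADDRNOTAVAIL when the sysctl is 0 and the destination is INADDR_ANY, before the lookup that follows, so the policy produces a defined errno instead of relying on downstream code to cope with a wildcard foreign address.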
> @@ -351,7 +361,7 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *= sin6, > if ((error =3D sa6_embedscope(sin6, V_ip6_use_defzone)) !=3D 0) > return(error); > =20 > - if (!CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > + if (V_connect_in6addr_wild && !CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > /* > * If the destination address is UNSPECIFIED addr, > * use the loopback addr, e.g ::1. >=20 
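Review bot: The in6_pcbladdr hunk (@@ -351,7 +361,7 @@) has the same shape as the IPv4 one: when V_connect_in6addr_wild is 0 the unspecified destination is no longer replaced by ::1, but no error return is added, so what connect(2) reports in that case is whatever the later source-address and route selection happens to produce. The reporter sees no assertion on this path, yet the resulting errno is still undefined by the patch; suggest an explicit error here (EADDRNOTAVAIL fits, and the function already has a `return(error)` path a few lines up) and the mirror-image check in the IPv4 hunk, so both knobs share one documented failure mode.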
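The report above is a repro against a live FreeBSD VM. As an added example (not code from the commit, the e-mail or the FreeBSD tree), the C program below is a user-space probe for the behaviour the new knob controls: it starts a throwaway TCP listener on an ephemeral port, then calls connect(2) against 0.0.0.0 on that port, once with the listener up and once after closing it, and classifies the outcome. Under the long-standing behaviour (net.inet.ip.connect_inaddr_wild=1, and likewise on Linux) the kernel substitutes a local address, so the first connect succeeds and the second gets ECONNREFUSED; a kernel that refuses wildcard destinations at connect(2) time fails with some other errno such as EADDRNOTAVAIL, which the probe reports as rejected. The listener, the `wild_result` classification and the function names are this example's own constructions. Run it only on a disposable VM when the sysctl is set to 0, since the message above reports a KASSERT on the IPv4 path in that configuration.

```c
/*
 * Added example (not from the commit or the e-mail): a user-space probe for
 * what connect(2) does with a wildcard destination (0.0.0.0).  With the
 * long-standing behaviour (net.inet.ip.connect_inaddr_wild=1 on FreeBSD;
 * Linux rewrites unconditionally) the kernel substitutes a local address,
 * so the connect reaches a local listener.  A kernel that refuses wildcard
 * destinations fails connect(2) with an errno other than ECONNREFUSED.
 * The listener and every function name here are this example's own.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum wild_result {
    WILD_SETUP_FAILED = -1, /* could not create a socket */
    WILD_CONNECTED = 0,     /* wildcard was rewritten; a local listener answered */
    WILD_REFUSED = 1,       /* wildcard was rewritten, but nothing listened (ECONNREFUSED) */
    WILD_REJECTED = 2       /* connect(2) failed another way, e.g. EADDRNOTAVAIL */
};

/* TCP listener on INADDR_ANY with an ephemeral port (constructed for the probe). */
static int start_listener(uint16_t *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY); /* answer on whatever local address the kernel picks */
    sin.sin_port = 0;                        /* ephemeral port, read back with getsockname() */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return fd;
}

/* connect(2) to 0.0.0.0:port and classify the outcome; *err receives errno on failure. */
enum wild_result connect_wildcard(uint16_t port, int *err)
{
    struct sockaddr_in sin;
    enum wild_result r;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    *err = 0;
    if (fd < 0) {
        *err = errno;
        return WILD_SETUP_FAILED;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY); /* the 0.0.0.0 destination under test */
    sin.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0) {
        r = WILD_CONNECTED;
    } else {
        *err = errno;
        r = (*err == ECONNREFUSED) ? WILD_REFUSED : WILD_REJECTED;
    }
    close(fd);
    return r;
}

/*
 * Probe twice: with a listener on the port, then after it is closed.
 * Returns 1 if the kernel rewrote the wildcard (connected, then refused),
 * 0 if connect(2) did not behave that way (e.g. rejected 0.0.0.0 outright),
 * -1 if the probe could not run at all.
 */
int kernel_rewrites_wildcard(void)
{
    uint16_t port;
    int err1 = 0, err2 = 0;
    enum wild_result with_listener, without_listener;
    int lfd = start_listener(&port);

    if (lfd < 0)
        return -1;
    with_listener = connect_wildcard(port, &err1);
    close(lfd); /* port now closed: a rewritten destination is refused, not rejected */
    without_listener = connect_wildcard(port, &err2);
    if (with_listener == WILD_SETUP_FAILED || without_listener == WILD_SETUP_FAILED)
        return -1;
    return (with_listener == WILD_CONNECTED && without_listener == WILD_REFUSED) ? 1 : 0;
}

int main(void)
{
    int rc = kernel_rewrites_wildcard();

    if (rc < 0)
        perror("probe");
    else
        printf("connect(2) to 0.0.0.0 is %s by this kernel\n",
               rc ? "rewritten to a local address" : "not rewritten (rejected or failed)");
    return rc < 0;
}
```

The two-step probe matters: a bare "connect succeeded" could be explained by something else listening, whereas connected-then-ECONNREFUSED on the same port shows the kernel turned 0.0.0.0 into a reachable local address both times, which is exactly the substitution the `connect_inaddr_wild` knob turns off.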