Date: Wed, 12 Jun 2024 21:33:44 GMT
Message-Id: <202406122133.45CLXicU040934@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 07ed2396985f - main - pf: make TCP sequence number tracking less strict by one octet for FIN packets
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 07ed2396985f211a1f9c2f84da99f955650df696
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=07ed2396985f211a1f9c2f84da99f955650df696

commit 07ed2396985f211a1f9c2f84da99f955650df696
Author:     Kristof Provost
AuthorDate: 2024-06-12 18:05:22 +0000
Commit:     Kristof Provost
CommitDate: 2024-06-12 21:33:11 +0000

    pf: make TCP sequence number tracking less strict by one octet for FIN packets

    The data of a TCP packet must fit into the announced window, but this is
    not required for the sequence number of the FIN. A packet with the FIN
    bit set and containing data that fits exactly into the announced window
    was blocked. Our stack generates such packets when the receive buffer
    size is set to 1024. Now pf uses only the data length for window
    comparison.

    OK henning@

    Obtained From: OpenBSD
    Sponsored by:  Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c635251c3490..edb95d7ef0ec 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5246,7 +5246,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, struct tcphdr *th = &pd->hdr.tcp; struct pf_state_peer *src, *dst; u_int16_t win = ntohs(th->th_win); - u_int32_t ack, end, seq, orig_seq; + u_int32_t ack, end, data_end, seq, orig_seq; u_int8_t sws, dws, psrc, pdst; int ackskew; @@ -5323,6 +5323,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, } } } + data_end = end; if (th->th_flags & TH_FIN) end++; @@ -5353,6 +5354,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, end = seq + pd->p_len; if (th->th_flags & TH_SYN) end++; + data_end = end; if (th->th_flags & TH_FIN) end++; } @@ -5374,7 +5376,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, if (seq == end) { /* Ease sequencing restrictions on no data packets */ seq = src->seqlo; - end = seq; + data_end = end = seq; } ackskew = dst->seqlo - ack; @@ -5397,7 +5399,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, } #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ - if (SEQ_GEQ(src->seqhi, end) && + if (SEQ_GEQ(src->seqhi, data_end) && /* Last octet inside other's window space */ SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && /* Retrans: not more than one window back */ @@ -5471,7 +5473,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, } else if ((dst->state < TCPS_SYN_SENT || dst->state >= TCPS_FIN_WAIT_2 || src->state >= TCPS_FIN_WAIT_2) && - SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && + SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end) && /* Within a window forward of the originating packet */ SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { /* Within a window backward of the originating packet */ 
@@ -5564,12 +5566,12 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); printf("pf: State failure on: %c %c %c %c | %c %c\n", - SEQ_GEQ(src->seqhi, end) ? ' ' : '1', + SEQ_GEQ(src->seqhi, data_end) ? ' ' : '1', SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? ' ': '2', (ackskew >= -MAXACKWINDOW) ? ' ' : '3', (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', - SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', + SEQ_GEQ(src->seqhi + MAXACKWINDOW, data_end) ?' ' :'5', SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); } REASON_SET(reason, PFRES_BADSTATE);
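Review bot: the new data_end has no comment at its declaration (`u_int32_t ack, end, data_end, seq, orig_seq;`) or at either assignment, and the pair `data_end = end;` / `if (th->th_flags & TH_FIN) end++;` is now repeated verbatim in both branches of the if/else touched by the @@ -5323 and @@ -5353 hunks. Add a short comment where it is declared, for example `/* data_end: end without the FIN's sequence number */`, so the next reader knows that end is the bound the FIN consumes and data_end the bound the window check uses; and if nothing between the two assignments needs end with the FIN already counted, hoist the pair below the if/else to remove the duplication.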
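Review bot: the comment `/* Last octet inside other's window space */` beside `SEQ_GEQ(src->seqhi, data_end)` in the @@ -5397 hunk is now imprecise, because data_end deliberately leaves out the FIN's sequence number; change it to `/* Last data octet inside other's window space */`. The MAXACKWINDOW check in the @@ -5471 hunk moves to data_end in the same way, while the lower-bound checks on seq and every other use of end are left alone. That asymmetry is the point of the change and is right, since the FIN does consume a sequence number and whatever advances seqlo after a passing check must keep using end, not data_end; a sentence saying so in a comment next to the check would stop a later cleanup from "fixing" one side to match the other.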
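Review bot: in the @@ -5374 hunk `data_end = end = seq;` is correct, but the branch comment "Ease sequencing restrictions on no data packets" deserves a note that a FIN carrying no payload does not take this path (for it end == seq + 1, so seq == end is false) and is instead admitted by the relaxed data_end comparison below. In the debug printf hunk the failure codes '1' and '5' now test data_end; consider adding data_end alongside end to the surrounding debug output, otherwise a rejected FIN segment cannot be diagnosed against seqhi from the log alone.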
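The commit message describes the one comparison that changes: before the patch the FIN's own sequence number had to fit inside the announced window, after it only the payload does. The following is an added stand-alone model of that check, not code from FreeBSD or pf: the struct names `peer` and `segment`, the helper names, and the simplification that `seqhi` is just `seqlo` plus the announced window are all assumptions made here (pf derives seqhi from the peer's ACK and window), and the sequence numbers are constructed values. It reproduces the scenario from the commit message, a 1024-octet payload plus FIN against a 1024-octet window, and also shows that a payload one octet too long is still rejected by the relaxed check.

```c
/*
 * Added example, not part of the FreeBSD commit or of pf: a stand-alone model
 * of the upper-bound window check that the patch changes, showing why a FIN
 * whose payload exactly fills the announced window was blocked before and
 * passes afterwards, while real data past the window is still blocked.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Same modular comparison pf uses (as in <netinet/tcp_seq.h>). */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Assumed stand-in for the per-direction state pf keeps in struct pf_state_peer. */
struct peer {
    uint32_t seqlo;   /* lowest sequence number still expected from this side */
    uint32_t seqhi;   /* one past the highest sequence number this side may send */
};

/* Assumed stand-in for the fields of pd/th that the check reads. */
struct segment {
    uint32_t seq;
    uint32_t len;     /* payload octets, pd->p_len in pf */
    uint8_t  flags;
};

/* Compute end and data_end the way the patched pf_tcp_track_full does. */
static void seg_bounds(const struct segment *s, uint32_t *end, uint32_t *data_end)
{
    uint32_t e = s->seq + s->len;
    if (s->flags & TH_SYN)
        e++;
    *data_end = e;          /* last data octet + 1, FIN not counted */
    if (s->flags & TH_FIN)
        e++;                /* the FIN consumes one sequence number */
    *end = e;
}

/* Upper-bound check before the patch: the FIN's sequence number must fit too. */
bool window_check_old(const struct peer *src, const struct segment *s)
{
    uint32_t end, data_end;
    seg_bounds(s, &end, &data_end);
    return SEQ_GEQ(src->seqhi, end);
}

/* Upper-bound check after the patch: only the data must fit. */
bool window_check_new(const struct peer *src, const struct segment *s)
{
    uint32_t end, data_end;
    seg_bounds(s, &end, &data_end);
    return SEQ_GEQ(src->seqhi, data_end);
}

/*
 * The scenario from the commit message: a 1024-octet window, and the sender's
 * final segment carries exactly 1024 octets plus FIN. Constructed values; the
 * base is placed just below 2^32 so the comparison is also exercised across
 * sequence-number wrap. Simplification: seqhi is taken as seqlo + window.
 */
bool fin_fills_window_case(bool patched)
{
    const uint32_t base = 0xFFFFFC00u;
    struct peer src = { .seqlo = base, .seqhi = base + 1024 };
    struct segment fin = { .seq = base, .len = 1024, .flags = TH_FIN };
    return patched ? window_check_new(&src, &fin) : window_check_old(&src, &fin);
}

/* One octet of real data beyond the window must still be blocked after the patch. */
bool data_overflow_case(void)
{
    struct peer src = { .seqlo = 1000, .seqhi = 2024 };
    struct segment s = { .seq = 1000, .len = 1025, .flags = TH_FIN };
    return window_check_new(&src, &s);
}

int main(void)
{
    printf("1024 octets + FIN in 1024 window, old check: %s\n",
        fin_fills_window_case(false) ? "pass" : "blocked");
    printf("1024 octets + FIN in 1024 window, new check: %s\n",
        fin_fills_window_case(true) ? "pass" : "blocked");
    printf("1025 octets + FIN in 1024 window, new check: %s\n",
        data_overflow_case() ? "pass" : "blocked");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the first line reports "blocked", the other two "pass" and "blocked" respectively. The model deliberately omits the lower-bound, ACK-skew and seqlo/seqhi update logic of pf_tcp_track_full, so it should be read only as an illustration of the single comparison the patch relaxes.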