From nobody Tue Oct 31 15:03:39 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SKYLN1rNFz4yTrq; Tue, 31 Oct 2023 15:03:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SKYLN19xrz3Sr6; Tue, 31 Oct 2023 15:03:40 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698764620; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AsXwsghuVZKwCub/3CQ/uZNJkRmNeo20+N6NLccQZGc=; b=G0lpaV+/ln+zxL4M7gWaY7y7QSvk7tnz23bz7wGwijvo0e0Fyj5um6Ixd4olALRN696D1a r3+QOUQa9HOE/gnA/+XKgzWx6ZSi8JlbbwLHE7HvqK9WCMup/GbHOVlHRA71iNKJbikpIM iRKYF7kvxFxB9MAqtyJQ/ooIoaxYaDE4kfPRZTkFUQw5S11Sv7uuHWD4cmAsnIAdzwSGWL hXbVzXaLE8cPfvCYd4bSp5bXTko4kn7pPmhEA9Gz45N5R+fU9q2IVe5tP9M9AncSrAnehR 9ihuuoi15G+tjy+KwxNw60yRlIMqpXdtfUwHI9J501LXT6kqAxiXcUU9CZx/jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698764620; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AsXwsghuVZKwCub/3CQ/uZNJkRmNeo20+N6NLccQZGc=; b=o1qkY26Wj+kHL9wVpGAxW/HEo4rZzYpys7K6EUHdHpkSaKDIXe7ULMy05FsddrgNgE7c++ 0JrufgHlB6SONFn8IZIWzUVCsPa62o+Cv8lgGwlGypFnkYTAGFpuGbkmUPGaqQa2ecjH+e vcy0TZqsbtI1Zr+/GJVA4qXr+ZdlT0Vrrd6QbNutRHjLFQPr5lJsWQGTgubSMACbmOB736 LDvJOwYW9+TumXB3Yhr1z1NCKFUzFM55UG0pjA5bHEETb2eLiS6xjKCTSic3H/SA0xHTdT XgodeL+1iwuajg4QXUOtbYnvAqqK1/ifwpbsb+ZJNpnbec5c7EEzneURFdyIyA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1698764620; a=rsa-sha256; cv=none; b=rnkh6jCweGrXRqnRZPZtXq6QFprYd822h9NnFc8sKaptZviIw1iCjTIfs7PiBtT0zk2fWk cyN72R1240VLM6CpnJvDj3vftazlHYKEUctOicjfT8b23qpixIiM5HZCqRDo3lu1alM67S Wkr5T5dICcwwSkDtLKxhy39OWGDZbLIHIbM0jrqK0tqT9J1FqGusnSXS8TPo+wIOS7jwHG 0cEimA3HhgHznHXwSLFbt9CPKqabzqP8qq6On5o5d85djlKTY4swVZPweSC/uu6e0c8ZGe yHdD28eXSXgKrOX23lRwhwlR+HSJ67YSFmyuzcTrbbOFkW9Ez/HwSvoQGXKQ/w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SKYLM6pzZz17GF; Tue, 31 Oct 2023 15:03:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39VF3d76048355; Tue, 31 Oct 2023 15:03:39 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39VF3dsg048352; Tue, 31 Oct 2023 15:03:39 GMT (envelope-from git) Date: Tue, 31 Oct 2023 15:03:39 GMT Message-Id: <202310311503.39VF3dsg048352@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: ca9dbde88122 - main - pf: support SCTP-specific timeouts List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: ca9dbde88122beb079b55fb4580b200f73044da6 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ca9dbde88122beb079b55fb4580b200f73044da6 commit ca9dbde88122beb079b55fb4580b200f73044da6 Author: Kristof Provost AuthorDate: 2023-10-27 14:45:07 +0000 Commit: Kristof Provost CommitDate: 2023-10-31 15:03:22 +0000 pf: support SCTP-specific timeouts Allow SCTP state timeouts to be configured independently from TCP state timeouts. Reviewed by: tuexen MFC after: 1 week Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D42393 --- sbin/pfctl/pfctl.c | 5 +++++ sbin/pfctl/pfctl_parser.c | 5 +++++ sbin/pfctl/tests/files/pf1002.in | 5 +++++ sbin/pfctl/tests/files/pf1002.ok | 5 +++++ share/man/man5/pf.conf.5 | 19 ++++++++++++++++++- sys/netpfil/pf/pf.c | 14 +++++++++----- sys/netpfil/pf/pf.h | 41 +++++++++++++++++++++++++++++++--------- sys/netpfil/pf/pf_ioctl.c | 5 +++++ 8 files changed, 84 insertions(+), 15 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 03b7f24ce60a..b752d87e63c6 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2272,6 +2272,11 @@ pfctl_init_options(struct pfctl *pf) pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; + pf->timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; + pf->timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL; + pf->timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; + pf->timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL; + pf->timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL; pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 925848055bba..0268d1b07c79 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -192,6 +192,11 @@ const struct pf_timeout pf_timeouts[] = { { "tcp.finwait", PFTM_TCP_FIN_WAIT }, { "tcp.closed", PFTM_TCP_CLOSED }, { "tcp.tsdiff", PFTM_TS_DIFF }, + { "sctp.first", PFTM_SCTP_FIRST_PACKET }, + { "sctp.opening", PFTM_SCTP_OPENING }, + { "sctp.established", PFTM_SCTP_ESTABLISHED }, + { "sctp.closing", PFTM_SCTP_CLOSING }, + { "sctp.closed", PFTM_SCTP_CLOSED }, { "udp.first", PFTM_UDP_FIRST_PACKET }, { "udp.single", PFTM_UDP_SINGLE }, { "udp.multiple", PFTM_UDP_MULTIPLE }, diff --git a/sbin/pfctl/tests/files/pf1002.in b/sbin/pfctl/tests/files/pf1002.in index 5180e8395f9c..3fdde81be7de 100644 --- a/sbin/pfctl/tests/files/pf1002.in +++ b/sbin/pfctl/tests/files/pf1002.in @@ -1 +1,6 @@ set timeout interval 10 +set timeout sctp.first 11 +set timeout sctp.opening 12 +set timeout sctp.established 13 +set timeout sctp.closing 14 +set timeout sctp.closed 15 diff --git a/sbin/pfctl/tests/files/pf1002.ok b/sbin/pfctl/tests/files/pf1002.ok index 5180e8395f9c..3fdde81be7de 100644 --- a/sbin/pfctl/tests/files/pf1002.ok +++ b/sbin/pfctl/tests/files/pf1002.ok @@ -1 +1,6 @@ set timeout interval 10 +set timeout sctp.first 11 +set timeout sctp.opening 12 +set timeout sctp.established 13 +set timeout sctp.closing 14 +set timeout sctp.closed 15 diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 349e6c9ee4eb..b241e5173ef0 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 17, 2023 +.Dd October 27, 2023 .Dt PF.CONF 5 .Os .Sh NAME @@ -283,6 +283,21 @@ can prevent blocking of such packets. The state after one endpoint sends an RST. .El .Pp +SCTP timeout are handled similar to TCP, but with its own set of states: +.Pp +.Bl -tag -width xxxx -compact +.It Ar sctp.first +The state after the first packet. +.It Ar sctp.opening +The state before the destination host ever sends a packet. +.It Ar sctp.established +The fully established state. +.It Ar sctp.closing +The state after the first SHUTDOWN chunk has been sent. +.It Ar sctp.closed +The state after SHUTDOWN_ACK has been exchanged and the connection is closed. +.El +.Pp ICMP and UDP are handled in a fashion similar to TCP, but with a much more limited set of states: .Pp @@ -3334,6 +3349,8 @@ fragmentation = [ "fragment reassemble" ] timeout-list = timeout [ [ "," ] timeout-list ] timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | "tcp.closing" | "tcp.finwait" | "tcp.closed" | + "sctp.first" | "sctp.opening" | "sctp.established" | + "sctp.closing" | "sctp.closed" | "udp.first" | "udp.single" | "udp.multiple" | "icmp.first" | "icmp.error" | "other.first" | "other.single" | "other.multiple" | diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ec3ac106f34d..4990dce653b1 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4906,7 +4906,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, case IPPROTO_SCTP: pf_set_protostate(s, PF_PEER_SRC, SCTP_COOKIE_WAIT); pf_set_protostate(s, PF_PEER_DST, SCTP_CLOSED); - s->timeout = PFTM_TCP_FIRST_PACKET; + s->timeout = PFTM_SCTP_FIRST_PACKET; break; case IPPROTO_ICMP: #ifdef INET6 @@ -5915,7 +5915,7 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) { pf_set_protostate(*state, psrc, SCTP_COOKIE_WAIT); - (*state)->timeout = PFTM_TCP_OPENING; + (*state)->timeout = PFTM_SCTP_OPENING; } } if (pd->sctp_flags & PFDESC_SCTP_INIT_ACK) { @@ -5927,16 +5927,20 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, if (pd->sctp_flags & PFDESC_SCTP_COOKIE) { if (src->state < SCTP_ESTABLISHED) { pf_set_protostate(*state, psrc, SCTP_ESTABLISHED); - (*state)->timeout = PFTM_TCP_ESTABLISHED; + (*state)->timeout = PFTM_SCTP_ESTABLISHED; } } if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | PFDESC_SCTP_ABORT | PFDESC_SCTP_SHUTDOWN_COMPLETE)) { if (src->state < SCTP_SHUTDOWN_PENDING) { pf_set_protostate(*state, psrc, SCTP_SHUTDOWN_PENDING); - (*state)->timeout = PFTM_TCP_CLOSING; + (*state)->timeout = PFTM_SCTP_CLOSING; } } + if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE)) { + pf_set_protostate(*state, psrc, SCTP_CLOSED); + (*state)->timeout = PFTM_SCTP_CLOSED; + } if (src->scrub != NULL) { if (src->scrub->pfss_v_tag == 0) { @@ -6216,7 +6220,7 @@ again: psrc = PF_PEER_DST; } pf_set_protostate(sm, psrc, SCTP_SHUTDOWN_PENDING); - sm->timeout = PFTM_TCP_CLOSING; + sm->timeout = PFTM_SCTP_CLOSING; PF_STATE_UNLOCK(sm); } break; diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index d83aa5e579bd..dd9796b59ce9 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h @@ -66,14 +66,37 @@ enum { PF_PEER_SRC, PF_PEER_DST, PF_PEER_BOTH }; * Note about PFTM_*: real indices into pf_rule.timeout[] come before * PFTM_MAX, special cases afterwards. See pf_state_expires(). */ -enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, - PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, - PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, - PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, - PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, - PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, - PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, - PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED }; +enum { + PFTM_TCP_FIRST_PACKET = 0, + PFTM_TCP_OPENING = 1, + PFTM_TCP_ESTABLISHED = 2, + PFTM_TCP_CLOSING = 3, + PFTM_TCP_FIN_WAIT = 4, + PFTM_TCP_CLOSED = 5, + PFTM_UDP_FIRST_PACKET = 6, + PFTM_UDP_SINGLE = 7, + PFTM_UDP_MULTIPLE = 8, + PFTM_ICMP_FIRST_PACKET = 9, + PFTM_ICMP_ERROR_REPLY = 10, + PFTM_OTHER_FIRST_PACKET = 11, + PFTM_OTHER_SINGLE = 12, + PFTM_OTHER_MULTIPLE = 13, + PFTM_FRAG = 14, + PFTM_INTERVAL = 15, + PFTM_ADAPTIVE_START = 16, + PFTM_ADAPTIVE_END = 17, + PFTM_SRC_NODE = 18, + PFTM_TS_DIFF = 19, + PFTM_OLD_MAX = 20, /* Legacy limit, for binary compatibility with old kernels. */ + PFTM_SCTP_FIRST_PACKET = 20, + PFTM_SCTP_OPENING = 21, + PFTM_SCTP_ESTABLISHED = 22, + PFTM_SCTP_CLOSING = 23, + PFTM_SCTP_CLOSED = 24, + PFTM_MAX = 25, + PFTM_PURGE = 26, + PFTM_UNLINKED = 27, +}; /* PFTM default values */ #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ @@ -497,7 +520,7 @@ struct pf_rule { pf_osfp_t os_fingerprint; int rtableid; - u_int32_t timeout[PFTM_MAX]; + u_int32_t timeout[PFTM_OLD_MAX]; u_int32_t max_states; u_int32_t max_src_nodes; u_int32_t max_src_states; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 851bf8ee5b63..65d4b45afd79 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -380,6 +380,11 @@ pfattach_vnet(void) my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; + my_timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; + my_timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL; + my_timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; + my_timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL; + my_timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL; my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;