From nobody Thu Sep 14 08:40:37 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RmW4547X0z4sswn; Thu, 14 Sep 2023 08:40:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RmW453j48z4MHj; Thu, 14 Sep 2023 08:40:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694680837; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=F/OmM5QsPHqt0ySDL0uL/6o7lA+HBJwJ/cMFIW8qhLQ=; b=s/ur37FYP2Lrj9vt2gzYR5wENc/4xYN8zUdiRExHdHAMX9QDFjCJhlemBtbxQsTaNTfn0+ SiCGEhf5/xCOGOfa0za1lE7lYyeLNM/Ss7C+WwD8/0a0cEi918HqOTURRoX3U/i0b9bff2 +Cm303ca3kF4lH/WldLVECIyRxCiXerKdGwKdWNl+xhWrmbB2nLLFg7f7AmhgPRb2bgYKU SEGgI8Zi0Xi/bSA0R/6PWGJulTLN/lDc+XXUuBh4u81OBDSIZpkPf7vI9vCqZ2pMsaCXbf sb3+Z43s7o6zU1B2wFZxRvJvf0KFUNK/CBtAZXVYP9w3fzMgqBVBPNPzuus1gQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1694680837; a=rsa-sha256; cv=none; b=O5W6wncbQAmA2NTQyfG84XwCVq8Syh8XX/MYHLOps9g95od0rZLK5tTADNSZY1bZsU57OH 15B+qjFJQZu/rxs/hwHReOPR+vJ+t3vOs9CBEXPriKDDgi69McLE+cviHGFiIr9mjkwVoF GRitJ3qE47vMKzn/v9n2Lif5Lv7LSZlbGxtCapl8TtH6ApbbWQJO++m2dUHJXTYg5Pu5JJ cuzZu0bvDQOIq5thch6b0RCJz7kxke2Mhk4dVn3egV7OP0T5N/s6Ui2QwlQn0ulU4228Gx yVuJW4HQs8QRjSVzyQXgm0kvvUpmTqOAUWbXsdIwC+chbf/wM1Hn2Nyn1dRp3w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1694680837; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=F/OmM5QsPHqt0ySDL0uL/6o7lA+HBJwJ/cMFIW8qhLQ=; b=ejsCYpdN/cxwPaw28qd468kDHt0N33nhGursH7+Q41d39WSTTxjtFkZhWFuZ7/oBK3WxXG uBCok+fyK3EFxN2WoSMFGjW4bBsuD+5gbPL3LUuEL1Jc09QAc303XSi0TRSbyFVDXxTmw+ 2/MTDs0zLUR6e3WHHOK0MsuQ6Qi6isVIuVuggXUNNOLI31nCSDwXeNRG8sgk5aOYNGAcWI IOFvMWfixEVTX9DzuvjQ/f/auURUgn4VOEBhROQXDowM1tHNuxmPygGWWbsKqXpHCgqGNA DEELA7gGUgwBUMZZfcf226dz0GmDfx28PmbezmN6qvtVTsaATGeUzJ4+rBfujg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RmW452pPKzqRg; Thu, 14 Sep 2023 08:40:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 38E8ebuQ052750; Thu, 14 Sep 2023 08:40:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 38E8ebUD052747; Thu, 14 Sep 2023 08:40:37 GMT (envelope-from git) Date: Thu, 14 Sep 2023 08:40:37 GMT Message-Id: <202309140840.38E8ebUD052747@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Andrey V. Elsukov" Subject: git: 0bf5377b6b96 - main - Avoid IPv6 source address selection on accepting TCP connections List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ae X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0bf5377b6b9642acc85355062b921a07604b7c04 Auto-Submitted: auto-generated The branch main has been updated by ae: URL: https://cgit.FreeBSD.org/src/commit/?id=0bf5377b6b9642acc85355062b921a07604b7c04 commit 0bf5377b6b9642acc85355062b921a07604b7c04 Author: Andrey V. Elsukov AuthorDate: 2023-09-14 08:39:06 +0000 Commit: Andrey V. Elsukov CommitDate: 2023-09-14 08:39:06 +0000 Avoid IPv6 source address selection on accepting TCP connections When an application listens IPv6 TCP socket, due to ipfw forwarding tag it may handle connections for addresses that do not belongs to the jail or even current host (transparent proxy). Syncache code can successfully handle TCP handshake for such connections. When syncache finally accepts connection it uses in6_pcbconnect() to properly initlize new connection info. For IPv4 this scenario just works, but for IPv6 it fails when local address doesn't belongs to the jail. This check occurs when in6_pcbladdr() applies IPv6 SAS algorithm. We need IPv6 SAS when we are connection initiator, but in the above case connection is already established and both source and destination addresses are known. Use unused argument to notify in6_pcbconnect() when we don't need source address selection. This will fix `ipfw fwd` to jailed IPv6 address. When we are connection initiator, we stil use IPv6 SAS algorithm and apply all related restrictions. MFC after: 1 month Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D41685 --- sys/netinet6/in6_pcb.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index bf81de78f992..5c4ef7570ddc 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -335,7 +335,7 @@ in6_pcbbind(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred) */ static int in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, - struct in6_addr *plocal_addr6) + struct in6_addr *plocal_addr6, bool sas_required) { int error = 0; int scope_ambiguous = 0; @@ -364,13 +364,25 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, if ((error = prison_remote_ip6(inp->inp_cred, &sin6->sin6_addr)) != 0) return (error); - error = in6_selectsrc_socket(sin6, inp->in6p_outputopts, - inp, inp->inp_cred, scope_ambiguous, &in6a, NULL); - if (error) - return (error); + if (sas_required) { + error = in6_selectsrc_socket(sin6, inp->in6p_outputopts, + inp, inp->inp_cred, scope_ambiguous, &in6a, NULL); + if (error) + return (error); + } else { + /* + * Source address selection isn't required when syncache + * has already established connection and both source and + * destination addresses was chosen. + * + * This also includes the case when fwd_tag was used to + * select source address in tcp_input(). + */ + in6a = inp->in6p_laddr; + } + if (IN6_IS_ADDR_UNSPECIFIED(&in6a)) return (EHOSTUNREACH); - /* * Do not update this earlier, in case we return with an error. * @@ -398,7 +410,7 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, */ int in6_pcbconnect(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred, - bool rehash __unused) + bool sas_required) { struct inpcbinfo *pcbinfo = inp->inp_pcbinfo; struct sockaddr_in6 laddr6; @@ -432,7 +444,8 @@ in6_pcbconnect(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred, * Call inner routine, to assign local interface address. * in6_pcbladdr() may automatically fill in sin6_scope_id. */ - if ((error = in6_pcbladdr(inp, sin6, &laddr6.sin6_addr)) != 0) + if ((error = in6_pcbladdr(inp, sin6, &laddr6.sin6_addr, + sas_required)) != 0) return (error); if (in6_pcblookup_hash_locked(pcbinfo, &sin6->sin6_addr,