From nobody Tue Aug 13 11:16:55 2024
Date: Tue, 13 Aug 2024 11:16:55 GMT
Message-Id: <202408131116.47DBGtJ4008376@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 82e021443a76 - main - pf: cope with SCTP port re-use
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 82e021443a76b1f210cfb929a495185179606868
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=82e021443a76b1f210cfb929a495185179606868

commit 82e021443a76b1f210cfb929a495185179606868
Author:     Kristof Provost
AuthorDate: 2024-08-12 16:18:36 +0000
Commit:     Kristof Provost
CommitDate: 2024-08-13 11:16:12 +0000

    pf: cope with SCTP port re-use

    Some SCTP implementations will abort connections and then later re-use the
    same port numbers (i.e. both src and dst) for a new connection, before pf
    has fully purged the old connection.

    Apply the same hack we already have for similarly misbehaving TCP
    implementations and forcibly remove the old state so we can create a new
    one.

    MFC after:	2 weeks
    Sponsored by:	Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c          |  9 +++++++
 tests/sys/netpfil/pf/sctp.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 62d604260713..0a6f6b4d2c10 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6139,6 +6139,15 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, psrc = PF_PEER_DST; } + if ((src->state >= SCTP_SHUTDOWN_SENT || src->state == SCTP_CLOSED) && + (dst->state >= SCTP_SHUTDOWN_SENT || dst->state == SCTP_CLOSED) && + pd->sctp_flags & PFDESC_SCTP_INIT) { + pf_set_protostate(*state, PF_PEER_BOTH, SCTP_CLOSED); + pf_unlink_state(*state); + *state = NULL; + return (PF_DROP); + } + /* Track state. */ if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) { diff --git a/tests/sys/netpfil/pf/sctp.sh b/tests/sys/netpfil/pf/sctp.sh index d07d1122048b..95a780747d82 100644 --- a/tests/sys/netpfil/pf/sctp.sh +++ b/tests/sys/netpfil/pf/sctp.sh @@ -181,6 +181,64 @@ basic_v6_cleanup() pft_cleanup } +atf_test_case "reuse" "cleanup" +reuse_head() +{ + atf_set descr 'Test handling dumb clients that reuse source ports' + atf_set require.user root +} + +reuse_body() +{ + sctp_init + + j="sctp:reuse" + epair=$(vnet_mkepair) + + vnet_mkjail ${j}a ${epair}a + vnet_mkjail ${j}b ${epair}b + + jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up + jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec ${j}a ping -c 1 192.0.2.2 + + jexec ${j}a pfctl -e + pft_set_rules ${j}a \ + "block" \ + "pass in proto sctp to port 1234" + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + + # Now do the same thing again, with the same port numbers + jexec ${j}a pfctl -ss -v + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + jexec ${j}a pfctl -ss -v +} + +reuse_cleanup() +{ + pft_cleanup +} + atf_test_case "abort_v4" "cleanup" abort_v4_head() { 
@@ -691,6 +749,7 @@ atf_init_test_cases() { atf_add_test_case "basic_v4" atf_add_test_case "basic_v6" + atf_add_test_case "reuse" atf_add_test_case "abort_v4" atf_add_test_case "abort_v6" atf_add_test_case "nat_v4"
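Review bot: The new early-return block in pf_test_state_sctp() (the pf.c hunk) carries no comment explaining why a state is unlinked here, although the commit message gives the rationale (a peer re-using both port numbers before pf has purged the old association, mirroring the existing TCP hack); a short comment above the `if` would save the next reader a trip to the git log. Two smaller points on the same condition: wrapping `pd->sctp_flags & PFDESC_SCTP_INIT` in parentheses inside the `&&` chain would make the precedence explicit and match the standalone `if (pd->sctp_flags & PFDESC_SCTP_INIT)` test a few lines below, and the comment should note that the INIT which triggers the purge is itself dropped (`return (PF_DROP)` after `pf_unlink_state()`), so the new association only gets a state on the peer's retransmitted INIT.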
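Review bot: In reuse_body() (the first sctp.sh hunk) the two `jexec ${j}a pfctl -ss -v` calls only print the state table and nothing asserts on their output, so the test passes or fails solely on whether the second `nc` connect with the re-used source port returns "foo"; an `atf_check -o match:` on the state listing would make the intent of the test visible. Both failure paths also use the identical message `atf_fail "SCTP connection failed"`, so a failure cannot be attributed to the first or the second attempt; give the second one a distinct message such as "SCTP connection with re-used ports failed". Finally, the two backgrounded `nc --sctp -N -l 1234` servers are never waited on or killed in reuse_body() and the `sleep 1` is a fixed delay, so a slow host can race the client start; an explicit `wait` after each client run would tighten this.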