Date: Tue, 27 Aug 2024 09:53:38 -0400
From: Mark Johnston
To: Shawn Webb
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 417b35a97b76 - main - netinet: Add a sysctl to allow disabling connections to INADDR_ANY
References: <202408202134.47KLYdPH055386@gitrepo.freebsd.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On Wed, Aug 21, 2024 at 12:59:18AM +0000, Shawn Webb wrote:
> Hey Mark,
>
> When I set the net.inet.ip.connect_inaddr_wild sysctl node to 0 and
> try running `nc -vv 0.0.0.0 22` (this VM has sshd
enabled), the > below-linked KASSERT fires: > > https://cgit.freebsd.org/src/tree/sys/netinet/in_pcb.c#n2304 > > No KASSERT is tripped on the IPv6 code path--that works fine. Only > IPv4 is impacted. I had tested this when I wrote the patch, and just tried again now. I haven't been able to trigger the panic: root@freebsd:~ # nc -4 -vv 0.0.0.0 22 nc: connect to 0.0.0.0 port 22 (tcp) failed: Network is unreachable I believe the error is coming from in_pcbladdr(). But, I can bypass that by rerunning the test in a classic jail with ip4.saddrsel=0. So, it seems it's best to explicitly catch that case and return an error: https://reviews.freebsd.org/D46454 > -- > Shawn Webb > Cofounder / Security Engineer > HardenedBSD > > Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 > https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc > > On Tue, Aug 20, 2024 at 09:34:39PM UTC, Mark Johnston wrote: > > The branch main has been updated by markj: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=417b35a97b7669eb0bf417b43e97cccbedbce6f9 > > > > commit 417b35a97b7669eb0bf417b43e97cccbedbce6f9 > > Author: Mark Johnston > > AuthorDate: 2024-08-20 21:31:57 +0000 > > Commit: Mark Johnston > > CommitDate: 2024-08-20 21:31:57 +0000 > > > > netinet: Add a sysctl to allow disabling connections to INADDR_ANY > > > > See the discussion in Bugzilla PR 280705 for context. > > > > PR: 280705 > > MFC after: 1 week > > Differential Revision: https://reviews.freebsd.org/D46259 > > --- > > sys/netinet/in_pcb.c | 8 +++++++- > > sys/netinet6/in6_pcb.c | 12 +++++++++++- > > 2 files changed, 18 insertions(+), 2 deletions(-) > > > > diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c > > index 1a341d421f31..3fc90f1e12c2 100644 > > --- a/sys/netinet/in_pcb.c > > +++ b/sys/netinet/in_pcb.c 
> > @@ -234,6 +234,12 @@ in_pcbhashseed_init(void) > > VNET_SYSINIT(in_pcbhashseed_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, > > in_pcbhashseed_init, 0); > > > > +VNET_DEFINE_STATIC(int, connect_inaddr_wild) = 1; > > +#define V_connect_inaddr_wild VNET(connect_inaddr_wild) > > +SYSCTL_INT(_net_inet_ip, OID_AUTO, connect_inaddr_wild, > > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_inaddr_wild), 0, > > + "Allow connecting to INADDR_ANY or INADDR_BROADCAST for connect(2)"); > > + > > static void in_pcbremhash(struct inpcb *); > > > > /* > > @@ -1309,7 +1315,7 @@ in_pcbconnect_setup(struct inpcb *inp, struct sockaddr_in *sin, > > inp->inp_flowtype = hash_type; > > } > > #endif > > - if (!CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > > + if (V_connect_inaddr_wild && !CK_STAILQ_EMPTY(&V_in_ifaddrhead)) { > > /* > > * If the destination address is INADDR_ANY, > > * use the primary local address. > > diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c > > index e6ec0f24c898..098b4e50483c 100644 > > --- a/sys/netinet6/in6_pcb.c > > +++ b/sys/netinet6/in6_pcb.c > > @@ -83,6 +83,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -97,6 +98,7 @@ > > #include > > #include > > #include > > +#include > > > > #include > > #include > > @@ -112,6 +114,14 @@ > > #include > > #include > > > > +SYSCTL_DECL(_net_inet6); > > +SYSCTL_DECL(_net_inet6_ip6); > > +VNET_DEFINE_STATIC(int, connect_in6addr_wild) = 1; > > +#define V_connect_in6addr_wild VNET(connect_in6addr_wild) > > +SYSCTL_INT(_net_inet6_ip6, OID_AUTO, connect_in6addr_wild, > > + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(connect_in6addr_wild), 0, > > + "Allow connecting to the unspecified address for connect(2)"); > > + > > int > > in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct ucred *cred) > > { 
> > @@ -351,7 +361,7 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, > > if ((error = sa6_embedscope(sin6, V_ip6_use_defzone)) != 0) > > return(error); > > > > - if (!CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > > + if (V_connect_in6addr_wild && !CK_STAILQ_EMPTY(&V_in6_ifaddrhead)) { > > /* > > * If the destination address is UNSPECIFIED addr, > > * use the loopback addr, e.g ::1. > >
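Review bot: The description string of the new SYSCTL_INT in the first in_pcb.c hunk (@@ -234,6 +234,12 @@) promises control over connects to "INADDR_ANY or INADDR_BROADCAST", but the only code the variable visibly guards is the INADDR_ANY substitution in the @@ -1309 hunk ("If the destination address is INADDR_ANY, use the primary local address"). Either confirm that the broadcast rewrite sits inside the same guarded block or narrow the string to what the flag actually gates. Separately, the diffstat lists only in_pcb.c and in6_pcb.c, so no manual page learns about net.inet.ip.connect_inaddr_wild; inet(4), where the net.inet.ip MIB variables are described, should get an entry in the same commit.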
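Review bot: With V_connect_inaddr_wild cleared, the rewritten condition in the in_pcbconnect_setup hunk (@@ -1309,7 +1315,7 @@) merely skips the block, so a destination of INADDR_ANY is neither rewritten nor rejected and travels further down the connect path as a wildcard foreign address. This thread shows where that ends: the reporter hit a KASSERT in in_pcb.c with `nc -vv 0.0.0.0 22` after setting the sysctl to 0, Mark reproduced it in a jail with ip4.saddrsel=0, and the follow-up D46454 is described as explicitly catching the case and returning an error. That rejection belongs in this hunk rather than in a later fix: an assertion reachable from an unprivileged connect(2) is a local denial of service on an INVARIANTS kernel, and passing the wildcard address through silently is precisely what the knob exists to forbid. An else branch here that returns an error (EADDRNOTAVAIL, for instance) keeps the policy decision and its enforcement in one place.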
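Review bot: The second knob defined in the in6_pcb.c hunk at @@ -112,6 +114,14 @@, net.inet6.ip6.connect_in6addr_wild, is independent of net.inet.ip.connect_inaddr_wild from in_pcb.c, yet neither the commit message nor either description string says that both must be set to 0 to disable wildcard-destination connects for both families; an administrator who only flips the IPv4 one leaves :: reachable. Say so in the commit message and in the manual pages that document the two MIB trees (inet(4) and inet6(4)), or have each description string name its counterpart. Minor: the two added SYSCTL_DECL lines declare _net_inet6 and _net_inet6_ip6 locally; if a netinet6 header already carries those declarations, include that header instead of redeclaring.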
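Review bot: The same fall-through question applies to the in6_pcbladdr hunk (@@ -351,7 +361,7 @@): once V_connect_in6addr_wild is 0 the unspecified destination is no longer replaced by ::1, and nothing in the hunk rejects it instead. The reporter saw no assertion on the IPv6 path, so some later check evidently catches it, but that check lies outside this diff and its behaviour is not obvious from the change. Returning an explicit error here would make the IPv6 outcome self-evident and keep it aligned with whatever the IPv4 side settles on in D46454.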