Date: Mon, 22 Jan 2024 12:52:51 GMT
Message-Id: <202401221252.40MCqpf6047526@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 54c62e3e5d8c - main - pf: work around icmp6 packet-too-big not being sent when binat-ing
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 54c62e3e5d8cd90c5571a1d4c8c5f062d580480e

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=54c62e3e5d8cd90c5571a1d4c8c5f062d580480e

commit 54c62e3e5d8cd90c5571a1d4c8c5f062d580480e
Author:     Kristof Provost
AuthorDate: 2024-01-17 17:11:27 +0000
Commit:     Kristof Provost
CommitDate: 2024-01-22 11:52:14 +0000

    pf: work around icmp6 packet-too-big not being sent when binat-ing

    If we're applying NPTv6 we pass a packet with a modified source and/or
    destination address to the network stack. If that packet then turns out
    to be larger than the MTU of the sending interface the stack will
    attempt to generate an icmp6 packet-too-big error, but may fail to look
    up the appropriate source address for that error message.

    Even if it does, pf would still have to undo the binat operation inside
    the icmp6 packet so the sending host can make sense of the error.

    We can avoid both problems entirely by having pf also perform the MTU
    check (taking the potential refragmentation into account), and
    generating the icmp6 error directly in pf.
See also: https://redmine.pfsense.org/issues/14290 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D43499 --- sys/net/pfvar.h | 1 + sys/netpfil/pf/pf.c | 12 ++++++++++++ sys/netpfil/pf/pf_norm.c | 15 +++++++++++++++ 3 files changed, 28 insertions(+) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index f0742c99a4a8..ff3370bc105e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -2297,6 +2297,7 @@ int pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, u_short *, void pf_poolmask(struct pf_addr *, struct pf_addr*, struct pf_addr *, struct pf_addr *, sa_family_t); void pf_addr_inc(struct pf_addr *, sa_family_t); +int pf_max_frag_size(struct mbuf *); int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool); #endif /* INET6 */ diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 9bd9828a99d9..38a5a45d7991 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8510,6 +8510,18 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb return (PF_PASS); } + /* + * If we end up changing IP addresses (e.g. binat) the stack may get + * confused and fail to send the icmp6 packet too big error. Just send + * it here, before we do any NAT. + */ + if (dir == PF_OUT && IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { + PF_RULES_RUNLOCK(); + *m0 = NULL; + icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); + return (PF_DROP); + } + memset(&pd, 0, sizeof(pd)); TAILQ_INIT(&pd.sctp_multihome_jobs); if (default_actions != NULL) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index f5d1a66f6467..295377bef3e8 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c 
@@ -939,6 +939,21 @@ fail: #endif /* INET6 */ #ifdef INET6 +int +pf_max_frag_size(struct mbuf *m) +{ + struct m_tag *tag; + struct pf_fragment_tag *ftag; + + tag = m_tag_find(m, PACKET_TAG_PF_REASSEMBLED, NULL); + if (tag == NULL) + return (m->m_pkthdr.len); + + ftag = (struct pf_fragment_tag *)(tag + 1); + + return (ftag->ft_maxlen); +} + int pf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag, bool forward)
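Review bot: the new `int pf_max_frag_size(struct mbuf *);` prototype in the `#ifdef INET6` block of pfvar.h has no comment on what it returns, although its single caller in pf_test6 depends on the difference between the reassembled-fragment maximum and the plain packet length. A one-line comment above the prototype, along the lines of `/* On-wire size of the packet after any refragmentation; m_pkthdr.len when not reassembled. */`, would record the contract next to the declaration, which is where the rest of pf's exported normalisation helpers (pf_normalize_ip6, pf_refragment6) are read from.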
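Review bot: the new packet-too-big check in pf_test6 is keyed only on `dir == PF_OUT && IN6_LINKMTU(ifp) < pf_max_frag_size(m)`, with no test for whether the packet is forwarded or matched by a binat/NPTv6 rule, and it runs before `memset(&pd, ...)` and before any rule lookup. Every oversized outbound IPv6 packet therefore now gets an `icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp))` from pf and a `PF_DROP`, not just the binat case the commit message motivates, and because the return happens before the rule pass the drop is not attributed to any rule. Either state in the block comment that this wider behaviour is intended, or narrow the condition to the NAT case. The lock handling looks right: `PF_RULES_RUNLOCK()` is taken before icmp6_error() consumes the mbuf, and `*m0 = NULL` tells the caller not to free it again.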
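Review bot: pf_max_frag_size() in pf_norm.c returns `ftag->ft_maxlen` for a packet carrying `PACKET_TAG_PF_REASSEMBLED` and `m->m_pkthdr.len` otherwise, but carries no comment on why ft_maxlen is the right value to compare against the link MTU. The commit message gives the reason ("taking the potential refragmentation into account"): a reassembled packet is not sent at m_pkthdr.len, it is re-emitted as fragments no larger than the largest one seen, so that is the size that must fit the outgoing link. Put that sentence above the function, and note that the `ftag = (struct pf_fragment_tag *)(tag + 1);` cast assumes the pf_fragment_tag payload is laid out directly after the m_tag header, the same layout the existing pf_refragment6() path relies on.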