From nobody Tue Oct 01 10:12:13 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XHtz13lmRz5XcRW; Tue, 01 Oct 2024 10:12:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XHtz11j47z4s6s; Tue, 1 Oct 2024 10:12:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727777533; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=or5LBrqkquC7Brc0v9CiaWD/4YUd25luUk2+TSRVKfc=; b=QMM4kiccNM+pjKyhwBOk680tNAjM5bxEPzz9wO9MAEtZ7Gp0sC7EJstgeEUKIIHuK3N4aE qEJf0B7GP5VFgokWWXHHpEOZAGCgT/ZMFfmyT4vXuC3ZXIvXKLuDILjkdHO1a/fRoU6sUL 3AWYcMeQiwI2aWPrhq75QzOGnU3CclcyHWr3bhjnJSUvphF6AHevLzkHUZLOFgpEkn4ldZ yuiDOfdsZkWarRLKu9rKLd8ARp248Rypnc0vP0RrphsG1h11J4RpBAvFY71cXG7WUPVdG9 7jztyDRTsM/pC0wT16VWY49+0hFWimm+8oLQU5Al7rjzJrVbumhWxShpc110xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727777533; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=or5LBrqkquC7Brc0v9CiaWD/4YUd25luUk2+TSRVKfc=; b=xEItnDDS9YO19WijpUo0e6OAEmesihZhlZ7d106lPgcjDeyrt/DxIyrtuuLloBixmnJYQc DcrgSXrYVSLAPUJVW4acrCnNFK1MUvbQSmWbaYcxq6NQdwFVyfE+V5Vx4Hn4nhCYpdTJUa oMcWOzcRKPIuArQ8l1CZkpSwHE5U4fVKoMx7geWBeKrYD5M/gYJ3RlpMOhgyRie+ceZw9u P46aBAM5bfoMpCn+ZptS3TDqdCvcSMnxqd3xUvXB4qYt257AWChQiDPuwLciTMIIe11Mxh U8uvJs8HxeSaEWL4tNJxGQP8BSOvhnx1xY3lIrSzeZlnetv83xn48UmIF0VaNw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1727777533; a=rsa-sha256; cv=none; b=JgL1DuR3CGmw15YrLGtqTF82SjSlZlpetzdAprCk2Fom1o2zgiZPXu1UPgeBMBPXfNEAyE I2doeI58FyYPSzx9YaaPkEN7yszXCL4ZaWDZOtkDpIE9XgWPd6kHBFFYBUWcMB/t/2Us7Q pauvUGDagWTK+l4HuaXhJxeXFPmdugZJyElmgbuO7OG9l+Qf+xruKz0Axsl13M/ZzIwEFD oFovXQgxxu0ITv+gCRyvIfHCb5CVMOmtKXeI/bLLFYsiQv9mPtEh3sZ4PBLipJX/tjMgMz GOYUSubDGfYoQRcW7LNVMjo64Z0l1taz+pHC/jaYEY8WknSl5Mjdc75E0MHqjQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XHtz11JF3zYCN; Tue, 1 Oct 2024 10:12:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 491ACD3E031700; Tue, 1 Oct 2024 10:12:13 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 491ACDkj031697; Tue, 1 Oct 2024 10:12:13 GMT (envelope-from git) Date: Tue, 1 Oct 2024 10:12:13 GMT Message-Id: <202410011012.491ACDkj031697@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 1b745d8b23e4 - main - pf: move normalisation into pf_setup_pdesc() List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1b745d8b23e465872e171579cfc944bd57e5501a Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=1b745d8b23e465872e171579cfc944bd57e5501a commit 1b745d8b23e465872e171579cfc944bd57e5501a Author: Kristof Provost AuthorDate: 2024-09-16 11:58:49 +0000 Commit: Kristof Provost CommitDate: 2024-10-01 07:55:14 +0000 pf: move normalisation into pf_setup_pdesc() This simplifies the code slightly, and brings us closer to the OpenBSD code. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46707 --- sys/netpfil/pf/pf.c | 111 ++++++++++++++++++++++++++++------------------------ 1 file changed, 60 insertions(+), 51 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ccfe1a0fcd96..51b4cebc88e9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8462,12 +8462,16 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, } static int -pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, +pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a, struct pf_krule **r, struct pf_kstate **s, struct pf_kruleset **ruleset, int *off, int *hdrlen, struct inpcb *inp, struct pf_rule_actions *default_actions) { + struct mbuf *m = *m0; + + memset(pd, 0, sizeof(*pd)); + pd->dir = dir; TAILQ_INIT(&pd->sctp_multihome_jobs); if (default_actions != NULL) @@ -8486,6 +8490,22 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, case AF_INET: { struct ip *h; + if (__predict_false(m->m_len < sizeof(struct ip)) && + (m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { + DPFPRINTF(PF_DEBUG_URGENT, + ("pf_test: m_len < sizeof(struct ip), pullup failed\n")); + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + + if (pf_normalize_ip(m0, kif, reason, pd) != PF_PASS) { + /* We do IP header normalization and packet reassembly here */ + *action = PF_DROP; + return (-1); + } + m = *m0; + h = mtod(m, struct ip *); *off = h->ip_hl << 2; if (*off < (int)sizeof(*h)) { @@ -8533,6 +8553,23 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, struct ip6_hdr *h; int terminal = 0; + if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) && + (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { + DPFPRINTF(PF_DEBUG_URGENT, + ("pf_test6: m_len < sizeof(struct ip6_hdr)" + ", pullup failed\n")); + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } + + /* We do IP header normalization and packet reassembly here */ + if (pf_normalize_ip6(m0, kif, reason, pd) != PF_PASS) { + *action = PF_DROP; + return (-1); + } + m = *m0; + h = mtod(m, struct ip6_hdr *); pd->src = (struct pf_addr *)&h->ip6_src; pd->dst = (struct pf_addr *)&h->ip6_dst; @@ -8855,65 +8892,44 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 return (PF_PASS); } +#ifdef INET6 + /* + * If we end up changing IP addresses (e.g. binat) the stack may get + * confused and fail to send the icmp6 packet too big error. Just send + * it here, before we do any NAT. + */ + if (af == AF_INET6 && dir == PF_OUT && pflags & PFIL_FWD && + IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { + PF_RULES_RUNLOCK(); + *m0 = NULL; + icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); + return (PF_DROP); + } +#endif + if (__predict_false(! M_WRITABLE(*m0))) { m = *m0 = m_unshare(*m0, M_NOWAIT); if (*m0 == NULL) return (PF_DROP); } - memset(&pd, 0, sizeof(pd)); - pd.dir = dir; + if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, &a, &r, + &s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) { + if (action != PF_PASS) + pd.act.log |= PF_LOG_FORCE; + goto done; + } + m = *m0; switch (af) { #ifdef INET case AF_INET: - if (__predict_false(m->m_len < sizeof(struct ip)) && - (m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: m_len < sizeof(struct ip), pullup failed\n")); - PF_RULES_RUNLOCK(); - return (PF_DROP); - } - - if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) { - /* We do IP header normalization and packet reassembly here */ - action = PF_DROP; - goto done; - } - m = *m0; /* pf_normalize messes with m0 */ h = mtod(m, struct ip *); ttl = h->ip_ttl; break; #endif #ifdef INET6 case AF_INET6: - /* - * If we end up changing IP addresses (e.g. binat) the stack may get - * confused and fail to send the icmp6 packet too big error. Just send - * it here, before we do any NAT. - */ - if (dir == PF_OUT && pflags & PFIL_FWD && IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { - PF_RULES_RUNLOCK(); - *m0 = NULL; - icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); - return (PF_DROP); - } - - if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) && - (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test6: m_len < sizeof(struct ip6_hdr)" - ", pullup failed\n")); - PF_RULES_RUNLOCK(); - return (PF_DROP); - } - - /* We do IP header normalization and packet reassembly here */ - if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) { - action = PF_DROP; - goto done; - } - m = *m0; /* pf_normalize messes with m0 */ h6 = mtod(m, struct ip6_hdr *); ttl = h6->ip6_hlim; break; @@ -8922,13 +8938,6 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 panic("Unknown af %d", af); } - if (pf_setup_pdesc(af, dir, &pd, m, &action, &reason, kif, &a, &r, - &s, &ruleset, &off, &hdrlen, inp, default_actions) == -1) { - if (action != PF_PASS) - pd.act.log |= PF_LOG_FORCE; - goto done; - } - if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) { pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;