Date: Thu, 10 Nov 2022 14:21:29 +0000
From: Glen Barber
To: rscheff@freebsd.org
Cc: re@freebsd.org, Michael Tuexen, freebsd-net@freebsd.org
Subject: Re: ip_fw_nat stealing bits
Message-ID: <20221110142129.GV76435@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Thu, Nov 10, 2022 at 12:51:48PM +0100, Scheffenegger, Richard wrote:
> As mentioned previously, the nat module of ip_fw steals one bit in the
> TCP header, which used to be unallocated, for internal purposes.
>
> That prevents the use of TCP AccECN across fbsd operated NAT devices.
>
> This simple fix shifts the used bit (unnamed previously and therefore
> missed for a long time) from TH_AE (0x100 of the TCP header flags) to
> TH_RES1 (0x800). Because of endianness, and how the TCP header flags are
> split into th_flags and th_x2, some bitshifting is required.
>
> The patch was run earlier this week at the IETF115 L4S Interop during
> the Hackathon, and reviewed/tested by tuexen@FreeBSD.org (present at the
> time, and finding this issue earlier during Interop testing).
>
> The risk involved here is also small, as the previously used bottommost
> bit ("1") is only shifted left to the topmost bit, and checked properly.
>
> As 12.4 may be around for a long time, getting this patch picked up will
> allow the more widespread use of L4S and AccECN faster in the coming years.
>

Approved.

Glen

> From 5009a530f6964c6a1193f9d97873cea7f96cf217 Mon Sep 17 00:00:00 2001
> From: Richard Scheffenegger > Date: Wed, 9 Nov 2022 10:54:34 +0100 > Subject: [PATCH] ipfw: Have NAT steal the TH_RES1 bit, instead of the TH_= AE > bit >=20 > The NAT module use of the tcphdr.th_x2 field now collides with the > use of this TCP header flag as AccECN (AE) bit. Use the topmost > bit instead to allow negotiation of AccECN across a NAT device. >=20 > Event: IETF 115 Hackathon > Reviewed By: #transport, tuexen > MFC after: 3 days > Approved by: re (gjb, early-MFC) > Sponsored by: NetApp, Inc. > Differential Revision: https://reviews.freebsd.org/D37300 >=20 > (cherry picked from commit 0b00b801493aa1d4996b0891ea58fbef343f85df) > (cherry picked from commit 9839a5ad3a683c3841ec00c9e1a4d551dcf9c1de) > --- > sys/netinet/libalias/alias_ftp.c | 2 +- > sys/netinet/libalias/alias_irc.c | 2 +- > sys/netinet/libalias/alias_proxy.c | 2 +- > sys/netinet/libalias/alias_skinny.c | 6 +++--- > sys/netinet/libalias/alias_smedia.c | 4 ++-- > sys/netinet/tcp.h | 3 +++ > sys/netpfil/ipfw/ip_fw_nat.c | 4 ++-- > 7 files changed, 13 insertions(+), 10 deletions(-) >=20 > diff --git a/sys/netinet/libalias/alias_ftp.c b/sys/netinet/libalias/alia= s_ftp.c > index 962194ec0a68..b2fcfbf2396b 100644 > --- a/sys/netinet/libalias/alias_ftp.c > +++ b/sys/netinet/libalias/alias_ftp.c > @@ -754,7 +754,7 @@ NewFtpMessage(struct libalias *la, struct ip *pip, > /* Compute TCP checksum for revised packet */ > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > diff --git a/sys/netinet/libalias/alias_irc.c b/sys/netinet/libalias/alia= s_irc.c > index 32e831742048..524b70b0632c 100644 > --- a/sys/netinet/libalias/alias_irc.c > +++ b/sys/netinet/libalias/alias_irc.c 
> @@ -458,7 +458,7 @@ AliasHandleIrcOut(struct libalias *la, > /* Compute TCP checksum for revised packet */ > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > diff --git a/sys/netinet/libalias/alias_proxy.c b/sys/netinet/libalias/al= ias_proxy.c > index 9b75b22a74b3..7efab1fdc8db 100644 > --- a/sys/netinet/libalias/alias_proxy.c > +++ b/sys/netinet/libalias/alias_proxy.c > @@ -368,7 +368,7 @@ ProxyEncodeTcpStream(struct alias_link *lnk, > =20 > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > diff --git a/sys/netinet/libalias/alias_skinny.c b/sys/netinet/libalias/a= lias_skinny.c > index 31b33696fc20..2c664c2c58d9 100644 > --- a/sys/netinet/libalias/alias_skinny.c > +++ b/sys/netinet/libalias/alias_skinny.c > @@ -216,7 +216,7 @@ alias_skinny_reg_msg(struct RegisterMessage *reg_msg,= struct ip *pip, > =20 > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > @@ -259,7 +259,7 @@ alias_skinny_port_msg(struct IpPortMessage *port_msg,= struct ip *pip, > =20 > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > @@ -291,7 +291,7 @@ alias_skinny_opnrcvch_ack(struct libalias *la, struct= OpenReceiveChannelAck *opn > =20 > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > diff --git a/sys/netinet/libalias/alias_smedia.c b/sys/netinet/libalias/a= lias_smedia.c > index 9b5a9d673ecf..c09c8e0c6d77 100644 > --- a/sys/netinet/libalias/alias_smedia.c > +++ b/sys/netinet/libalias/alias_smedia.c 
> @@ -404,7 +404,7 @@ alias_rtsp_out(struct libalias *la, struct ip *pip, > =20 > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > @@ -451,7 +451,7 @@ alias_pna_out(struct libalias *la, struct ip *pip, > /* Compute TCP checksum for revised packet */ > tc->th_sum =3D 0; > #ifdef _KERNEL > - tc->th_x2 =3D 1; > + tc->th_x2 =3D (TH_RES1 >> 8); > #else > tc->th_sum =3D TcpChecksum(pip); > #endif > diff --git a/sys/netinet/tcp.h b/sys/netinet/tcp.h > index 21922eb4df2e..beb6ece82f35 100644 > --- a/sys/netinet/tcp.h > +++ b/sys/netinet/tcp.h > @@ -72,6 +72,9 @@ struct tcphdr { > #define TH_ECE 0x40 > #define TH_CWR 0x80 > #define TH_AE 0x100 /* maps into th_x2 */ > +#define TH_RES3 0x200 > +#define TH_RES2 0x400 > +#define TH_RES1 0x800 > #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECE|TH_C= WR) > #define PRINT_TH_FLAGS "\20\1FIN\2SYN\3RST\4PUSH\5ACK\6URG\7ECE\10CWR\11= AE" > =20 > diff --git a/sys/netpfil/ipfw/ip_fw_nat.c b/sys/netpfil/ipfw/ip_fw_nat.c > index 9e15e9addbe5..b75210246a00 100644 > --- a/sys/netpfil/ipfw/ip_fw_nat.c > +++ b/sys/netpfil/ipfw/ip_fw_nat.c > @@ -416,7 +416,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, = struct mbuf *m) > struct tcphdr *th; > =20 > th =3D (struct tcphdr *)(ip + 1); > - if (th->th_x2) > + if (th->th_x2 & (TH_RES1 >> 8)) > ldt =3D 1; > } > =20 
> @@ -436,7 +436,7 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, = struct mbuf *m) > * Maybe it was set in > * libalias... > */ > - th->th_x2 =3D 0; > + th->th_x2 &=3D ~(TH_RES1 >> 8); > th->th_sum =3D cksum; > mcl->m_pkthdr.csum_data =3D > offsetof(struct tcphdr, th_sum); > --=20 > 2.37.3 >=20
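Review bot: the eight `tc->th_x2 = (TH_RES1 >> 8);` lines in the libalias hunks (alias_ftp.c, alias_irc.c, alias_proxy.c, the three alias_skinny.c hunks and the two alias_smedia.c hunks) assign the whole 4-bit th_x2 field, so on any packet whose payload libalias rewrites they clear TH_AE (bit 0 of th_x2, 0x100 >> 8) together with RES2/RES3, which is the very bit this change sets out to keep intact; the consumer side in ip_fw_nat.c clears only the marker with `th->th_x2 &= ~(TH_RES1 >> 8);`. Suggest `tc->th_x2 |= (TH_RES1 >> 8);` in all eight places so the set and the clear are symmetric and the AccECN bit survives a payload rewrite.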
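Review bot: the three new defines in the tcp.h hunk (TH_RES3, TH_RES2, TH_RES1) carry no comment, while the neighbouring TH_AE line says `/* maps into th_x2 */`; since TH_RES1 is now claimed by libalias and ipfw_nat as an in-kernel "checksum must be recomputed" marker, record that next to the define (and that RES2/RES3 are still free), otherwise the next allocation of a reserved TCP header bit can repeat exactly the collision this change fixes.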
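Review bot: the check `if (th->th_x2 & (TH_RES1 >> 8))` in the first ip_fw_nat.c hunk is narrower than the old `if (th->th_x2)`, which is what lets AE pass through, but a packet that arrives from the wire with the reserved bit 0x800 already set will still be taken as libalias-marked, have that bit cleared and its checksum recomputed in the second hunk; that only costs a checksum computation, so a one-line comment stating the assumption (a peer setting TH_RES1 is tolerated rather than treated as an error) would be enough.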
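Richard's remark that the marker has to be shifted because the flags word is split between th_flags and th_x2 is easiest to follow in code. The following is an added example, not part of this mail or of the FreeBSD sources: it models the split with a struct of the same shape (little-endian field order assumed), rebuilds the 12-bit flags word, and runs an AccECN SYN-ACK through the pre-patch marker (th_x2 = 1), the patch's assignment of TH_RES1 >> 8, and an OR-ed variant, each followed by an ipfw_nat-style test-and-clear. The demo_tcphdr, mark_*, consume_*, flags_after_nat and nat_saw_marker names and the SYN-ACK flag combination are this example's own, not the kernel's.

```c
/* Added example (not from this mail or the FreeBSD tree): shows how the
 * 12-bit TCP flags word splits into th_x2 (bits 8..11) and th_flags
 * (bits 0..7), and what the NAT "payload rewritten" marker does to the
 * AccECN AE bit depending on how it is set and cleared.
 * Field order below assumes a little-endian host, as in FreeBSD's tcp.h. */
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in the patched sys/netinet/tcp.h. */
#define TH_FIN  0x001
#define TH_SYN  0x002
#define TH_RST  0x004
#define TH_PUSH 0x008
#define TH_ACK  0x010
#define TH_URG  0x020
#define TH_ECE  0x040
#define TH_CWR  0x080
#define TH_AE   0x100   /* maps into th_x2 bit 0 */
#define TH_RES3 0x200
#define TH_RES2 0x400
#define TH_RES1 0x800   /* maps into th_x2 bit 3 */

/* Demo header (not the real struct tcphdr); only the flag fields matter. */
struct demo_tcphdr {
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_x2:4;    /* upper nibble of the flags word: AE, RES3..RES1 */
    uint8_t  th_off:4;   /* data offset in 32-bit words */
    uint8_t  th_flags;   /* lower byte: FIN..CWR */
    uint16_t th_win, th_sum, th_urp;
};

/* Reassemble the full flags word from the two fields. */
static unsigned demo_get_flags(const struct demo_tcphdr *th)
{
    return ((unsigned)th->th_x2 << 8) | th->th_flags;
}

static void demo_set_flags(struct demo_tcphdr *th, unsigned flags)
{
    th->th_x2 = (flags >> 8) & 0x0f;
    th->th_flags = flags & 0xff;
}

typedef void (*mark_fn)(struct demo_tcphdr *);
typedef int (*consume_fn)(struct demo_tcphdr *);

/* Pre-patch libalias marker: the value 1 is the same bit as TH_AE. */
static void mark_old(struct demo_tcphdr *th) { th->th_x2 = 1; }
/* Marker written by assignment, as the libalias hunks in the patch do. */
static void mark_assign(struct demo_tcphdr *th) { th->th_x2 = (TH_RES1 >> 8); }
/* Marker OR-ed in, so AE and the other reserved bits are left alone. */
static void mark_or(struct demo_tcphdr *th) { th->th_x2 |= (TH_RES1 >> 8); }

/* Pre-patch ipfw_nat consumer: any nonzero th_x2 means "marked", then wipe it. */
static int consume_old(struct demo_tcphdr *th)
{
    if (th->th_x2 == 0)
        return 0;
    th->th_x2 = 0;
    return 1;
}

/* Patched ipfw_nat consumer: test and clear only TH_RES1. */
static int consume_new(struct demo_tcphdr *th)
{
    if (!(th->th_x2 & (TH_RES1 >> 8)))
        return 0;
    th->th_x2 &= ~(TH_RES1 >> 8);
    return 1;
}

/* Constructed input: an AccECN SYN-ACK carries SYN|ACK|ECE|CWR|AE. */
#define ACCECN_SYNACK (TH_SYN | TH_ACK | TH_ECE | TH_CWR | TH_AE)

/* Build the SYN-ACK, apply an optional marker, run the consumer, return flags. */
static unsigned flags_after_nat(mark_fn mark, consume_fn consume)
{
    struct demo_tcphdr th = {0};
    demo_set_flags(&th, ACCECN_SYNACK);
    if (mark != NULL)
        mark(&th);
    consume(&th);
    return demo_get_flags(&th);
}

/* Same run, but report whether the consumer took the packet as marked. */
static int nat_saw_marker(mark_fn mark, consume_fn consume)
{
    struct demo_tcphdr th = {0};
    demo_set_flags(&th, ACCECN_SYNACK);
    if (mark != NULL)
        mark(&th);
    return consume(&th);
}

int main(void)
{
    printf("unmarked, old consumer : 0x%03x (marked=%d)\n",
           flags_after_nat(NULL, consume_old), nat_saw_marker(NULL, consume_old));
    printf("old mark, old consumer : 0x%03x\n", flags_after_nat(mark_old, consume_old));
    printf("unmarked, new consumer : 0x%03x (marked=%d)\n",
           flags_after_nat(NULL, consume_new), nat_saw_marker(NULL, consume_new));
    printf("assign,   new consumer : 0x%03x\n", flags_after_nat(mark_assign, consume_new));
    printf("or-in,    new consumer : 0x%03x\n", flags_after_nat(mark_or, consume_new));
    return 0;
}
```

The first run reproduces the problem the mail describes: with the old consumer an untouched AccECN SYN-ACK is read as "marked" because AE occupies th_x2 bit 0, and the bit is wiped. With the patched test-and-clear an unmarked packet keeps AE, and a packet marked by OR-ing in TH_RES1 keeps it too; marking by assignment keeps the check correct but still drops AE on every packet libalias rewrites.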