svn commit: r317045 - in stable/11: sbin/ipfw sys/conf sys/modules sys/modules/ipfw_pmod sys/netpfil/ipfw/pmod
Andrey V. Elsukov
ae at FreeBSD.org
Mon Apr 17 09:42:07 UTC 2017
Author: ae
Date: Mon Apr 17 09:42:05 2017
New Revision: 317045
URL: https://svnweb.freebsd.org/changeset/base/317045
Log:
MFC r316435:
Add ipfw_pmod kernel module.
The module is designed for modification of packets of any protocol.
For now it implements only TCP MSS modification. It adds the external
action handler for the "tcp-setmss" action.
A rule with the tcp-setmss action does an additional check for protocol and
TCP flags. If the SYN flag is present, it parses TCP options and modifies the
MSS option if its value is greater than the value configured in the rule.
Then it adjusts the TCP checksum if needed. After handling, the search
continues with the next rule.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D10150
Added:
stable/11/sys/modules/ipfw_pmod/
- copied from r316435, head/sys/modules/ipfw_pmod/
stable/11/sys/netpfil/ipfw/pmod/
- copied from r316435, head/sys/netpfil/ipfw/pmod/
Modified:
stable/11/sbin/ipfw/ipfw.8
stable/11/sbin/ipfw/ipfw2.c
stable/11/sbin/ipfw/ipfw2.h
stable/11/sys/conf/NOTES
stable/11/sys/conf/files
stable/11/sys/conf/options
stable/11/sys/modules/Makefile
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sbin/ipfw/ipfw.8
==============================================================================
--- stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:42:05 2017 (r317045)
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 15, 2017
+.Dd April 3, 2017
.Dt IPFW 8
.Os
.Sh NAME
@@ -1118,6 +1118,20 @@ It is also possible to use the
keyword with setdscp.
If the tablearg value is not within the 0..64 range, lower 6 bits of supplied
value are used.
+.It Cm tcp-setmss Ar mss
+Set the Maximum Segment Size (MSS) in the TCP segment to value
+.Ar mss .
+The kernel module
+.Cm ipfw_pmod
+should be loaded or kernel should have
+.Cm options IPFIREWALL_PMOD
+to be able use this action.
+This command does not change a packet if original MSS value is lower than
+specified value.
+Both TCP over IPv4 and over IPv6 are supported.
+Regardless of matched a packet or not by the
+.Cm tcp-setmss
+rule, the search continues with the next rule.
.It Cm reass
Queue and reassemble IP fragments.
If the packet is not fragmented, counters are updated and
Modified: stable/11/sbin/ipfw/ipfw2.c
==============================================================================
--- stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:42:05 2017 (r317045)
@@ -36,6 +36,7 @@
#include <pwd.h>
#include <stdio.h>
#include <stdarg.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
@@ -238,6 +239,7 @@ static struct _s_x rule_eactions[] = {
{ "nat64lsn", TOK_NAT64LSN },
{ "nat64stl", TOK_NAT64STL },
{ "nptv6", TOK_NPTV6 },
+ { "tcp-setmss", TOK_TCPSETMSS },
{ NULL, 0 } /* terminator */
};
@@ -272,6 +274,7 @@ static struct _s_x rule_actions[] = {
{ "call", TOK_CALL },
{ "return", TOK_RETURN },
{ "eaction", TOK_EACTION },
+ { "tcp-setmss", TOK_TCPSETMSS },
{ NULL, 0 } /* terminator */
};
@@ -4007,6 +4010,26 @@ chkarg:
fill_cmd(action, O_CALLRETURN, F_NOT, 0);
break;
+ case TOK_TCPSETMSS: {
+ u_long mss;
+ uint16_t idx;
+
+ idx = pack_object(tstate, "tcp-setmss", IPFW_TLV_EACTION);
+ if (idx == 0)
+ errx(EX_DATAERR, "pack_object failed");
+ fill_cmd(action, O_EXTERNAL_ACTION, 0, idx);
+ NEED1("Missing MSS value");
+ action = next_cmd(action, &ablen);
+ action->len = 1;
+ CHECK_ACTLEN;
+ mss = strtoul(*av, NULL, 10);
+ if (mss == 0 || mss > UINT16_MAX)
+ errx(EX_USAGE, "invalid MSS value %s", *av);
+ fill_cmd(action, O_EXTERNAL_DATA, 0, (uint16_t)mss);
+ av++;
+ break;
+ }
+
default:
av--;
if (match_token(rule_eactions, *av) == -1)
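Review bot: `mss = strtoul(*av, NULL, 10);` in the new TOK_TCPSETMSS case discards the end pointer, so an argument with trailing characters (for example `1400x`) is silently accepted as 1400; the following test only rejects zero, non-numeric and out-of-range values. Passing an end pointer and requiring it to reach the terminator closes that gap: `char *end; mss = strtoul(*av, &end, 10); if (end == *av || *end != '\0' || mss == 0 || mss > UINT16_MAX)`. ERANGE needs no separate check here because ULONG_MAX already fails the `> UINT16_MAX` comparison. The enclosing switch (the chkarg label) starts and ends outside the hunk.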
Modified: stable/11/sbin/ipfw/ipfw2.h
==============================================================================
--- stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:42:05 2017 (r317045)
@@ -284,6 +284,8 @@ enum tokens {
TOK_INTPREFIX,
TOK_EXTPREFIX,
TOK_PREFIXLEN,
+
+ TOK_TCPSETMSS,
};
/*
Modified: stable/11/sys/conf/NOTES
==============================================================================
--- stable/11/sys/conf/NOTES Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sys/conf/NOTES Mon Apr 17 09:42:05 2017 (r317045)
@@ -957,6 +957,9 @@ device lagg
#
# IPFIREWALL_NPTV6 adds support for in kernel NPTv6 in ipfw.
#
+# IPFIREWALL_PMOD adds support for protocols modification module. Currently
+# it supports only TCP MSS modification.
+#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
Modified: stable/11/sys/conf/files
==============================================================================
--- stable/11/sys/conf/files Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sys/conf/files Mon Apr 17 09:42:05 2017 (r317045)
@@ -4006,6 +4006,8 @@ netpfil/ipfw/nptv6/ip_fw_nptv6.c optiona
ipfirewall_nptv6
netpfil/ipfw/nptv6/nptv6.c optional inet inet6 ipfirewall \
ipfirewall_nptv6
+netpfil/ipfw/pmod/ip_fw_pmod.c optional inet ipfirewall_pmod
+netpfil/ipfw/pmod/tcpmod.c optional inet ipfirewall_pmod
netpfil/pf/if_pflog.c optional pflog pf inet
netpfil/pf/if_pfsync.c optional pfsync pf inet
netpfil/pf/pf.c optional pf inet
Modified: stable/11/sys/conf/options
==============================================================================
--- stable/11/sys/conf/options Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sys/conf/options Mon Apr 17 09:42:05 2017 (r317045)
@@ -424,6 +424,7 @@ IPFIREWALL_NAT64_DIRECT_OUTPUT opt_ipfw.
IPFIREWALL_NPTV6 opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
+IPFIREWALL_PMOD opt_ipfw.h
IPSEC opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
IPSEC_SUPPORT opt_ipsec.h
Modified: stable/11/sys/modules/Makefile
==============================================================================
--- stable/11/sys/modules/Makefile Mon Apr 17 09:38:15 2017 (r317044)
+++ stable/11/sys/modules/Makefile Mon Apr 17 09:42:05 2017 (r317045)
@@ -176,6 +176,7 @@ SUBDIR= \
ipfw_nat \
${_ipfw_nat64} \
${_ipfw_nptv6} \
+ ${_ipfw_pmod} \
${_ipmi} \
ip6_mroute_mod \
ip_mroute_mod \
@@ -460,6 +461,7 @@ _toecore= toecore
_if_enc= if_enc
_if_gif= if_gif
_if_gre= if_gre
+_ipfw_pmod= ipfw_pmod
.if ${MK_IPSEC_SUPPORT} != "no"
_ipsec= ipsec
_tcpmd5= tcp/tcpmd5