svn commit: r346398 - in head: sys/netinet6 usr.bin/netstat usr.bin/systat
Tom Jones
thj at FreeBSD.org
Fri Apr 19 17:06:45 UTC 2019
Author: thj
Date: Fri Apr 19 17:06:43 2019
New Revision: 346398
URL: https://svnweb.freebsd.org/changeset/base/346398
Log:
Add stat counter for ipv6 atomic fragments
Add a stat counter to track ipv6 atomic fragments. Atomic fragments can be
generated in response to invalid path MTU values, but are also a potential
attack vector and considered harmful (see RFC6946 and RFC8021).
While here add tracking of the atomic fragment counter to netstat and systat.
Reviewed by: tuexen, jtl, bz
Approved by: jtl (mentor), bz (mentor)
Event: Aberdeen hackathon 2019
Differential Revision: https://reviews.freebsd.org/D17511
Modified:
head/sys/netinet6/frag6.c
head/sys/netinet6/ip6_var.h
head/usr.bin/netstat/inet6.c
head/usr.bin/systat/ip6.c
Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c Fri Apr 19 15:54:32 2019 (r346397)
+++ head/sys/netinet6/frag6.c Fri Apr 19 17:06:43 2019 (r346398)
@@ -277,12 +277,12 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
offset += sizeof(struct ip6_frag);
/*
- * RFC 6946: Handle "atomic" fragments (offset and m bit set to 0)
- * upfront, unrelated to any reassembly. Just skip the fragment header.
+ * Handle "atomic" fragments (offset and m bit set to 0) upfront,
+ * unrelated to any reassembly (see RFC 6946 and section 4.5 of RFC
+ * 8200). Just skip the fragment header.
*/
if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) {
- /* XXX-BZ we want dedicated counters for this. */
- IP6STAT_INC(ip6s_reassembled);
+ IP6STAT_INC(ip6s_atomicfrags);
in6_ifstat_inc(dstifp, ifs6_reass_ok);
*offp = offset;
m->m_flags |= M_FRAGMENTED;
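Review bot: The per-interface counter on the line after the new `IP6STAT_INC(ip6s_atomicfrags);` is unchanged, so an atomic fragment is still recorded there as `ifs6_reass_ok` while the global `ip6s_reassembled` no longer counts it. The two views now disagree, and anyone watching per-interface statistics for the atomic-fragment abuse described in RFC 8021 cannot tell these packets apart from real reassemblies. If no per-interface counter is planned, a comment above that line would make the choice explicit, for example `/* No per-interface atomic fragment counter; still reported as reass_ok. */`. The body of frag6_input starts and ends outside this hunk.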
Modified: head/sys/netinet6/ip6_var.h
==============================================================================
--- head/sys/netinet6/ip6_var.h Fri Apr 19 15:54:32 2019 (r346397)
+++ head/sys/netinet6/ip6_var.h Fri Apr 19 17:06:43 2019 (r346398)
@@ -208,6 +208,7 @@ struct ip6stat {
uint64_t ip6s_localout; /* total ip packets generated here */
uint64_t ip6s_odropped; /* lost packets due to nobufs, etc. */
uint64_t ip6s_reassembled; /* total packets reassembled ok */
+ uint64_t ip6s_atomicfrags; /* atomic fragments */
uint64_t ip6s_fragmented; /* datagrams successfully fragmented */
uint64_t ip6s_ofragments; /* output fragments created */
uint64_t ip6s_cantfrag; /* don't fragment flag was set, etc. */
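Review bot: `ip6s_atomicfrags` is inserted in the middle of `struct ip6stat`, which shifts the offset of every field after `ip6s_reassembled`. The structure is presumably exported to userland as a whole, since netstat and systat in this same commit read it by field name. If so, a tool built against the old header would silently show later counters under the wrong labels on a new kernel. Appending the field at the end of the struct, or stating that kernel and userland must be rebuilt together, would avoid that. The field comment could also say what is counted, e.g. `/* atomic fragments received (offset 0, M bit 0) */`. The struct definition begins and ends outside the hunk.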
Modified: head/usr.bin/netstat/inet6.c
==============================================================================
--- head/usr.bin/netstat/inet6.c Fri Apr 19 15:54:32 2019 (r346397)
+++ head/usr.bin/netstat/inet6.c Fri Apr 19 17:06:43 2019 (r346398)
@@ -391,6 +391,8 @@ ip6_stats(u_long off, const char *name, int af1 __unus
"{N:/fragment%s dropped after timeout}\n");
p(ip6s_fragoverflow, "\t{:dropped-fragments-overflow/%ju} "
"{N:/fragment%s that exceeded limit}\n");
+ p(ip6s_atomicfrags, "\t{:atomic-fragments/%ju} "
+ "{N:/atomic fragment%s}\n");
p(ip6s_reassembled, "\t{:reassembled-packets/%ju} "
"{N:/packet%s reassembled ok}\n");
p(ip6s_delivered, "\t{:received-local-packets/%ju} "
Modified: head/usr.bin/systat/ip6.c
==============================================================================
--- head/usr.bin/systat/ip6.c Fri Apr 19 15:54:32 2019 (r346397)
+++ head/usr.bin/systat/ip6.c Fri Apr 19 17:06:43 2019 (r346398)
@@ -121,16 +121,16 @@ labelip6(void)
L(6, "- fragments dropped"); R(6, "destinations unreachable");
L(7, "- fragments timed out"); R(7, "packets output via raw IP");
L(8, "- fragments overflown");
- L(9, "- packets reassembled ok"); R(9, "Input next-header histogram");
- L(10, "packets forwarded"); R(10, " - destination options");
- L(11, "- unreachable dests"); R(11, " - hop-by-hop options");
- L(12, "- redirects generated"); R(12, " - IPv4");
- L(13, "option errors"); R(13, " - TCP");
- L(14, "unwanted multicasts"); R(14, " - UDP");
- L(15, "delivered to upper layer"); R(15, " - IPv6");
- L(16, "bad scope packets"); R(16, " - routing header");
- L(17, "address selection failed"); R(17, " - fragmentation header");
- R(18, " - ICMP6");
+ L(9, "- atomic fragments"); R(9, "Input next-header histogram");
+ L(10, "- packets reassembled ok"); R(10, " - destination options");
+ L(11, "packets forwarded"); R(11, " - hop-by-hop options");
+ L(12, "- unreachable dests"); R(12, " - IPv4");
+ L(13, "- redirects generated"); R(13, " - TCP");
+ L(14, "option errors"); R(14, " - UDP");
+ L(15, "unwanted multicasts"); R(15, " - IPv6");
+ L(16, "delivered to upper layer"); R(16, " - routing header");
+ L(17, "bad scope packets"); R(17, " - fragmentation header");
+ L(18, "address selection failed");R(18, " - ICMP6");
R(19, " - none");
#undef L
#undef R
@@ -165,6 +165,7 @@ domode(struct ip6stat *ret)
DO(ip6s_fragdropped);
DO(ip6s_fragtimeout);
DO(ip6s_fragoverflow);
+ DO(ip6s_atomicfrags);
DO(ip6s_forward);
DO(ip6s_cantforward);
DO(ip6s_redirectsent);
@@ -214,22 +215,23 @@ showip6(void)
DO(ip6s_fragtimeout, 7, 0);
DO(ip6s_rawout, 7, 35);
DO(ip6s_fragoverflow, 8, 0);
- DO(ip6s_reassembled, 9, 0);
- DO(ip6s_forward, 10, 0);
+ DO(ip6s_atomicfrags, 9, 0);
+ DO(ip6s_reassembled, 10, 0);
+ DO(ip6s_forward, 11, 0);
DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35);
- DO(ip6s_cantforward, 11, 0);
+ DO(ip6s_cantforward, 12, 0);
DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35);
- DO(ip6s_redirectsent, 12, 0);
+ DO(ip6s_redirectsent, 13, 0);
DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35);
- DO(ip6s_badoptions, 13, 0);
+ DO(ip6s_badoptions, 14, 0);
DO(ip6s_nxthist[IPPROTO_TCP], 13, 35);
- DO(ip6s_notmember, 14, 0);
+ DO(ip6s_notmember, 15, 0);
DO(ip6s_nxthist[IPPROTO_UDP], 14, 35);
- DO(ip6s_delivered, 15, 0);
+ DO(ip6s_delivered, 16, 0);
DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35);
- DO(ip6s_badscope, 16, 0);
+ DO(ip6s_badscope, 17, 0);
DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35);
- DO(ip6s_sources_none, 17, 0);
+ DO(ip6s_sources_none, 18, 0);
DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35);
DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35);
DO(ip6s_nxthist[IPPROTO_NONE], 19, 35);
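Review bot: After the renumbering, the left-column and right-column `DO()` calls that sit next to each other no longer share a row. `DO(ip6s_forward, 11, 0);` is now followed by `DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35);`, and the same off-by-one continues down to row 18. The screen output is unaffected, but the listing used to read as one screen row per pair, and the next person to insert a counter has to track the offset by hand. Reordering so that each pair shares a row again would restore that, for example putting `DO(ip6s_reassembled, 10, 0);` directly before the `IPPROTO_DSTOPTS` line. The row numbers must also stay in step with the labels in `labelip6`, which a short comment at the top of this run could state. The body of showip6 starts outside the hunk.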