svn commit: r349931 - in stable: 10/sys/contrib/ipfilter/netinet 11/sys/contrib/ipfilter/netinet

Fri Jul 12 02:14:07 UTC 2019

Author: cy
Date: Fri Jul 12 02:14:05 2019
New Revision: 349931
URL: https://svnweb.freebsd.org/changeset/base/349931

Log:
  MFC r349927, r349929:
  
  r349927:
    Resolve IPv6 checksum errors with stateful inspection. According to
    PR/203585 this appears to have been broken by r235959, which predates
    the ipfilter 5.1.2 import into FreeBSD.
  
    The IPv6 checksum calculation is incorrect. To resolve this we call
    in6_cksum() to do the the heavy lifting for us, through a new function
    ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe
    is added to aid with future debugging.
  
    Plus whitespace adjustments (r348989).
  
    PR:		203275, 203585
    Differential Revision:	https://reviews.freebsd.org/D20583
  
  r349929:
    Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
    The reason for this is that ipftest(8), which still works on FreeBSD-11,
    fails to link to it, breaking stable/11 builds.
  
    ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
    glebius@ suggested we disable building it until I can get around to
    fixing it. Hence this was not caught in -current.
  
    The intention is to fix ipftest(8) as it is used by the netbsd-tests
    (imported by ngie@ many moons ago) for regression testing.

Modified:
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_fil.h
  stable/10/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/11/sys/contrib/ipfilter/netinet/fil.c
==============================================================================

--- stable/11/sys/contrib/ipfilter/netinet/fil.c	Fri Jul 12 02:03:43 2019	(r349930)
+++ stable/11/sys/contrib/ipfilter/netinet/fil.c	Fri Jul 12 02:14:05 2019	(r349931)
@@ -179,6 +179,10 @@ static	int		ipf_updateipid __P((fr_info_t *));
 static	int		ipf_settimeout __P((struct ipf_main_softc_s *,
 					    struct ipftuneable *,
 					    ipftuneval_t *));
+#ifdef	USE_INET6
+static	u_int		ipf_pcksum6 __P((fr_info_t *, ip6_t *,
+						u_int32_t, u_int32_t));
+#endif
 #if !defined(_KERNEL) || SOLARIS
 static	int		ppsratecheck(struct timeval *, int *, int);
 #endif
@@ -10223,4 +10227,55 @@ ipf_inet6_mask_del(bits, mask, mtab)
 	mtab->imt6_max--;
 	ASSERT(mtab->imt6_max >= 0);
 }
+
+#ifdef	_KERNEL
+static u_int
+ipf_pcksum6(fin, ip6, off, len)
+	fr_info_t *fin;
+	ip6_t *ip6;
+	u_int32_t off;
+	u_int32_t len;
+{
+	struct mbuf *m;
+	int sum;
+
+	m = fin->fin_m;
+	if (m->m_len < sizeof(struct ip6_hdr)) {
+		return 0xffff;
+	}
+
+	sum = in6_cksum(m, ip6->ip6_nxt, off, len);
+	return(sum);
+}
+#else
+static u_int
+ipf_pcksum6(fin, ip6, off, len)
+	fr_info_t *fin;
+	ip6_t *ip6;
+	u_int32_t off;
+	u_int32_t len;
+{
+	u_short *sp;
+	u_int sum;
+
+	sp = (u_short *)&ip6->ip6_src;
+	sum = *sp++;   /* ip6_src */
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;   /* ip6_dst */
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	sum += *sp++;
+	return(ipf_pcksum(fin, off, sum));
+}
+#endif
 #endif

Modified: stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_fil.h	Fri Jul 12 02:03:43 2019	(r349930)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_fil.h	Fri Jul 12 02:14:05 2019	(r349931)
@@ -1835,10 +1835,6 @@ extern	int		ipf_matchicmpqueryreply __P((int, icmpinfo
 						     struct icmp *, int));
 extern	u_32_t		ipf_newisn __P((fr_info_t *));
 extern	u_int		ipf_pcksum __P((fr_info_t *, int, u_int));
-#ifdef	USE_INET6
-extern	u_int		ipf_pcksum6 __P((fr_info_t *, ip6_t *,
-						u_int32_t, u_int32_t));
-#endif
 extern	void		ipf_rule_expire __P((ipf_main_softc_t *));
 extern	int		ipf_scanlist __P((fr_info_t *, u_32_t));
 extern	frentry_t 	*ipf_srcgrpmap __P((fr_info_t *, u_32_t *));

Modified: stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Fri Jul 12 02:03:43 2019	(r349930)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	Fri Jul 12 02:14:05 2019	(r349931)
@@ -1447,56 +1447,3 @@ ipf_pcksum(fin, hlen, sum)
 	sum2 = ~sum & 0xffff;
 	return sum2;
 }
-
-#ifdef  USE_INET6
-#ifdef	_KERNEL
-u_int
-ipf_pcksum6(fin, ip6, off, len)
-	fr_info_t *fin;
-	ip6_t *ip6;
-	u_int32_t off;
-	u_int32_t len;
-{
-	struct mbuf *m;
-	int sum;
-
-	m = fin->fin_m;
-	if (m->m_len < sizeof(struct ip6_hdr)) {
-		return 0xffff;
-	}
-
-	sum = in6_cksum(m, ip6->ip6_nxt, off, len);
-	return(sum);
-}
-#else
-u_int
-ipf_pcksum6(fin, ip6, off, len)
-	fr_info_t *fin;
-	ip6_t *ip6;
-	u_int32_t off;
-	u_int32_t len;
-{
-	u_short *sp;
-	u_int sum;
-
-	sp = (u_short *)&ip6->ip6_src;
-	sum = *sp++;   /* ip6_src */
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;   /* ip6_dst */
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	sum += *sp++;
-	return(ipf_pcksum(fin, off, sum));
-}
-#endif
-#endif
