---
- branch: netbsd-8
  date: Wed May 9 15:35:37 UTC 2018
  files:
  - new: 1.54.6.2
    old: 1.54.6.1
    path: src/sys/net/npf/npf.h
    pathrev: src/sys/net/npf/npf.h@1.54.6.2
    type: modified
  - new: 1.24.8.1
    old: '1.24'
    path: src/sys/net/npf/npf_alg_icmp.c
    pathrev: src/sys/net/npf/npf_alg_icmp.c@1.24.8.1
    type: modified
  - new: 1.37.6.1
    old: '1.37'
    path: src/sys/net/npf/npf_handler.c
    pathrev: src/sys/net/npf/npf_handler.c@1.37.6.1
    type: modified
  - new: 1.37.6.1
    old: '1.37'
    path: src/sys/net/npf/npf_inet.c
    pathrev: src/sys/net/npf/npf_inet.c@1.37.6.1
    type: modified
  - new: 1.16.8.1
    old: '1.16'
    path: src/sys/net/npf/npf_sendpkt.c
    pathrev: src/sys/net/npf/npf_sendpkt.c@1.16.8.1
    type: modified
  id: 20180509T153537Z.7a559d55de2c3dcf21ee845766e73830165e0132
  log: |
    Pull up following revision(s) (requested by maxv in ticket #817):

    	sys/net/npf/npf_inet.c: revision 1.38-1.44
    	sys/net/npf/npf_handler.c: revision 1.38-1.39
    	sys/net/npf/npf_alg_icmp.c: revision 1.26
    	sys/net/npf/npf.h: revision 1.56
    	sys/net/npf/npf_sendpkt.c: revision 1.17-1.18

    Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
    checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
    we are allowed to fail to advance, otherwise we kick the packet.
    Sent on tech-net@ a few days ago, no response, but I'm committing it now
    anyway.

    Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
    magic values.

    Remove dead branches, 'npc' can't be NULL (and it is dereferenced
    earlier).

    Fix two consecutive mistakes.

    The first mistake was npf_inet.c rev1.37:
     "Don't reassemble ipv6 fragments, instead treat the first fragment
     as a regular packet (subject to filtering rules), and pass
     subsequent fragments in the same group unconditionally."

    Doing this was entirely wrong, because then a packet just had to push
    the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
    it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
    was supposed to be a fix for the second mistake.

    The second mistake was that ip6_reass_packet (in npf_reassembly) was
    getting called with npc->npc_hlen. But npc_hlen pointed to the last
    encountered header in the IPv6 chain, which was not necessarily the
    fragment header. So ip6_reass_packet was given garbage, and would fail,
    resulting in the packet getting kicked. So basically IPv6 was broken by
    NPF.

    The first mistake is reverted, and the second one is fixed by doing:
    - hlen = sizeof(struct ip6_frag);
    + hlen = 0;

    Now the iteration stops on the fragment header, and the call to
    ip6_reass_packet is valid.

    My npf_inet.c rev1.38 is partially reverted: we don't need to worry
    about failing properly to advance; once the packet is reassembled
    npf_cache_ip gets called again, and this time the whole chain should be
    there.

    Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
    packet gets correctly reassembled by NPF now.

    Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
    is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
    the packet was reassembled.

    I'm wondering whether it would not be better to just remove the fragment
    header in frag6_input directly.

    Fix the "return-rst" rule on IPv6 packets.
    The scopes needed to be set on the addresses before invoking ip6_output,
    because ip6_output needs them. The reason they are not here already is
    because pfil_run_hooks (in ip6_input) is called _before_ the kernel
    initializes the scopes.

    Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
    never actually sent.

    Perhaps it would be better to have the kernel initialize the scopes
    before invoking pfil_run_hooks, but several things will need to be fixed
    in several places.

    Tested with a simple TCPv6 server. Until now the client would block
    waiting for an answer that never came; now it receives an RST right away
    and closes the connection, as expected.
    I believe that the same problem exists in the "return-icmp" rules, but I
    can't investigate this right now (some problems with wireshark).

    Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
    caused the "return-rst" rules to send back an RST with the wrong ACK when
    the received SYN had an IPv6 option.

    Set the scopes before calling icmp6_error(). This fixes a bug similar to
    the one I fixed in rev1.17: since the scopes were not set the packet was
    never actually sent.

    Tested with wireshark, now the ICMPv6 reply is correctly sent, as
    expected.

    Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
    AH must be considered as the payload, otherwise a

     block all
     pass in proto ah from any
     pass out proto ah from any

    configuration will actually block everything, because NPF checks the
    protocol against the one found after AH, and not AH itself.

    In addition it may have been a problem for stateful connections; an AH
    packet sent by an attacker with an incorrect authentication and a correct
    TCP/UDP/whatever payload from an active connection could manage to change
    NPF's FSM state, which would perhaps have altered the legitimate
    connection with the authenticated remote IPsec host.

    Note that IPv4 already doesn't go beyond AH, which is the correct
    behavior.

    Add XXX (we don't handle IPv6 Jumbograms), and whitespace.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/net/npf'
  unixtime: '1525880137'
  user: martin