a6173e94 | 06-Nov-2023 | Kristof Provost <kp@FreeBSD.org>

pf: expose more syncookie state information to userspace

Allow userspace to retrieve low and high water marks, as well as the current number of half open states.

MFC after: 1 week
Sponsored by: Modirum MDPay

7dc3be36 | 19-Jun-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: Fix usage of pf tags with syncookies

The value stored in pf_mtag->tag comes from "tag" and "match tag" keywords in pf.conf and must not be abused for storing other information. A ruleset with enough tags could set or remove the bits responsible for PF_TAG_SYNCOOKIE_RECREATED. Move this syncookie status to pf_mtag->flags. Rename this and other related constants in a way that will prevent such mistakes in the future.

Move PF_REASSEMBLED constant to mbuf.h and rename accordingly because it's not a flag stored in pf_mtag, but an identifier of a different m_tag. Change the value of the constant to avoid conflicts with other m_tags using MTAG_ABI_COMPAT.

Rename the variables in pf_build_tcp() and pf_send_tcp() to reduce confusion.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40587

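The aliasing that commit describes, shown as an added example (it is not pf's code). It assumes a 16-bit tag field and, purely for illustration, that the old PF_TAG_SYNCOOKIE_RECREATED marker lived in bit 15 of that same field; the real constant's value is not on this page. The "before" layout reproduces both failure modes the message names (a large tag id reads as the marker, and a later tag assignment wipes the marker); the "after" layout keeps the ruleset tag id and the status bits in separate fields, as the commit does with pf_mtag->flags.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical value: assume the old code kept the "recreated" status in the
 * top bit of the 16-bit tag field. Not the real constant. */
#define OLD_TAG_SYNCOOKIE_RECREATED 0x8000u

/* Before: one field carries both the ruleset tag id and a status bit. */
struct old_mtag { uint16_t tag; };

static void old_set_tag(struct old_mtag *m, uint16_t tagid) { m->tag = tagid; }
static void old_mark_recreated(struct old_mtag *m) { m->tag |= OLD_TAG_SYNCOOKIE_RECREATED; }
static bool old_is_recreated(const struct old_mtag *m) { return (m->tag & OLD_TAG_SYNCOOKIE_RECREATED) != 0; }

/* After: the tag id and the status flags live in separate fields. */
#define PF_MTAG_FLAG_SYNCOOKIE_RECREATED 0x01u   /* hypothetical value */
struct new_mtag { uint16_t tag; uint8_t flags; };

static void new_set_tag(struct new_mtag *m, uint16_t tagid) { m->tag = tagid; }
static void new_mark_recreated(struct new_mtag *m) { m->flags |= PF_MTAG_FLAG_SYNCOOKIE_RECREATED; }
static bool new_is_recreated(const struct new_mtag *m) { return (m->flags & PF_MTAG_FLAG_SYNCOOKIE_RECREATED) != 0; }

/* Failure mode 1: a ruleset with enough distinct tags hands out an id with
 * bit 15 set, and the packet "looks" recreated although nobody marked it. */
bool old_layout_false_positive(uint16_t tagid) {
    struct old_mtag m = {0};
    old_set_tag(&m, tagid);
    return old_is_recreated(&m);
}
bool new_layout_false_positive(uint16_t tagid) {
    struct new_mtag m = {0};
    new_set_tag(&m, tagid);
    return new_is_recreated(&m);
}

/* Failure mode 2: a later "tag" rule assigns an id and clobbers the marker. */
bool old_layout_loses_mark(uint16_t tagid) {
    struct old_mtag m = {0};
    old_mark_recreated(&m);
    old_set_tag(&m, tagid);
    return !old_is_recreated(&m);
}
bool new_layout_loses_mark(uint16_t tagid) {
    struct new_mtag m = {0};
    new_mark_recreated(&m);
    new_set_tag(&m, tagid);
    return !new_is_recreated(&m);
}
```

The general lesson is the one the commit draws: a field whose value is chosen by configuration must not double as a bit field for kernel-internal status, because the configuration can eventually reach any bit pattern.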
39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible, pf.conf can still be written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

933be8d7 | 31-Dec-2022 | Kristof Provost <kp@FreeBSD.org>

pf: default syncookies to adaptive mode

The cost of enabling syncookies in adaptive mode is very low (basically a single atomic add when we create a new half-open state), and the payoff when under SYN flood is huge. So, enable adaptive mode by default.

Suggested by: Eirik Øverby

9c041b45 | 31-Dec-2022 | Kristof Provost <kp@FreeBSD.org>

pf: fix syncookies in conjunction with tcp fast port reuse

Basic scenario: we have a closed connection (In TCPS_FIN_WAIT_2), and get a new connection (i.e. SYN) re-using the tuple.

Without syncookies we look at the SYN, and completely unlink the old, closed state on the SYN. With syncookies we send a generated SYN|ACK back, and drop the SYN, never looking at the state table. So when the ACK (i.e. the third step in the three way handshake for connection setup) turns up, we've not actually removed the old state, so we find it, and don't do the syncookie dance, or allow the new connection to get set up.

Explicitly check for this in pf_test_state_tcp(). If we find a state in TCPS_FIN_WAIT_2 and the syncookie is valid we delete the existing state so we can set up the new state.

Note that when we verify the syncookie in pf_test_state_tcp() we don't decrement the number of half-open connections to avoid an incorrect double decrement.

MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D37919

e68b3792 | 07-Dec-2022 | Gleb Smirnoff <glebius@FreeBSD.org>

tcp: embed inpcb into tcpcb

For the TCP protocol inpcb storage specify allocation size that would provide space to most of the data a TCP connection needs, embedding into struct tcpcb several structures that previously were allocated separately. The most important one is the inpcb itself. With embedding we can provide a strong guarantee that with a valid TCP inpcb the tcpcb is always valid and vice versa. Also we reduce the number of allocs/frees per connection.

The embedded inpcb is placed in the beginning of the struct tcpcb, since in_pcballoc() requires that. However, later we may want to move it around for cache line efficiency, and this can be done with a little effort. The new intotcpcb() macro is ready for such a move.

The congestion algorithm data, the TCP timers and osd(9) data are also embedded into tcpcb, and temporary struct tcpcb_mem goes away. There was no extra allocation here, but we went through an extra pointer every time we accessed this data.

One interesting side effect is that now TCP data is allocated from an SMR-protected zone. Potentially this allows the TCP stacks or other TCP related modules to utilize that for their own synchronization.

A large part of the change was done with sed script:

s/tp->ccv->/tp->t_ccv./g
s/tp->ccv/\&tp->t_ccv/g
s/tp->cc_algo/tp->t_cc/g
s/tp->t_timers->tt_/tp->tt_/g
s/CCV\(ccv, osd\)/\&CCV(ccv, t_osd)/g

A dependency side effect is that code that needs to know struct tcpcb should also know struct inpcb, that added several <netinet/in_pcb.h>.

Differential revision: https://reviews.freebsd.org/D37127

a37e0e6d | 02-Jun-2022 | Franco Fichtner <franco@opnsense.org>

pf: fix more syncookie memory leaks

Allocate memory for packed nvlists in M_NVLIST, as nvlist_pack() does this as well, and we use the same variable interchangeably with the memory we allocate. When we free it we can end up freeing from the wrong zone, leaking memory.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D35385

be461cdf | 07-Apr-2022 | Kristof Provost <kp@FreeBSD.org>

pf syncookies: fix memory leak

We forgot to free the nvlist (and packed nvlist) on success.

While here start using the ERROUT macro to clean up error handling, and to add SDTs for better debugging.

Reported by: Coverity
CID: 1473150

955460d4 | 24-Jul-2021 | Kristof Provost <kp@FreeBSD.org>

pf: hook up adaptive mode configuration

The kernel side of pf syncookie adaptive mode configuration.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32135

bf863718 | 24-Jul-2021 | Kristof Provost <kp@FreeBSD.org>

pf: implement adaptive mode

Use atomic counters to ensure that we correctly track the number of half open states and syncookie responses in-flight. This determines if we activate or deactivate syncookies in adaptive mode.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D32134

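A model of the adaptive mode described in this commit and in a6173e94 (which exposes the low and high water marks and the half-open count to userspace), written as an added example; it is not pf's code. The decision rule (answer SYNs with cookies once the number of half-open states reaches the high water mark, go back to creating states once it drains to the low water mark), the threshold values and the event names are assumptions made for the illustration. What it does show is the property the messages rely on: the normal SYN path costs one atomic add, and while cookies are on a SYN touches no counter and allocates nothing.

```c
#include <stdatomic.h>
#include <stdbool.h>

struct syncookie_adaptive {
    atomic_uint half_open;    /* half-open states currently in the state table */
    atomic_bool cookies_on;   /* true while SYNs are answered with cookies */
    unsigned lowat, hiwat;    /* assumed thresholds; hysteresis between them */
};

void sc_init(struct syncookie_adaptive *a, unsigned lowat, unsigned hiwat) {
    atomic_init(&a->half_open, 0);
    atomic_init(&a->cookies_on, false);
    a->lowat = lowat;
    a->hiwat = hiwat;
}

/* Inbound SYN. Returns true if it must be answered with a cookie and no
 * state is to be created; false if a half-open state was just created. */
bool sc_on_syn(struct syncookie_adaptive *a) {
    if (atomic_load(&a->cookies_on))
        return true;                               /* flood mode: stateless reply */
    unsigned n = atomic_fetch_add(&a->half_open, 1) + 1;   /* the single atomic add */
    if (n >= a->hiwat)
        atomic_store(&a->cookies_on, true);        /* crossed the high water mark */
    return false;
}

/* A half-open state completed its handshake or timed out. */
void sc_on_state_closed(struct syncookie_adaptive *a) {
    unsigned n = atomic_fetch_sub(&a->half_open, 1) - 1;
    if (n <= a->lowat)
        atomic_store(&a->cookies_on, false);       /* drained to the low water mark */
}

/* Client ACK carrying a valid cookie: the state created now is already
 * established, and nothing was counted on the SYN, so nothing is
 * decremented here (the double-decrement hazard 9c041b45 mentions). */
void sc_on_cookie_ack(struct syncookie_adaptive *a) {
    (void)a;
}

struct sc_stats { unsigned states_created, cookies_sent; bool ended_on; };

/* Constructed scenario: `syns` SYNs arrive with no completions, then `closes`
 * half-open states time out, then `syns_after` more SYNs arrive. */
struct sc_stats sc_simulate(unsigned lowat, unsigned hiwat,
                            unsigned syns, unsigned closes, unsigned syns_after) {
    struct syncookie_adaptive a;
    struct sc_stats s = { 0, 0, false };
    sc_init(&a, lowat, hiwat);
    for (unsigned i = 0; i < syns; i++)
        if (sc_on_syn(&a)) s.cookies_sent++; else s.states_created++;
    for (unsigned i = 0; i < closes && atomic_load(&a.half_open) > 0; i++)
        sc_on_state_closed(&a);
    for (unsigned i = 0; i < syns_after; i++)
        if (sc_on_syn(&a)) s.cookies_sent++; else s.states_created++;
    s.ended_on = atomic_load(&a.cookies_on);
    return s;
}
```

With lowat 10 and hiwat 100, a burst of 1000 SYNs creates exactly 100 states and answers the remaining 900 statelessly; cookies stay on until the table drains to 10 half-open states, after which new SYNs create states again. The gap between the two marks is what stops the mode from flapping on every state change near the threshold.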
4cab80a8 | 29-Aug-2021 | Kristof Provost <kp@FreeBSD.org>

pf: Add counters for syncookies

Count when we send a syncookie, receive a valid syncookie or detect a synflood.

Reviewed by: kbowling
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31713

da8d8b22 | 28-Jul-2021 | Kristof Provost <kp@FreeBSD.org>

pf: fix ABI breakage

The introduction of synproxy support changed the size of struct pf_status, which in turn broke the userspace ABI. Revert the relevant change.

More work is needed on the synproxy code to keep and expose the counters, but in the mean time this restores the ABI.

PR: 257469
MFC after: 3 days
Sponsored by: Modirum MDPay

32271c4d | 20-Jul-2021 | Kristof Provost <kp@FreeBSD.org>

pf: clean up syncookie callout on vnet shutdown

Ensure that we cancel any outstanding callouts for syncookies when we terminate the vnet.

MFC after: 1 week
Sponsored by: Modirum MDPay

84db87b8 | 20-Jul-2021 | Kristof Provost <kp@FreeBSD.org>

pf: remove stray debug line

MFC after: 1 week
Sponsored by: Modirum MDPay

231e83d3 | 26-May-2021 | Kristof Provost <kp@FreeBSD.org>

pf: syncookie ioctl interface

Kernel side implementation to allow switching between on and off modes, and allow this configuration to be retrieved.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31139

8e1864ed | 20-May-2021 | Kristof Provost <kp@FreeBSD.org>

pf: syncookie support

Import OpenBSD's syncookie support for pf.

This feature helps pf resist TCP SYN floods by only creating states once the remote host completes the TCP handshake rather than when the initial SYN packet is received.

This is accomplished by using the initial sequence numbers to encode a cookie (hence the name) in the SYN+ACK response and verifying this on receipt of the client ACK.

Reviewed by: kbowling
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31138

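The cookie mechanism that commit describes, as an added example rather than code from OpenBSD or FreeBSD pf: on a SYN the server answers with a SYN+ACK whose initial sequence number is a keyed hash over the connection tuple, a coarse time counter and an encoded MSS, stores nothing, and on the client's ACK recomputes the hash to decide whether to create the state. The 32-bit cookie layout (5 time bits, 3 MSS-index bits, 24 hash bits), the MSS table and the one-tick validity window are assumptions made for this illustration; SipHash-2-4 is used as the keyed hash because a syncookie needs a keyed function an attacker cannot forge, and that choice is mine, not something this page says pf uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tuple as seen on the SYN (client -> server). The client's ACK carries the
 * same tuple, so both halves of the handshake hash the same bytes. */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

/* ---- SipHash-2-4, reference algorithm; the 16-byte key is the secret ---- */
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t le64(const uint8_t *p) {
    uint64_t r = 0;
    for (int i = 7; i >= 0; i--) r = (r << 8) | p[i];
    return r;
}

static uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len) {
    uint64_t v0 = 0x736f6d6570736575ULL ^ le64(key);
    uint64_t v1 = 0x646f72616e646f6dULL ^ le64(key + 8);
    uint64_t v2 = 0x6c7967656e657261ULL ^ le64(key);
    uint64_t v3 = 0x7465646279746573ULL ^ le64(key + 8);
    uint64_t b = (uint64_t)len << 56;
    size_t i;
    for (i = 0; i + 8 <= len; i += 8) {
        uint64_t m = le64(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* ---- Assumed cookie layout: [5 bits tick][3 bits MSS idx][24 bits MAC] ---- */
static const uint16_t mss_table[8] = { 216, 536, 1200, 1360, 1400, 1440, 1460, 8960 };

static uint8_t mss_to_idx(uint16_t mss) {
    uint8_t idx = 0;
    for (uint8_t i = 0; i < 8; i++) if (mss_table[i] <= mss) idx = i;
    return idx;   /* largest table entry not above the peer's MSS */
}

static uint32_t cookie_mac(const uint8_t key[16], const struct tuple *t, uint8_t tick, uint8_t idx) {
    uint8_t buf[14];
    memcpy(buf, &t->saddr, 4); memcpy(buf + 4, &t->daddr, 4);
    memcpy(buf + 8, &t->sport, 2); memcpy(buf + 10, &t->dport, 2);
    buf[12] = tick; buf[13] = idx;
    return (uint32_t)(siphash24(key, buf, sizeof buf) & 0xffffffu);
}

/* On SYN: the ISN to put in the SYN+ACK. No state is stored. */
uint32_t syncookie_generate(const uint8_t key[16], const struct tuple *t, uint32_t tick, uint16_t mss) {
    uint8_t tk = tick & 0x1f, idx = mss_to_idx(mss);
    return ((uint32_t)tk << 27) | ((uint32_t)idx << 24) | cookie_mac(key, t, tk, idx);
}

/* On ACK: the client acknowledges our ISN + 1. Returns the MSS to recreate
 * the state with, or 0 if the cookie is stale, forged or for another tuple. */
uint16_t syncookie_verify(const uint8_t key[16], const struct tuple *t, uint32_t tick, uint32_t ack) {
    uint32_t cookie = ack - 1;
    uint8_t tk = cookie >> 27, idx = (cookie >> 24) & 7;
    if (((tick - tk) & 0x1f) > 1) return 0;                              /* older than one tick */
    if ((cookie & 0xffffffu) != cookie_mac(key, t, tk, idx)) return 0;  /* MAC mismatch */
    return mss_table[idx];
}

/* Constructed demo inputs: key and tuple are made up for this example. */
static const uint8_t demo_key[16] = { 0x0b,0xad,0xca,0xfe,0xde,0xad,0xbe,0xef,
                                      0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef };
static const struct tuple demo_tuple = { 0xc0a80102u, 0x0a000001u, 40000, 443 };

/* One handshake: SYN at syn_tick, ACK at ack_tick, ACK number offset by
 * ack_skew from the expected ISN+1, ACK source port as given (a different
 * port is a different tuple). Returns the recovered MSS, 0 on rejection. */
uint16_t demo_handshake(uint32_t syn_tick, uint32_t ack_tick, uint32_t ack_skew, uint16_t ack_sport) {
    uint32_t isn = syncookie_generate(demo_key, &demo_tuple, syn_tick, 1460);
    struct tuple seen = demo_tuple;
    seen.sport = ack_sport;
    return syncookie_verify(demo_key, &seen, ack_tick, isn + 1 + ack_skew);
}

int main(void) {
    printf("fresh ACK      -> mss %u\n", demo_handshake(5, 5, 0, 40000));
    printf("next tick      -> mss %u\n", demo_handshake(5, 6, 0, 40000));
    printf("two ticks late -> mss %u\n", demo_handshake(5, 7, 0, 40000));
    printf("wrong ACK num  -> mss %u\n", demo_handshake(5, 5, 1, 40000));
    printf("other port     -> mss %u\n", demo_handshake(5, 5, 0, 40001));
    return 0;
}
```

Two practical points follow from the layout. Only what is encoded in the cookie survives the stateless phase, so options the SYN carried but the cookie does not encode (window scale, SACK permitted, timestamps) are lost for that connection; and the MAC covers the time counter, so a cookie captured in one window cannot be replayed later, while the counter wrap (tick 31 followed by tick 0) is handled by the modular age check rather than a plain comparison.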