From 2387715c49e45565233a19035b4b09e175e77cba Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 12 Jul 2019 00:50:33 +0000 Subject: [PATCH] MFC r348987, r348989: Resolve IPv6 checksum errors with stateful inspection. According to PR/203585 this appears to have been broken by r235959, which predates the ipfilter 5.1.2 import into FreeBSD. The IPv6 checksum calculation is incorrect. To resolve this we call in6_cksum() to do the the heavy lifting for us, through a new function ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe is added to aid with future debugging. Plus whitespace adjustments (r348989). PR: 203275, 203585 Differential Revision: https://reviews.freebsd.org/D20583 git-svn-id: svn://svn.freebsd.org/base/stable/10@349927 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/contrib/ipfilter/netinet/fil.c | 40 +++++++------- sys/contrib/ipfilter/netinet/ip_fil.h | 4 ++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 53 +++++++++++++++++++ 3 files changed, 75 insertions(+), 22 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 8f10e414a..8cd2062c8 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -3433,35 +3433,21 @@ fr_cksum(fin, ip, l4proto, l4hdr) sum += *sp++; sum += *sp++; /* ip_dst */ sum += *sp++; + slen = fin->fin_plen - off; + sum += htons(slen); #ifdef USE_INET6 } else if (IP_V(ip) == 6) { + mb_t *m; + + m = fin->fin_m; ip6 = (ip6_t *)ip; - hlen = sizeof(*ip6); - off = ((char *)fin->fin_dp - (char *)fin->fin_ip); - sp = (u_short *)&ip6->ip6_src; - sum += *sp++; /* ip6_src */ - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - /* This needs to be routing header aware. */ - sum += *sp++; /* ip6_dst */ - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; - sum += *sp++; + off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); + int len = ntohs(ip6->ip6_plen) - (off - sizeof(*ip6)); + return(ipf_pcksum6(fin, ip6, off, len)); } else { return 0xffff; } #endif - slen = fin->fin_plen - off; - sum += htons(slen); switch (l4proto) { @@ -6662,6 +6648,12 @@ ipf_checkl4sum(fin) if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0) return 1; + DT2(l4sumo, int, fin->fin_out, int, (int)fin->fin_p); + if (fin->fin_out == 1) { + fin->fin_cksum = FI_CK_SUMOK; + return 0; + } + csump = NULL; hdrsum = 0; dosum = 0; @@ -6713,7 +6705,11 @@ ipf_checkl4sum(fin) } #endif DT2(l4sums, u_short, hdrsum, u_short, sum); +#ifdef USE_INET6 + if (hdrsum == sum || (sum == 0 && fin->fin_p == IPPROTO_ICMPV6)) { +#else if (hdrsum == sum) { +#endif fin->fin_cksum = FI_CK_SUMOK; return 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 33d14b837..82419c9a7 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -1903,6 +1903,10 @@ extern int ipf_matchicmpqueryreply __P((int, icmpinfo_t *, extern u_32_t ipf_newisn __P((fr_info_t *)); extern u_short ipf_nextipid __P((fr_info_t *)); extern u_int ipf_pcksum __P((fr_info_t *, int, u_int)); +#ifdef USE_INET6 +extern u_int ipf_pcksum6 __P((fr_info_t *, ip6_t *, + u_int32_t, u_int32_t)); +#endif extern void ipf_rule_expire __P((ipf_main_softc_t *)); extern int ipf_scanlist __P((fr_info_t *, u_32_t)); extern frentry_t *ipf_srcgrpmap __P((fr_info_t *, u_32_t *)); diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c index 831c4c632..9d5d05baa 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c @@ -1465,3 +1465,56 @@ ipf_pcksum(fin, hlen, sum) sum2 = ~sum & 0xffff; return sum2; } + +#ifdef USE_INET6 +#ifdef _KERNEL +u_int +ipf_pcksum6(fin, ip6, off, len) + fr_info_t *fin; + ip6_t *ip6; + u_int32_t off; + u_int32_t len; +{ + struct mbuf *m; + int sum; + + m = fin->fin_m; + if (m->m_len < sizeof(struct ip6_hdr)) { + return 0xffff; + } + + sum = in6_cksum(m, ip6->ip6_nxt, off, len); + return(sum); +} +#else +u_int +ipf_pcksum6(fin, ip6, off, len) + fr_info_t *fin; + ip6_t *ip6; + u_int32_t off; + u_int32_t len; +{ + u_short *sp; + u_int sum; + + sp = (u_short *)&ip6->ip6_src; + sum = *sp++; /* ip6_src */ + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; /* ip6_dst */ + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + sum += *sp++; + return(ipf_pcksum(fin, off, sum)); +} +#endif +#endif -- 2.42.0