ifnet: Defer detaching address family dependent data
While diagnosing PR 279653 and PR 285129, I observed that thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer derefence is much better than writing
to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444
ifnet: Defer detaching address family dependent data
While diagnosing PR 279653 and PR 285129, I observed that thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer derefence is much better than writing
to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444
jail: Make prison_owns_vnet() operate on a prison instead of a ucred
This will be useful in an upcoming change. No functional change
intended.
Reviewed by: jamie
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51524
(cherry picked from commit 748a4ea1caffca48c4949d5a7b964853c44fbdae)
ifnet: Defer detaching address family dependent data
While diagnosing PR 279653 and PR 285129, I observed that thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer derefence is much better than writing
to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444
icmp: clear offset and flags when reflecting a packet
When reflecting a packet, use an offset of 0 and clear all three bits,
in particular the DF bit.
PR: 288558
Reviewed by: markj, zlei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51991
(cherry picked from commit b9a2d84b1bf7f9cf556e2f0b68023d5af8362797)
tcp: mitigate a side channel for detection of TCP connections
If a blind attacker wants to guess by sending ACK segments if there
exists a TCP connection , this might trigger a challenge ACK on an
existing TCP connection. To make this hit non-observable for the
attacker, also increment the global counter, which would have been
incremented if it would have been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel
Vulnerability Detection
Reviewed by: Nick Banks, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51724
(cherry picked from commit f0f6e50388963cae44bb92bb69ed7a1135dd2eec)
udp: fix local blackholing
The sysctl-variable net.inet.udp.blackhole_local should affect
UDP packets from an IPv6 address of the local host, not of a host on
the local area network.
Thanks to cc@ for pointing me to the issue.
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50829
(cherry picked from commit 16587f60a69820f1a319644da4ec1a40efbcbdf0)
tcp: fix local blackholing
The sysctl-variable net.inet.tcp.blackhole_local should affect
TCP segments from an IPv6 address of the local host, not of a host
on the local area network.
Thanks to cc@ for pointing me to the issue.
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50828
(cherry picked from commit de8fb1b3835758998a53d772deeebcdb71bbb823)
tcp: use 0 as the value being ignored
No functional change intended.
Sponsored by: Netflix, Inc.
(cherry picked from commit 36ba7339d4df0803f8e0655e2ba8d174d4ccec38)
tcp: fix handling of TIME WAIT for local TCP connections
The sysctl-variable net.inet.tcp.nolocaltimewait should affect
TCP connections where the remote endpoint is on the local host and
not on the local area network.
Reported by: cc
Reviewed by: cc
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D50830
(cherry picked from commit 49eabd405f661fa3a9f0a005c2e54dc4cad07e48)
IfAPI: restore KBI after bceb9c2f2b19
This commit restores if_bpfmtap and if_etherbpfmtap functions, and
implement them as wrappers around bpf_mtap_if and ether_bpf_mtap_if
funcitons.
Fixes: bceb9c2f2b19
Sponsored by: Juniper Networks, Inc.
IfAPI: Retire if_etherbpfmtap() and if_bpfmtap()
Summary:
These came in the original DrvAPI commits in 2014, and are obsoleted by
bpf_mtap_if() and ether_bpf_mtap_if(). The `_if` suffix, rather than
prefix, conveys that it's operating on the bpf of the interface, instead
than the interface itself.
Reviewed by: glebius
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41146
(cherry picked from commit 2a3716432d209c5fef1eb1a719f4c1914e7c8b5a)
vtnet, ptnet: include opt_*.h files early
Include opt_inet.h and opt_inet6.h early in the files including
virtio_net.h, since they use INET and/or INET6.
While there, remove redundant inclusion of sys/types.h, since it is
included already by sys/param.h.
There was a discussion to include opt_inet.h and opt_inet6.h also
in virtio_net.h. glebius suggested to add a mechanism for files
to check, if required opt_*.h files were included. virtio_net.h
will be the first consumer of this mechanism.
Reviewed by: glebius, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52046
(cherry picked from commit 3077532b1bb2911d3012ee90bae9d9499c960569)
if_ovpn: support floating clients
If a client changes its IP address notify userspace of this.
The UDP filtering function supplies the remote IP address, so we check if the
address changed there. If so, we tag the packet with the new address. Once the
packet is decrypted (and as part of that, has had its signature checked) we
can commit to the address change. Take the write lock and notify userspace of
the change.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51468
(cherry picked from commit 9c52600a5a150117b4396df3b868cf2516e1674c)
if_ovpn: fill out sin_len/sin6_len
When we parse an nvlist sockaddr we should set the sockaddr_in(6)'s length
field. This isn't currently used by anything yet, but it's reasonable to expect
a sockaddr to contain its length.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit e83df5367d30761803e09bd7fcf518638dfe43d2)
if_ovpn: Destroy cloned interfaces via a prison removal callback
A if_ovpn interface carries a reference to a socket, which has a
credential reference, which holds a reference on the containing prison
and prevents SYSUNINITs from being invoked. So, register a
PR_METHOD_REMOVE callback and destroy the cloner from there instead,
since that mechanism doesn't require the prison refcount to drop to zero
first.
This fixes a bug where jails get left stuck in the DYING state after
running if_ovpn regression tests.
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51526
(cherry picked from commit 96b29c7f0cffd377a757ad8ccc0cdd8fcb96d0dd)
ifnet: Defer detaching address family dependent data
While diagnosing PR 279653 and PR 285129, I observed that thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer derefence is much better than writing
to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444