From owner-freebsd-pf@freebsd.org Mon Jan 22 08:10:56 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize
Date: Mon, 22 Jan 2018 08:10:56 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Who: david.marec@davenulle.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

--- Comment #21 from david.marec@davenulle.org ---
mallocarray() is now available for 11-Stable.

https://svnweb.freebsd.org/changeset/base/328210

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Tue Jan 23 15:51:55 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 193568] PF rdr rule with ipv6 does not work
Date: Tue, 23 Jan 2018 15:51:54 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Who: asomers@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568

--- Comment #5 from Alan Somers ---
Created attachment 190002
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=190002&action=edit
Fix RDR rules that redirect to ::1

"Fix" pf rdr rules with ::1 targets

Redirecting an IPv6 packet to ::1 is a violation of IPv6 scoping rules, because ::1 only has node-local scope. It's supposed to be used only for traffic that begins and ends on a single node. Plus, it's a bad practice security-wise (server processes are often bound to ::1 as a deliberate way to prevent them from talking to the outside world), and it doesn't work on multihomed, single-fib hosts (the reply packet doesn't know which interface to use if its destination is non-local). However, the same arguments apply to IPv4, and FreeBSD already has hacks to make it work there. So I'm extending those hacks to IPv6.

Even with this "fix", rdr won't work for packets destined to a link-local (ff80::*) address, because pf doesn't know how to set the embedded scope identifier on the reply packets.

A better solution would be to configure pf to only redirect a packet's port, not its address and port. However, pf doesn't currently have that capability.

netinet6/ip6_input.c
        In ip6_input, don't reject a packet with bad scope if the firewall has changed the destination address. ip_input does something similar with the "dchg" variable.

sys/netinet6/ip6_output.c
        In ip6_output, don't fail a packet immediately if the scope check fails. Instead, repeat the scope check after running it through the firewall, if the firewall changed either the src or dst address. ip_output simply does the scope checking after the firewall. However, ip6_output can't do that, because at that point multicast packets will have inconsistent embedded scope identifiers.
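As an added example (not part of the bug report or of FreeBSD's own code), a small audit script that flags pf.conf rdr rules whose translation target is a loopback address, which this patch only papers over and which exposes services deliberately bound to loopback, or an IPv6 link-local address, which rdr still cannot serve. It accepts a simplified subset of the rdr syntax, and the sample configuration is constructed.

```python
import ipaddress
import re

# The translation target of an rdr rule: "-> <addr>", optionally in parentheses.
# Only literal IP addresses are classified; macros, tables and interface names
# fail to parse as addresses and are left alone.
_TARGET_RE = re.compile(r"->\s*\(?\s*([0-9A-Fa-f:.]+)")


def classify_rdr_target(rule):
    """Return (target, reason) when an rdr rule redirects to a problematic
    address, or None when the rule is fine or has no literal-address target."""
    stripped = rule.split("#", 1)[0].strip()
    if not stripped.startswith("rdr"):
        return None
    m = _TARGET_RE.search(stripped)
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # macro, table or interface name, not a literal address
    if addr.is_loopback:
        return (str(addr), "loopback target: exposes loopback-bound services; "
                           "for IPv6 a scope violation, since ::1 is node-local")
    if addr.version == 6 and addr.is_link_local:
        return (str(addr), "link-local target: pf cannot set the embedded scope "
                           "identifier on the reply packets")
    return None


def audit_pf_conf(text):
    """Walk a pf.conf body and return [(line_no, target, reason), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = classify_rdr_target(line)
        if hit:
            findings.append((line_no, hit[0], hit[1]))
    return findings


# Constructed sample configuration, not taken from the bug report.
SAMPLE_PF_CONF = """\
ext_if = "em0"
# IPv4 redirect to loopback: only works because of the existing IPv4 hacks
rdr pass on $ext_if inet proto tcp from any to any port 8080 -> 127.0.0.1 port 80
# IPv6 redirect to ::1: the case discussed in bug 193568
rdr pass on $ext_if inet6 proto tcp from any to any port 8080 -> ::1 port 80
# IPv6 redirect to a link-local target: still unsupported after the patch
rdr pass on $ext_if inet6 proto tcp from any to any port 53 -> fe80::1 port 53
# Redirect to a routable ULA address: nothing to flag
rdr pass on $ext_if inet6 proto tcp from any to any port 443 -> fd00::10 port 8443
"""

if __name__ == "__main__":
    for line_no, target, reason in audit_pf_conf(SAMPLE_PF_CONF):
        print(f"line {line_no}: rdr -> {target}: {reason}")
```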
From owner-freebsd-pf@freebsd.org Tue Jan 23 23:34:40 2018
From: "Kristof Provost"
To: "John Jasen"
Cc: "FreeBSD PF"
Subject: Re: problems with tftp-proxy in 11.1?
Date: Wed, 24 Jan 2018 10:34:33 +1100
Message-ID: <6323CE5B-5F06-4A9F-BFFB-84EB88A69ABC@sigsegv.be>
In-Reply-To: <25C215BD-3869-4D74-88D6-50298287FBE0@sigsegv.be>
References: <9f0fc087-2aed-535e-c779-be0cc49cde26@gmail.com> <03C8B641-5A71-4FA5-92AD-178597EC5421@sigsegv.be> <25C215BD-3869-4D74-88D6-50298287FBE0@sigsegv.be>

On 14 Dec 2017, at 8:16, Kristof Provost wrote:
> On 7 Dec 2017, at 18:02, John Jasen wrote:
>> On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost wrote:
>>
>>> On 6 Dec 2017, at 21:25, John Jasen wrote:
>>>
>>> On 12/04/2017 02:47 PM, Kristof Provost wrote:
>>>
>>> Okay, so this is interesting:
>>>
>>> 25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffffffe5b0) ERR#2 'No such file or directory'
>>>
>>> The DIOCNATLOOK ioctl() fails with ENOENT, which happens if the state
>>> can't be found.
>>> Of course, I have no idea why that would happen. Does this affect some
>>> tftp connections or all of them?
>>>
>>
>> Some, where the amount seems somewhat random.
>>
> I *think* I've reproduced this. It seems to happen only to the first
> tftp packet, but at least that's something to go on. I'll try to
> investigate further soon.
>
Do you have 'set skip on lo0' set by any chance? I only see issues with that set, not once I unset it.
Regards,
Kristof

From owner-freebsd-pf@freebsd.org Sat Jan 27 09:39:56 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize
Date: Sat, 27 Jan 2018 09:39:54 +0000
X-Bugzilla-Who: fnoyanisi@yahoo.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

--- Comment #22 from fehmi noyan isi ---
Hi there. I patched pf_initialize() in head (r328383, which has mallocarray(9)) by implementing a fallback mallocarray(9) call (as discussed in the comments):

    /* Try the tunable size first; fall back to the default hash size. */
    if ((V_pf_idhash = mallocarray(pf_hashsize, sizeof(struct pf_idhash),
        M_PFHASH, M_WAITOK | M_ZERO)) == NULL) {
            V_pf_idhash = mallocarray(PF_HASHSIZ, sizeof(struct pf_idhash),
                M_PFHASH, M_NOWAIT | M_ZERO);
    }
    // and all other malloc(9) calls

Although this change protects the initialisation process against any overflow issues, the fallback mallocarray(..., M_WAITOK) calls still block in case too much memory is requested.

>> Memory allocation is very complicated and it's basically impossible to predict if there'd be enough free memory to satisfy a request without actually doing it. Moreover, it'd always be susceptible to races.

Based on Kristof's comment above, shall we assume this is as far as we can go?
From owner-freebsd-pf@freebsd.org Sat Jan 27 10:25:02 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 209475] pf didn't check if enough free RAM for net.pf.states_hashsize
Date: Sat, 27 Jan 2018 10:25:00 +0000
X-Bugzilla-Who: kp@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209475

--- Comment #23 from Kristof Provost ---
(In reply to fehmi noyan isi from comment #22)

Yeah, that's probably the best we can do for the allocation. It'd also be good to log that we haven't allocated all of the requested memory.

That's part of the problem. Another part (for another patch) is that the pf ioctl() handler seems to get registered before these allocations are done.
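The overflow-checked allocation with a default-size fallback and a log line, as discussed in comments #22 and #23, modelled in user space as an added example (not FreeBSD's pf_initialize() code): mallocarray(9) is stood in for by an explicit nmemb * size overflow check over calloc(), the hash-size constant and the names are constructed, and fprintf() stands in for the kernel log message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for pf's default hash size (PF_HASHSIZ in pf.c); the
 * requested size models what the net.pf.states_hashsize tunable asks for. */
#define DEFAULT_HASHSIZE 32768u

struct hash_alloc {
    void   *table;
    size_t  nmemb;      /* how many entries were actually allocated */
    int     fell_back;  /* 1 if the requested size could not be satisfied */
};

/* The check mallocarray(9) performs: refuse an nmemb * size product that
 * overflows size_t instead of silently allocating a too-small buffer. */
static int
would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Allocate the requested table; on overflow or allocation failure fall back to
 * the default size and report it, as proposed in comments #22 and #23. */
struct hash_alloc
alloc_hash_with_fallback(size_t requested, size_t size)
{
    struct hash_alloc r = { NULL, 0, 0 };

    if (!would_overflow(requested, size)) {
        r.table = calloc(requested, size);
        if (r.table != NULL) {
            r.nmemb = requested;
            return r;
        }
    }
    fprintf(stderr, "hash: requested %zu entries unavailable, using %u\n",
        requested, DEFAULT_HASHSIZE);
    r.fell_back = 1;
    r.table = calloc(DEFAULT_HASHSIZE, size);
    if (r.table != NULL)
        r.nmemb = DEFAULT_HASHSIZE;
    return r;
}

int main(void)
{
    struct hash_alloc ok  = alloc_hash_with_fallback(1024, 64);
    struct hash_alloc big = alloc_hash_with_fallback(SIZE_MAX / 2, 64); /* overflows */
    printf("normal: %zu entries, fell_back=%d\n", ok.nmemb, ok.fell_back);
    printf("overflow: %zu entries, fell_back=%d\n", big.nmemb, big.fell_back);
    free(ok.table); free(big.table);
    return 0;
}
```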