1aac74aeaSAndrey V. Elsukov /*-
2aac74aeaSAndrey V. Elsukov * Copyright (c) 2017 Yandex LLC
3aac74aeaSAndrey V. Elsukov * Copyright (c) 2017 Andrey V. Elsukov <ae@FreeBSD.org>
4aac74aeaSAndrey V. Elsukov * All rights reserved.
5aac74aeaSAndrey V. Elsukov *
6aac74aeaSAndrey V. Elsukov * Redistribution and use in source and binary forms, with or without
7aac74aeaSAndrey V. Elsukov * modification, are permitted provided that the following conditions
8aac74aeaSAndrey V. Elsukov * are met:
9aac74aeaSAndrey V. Elsukov *
10aac74aeaSAndrey V. Elsukov * 1. Redistributions of source code must retain the above copyright
11aac74aeaSAndrey V. Elsukov * notice, this list of conditions and the following disclaimer.
12aac74aeaSAndrey V. Elsukov * 2. Redistributions in binary form must reproduce the above copyright
13aac74aeaSAndrey V. Elsukov * notice, this list of conditions and the following disclaimer in the
14aac74aeaSAndrey V. Elsukov * documentation and/or other materials provided with the distribution.
15aac74aeaSAndrey V. Elsukov *
16aac74aeaSAndrey V. Elsukov * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17aac74aeaSAndrey V. Elsukov * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18aac74aeaSAndrey V. Elsukov * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19aac74aeaSAndrey V. Elsukov * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20aac74aeaSAndrey V. Elsukov * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21aac74aeaSAndrey V. Elsukov * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22aac74aeaSAndrey V. Elsukov * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23aac74aeaSAndrey V. Elsukov * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24aac74aeaSAndrey V. Elsukov * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25aac74aeaSAndrey V. Elsukov * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26aac74aeaSAndrey V. Elsukov */
27aac74aeaSAndrey V. Elsukov
28aac74aeaSAndrey V. Elsukov #include "opt_inet.h"
29aac74aeaSAndrey V. Elsukov #include "opt_inet6.h"
30aac74aeaSAndrey V. Elsukov
31aac74aeaSAndrey V. Elsukov #include <sys/param.h>
32aac74aeaSAndrey V. Elsukov #include <sys/systm.h>
33aac74aeaSAndrey V. Elsukov #include <sys/errno.h>
34aac74aeaSAndrey V. Elsukov #include <sys/kernel.h>
35aac74aeaSAndrey V. Elsukov #include <sys/mbuf.h>
36aac74aeaSAndrey V. Elsukov #include <sys/module.h>
37aac74aeaSAndrey V. Elsukov #include <sys/socket.h>
38aac74aeaSAndrey V. Elsukov
39aac74aeaSAndrey V. Elsukov #include <net/if.h>
40aac74aeaSAndrey V. Elsukov #include <net/if_var.h>
41aac74aeaSAndrey V. Elsukov #include <net/pfil.h>
42aac74aeaSAndrey V. Elsukov #include <net/vnet.h>
43aac74aeaSAndrey V. Elsukov
44aac74aeaSAndrey V. Elsukov #include <netinet/in.h>
45aac74aeaSAndrey V. Elsukov #include <netinet/ip.h>
46aac74aeaSAndrey V. Elsukov #include <netinet/ip_var.h>
47aac74aeaSAndrey V. Elsukov #include <netinet/tcp.h>
48aac74aeaSAndrey V. Elsukov #include <netinet/ip_fw.h>
49aac74aeaSAndrey V. Elsukov #include <netinet/ip6.h>
50aac74aeaSAndrey V. Elsukov
51aac74aeaSAndrey V. Elsukov #include <netpfil/ipfw/ip_fw_private.h>
52aac74aeaSAndrey V. Elsukov #include <netpfil/ipfw/pmod/pmod.h>
53aac74aeaSAndrey V. Elsukov
54aac74aeaSAndrey V. Elsukov #include <machine/in_cksum.h>
55aac74aeaSAndrey V. Elsukov
/*
 * Per-VNET id of the "tcp-setmss" external action.  Set by
 * tcpmod_init() from ipfw_add_eaction() and cleared by tcpmod_uninit();
 * 0 means the action is not registered.
 */
VNET_DEFINE_STATIC(uint32_t, tcpmod_setmss_eid) = 0;
#define V_tcpmod_setmss_eid VNET(tcpmod_setmss_eid)
58aac74aeaSAndrey V. Elsukov
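/*
 * Find the MSS option in the TCP header at @tcp and lower it to @mss.
 *
 * @mp   mbuf chain holding the whole packet; *mp is replaced if the
 *       chain has to be pulled up, and is left NULL when that fails
 *       (m_pullup() frees the chain on failure).
 * @tcp  TCP header inside *mp.  The caller has verified that the header
 *       has options and that it fits in the packet.
 * @tlen TCP header length in bytes (th_off << 2).
 * @mss  new MSS, network byte order.
 *
 * Returns 0 once an MSS option of the right length has been seen,
 * whether or not it was rewritten (a value already <= @mss is left
 * alone), IP_FW_DENY otherwise.  The TCP checksum is patched only when
 * it is not going to be computed later (no CSUM_TCP/CSUM_TCP_IPV6 flag
 * on the packet).  Option bytes are read and written with bcopy()
 * because they are not aligned.
 */
static int
tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss)
{
	struct mbuf *m;
	u_char *cp;
	int optlen, ret, off;
	uint16_t oldmss, csum;

	m = *mp;
	ret = IP_FW_DENY;
	if (m->m_len < m->m_pkthdr.len) {
		/*
		 * We shouldn't have any data, IP packet contains only
		 * TCP header with options.
		 *
		 * m_pullup() may return a different mbuf with the data
		 * copied into it (that is why *mp is reassigned), in
		 * which case @tcp would still point into the old one.
		 * Remember the header's offset from the start of the
		 * data and recompute the pointer from the chain we
		 * actually got back.
		 */
		off = (u_char *)tcp - mtod(m, u_char *);
		*mp = m = m_pullup(m, m->m_pkthdr.len);
		if (m == NULL)
			return (ret);
		tcp = mtodo(m, off);
	}
	/* Parse TCP options. */
	for (tlen -= sizeof(struct tcphdr), cp = (u_char *)(tcp + 1);
	    tlen > 0; tlen -= optlen, cp += optlen) {
		if (cp[0] == TCPOPT_EOL)
			break;
		if (cp[0] == TCPOPT_NOP) {
			optlen = 1;
			continue;
		}
		/* Every other option carries a length byte. */
		if (tlen < 2)
			break;
		optlen = cp[1];
		/* Malformed length: stop rather than step past @tlen. */
		if (optlen < 2 || optlen > tlen)
			break;
		if (cp[0] == TCPOPT_MAXSEG) {
			if (optlen != TCPOLEN_MAXSEG)
				break;
			ret = 0; /* report success */
			bcopy(cp + 2, &oldmss, sizeof(oldmss));
			/* Do not update lower MSS value */
			if (ntohs(oldmss) <= ntohs(mss))
				break;
			bcopy(&mss, cp + 2, sizeof(mss));
			/* Update checksum if it is not delayed. */
			if ((m->m_pkthdr.csum_flags &
			    (CSUM_TCP | CSUM_TCP_IPV6)) == 0) {
				bcopy(&tcp->th_sum, &csum, sizeof(csum));
				csum = cksum_adjust(csum, oldmss, mss);
				bcopy(&csum, &tcp->th_sum, sizeof(csum));
			}
			break;
		}
	}

	return (ret);
}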
114aac74aeaSAndrey V. Elsukov
115aac74aeaSAndrey V. Elsukov #ifdef INET6
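/*
 * Locate the TCP header in an IPv6 packet and hand it to
 * tcpmod_setmss().
 *
 * @mp  mbuf chain holding the packet, starting at the IPv6 header.
 * @mss new MSS, network byte order.
 *
 * Returns IP_FW_DENY when the header following the skipped extension
 * headers is not TCP, when the TCP header has no options, or when it
 * does not fit in the packet; otherwise whatever tcpmod_setmss()
 * returns.
 */
static int
tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss)
{
	struct ip6_hdr *ip6;
	struct ip6_hbh *hbh;
	struct tcphdr *tcp;
	int hlen, plen, proto;

	ip6 = mtod(*mp, struct ip6_hdr *);
	hlen = sizeof(*ip6);
	proto = ip6->ip6_nxt;
	/*
	 * Skip IPv6 extension headers and get the TCP header.
	 * ipfw_chk() has already done this work. So we are sure that
	 * we will not do an access to the out of bounds. For this
	 * reason we skip some checks here.
	 */
	while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING ||
	    proto == IPPROTO_DSTOPTS) {
		hbh = mtodo(*mp, hlen);
		proto = hbh->ip6h_nxt;
		hlen += (hbh->ip6h_len + 1) << 3;
	}
	/*
	 * The caller checked only f_id.proto, which ipfw_chk() may have
	 * derived after walking a header this loop does not skip (the
	 * fragment header, per the note in ipfw_tcpmod()).  If the next
	 * header here is not TCP, the bytes at @hlen belong to some
	 * other header, and parsing them as a TCP header would read and
	 * possibly rewrite bytes that are not TCP options.  Treat such
	 * a packet as not matched instead.
	 */
	if (proto != IPPROTO_TCP)
		return (IP_FW_DENY);
	tcp = mtodo(*mp, hlen);
	plen = (*mp)->m_pkthdr.len - hlen;
	hlen = tcp->th_off << 2;
	/* We must have TCP options and enough data in a packet. */
	if (hlen <= sizeof(struct tcphdr) || hlen > plen)
		return (IP_FW_DENY);
	return (tcpmod_setmss(mp, tcp, hlen, mss));
}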
147aac74aeaSAndrey V. Elsukov #endif /* INET6 */
148aac74aeaSAndrey V. Elsukov
149aac74aeaSAndrey V. Elsukov #ifdef INET
/*
 * Locate the TCP header in an IPv4 packet and hand it to
 * tcpmod_setmss().
 *
 * @mp  mbuf chain holding the packet, starting at the IP header.
 * @mss new MSS, network byte order.
 *
 * The IP header length comes from ip_hl; the TCP header is assumed to
 * be contiguous with it (ipfw_chk() pulled it up, see the note in
 * ipfw_tcpmod()).  Returns IP_FW_DENY when the TCP header has no
 * options or does not fit in the packet, otherwise whatever
 * tcpmod_setmss() returns.
 */
static int
tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss)
{
	struct ip *iph;
	struct tcphdr *th;
	int iphlen, thlen, remain;

	iph = mtod(*mp, struct ip *);
	iphlen = iph->ip_hl << 2;
	th = mtodo(*mp, iphlen);
	/* Bytes left in the packet after the IP header. */
	remain = (*mp)->m_pkthdr.len - iphlen;
	thlen = th->th_off << 2;
	/* We must have TCP options and enough data in a packet. */
	if (thlen <= sizeof(struct tcphdr) || thlen > remain)
		return (IP_FW_DENY);
	return (tcpmod_setmss(mp, th, thlen, mss));
}
167aac74aeaSAndrey V. Elsukov #endif /* INET */
168aac74aeaSAndrey V. Elsukov
169aac74aeaSAndrey V. Elsukov /*
170aac74aeaSAndrey V. Elsukov * ipfw external action handler.
171aac74aeaSAndrey V. Elsukov */
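/*
 * ipfw external action handler for "tcp-setmss".
 *
 * @cmd is the O_EXTERNAL_ACTION instruction; the O_EXTERNAL_DATA
 * instruction that follows it carries the MSS (host order) in arg1.
 *
 * Returns 0 with *done == 0 when the packet is a TCP SYN carrying an
 * MSS option, so that ipfw_chk() counts the rule as matched.  Returns
 * IP_FW_DENY with *done == 0 when the packet does not apply (wrong
 * action, not a TCP SYN, no MSS option), which ipfw_chk() treats as
 * "not matched".  If the mbuf was consumed along the way (args->m is
 * NULL on return) *done is set so that rule evaluation stops.
 */
static int
ipfw_tcpmod(struct ip_fw_chain *chain, struct ip_fw_args *args,
    ipfw_insn *cmd, int *done)
{
	ipfw_insn *icmd;
	int ret;

	*done = 0; /* try next rule if not matched */
	ret = IP_FW_DENY;
	icmd = cmd + F_LEN(cmd);
	if (cmd->opcode != O_EXTERNAL_ACTION ||
	    insntod(cmd, kidx)->kidx != V_tcpmod_setmss_eid ||
	    icmd->opcode != O_EXTERNAL_DATA ||
	    icmd->len != F_INSN_SIZE(ipfw_insn))
		return (ret);

	/*
	 * NOTE: ipfw_chk() can set f_id.proto from IPv6 fragment header,
	 * but f_id._flags can be filled only from real TCP header.
	 *
	 * NOTE: ipfw_chk() drops very short packets in the PULLUP_TO()
	 * macro. But we need to check that mbuf is contiguous more than
	 * IP+IP_options/IP_extensions+tcphdr length, because TCP header
	 * must have TCP options, and ipfw_chk() does PULLUP_TO() size of
	 * struct tcphdr.
	 *
	 * NOTE: we require only the presence of SYN flag. User should
	 * properly configure the rule to select the direction of packets,
	 * that should be modified.
	 */
	if (args->f_id.proto != IPPROTO_TCP ||
	    (args->f_id._flags & TH_SYN) == 0)
		return (ret);

	switch (args->f_id.addr_type) {
#ifdef INET
	case 4:
		ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1));
		break;
#endif
#ifdef INET6
	case 6:
		ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1));
		break;
#endif
	default:
		/* Neither IPv4 nor IPv6: leave ret at IP_FW_DENY. */
		break;
	}
	/*
	 * tcpmod_setmss() may have to m_pullup() the chain; when that
	 * fails the chain has been freed and args->m is NULL.  With the
	 * packet gone there is nothing for later rules to evaluate, so
	 * report completion (ret is still IP_FW_DENY here) instead of
	 * "not matched" and let ipfw_chk() drop it.
	 */
	if (args->m == NULL)
		*done = 1;
	/*
	 * We return zero in both @ret and @done on success, and ipfw_chk()
	 * will update rule counters. Otherwise a packet will not be matched
	 * by rule.
	 */
	return (ret);
}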
225aac74aeaSAndrey V. Elsukov
/*
 * Register the "tcp-setmss" external action on chain @ch and remember
 * its id in V_tcpmod_setmss_eid.  @first is unused.
 *
 * Returns 0 on success, ENXIO when ipfw_add_eaction() handed back
 * id 0 (the id is still stored, so the variable reads 0 either way).
 */
int
tcpmod_init(struct ip_fw_chain *ch, int first)
{
	uint32_t eid;

	eid = ipfw_add_eaction(ch, ipfw_tcpmod, "tcp-setmss");
	V_tcpmod_setmss_eid = eid;
	return (eid == 0 ? ENXIO : 0);
}
235aac74aeaSAndrey V. Elsukov
/*
 * Unregister the "tcp-setmss" external action from chain @ch and reset
 * V_tcpmod_setmss_eid to 0 (not registered).  @last is unused.
 */
void
tcpmod_uninit(struct ip_fw_chain *ch, int last)
{
	uint32_t eid;

	eid = V_tcpmod_setmss_eid;
	ipfw_del_eaction(ch, eid);
	/* Cleared after removal, matching the registration order. */
	V_tcpmod_setmss_eid = 0;
}
243