Bug 222746

Summary: ipfw: tcpdatalen does not exactly match IPv6 packets.
Product: Base System Reporter: Tatsuki Makino <tatsuki_makino>
Component: kernAssignee: Andrey V. Elsukov <ae>
Status: Closed FIXED    
Severity: Affects Only Me CC: ae
Priority: --- Keywords: patch
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch for CURRENT
none
patch for CURRENT
none
patch for CURRENT
none
Proposed patch for tcplen none

Description Tatsuki Makino 2017-10-03 06:01:02 UTC 
Created attachment 186874 [details]
patch for CURRENT

tcpdatalen rule option does not match IPv6 packets correctly because code for IPv6 is not implemented.

# ipfw show 3100
03100    1819    135800 count log logamount 1000 tcp from any to any { tcpflags syn or tcpflags rst } tcpdatalen 32768-65535 // signed negative number range

The size of 1819 packets was over 32768 bytes, but the total was 135800 bytes.

tested on
# uname -a
FreeBSD T2.test 10.4-PRERELEASE FreeBSD 10.4-PRERELEASE #0 r324142M: Sun Oct  1 01:25:30 UTC 2017     root@T2.test:/usr/obj/usr/src/sys/GENERIC  amd64

A patch needs to be tested by people who know them well.
Comment 1 Tatsuki Makino 2017-10-04 04:08:13 UTC 
Created attachment 186894 [details]
patch for CURRENT

attachment 186874 [details] reused the variable iplen. But iplen overflows when ip6_plen is greater than 65495.
The new patch does not use the sum of header size and payload size.
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-04 08:09:05 UTC 
(In reply to Tatsuki Makino from comment #1)
> Created attachment 186894 [details]
> patch for CURRENT
> 
> attachment 186874 [details] reused the variable iplen. But iplen overflows
> when ip6_plen is greater than 65495.
> The new patch does not use the sum of header size and payload size.

You need to handle the case when ip6_plen == 0.
Comment 3 Tatsuki Makino 2017-10-05 04:42:19 UTC 
Created attachment 186915 [details]
patch for CURRENT

(In reply to Andrey V. Elsukov from comment #2)

Thank you.
I made a new one. How about this one?
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-18 15:09:36 UTC 
Created attachment 187283 [details]
Proposed patch for tcplen

Can you test this patch instead?
Comment 5 Tatsuki Makino 2017-10-24 01:04:17 UTC 
(In reply to Andrey V. Elsukov from comment #4)

attachment 187283 [details] can be applied to stable/10.
I am using it on the following uname -a.
FreeBSD T2.test 10.4-STABLE FreeBSD 10.4-STABLE #0 r324782M: Fri Oct 20 02:30:37 UTC 2017     root@T2.test:/usr/obj/usr/src/sys/GENERIC  amd64
It works as expected.
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-10-24 08:39:26 UTC 
A commit references this bug:

Author: ae
Date: Tue Oct 24 08:39:06 UTC 2017
New revision: 324947
URL: https://svnweb.freebsd.org/changeset/base/324947

Log:
  Add IPv6 support for O_TCPDATALEN opcode.

  PR:		222746
  MFC after:	1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-10-31 11:34:01 UTC 
A commit references this bug:

Author: ae
Date: Tue Oct 31 10:31:47 UTC 2017
New revision: 325229
URL: https://svnweb.freebsd.org/changeset/base/325229

Log:
  MFC r324947:
    Add IPv6 support for O_TCPDATALEN opcode.

    PR:		222746

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-10-31 11:34:06 UTC 
A commit references this bug:

Author: ae
Date: Tue Oct 31 11:09:39 UTC 2017
New revision: 325230
URL: https://svnweb.freebsd.org/changeset/base/325230

Log:
  MFC r324947:
    Add IPv6 support for O_TCPDATALEN opcode.

    PR:		222746

Changes:
_U  stable/10/
  stable/10/sys/netpfil/ipfw/ip_fw2.c
Comment 9 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-10-31 11:36:41 UTC 
Fixed in head/, stable/11 and stable/10. Thanks!