Current-Users archive


Re: npf bug(?)



On Apr 3,  7:49am, 6bone%6bone.informatik.uni-leipzig.de@localhost (6bone%6bone.informatik.uni-leipzig.de@localhost) wrote:
-- Subject: Re: npf bug(?)

| On Sun, 2 Apr 2017, Christos Zoulas wrote:
| 
| >
| > I am trying to understand the use case here:
| > 1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
| > 2. you want V4 fragments dropped.
| > 3. you can't put V4 rules in your firewall to restrict traffic to only
| >   those services.
| >
| > Is that correct?
| 
| That is not completely right. I want to filter IPv6 with npf. IPv4 should 
| not be filtered. After the activation of npf the statistics show:
| 
| Fragmentation:
|          1296 fragments
|          1104 reassembled
|          7160 failed reassembly
| 
| Since IPv6 is no longer reassembling, it must be IPv4 packets. I want to 
| make sure that the reassembly errors do not lead to packet losses, 
| especially at 6to4.

Here's a rough patch that kills v4 processing.

christos

Index: npf.h
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf.h,v
retrieving revision 1.54
diff -u -u -r1.54 npf.h
--- npf.h	29 Jan 2017 00:15:54 -0000	1.54
+++ npf.h	3 Apr 2017 15:08:08 -0000
@@ -142,6 +142,7 @@
 #define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */
 
 #define	NPC_ALG_EXEC	0x100	/* ALG execution. */
+#define	NPC_IGNORE	0x200	/* Don't process */
 
 #define	NPC_IP46	(NPC_IP4|NPC_IP6)
 
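Review bot: the new `NPC_IGNORE` comment is the only one in this block of defines without a trailing period (`/* ICMP with query ID. */`, `/* ALG execution. */`), and "Don't process" does not say who acts on the bit; suggest `/* Not to be processed by NPF; the handler passes it through. */` so the flag's contract is documented where it is declared. The value 0x200 is the next free bit after the neighbouring 0x80 and 0x100 flags, so no collision there.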
Index: npf_handler.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_handler.c,v
retrieving revision 1.37
diff -u -u -r1.37 npf_handler.c
--- npf_handler.c	19 Feb 2017 20:27:22 -0000	1.37
+++ npf_handler.c	3 Apr 2017 15:08:08 -0000
@@ -156,6 +156,10 @@
 
 	/* Cache everything.  Determine whether it is an IP fragment. */
 	flags = npf_cache_all(&npc);
+
+	if (__predict_false(flags & NPC_IGNORE))
+		return 0;
+
 	if (__predict_false(flags & NPC_IPFRAG)) {
 		/*
 		 * We pass IPv6 fragments unconditionally
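Review bot: the early `return 0` after `npf_cache_all()` has no comment, so the only hint of the intent is the flag name; add one stating that an NPC_IGNORE packet is passed through untouched, skipping the fragment handling below and whatever the handler does after it. It is worth noting in that comment that this mirrors the existing unconditional pass of IPv6 fragments just below, so the caller sees the same "accept" return value on both paths. The two extra blank lines around the new check do not match the surrounding style, where the cache call is followed directly by the fragment check.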
Index: npf_inet.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
retrieving revision 1.37
diff -u -u -r1.37 npf_inet.c
--- npf_inet.c	19 Feb 2017 20:27:22 -0000	1.37
+++ npf_inet.c	3 Apr 2017 15:08:08 -0000
@@ -324,6 +324,7 @@
 
 	switch (ver >> 4) {
 	case IPVERSION: {
+#if 0
 		struct ip *ip;
 
 		ip = nbuf_ensure_contig(nbuf, sizeof(struct ip));
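Review bot: `#if 0` switches the IPv4 branch off at compile time with no comment saying why, so a later reader of `case IPVERSION:` sees unexplained dead code; for a rough patch that is acceptable, but anything meant to ship should be a runtime option (so IPv4 filtering can be re-enabled without rebuilding the kernel) or at least carry a comment on the `#if 0` line naming what it disables. Since the matching `#else`/`#endif` lands in the next hunk, the pair is only checkable across hunks; a short comment here would also make that pairing obvious.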
@@ -349,6 +350,9 @@
 
 		npc->npc_ip.v4 = ip;
 		flags |= NPC_IP4;
+#else
+		flags |= NPC_IGNORE;
+#endif
 		break;
 	}
 
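Review bot: with `flags |= NPC_IGNORE` replacing `flags |= NPC_IP4`, the cached packet carries neither IP-version bit and `npc->npc_ip.v4` is never assigned; that is safe only because the handler returns before touching it (earlier hunk), so every caller of this cache routine that might otherwise dereference the v4 header needs the same NPC_IGNORE test. Suggest recording that invariant next to the `#else`, e.g. `/* IPv4 disabled: mark the packet to be passed through unprocessed. */`, and considering whether NPC_IP4 should still be set alongside NPC_IGNORE so version-based checks and statistics keep seeing these packets as IPv4.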

