
ip: Defer checks for an unspecified dstaddr until after pfil hooks

Description

ip: Defer checks for an unspecified dstaddr until after pfil hooks

To comply with Common Criteria certification requirements, it may be
necessary to ensure that packets to 0.0.0.0/::0 are dropped and logged
by the system firewall. Currently, such packets are dropped by
ip_input() and ip6_input() before reaching pfil hooks; let's defer the
checks slightly to give firewalls a chance to drop the packets
themselves, as this gives better observability. Add some regression
tests for this with pf+pflog.

Note that prior to commit 713264f6b8b, v4 packets to the unspecified
address were not dropped by the IP stack at all.

Note that ip_forward() and ip6_forward() ensure that such packets are
not forwarded; they are passed back unmodified.

Add a regression test which ensures that such packets are visible to
pflog.

Reviewed by: glebius
MFC after: 3 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48163
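As an added illustration (not part of the commit, the review, or the FreeBSD test suite), a minimal pf.conf fragment that drops and logs packets addressed to the unspecified address so that the drops become visible on pflog0; the interface name `em0` is an assumption:

```pf
# pf.conf fragment (added example, not from the commit). The interface
# name is assumed; substitute the real external interface.
ext_if = "em0"

# Drop and log every packet whose destination is the unspecified address,
# for both address families. With this change such packets reach the
# pfil hooks before ip_input()/ip6_input() discard them, so these rules
# match and each drop is recorded on pflog0. On a kernel without the
# change the packets are dropped earlier and these rules never match.
block log quick on $ext_if inet  from any to 0.0.0.0
block log quick on $ext_if inet6 from any to ::

# Observe the logged drops from a root shell:
#   tcpdump -n -e -ttt -i pflog0 'dst host 0.0.0.0 or dst host ::'
```

The same `log` rules can serve as the check that the firewall, rather than the IP stack, is the component dropping these packets after the change.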

Details

Provenance
markj, authored on Thu, Jan 16, 3:46 PM
Reviewer
glebius
Differential Revision
D48163: ip: Defer checks for an unspecified dstaddr until after pfil hooks
Parents
rG886396f1b1a7: pf: Force logging if pf_create_state() fails