[Xorp-users] [Fwd: [PATCH] PF: Allow IP Router Alert option by default]

Thu Oct 9 10:02:59 PDT 2008

Hi Pavlin and Bruce,

I just wanted to let the list know that I updated xorp from cvs and  
all is working out great.  Thanks again for all the help and quick  
turnaroun.  Great stuff!

stegen
On Oct 9, 2008, at 5:51 AM, Bruce M. Simpson wrote:

> I actually submitted a patch to dhartmei@ to allow the RA option  
> filter to be disabled by default, as this is almost always what  
> bites us with PF on BSD systems.
>
> Forwarding here to pick up in archives.
>
> thanks
> BMS
>
> From: Bruce M Simpson <bms at incunabulum.net>
> Date: May 4, 2008 8:38:14 PM PDT
> To: dhartmei at freebsd.org, Max Laier <max at love2party.net>, Pavlin  
> Radoslavov <pavlin at icir.org>
> Subject: [PATCH] PF: Allow IP Router Alert option by default
>
>
> I've tested this in a virtual machine, against FreeBSD 6.3-RELEASE,  
> and it looks fine.
>
> I'd like to commit it as soon as possible if there are no objections.
>
>   Performance impact should be negligible, though I haven't  
> measured. The pf_pull_hdr() call is however required as you know,  
> the mbuf chain might not be pulled up.
>
>   The match is a loose match, although the RA option must come right  
> after the header. This is the norm for the implementations I've  
> seen. The value of the option isn't checked, I believe hardware  
> router boxes don't either.
>
>   I deliberately rolled this to respect the existing values of  
> "allow_opts", so that existing pfsync installations will continue to  
> work; nodes which don't understand the PF_ALLOWOPTS_RA flag will  
> treat it as "allow all options" however. Caveat user: should really  
> upgrade redundant firewalls in tandem.
>
>   The syntax originally suggested ("allow-opts(RA)") doesn't work,  
> because the parser treats '(' and ')' as special tokens which can't  
> be part of other tokens, so I added a keyword "allow-ra-opt".
>
> cheers
> BMS
> --- contrib/pf/pfctl/parse.y.orig	2005-05-03 17:55:20.000000000 +0100
> +++ contrib/pf/pfctl/parse.y	2008-05-05 03:15:05.000000000 +0100
> @@ -405,7 +405,8 @@
> %token	PASS BLOCK SCRUB RETURN IN OS OUT LOG LOGALL QUICK ON FROM TO  
> FLAGS
> %token	RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY  
> ICMPTYPE
> %token	ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW  
> NODF
> -%token	MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO  
> REPLYTO NO LABEL
> +%token	MINTTL ERROR ALLOWOPTS ALLOWOPTSRA
> +%token	FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
> %token	NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
> %token	REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR  
> BINATANCHOR
> %token	SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY  
> RANDOMID
> @@ -1902,7 +1903,10 @@
> 			filter_opts.fragment = 1;
> 		}
> 		| ALLOWOPTS {
> -			filter_opts.allowopts = 1;
> +			filter_opts.allowopts = PF_ALLOWOPTS_ALL;
> +		}
> +		| ALLOWOPTSRA {
> +			filter_opts.allowopts |= PF_ALLOWOPTS_RA;
> 		}
> 		| label	{
> 			if (filter_opts.label) {
> @@ -4577,6 +4581,7 @@
> 	static const struct keywords keywords[] = {
> 		{ "all",		ALL},
> 		{ "allow-opts",		ALLOWOPTS},
> +		{ "allow-ra-opt",		ALLOWOPTSRA},
> 		{ "altq",		ALTQ},
> 		{ "anchor",		ANCHOR},
> 		{ "antispoof",		ANTISPOOF},
> --- contrib/pf/pfctl/pfctl_parser.c.orig	2005-05-03  
> 17:55:20.000000000 +0100
> +++ contrib/pf/pfctl/pfctl_parser.c	2008-05-05 03:16:29.000000000  
> +0100
> @@ -928,8 +928,10 @@
> 		printf(" min-ttl %d", r->min_ttl);
> 	if (r->max_mss)
> 		printf(" max-mss %d", r->max_mss);
> -	if (r->allow_opts)
> +	if (r->allow_opts & PF_ALLOWOPTS_ALL)
> 		printf(" allow-opts");
> +	else if (r->allow_opts & PF_ALLOWOPTS_RA)
> +		printf(" allow-ra-opt");
> 	if (r->action == PF_SCRUB) {
> 		if (r->rule_flag & PFRULE_REASSEMBLE_TCP)
> 			printf(" reassemble tcp");
> --- sys/contrib/pf/net/pf.c.orig	2008-05-05 04:12:00.000000000 +0100
> +++ sys/contrib/pf/net/pf.c	2008-05-05 04:24:48.000000000 +0100
> @@ -6681,13 +6681,35 @@
> 	}
>
> done:
> -	if (action == PF_PASS && h->ip_hl > 5 &&
> -	    !((s && s->allow_opts) || r->allow_opts)) {
> -		action = PF_DROP;
> -		REASON_SET(&reason, PFRES_IPOPTIONS);
> -		log = 1;
> -		DPFPRINTF(PF_DEBUG_MISC,
> -		    ("pf: dropping packet with ip options\n"));
> +	if (action == PF_PASS && h->ip_hl > 5) {
> +		do {
> +			/* If allow-opts is set, allow any IP option. */
> +			if ((s && (s->allow_opts & PF_ALLOWOPTS_ALL)) ||
> +			    (r->allow_opts & PF_ALLOWOPTS_ALL))
> +				break;
> +			/*
> +			 * If allow-ra-opt is set, allow only the
> +			 * IP Router Alert option; it must be the first
> +			 * IP option, and its value is ignored.
> +			 */
> +			if ((s && (s->allow_opts & PF_ALLOWOPTS_RA)) ||
> +			    (r->allow_opts & PF_ALLOWOPTS_RA)) {
> +				uint8_t opt[4];
> +				if (pf_pull_hdr(m, sizeof(struct ip),
> +						&opt[0], sizeof(opt),
> +						&action, &reason,
> +						AF_INET) != NULL) {
> +					if (opt[0] == IPOPT_RA &&
> +					    opt[1] == 4)
> +						break;
> +				}
> +			}
> +			action = PF_DROP;
> +			REASON_SET(&reason, PFRES_IPOPTIONS);
> +			log = 1;
> +			DPFPRINTF(PF_DEBUG_MISC,
> +			    ("pf: dropping packet with ip options\n"));
> +		} while (0);
> 	}
>
> 	if (s && s->tag)
> --- sys/contrib/pf/net/pf_ioctl.c.orig	2007-01-04 18:31:43.000000000  
> +0000
> +++ sys/contrib/pf/net/pf_ioctl.c	2008-05-05 04:23:02.000000000 +0100
> @@ -320,6 +320,7 @@
> 	/* default rule should never be garbage collected */
> 	pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
> 	pf_default_rule.action = PF_PASS;
> +	pf_default_rule.allow_opts = PF_ALLOWOPTS_RA;
> 	pf_default_rule.nr = -1;
>
> 	/* initialize default timeouts */
> @@ -391,6 +392,7 @@
> 	/* default rule should never be garbage collected */
> 	pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
> 	pf_default_rule.action = PF_PASS;
> +	pf_default_rule.allow_opts = PF_ALLOWOPTS_RA;
> 	pf_default_rule.nr = -1;
>
> 	/* initialize default timeouts */
> --- sys/contrib/pf/net/pfvar.h.orig	2005-12-30 00:50:18.000000000  
> +0000
> +++ sys/contrib/pf/net/pfvar.h	2008-05-05 03:05:42.000000000 +0100
> @@ -651,6 +651,9 @@
> 	u_int8_t		 flagset;
> 	u_int8_t		 min_ttl;
> 	u_int8_t		 allow_opts;
> +#define PF_ALLOWOPTS_ALL	0x1
> +#define PF_ALLOWOPTS_RA		0x2			/* IP Router Alert */
> +#define PF_ALLOWOPTS_MASK	0x3
> 	u_int8_t		 rt;
> 	u_int8_t		 return_ttl;
> 	u_int8_t		 tos;
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/xorp-users/attachments/20081009/4dc97231/attachment-0001.html 