NPF: fast kick

To: "tech-net%NetBSD.org@localhost" <tech-net%netbsd.org@localhost>
Subject: NPF: fast kick
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Tue, 6 Mar 2018 20:37:39 +0100

Currently, NPF does not immediately kick malformed packets, and performs very
few sanity checks. Here is a patch [1] that fixes that.

When a packet is malformed, we return NPC_FMTERR, and kick it immediately. We
don't send a response (TCP-RST or ICMP).

In addition the checks are strengthened. In particular with fragments:

 * As long as we don't see IPPROTO_FRAGMENT, if we fail to advance in the
   nbuf that's fatal, and we return NPC_FMTERR.

 * After seeing IPPROTO_FRAGMENT for the first time, if we fail to advance
   in the nbuf we roll back to the previous header in the chain and process
   the packet from there.

The point is that after the first IPPROTO_FRAGMENT we are not guaranteed to
find the L4 layer, so it's legitimate to fail. In the other cases, it's not.

Maxime

[1] http://m00nbsd.net/garbage/npf/fastkick.diff

Follow-Ups:
- Re: NPF: fast kick
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: IPv6 NS looback avoidance - RFC7527 support
Next by Date: Re: IPsec: duplicate sysctls
Previous by Thread: IPsec: duplicate sysctls
Next by Thread: Re: NPF: fast kick
Indexes:

Home | Main Index | Thread Index | Old Index