History log of /src/sbin/ipf/libipf/interror.c (Results 1 – 19 of 19)
# a79e2278 19-Dec-2025 Brooks Davis <brooks@FreeBSD.org>

ipf: copy{in,out}ptr -> ipf_copy{in,out}_indirect

These functions take the source or destination address indirectly from
a potentially misaligned buffer. Rename them to reflect this and to
free up the copy{in,out}ptr names.

Some of the code in question is dead code and doesn't or won't compile,
but I've changed it all for consistency.

NB: If the pointers are actually stored under aligned then this code is
broken with CHERI.

Reviewed by: cy
Effort: CHERI upstreaming
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D54232


# a34c50fb 16-Dec-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

ipfilter: Prevent stack buffer overflow

When copying ipfs data from user space, don't just check that the payload
length is nonzero, but also that it does not exceed the size of the stack
buffer we're copying it into.

While we're at it, use a union to create a buffer of the exact size we
need instead of guessing that 2048 will be enough (and not too much).

Finally, check the size of the payload once it gets to where it's used.

MFC after: 3 days
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D54194


# d9788eab 29-Oct-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Restrict ipfilter within a jail

Add a sysctl/tunable (net.inet.ipf.jail_allowed) to control whether a
jail can manage its own ipfilter rules, pools, and settings. A jail's
control over its own ipfilter rules and settings may not be desirable.
By default, jail access to ipfilter is denied.

The host system can still manage a jail's rules by attaching the rules,
using the on keyword, limiting the rule to the jail's interface. Or
the sysctl/tunable can be enabled to allow a jail control over its own
ipfilter rules and settings.

Implementation note: Rather than store the jail_allowed variable,
referenced by sysctl(9), in a global area, storing the variable in the
ipfilter softc is consistent with ipfilter's use of its softc.

Discussed with: emaste, jrm
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53623


# 821774df 03-Nov-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Verify ipnat on entry into kernel

The ipnat struct is built by ipnat(8), specifically ipnat_y.y when
parsing the ipnat configuration file (typically ipnat.conf). ipnat
contains a variable length string field at the end of the struct. This
data field, called in_names, may contain various text strings such as
NIC names. There is no upper bound limit to the length of strings as
long as the in_namelen length field specifies the length of in_names
within the ipnat structure and in_size specifies the size of the ipnat
structure itself.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53843


# eda1756d 29-Oct-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Verify frentry on entry into kernel

The frentry struct is built by ipf(8), specifically ipf_y.y when parsing
the ipfilter configuration file (typically ipf.conf). frentry contains
a variable length string field at the end of the struct. This data field,
called fr_names, may contain various text strings such as NIC names,
destination list (dstlist) names, and filter rule comments. The length
field specifies the length of fr_names within the frentry structure and
fr_size specifies the size of the frentry structure itself.

The upper bound limit to the length of strings field is controlled by the
fr_max_namelen sysctl/kenv or the max_namelen ipfilter tuneable.

The initial concepts were discussed with emaste and jrm.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53843


# df381bec 22-Oct-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Don't trust userland supplied iph_size

ipf_htable_create() trusts a user-supplied iph_size from iphtable_t
and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table)
without checking for integer overflow. A sufficiently large iph_size
causes the multiplication to wrap, resulting in an under-sized allocation
for the table pointer array. Subsequent code (e.g., in ipf_htent_insert())
can then write past the end of the allocated buffer, corrupting kernel
memory and causing DoS or potential privilege escalation.

This is not typically a problem when using the ipfilter provided
userland tools, as they calculate the correct lengths. This mitigates a
rogue actor calling ipfilter ioctls directly.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53286
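As an added illustration of the overflow pattern this commit describes (example code, not ipfilter's own): the unchecked size multiplication beside a bounds-checked version. The bucket_t type and MAX_BUCKETS limit are constructed stand-ins, not real ipfilter identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-bucket pointer type of a hash table. */
typedef struct ipf_entry *bucket_t;

/* Assumed policy limit on buckets per table; not a real ipfilter tunable. */
#define MAX_BUCKETS (1u << 20)

/*
 * Unchecked pattern: the product is formed in 32-bit arithmetic, so a
 * large user-supplied bucket count wraps to a small byte count and the
 * resulting allocation is under-sized relative to how it is later indexed.
 */
uint32_t unchecked_table_bytes(uint32_t iph_size)
{
    return iph_size * (uint32_t)sizeof(bucket_t);
}

/*
 * Checked version: reject zero, reject counts above the policy limit, and
 * reject any count whose byte size would not fit in size_t. Returns 0 on
 * rejection so the caller can fail with EINVAL before allocating anything.
 */
size_t checked_table_bytes(uint32_t iph_size)
{
    if (iph_size == 0 || iph_size > MAX_BUCKETS)
        return 0;
    if ((size_t)iph_size > SIZE_MAX / sizeof(bucket_t))
        return 0;
    return (size_t)iph_size * sizeof(bucket_t);
}

int main(void)
{
    uint32_t hostile = 0x40000000u;  /* constructed: 2^30 buckets */

    printf("unchecked: %u buckets -> %u bytes (wrapped)\n",
        hostile, unchecked_table_bytes(hostile));
    printf("checked:   %u buckets -> %zu bytes (0 = rejected)\n",
        hostile, checked_table_bytes(hostile));
    printf("checked:   %u buckets -> %zu bytes\n",
        1024u, checked_table_bytes(1024u));
    return 0;
}
```

With 4- or 8-byte pointers, 2^30 buckets wraps the 32-bit product to exactly 0 bytes, which is why a later insert writes past the end of the allocation.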


# ab3c9853 23-Oct-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Calculate the number of elements in ipf_errors

It serves no purpose to manually manage the IPF_NUM_ERRORS count.
Calculate it instead.

Reviewed by: emaste, markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53308


# c1f6704b 15-Oct-2023 Elyes Haouas <ehaouas@noos.fr>

ipf: Fix some typos

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>


# 540be39b 28-Dec-2023 Elyes Haouas <ehaouas@noos.fr>

tree: Use 1 semicolon at the end of a statement

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/889


# 0939cf32 01-Jun-2023 Elyes Haouas <ehaouas@noos.fr>

ipf/libipf: Fix typos

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/653


# c47db49b 17-Mar-2022 Cy Schubert <cy@FreeBSD.org>

ipfilter: Support only jails in VNET

Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.

This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.

MFC after: 1 week


# 44bc3019 04-Jan-2022 Cy Schubert <cy@FreeBSD.org>

ipfilter userland: Style(9) requires a space after return

Reported by: jrtc27
Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
MFC after: 1 month


# 2582ae57 22-Dec-2021 Cy Schubert <cy@FreeBSD.org>

ipfilter: Adjust userland returns to conform to style(9)

Adjust ipfilter's userland return statements to conform to style(9).

MFC after: 1 month


# efeb8bff 20-Dec-2021 Cy Schubert <cy@FreeBSD.org>

ipfilter: ANSIfy userland function declarations

Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).

Reviewed by: glebius (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33595


# 41edb306 15-Dec-2021 Cy Schubert <cy@FreeBSD.org>

ipfilter: Move userland bits to sbin

Through fixes and improvements our ipfilter sources have diverged
enough to warrant a move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.

This is the second of three commits of the ipfilter move.

Suggested by glebius on two occasions.

Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510


# a6fb9bbe 13-Dec-2021 Cy Schubert <cy@FreeBSD.org>

ipfilter userland: Replace sprintf with range checking version (snprintf)

MFC after: 1 week


# e10ac086 04-Dec-2021 Gordon Bergling <gbe@FreeBSD.org>

ipfilter(4): Fix a typo in an error message

- s/addresss/address/

This is a direct commit to contrib since the upstream is
no longer active.

MFC after: 3 days


# 4cd1807c 26-Jan-2021 Cy Schubert <cy@FreeBSD.org>

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

MFC after: 1 week


# bfc88dcb 06-Sep-2013 Cy Schubert <cy@FreeBSD.org>

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)