diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2017-04-04 14:10:40 +0000 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2017-04-06 15:30:21 +0000 |
commit | d1b05647427c79cfd5322991bbe663fae65f37b5 (patch) | |
tree | c7449b51cd46575c7978d8cac795b15a84f4163a /src/plugins/acl | |
parent | 0eb2b16f95c0c43302be79a1c4df8b828ac97e37 (diff) |
acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL (VPP-682)
This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows to change the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the begining a bogus rule
which would deny the L4 traffic.
Also, add a knob which allows to potentially turn this behavior off
in case of a dire need (and revert to dropping all non-initial fragments),
via a debug CLI.
Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
Diffstat (limited to 'src/plugins/acl')
-rw-r--r-- | src/plugins/acl/acl.c | 7 | ||||
-rw-r--r-- | src/plugins/acl/acl.h | 5 | ||||
-rw-r--r-- | src/plugins/acl/fa_node.c | 70 | ||||
-rw-r--r-- | src/plugins/acl/fa_node.h | 8 |
4 files changed, 77 insertions, 13 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 6657d370..98c74b9b 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -2008,6 +2008,11 @@ acl_set_aclplugin_fn (vlib_main_t * vm, } goto done; } + if (unformat (input, "l4-match-nonfirst-fragment %u", &val)) + { + am->l4_match_nonfirst_fragment = (val != 0); + goto done; + } if (unformat (input, "session")) { if (unformat (input, "clear")) { acl_main_t *am = &acl_main; @@ -2205,6 +2210,8 @@ acl_init (vlib_main_t * vm) foreach_acl_eh #undef _ + am->l4_match_nonfirst_fragment = 1; + return error; } diff --git a/src/plugins/acl/acl.h b/src/plugins/acl/acl.h index f5a1fe0f..d708c521 100644 --- a/src/plugins/acl/acl.h +++ b/src/plugins/acl/acl.h @@ -181,6 +181,9 @@ typedef struct { /* EH values that we can skip over */ uword *fa_ipv6_known_eh_bitmap; + /* whether to match L4 ACEs with ports on the non-initial fragment */ + int l4_match_nonfirst_fragment; + /* conn table per-interface conn table parameters */ u32 fa_conn_table_hash_num_buckets; uword fa_conn_table_hash_memory_size; @@ -235,6 +238,7 @@ typedef struct { _(HOPBYHOP , 0 , "IPv6ExtHdrHopByHop") \ _(ROUTING , 43 , "IPv6ExtHdrRouting") \ _(DESTOPT , 60 , "IPv6ExtHdrDestOpt") \ + _(FRAGMENT , 44 , "IPv6ExtHdrFragment") \ _(MOBILITY , 135, "Mobility Header") \ _(HIP , 139, "Experimental use Host Identity Protocol") \ _(SHIM6 , 140, "Shim6 Protocol") \ @@ -247,7 +251,6 @@ typedef struct { Also, Fragment header needs special processing. _(NONEXT , 59 , "NoNextHdr") \ - _(FRAGMENT , 44 , "IPv6ExtHdrFragment") \ ESP is hiding its internal format, so no point in trying to go past it. diff --git a/src/plugins/acl/fa_node.c b/src/plugins/acl/fa_node.c index 1f9117a6..e12cbaa7 100644 --- a/src/plugins/acl/fa_node.c +++ b/src/plugins/acl/fa_node.c @@ -191,7 +191,21 @@ acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tuple, { if (pkt_5tuple->l4.proto != r->proto) continue; - /* A sanity check just to ensure what we jave just matched was a valid L4 extracted from the packet */ + + if (PREDICT_FALSE (pkt_5tuple->pkt.is_nonfirst_fragment && + am->l4_match_nonfirst_fragment)) + { + /* non-initial fragment with frag match configured - match this rule */ + *trace_bitmap |= 0x80000000; + *r_action = r->is_permit; + if (r_acl_match_p) + *r_acl_match_p = acl_index; + if (r_rule_match_p) + *r_rule_match_p = i; + return 1; + } + + /* A sanity check just to ensure we are about to match the ports extracted from the packet */ if (PREDICT_FALSE (!pkt_5tuple->pkt.l4_valid)) continue; @@ -312,6 +326,10 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, l3_offset = 0; } + /* key[0..3] contains src/dst address and is cleared/set below */ + /* Remainder of the key and per-packet non-key data */ + p5tuple_pkt->kv.key[4] = 0; + p5tuple_pkt->kv.value = 0; if (is_ip6) { @@ -333,12 +351,33 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, int need_skip_eh = clib_bitmap_get (am->fa_ipv6_known_eh_bitmap, proto); if (PREDICT_FALSE (need_skip_eh)) { - /* FIXME: add fragment header special handling. Currently causes treated as unknown header. */ while (need_skip_eh && offset_within_packet (b0, l4_offset)) { - u8 nwords = *(u8 *) get_ptr_to_offset (b0, 1 + l4_offset); - proto = *(u8 *) get_ptr_to_offset (b0, l4_offset); - l4_offset += 8 * (1 + (u16) nwords); + /* Fragment header needs special handling */ + if (PREDICT_FALSE(ACL_EH_FRAGMENT == proto)) + { + proto = *(u8 *) get_ptr_to_offset (b0, l4_offset); + u16 frag_offset; + clib_memcpy (&frag_offset, get_ptr_to_offset (b0, 2 + l4_offset), sizeof(frag_offset)); + frag_offset = ntohs(frag_offset) >> 3; + if (frag_offset) + { + p5tuple_pkt->pkt.is_nonfirst_fragment = 1; + /* invalidate L4 offset so we don't try to find L4 info */ + l4_offset += b0->current_length; + } + else + { + /* First fragment: skip the frag header and move on. */ + l4_offset += 8; + } + } + else + { + u8 nwords = *(u8 *) get_ptr_to_offset (b0, 1 + l4_offset); + proto = *(u8 *) get_ptr_to_offset (b0, l4_offset); + l4_offset += 8 * (1 + (u16) nwords); + } #ifdef FA_NODE_VERBOSE_DEBUG clib_warning ("ACL_FA_NODE_DBG: new proto: %d, new offset: %d", proto, l4_offset); @@ -369,13 +408,26 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, offsetof (ip4_header_t, protocol) + l3_offset); l4_offset = l3_offset + sizeof (ip4_header_t); + u16 flags_and_fragment_offset; + clib_memcpy (&flags_and_fragment_offset, + get_ptr_to_offset (b0, + offsetof (ip4_header_t, + flags_and_fragment_offset)) + l3_offset, + sizeof(flags_and_fragment_offset)); + flags_and_fragment_offset = ntohs (flags_and_fragment_offset); + + /* non-initial fragments have non-zero offset */ + if ((PREDICT_FALSE(0xfff & flags_and_fragment_offset))) + { + p5tuple_pkt->pkt.is_nonfirst_fragment = 1; + /* invalidate L4 offset so we don't try to find L4 info */ + l4_offset += b0->current_length; + } + } - /* Remainder of the key and per-packet non-key data */ - p5tuple_pkt->kv.key[4] = 0; - p5tuple_pkt->kv.value = 0; + p5tuple_pkt->l4.proto = proto; if (PREDICT_TRUE (offset_within_packet (b0, l4_offset))) { - p5tuple_pkt->l4.proto = proto; p5tuple_pkt->pkt.l4_valid = 1; if (icmp_protos[is_ip6] == proto) { diff --git a/src/plugins/acl/fa_node.h b/src/plugins/acl/fa_node.h index 76a40a38..8edd0069 100644 --- a/src/plugins/acl/fa_node.h +++ b/src/plugins/acl/fa_node.h @@ -22,10 +22,12 @@ typedef union { u64 as_u64; struct { - u8 tcp_flags_valid; u8 tcp_flags; - u8 is_input; - u8 l4_valid; + u8 tcp_flags_valid:1; + u8 is_input:1; + u8 l4_valid:1; + u8 is_nonfirst_fragment:1; + u8 flags_reserved:4; }; } fa_packet_info_t; |