NetBSD Problem Report #52592

From mlelstv@hoppa.1st.de  Tue Oct  3 16:13:27 2017
Return-Path: <mlelstv@hoppa.1st.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 9F54C7A173
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  3 Oct 2017 16:13:27 +0000 (UTC)
Message-Id: <20171003161257.C1859A9@hoppa.1st.de>
Date: Tue,  3 Oct 2017 18:12:57 +0200 (CEST)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@NetBSD.org
Subject: npf max-mss corrupts TCP checksum
X-Send-Pr-Version: 3.95

>Number:         52592
>Category:       kern
>Synopsis:       npf max-mss corrupts TCP checksum
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 03 16:15:00 +0000 2017
>Closed-Date:    Sun Jul 29 14:09:19 +0000 2018
>Last-Modified:  Sun Jul 29 14:09:19 +0000 2018
>Originator:     Michael van Elst
>Release:        NetBSD 8.99.3
>Organization:

>Environment:


System: NetBSD ghostbear 8.99.3 NetBSD 8.99.3 (GHOSTBEAR) #1: Tue Oct  3 15:15:28 CEST 2017  mlelstv@gossam:/home/netbsd-current/obj.evbmips64-eb/home/netbsd-current/src/sys/arch/evbmips/compile/GHOSTBEAR evbmips
Architecture: mips64eb
Machine: evbmips
>Description:
When npf is used to clamp the TCP maximum segment size, it changes bits
in the header of a TCP SYN packet and adjusts the TCP checksum accordingly.

This works fine for forwarded packets, but for packets created locally
the resulting checksum is garbage.

>How-To-Repeat:

Here is a simple npf.conf that creates the corruption.

procedure "norm" {
        normalize:  "random-id", "max-mss" 1380
}
group "external" on pppoe0 {
        pass stateful out final all apply "norm"
}
group default {
        pass final on lo0 all
        block final all apply
}

When you remove the "max-mss" clamping, the checksum is good again.

The value in the TCP header that npf operates on is completely different
from the checksum that arrives at the destination and the latter misses
the necessary adjustment for the changed mss value.

>Fix:


>Release-Note:

>Audit-Trail:
From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/52592: npf max-mss corrupts TCP checksum
Date: Wed, 4 Oct 2017 16:07:47 +0200

 Analysis:

 1. the TCP stack prepares a partial TCP header checksum when a session
    is created.
 2. Packets are then passed with that partial checksum through pfil_run_hooks()
    which calls npf.
 3. Finally the remaining checksum which includes the TCP options is
    calculated or offloaded to hardware.

 So, for outgoing packets, the max-mss difference is effectively
 added twice to the checksum, causing the observed problems.

 For incoming packets, the checksum handling is done before the packet
 filter sees the packet, and the checksum needs to be always adjusted.

 If the packet filter could distinguish between incoming and outgoing
 packets, it could also handle the checksum adjustments accordingly.
 But in npf the packet direction is lost after looking up the
 stateful npf_match_info with npf_conn_pass().


 I have augmented the npf_match_info structure to record the original
 direction and changed npf_conn_pass to not overwrite that value. This
 fixes the problem, but it's a rather crude patch that needs discussion.



 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

State-Changed-From-To: open->feedback
State-Changed-By: rmind@NetBSD.org
State-Changed-When: Sun, 10 Dec 2017 00:25:56 +0000
State-Changed-Why:
Committed a potential fix.


State-Changed-From-To: feedback->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sun, 29 Jul 2018 14:09:19 +0000
State-Changed-Why:
The issue was fixed, there was an inverted logic, I did test and max-mss
clamping worked again. Now there is still another problem related to
alignment, but I'll file a separate PR for this one.


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.