diff --git a/share/man/man4/cxgbe.4 b/share/man/man4/cxgbe.4 index 91c59fe96a8..d4d38b87307 100644 --- a/share/man/man4/cxgbe.4 +++ b/share/man/man4/cxgbe.4 @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 17, 2020 +.Dd October 8, 2020 .Dt CXGBE 4 .Os .Sh NAME @@ -362,6 +362,26 @@ The default value is 0 and should be changed only if PF and VF interfaces need to communicate with each other. Different interfaces can be assigned different values using the dev..X.tx_vm_wr sysctl when the interface is administratively down. +.It Va hw.cxgbe.attack_filter +Set to 1 to enable the "attack filter". +Default is 0. +The attack filter will drop an incoming frame if any of these conditions is +true: src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip is +loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback (::1/128) +or unspecified (::/128); tcp and src/dst ip6 is mcast (ff00::/8). +.It Va hw.cxgbe.drop_ip_fragments +Set to 1 to drop all incoming IP fragments. +Default is 0. +Note that this drops valid frames. +.It Va hw.cxgbe.drop_pkts_with_l2_errors +Set to 1 to drop incoming frames with Layer 2 length or checksum errors. +Default is 1. +.It Va hw.cxgbe.drop_pkts_with_l3_errors +Set to 1 to drop incoming frames with IP version, length, or checksum errors. +Default is 0. +.It Va hw.cxgbe.drop_pkts_with_l4_errors +Set to 1 to drop incoming frames with Layer 4 length, checksum, or other errors. +Default is 0. .El .Sh SUPPORT For general information and support, diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index 67fc1f60b09..014a69d2368 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -595,6 +595,46 @@ static int t4_tx_vm_wr = 0; SYSCTL_INT(_hw_cxgbe, OID_AUTO, tx_vm_wr, CTLFLAG_RWTUN, &t4_tx_vm_wr, 0, "Use VM work requests to transmit packets."); +/* + * Set to non-zero to enable the attack filter. A packet that matches any of + * these conditions will get dropped on ingress: + * 1) IP && source address == destination address. + * 2) TCP/IP && source address is not a unicast address. + * 3) TCP/IP && destination address is not a unicast address. + * 4) IP && source address is loopback (127.x.y.z). + * 5) IP && destination address is loopback (127.x.y.z). + * 6) IPv6 && source address == destination address. + * 7) IPv6 && source address is not a unicast address. + * 8) IPv6 && source address is loopback (::1/128). + * 9) IPv6 && destination address is loopback (::1/128). + * 10) IPv6 && source address is unspecified (::/128). + * 11) IPv6 && destination address is unspecified (::/128). + * 12) TCP/IPv6 && source address is multicast (ff00::/8). + * 13) TCP/IPv6 && destination address is multicast (ff00::/8). + */ +static int t4_attack_filter = 0; +SYSCTL_INT(_hw_cxgbe, OID_AUTO, attack_filter, CTLFLAG_RDTUN, + &t4_attack_filter, 0, "Drop suspicious traffic"); + +static int t4_drop_ip_fragments = 0; +SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_ip_fragments, CTLFLAG_RDTUN, + &t4_drop_ip_fragments, 0, "Drop IP fragments"); + +static int t4_drop_pkts_with_l2_errors = 1; +SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l2_errors, CTLFLAG_RDTUN, + &t4_drop_pkts_with_l2_errors, 0, + "Drop all frames with Layer 2 length or checksum errors"); + +static int t4_drop_pkts_with_l3_errors = 0; +SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l3_errors, CTLFLAG_RDTUN, + &t4_drop_pkts_with_l3_errors, 0, + "Drop all frames with IP version, length, or checksum errors"); + +static int t4_drop_pkts_with_l4_errors = 0; +SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l4_errors, CTLFLAG_RDTUN, + &t4_drop_pkts_with_l4_errors, 0, + "Drop all frames with Layer 4 length, checksum, or other errors"); + #ifdef TCP_OFFLOAD /* * TOE tunables. @@ -4740,7 +4780,7 @@ t4_enable_kern_tls(struct adapter *sc) static int set_params__post_init(struct adapter *sc) { - uint32_t param, val; + uint32_t mask, param, val; #ifdef TCP_OFFLOAD int i, v, shift; #endif @@ -4761,6 +4801,33 @@ set_params__post_init(struct adapter *sc) t4_set_reg_field(sc, A_TP_RSS_CONFIG_TNL, V_MASKFILTER(M_MASKFILTER), V_MASKFILTER(val - 1)); + mask = F_DROPERRORANY | F_DROPERRORMAC | F_DROPERRORIPVER | + F_DROPERRORFRAG | F_DROPERRORATTACK | F_DROPERRORETHHDRLEN | + F_DROPERRORIPHDRLEN | F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN | + F_DROPERRORTCPOPT | F_DROPERRORCSUMIP | F_DROPERRORCSUM; + val = 0; + if (t4_attack_filter != 0) { + t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_ATTACKFILTERENABLE, + F_ATTACKFILTERENABLE); + val |= F_DROPERRORATTACK; + } + if (t4_drop_ip_fragments != 0) { + t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_FRAGMENTDROP, + F_FRAGMENTDROP); + val |= F_DROPERRORFRAG; + } + if (t4_drop_pkts_with_l2_errors != 0) + val |= F_DROPERRORMAC | F_DROPERRORETHHDRLEN; + if (t4_drop_pkts_with_l3_errors != 0) { + val |= F_DROPERRORIPVER | F_DROPERRORIPHDRLEN | + F_DROPERRORCSUMIP; + } + if (t4_drop_pkts_with_l4_errors != 0) { + val |= F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN | + F_DROPERRORTCPOPT | F_DROPERRORCSUM; + } + t4_set_reg_field(sc, A_TP_ERR_CONFIG, mask, val); + #ifdef TCP_OFFLOAD /* * Override the TOE timers with user provided tunables. This is not the