diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -10,7 +10,8 @@
 dup \
 ether \
 forward \
- fragmentation \
+ fragmentation_compat \
+ fragmentation_pass \
 get_state \
 icmp \
 killstate \
@@ -29,7 +30,8 @@
 route_to \
 rtable \
 rules_counter \
- scrub \
+ scrub_compat \
+ scrub_pass \
 set_skip \
 set_tos \
 src_track \
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation_compat.sh
rename from tests/sys/netpfil/pf/fragmentation.sh
rename to tests/sys/netpfil/pf/fragmentation_compat.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation_compat.sh
@@ -348,9 +348,6 @@
 {
 setup_router_server_ipv4
 
- # Tester can send long packets which will get fragmented by the router.
- # Replies from server will come in fragments which might get
- # reassembled resulting in a long reply packet sent back to tester.
 ifconfig ${epair_tester}a mtu 9000
 jexec router ifconfig ${epair_tester}b mtu 9000
 jexec router ifconfig ${epair_server}a mtu 1500
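Review bot: Dropping the three comment lines above the `ifconfig` calls in no_df_body leaves the asymmetric MTUs (9000 on the tester link, 1500 on the server link) unexplained, and nothing else in the hunk says why the test needs them. A one-line replacement would keep the intent readable: `# Tester link uses a large MTU so long pings reach the router whole; the server link stays at 1500 so the router has to fragment them.` The opening brace of no_df_body is inside the hunk but the rest of its body continues past it.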
@@ -359,16 +356,29 @@
 # Sanity check.
 ping_server_check_reply exit:0 --ping-type=icmp
 
- # Enable packet reassembly with clearing of the no-df flag.
 pft_set_rules router \
- "scrub all fragment reassemble no-df" \
- "block" \
- "pass inet proto icmp all icmp-type echoreq"
- # Ping with non-fragmentable packets.
- # pf will strip the DF flag resulting in fragmentation and packets
- # getting properly forwarded.
+ "scrub fragment reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000
+
+ # Ping with non-fragmentable packets, this will fail.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF
+
+ pft_set_rules router \
+ "scrub any reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with non-fragmentable packets again.
+ # This time pf will strip the DF flag.
 ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
 }
+
 no_df_cleanup()
 {
 pft_cleanup
@@ -383,5 +393,4 @@
 atf_add_test_case "overindex"
 atf_add_test_case "overlimit"
 atf_add_test_case "reassemble"
- atf_add_test_case "no_df"
 }
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation_pass.sh
rename from tests/sys/netpfil/pf/fragmentation.sh
rename to tests/sys/netpfil/pf/fragmentation_pass.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation_pass.sh
@@ -27,6 +27,8 @@
 . $(atf_get_srcdir)/utils.subr
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "too_many_fragments" "cleanup"
 too_many_fragments_head()
@@ -50,7 +52,8 @@
 jexec alcatraz pfctl -e
 
 pft_set_rules alcatraz \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
 
 # So we know pf is limiting things
 jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024
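Review bot: The third ruleset in no_df_body, `"scrub any reassemble"`, is the one the comment two lines below says will strip the DF flag, yet as rendered here it carries no `no-df` option, unlike the removed `scrub all fragment reassemble no-df` rule, so the `exit:0` expectation for the DF ping rests on an option the rule does not set. It is also not obvious that `any` on its own is accepted where the removed rule used `all`; if both are slips the fix is the single line `"scrub all fragment reassemble no-df" \`. The start of no_df_body lies outside this hunk.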
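Review bot: Removing `atf_add_test_case "no_df"` from atf_init_test_cases leaves the no_df head, body and cleanup functions — rewritten in the hunk above — defined but never registered, so the compat variant of the DF test becomes dead code that ATF will not run and any problem in its new rulesets goes unnoticed. If the intent is that only fragmentation_pass.sh covers no_df, the functions should be deleted from this file as well; otherwise restore the line `atf_add_test_case "no_df"`.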
@@ -109,7 +112,8 @@
 jexec alcatraz pfctl -e
 
 pft_set_rules alcatraz \
- "scrub fragment reassemble" \
+ "set reassemble yes" \
+ "pass keep state" \
 "block in" \
 "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
 "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"
@@ -182,7 +186,8 @@
 jexec first pfctl -e
 
 pft_set_rules first \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
 
 # Sanity checks
 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
@@ -213,7 +218,8 @@
 jexec alcatraz pfctl -e
 
 pft_set_rules alcatraz \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
 
 # Sanity check
 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
@@ -312,7 +318,7 @@
 atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
 
 pft_set_rules alcatraz \
- "scrub in" \
+ "set reassemble yes" \
 "pass out" \
 "block in" \
 "pass in inet proto icmp all icmp-type echoreq"
@@ -320,19 +326,64 @@
 # Both single packet & fragmented pass when we scrub
 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
 atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2
+}
 
- pft_set_rules alcatraz \
- "scrub in fragment no reassemble" \
+reassemble_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "no_df" "cleanup"
+no_df_head()
+{
+ atf_set descr 'Test removing of DF flag'
+ atf_set require.user root
+}
+
+no_df_body()
+{
+ setup_router_server_ipv4
+
+ ifconfig ${epair_tester}a mtu 9000
+ jexec router ifconfig ${epair_tester}b mtu 9000
+ jexec router ifconfig ${epair_server}a mtu 1500
+ jexec server ifconfig ${epair_server}b mtu 1500
+
+ # Sanity check.
+ ping_server_check_reply exit:0 --ping-type=icmp
+
+ pft_set_rules router \
+ "set reassemble no" \
 "pass out" \
 "block in" \
 "pass in inet proto icmp all icmp-type echoreq"
 
- # And the fragmented ping doesn't pass if we do not reassemble
- atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
- atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
-}
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000
 
-reassemble_cleanup()
+ pft_set_rules router \
+ "set reassemble yes" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000
+
+ # Ping with non-fragmentable packets.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF
+
+ pft_set_rules router \
+ "set reassemble yes no-df" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with non-fragmentable packets again.
+ # This time pf will strip the DF flag.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
+}
+no_df_cleanup()
 {
 pft_cleanup
 }
diff --git a/tests/sys/netpfil/pf/scrub_compat.sh b/tests/sys/netpfil/pf/scrub_compat.sh
new file mode 100644
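Review bot: In the new no_df_body the comment `# Ping with normal, fragmentable packets.` introduces both the `exit:1` check under `set reassemble no` and the `exit:0` check under `set reassemble yes`, so the first occurrence never says that failure is the expected outcome, whereas fragmentation_compat.sh words its negative case as `# Ping with non-fragmentable packets, this will fail.`. The first occurrence should read along the lines of `# Ping with normal, fragmentable packets; with reassembly off this is expected to fail.` The closing `}` of no_df_body is also followed directly by `no_df_cleanup()` with no blank line, unlike every other function pair in this file.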
--- /dev/null
+++ b/tests/sys/netpfil/pf/scrub_pass.sh
@@ -0,0 +1,221 @@
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 Kristof Provost
+# Copyright (c) 2023 Kajetan Staszkiewicz
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+common_dir=$(atf_get_srcdir)/../common
+
+atf_test_case "max_mss_v4" "cleanup"
+max_mss_v4_head()
+{
+ atf_set descr 'Test IPv4 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "max_mss_v6" "cleanup"
+max_mss_v6_head()
+{
+ atf_set descr 'Test IPv6 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v4" "cleanup"
+set_tos_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=66
+}
+
+set_tos_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v6" "cleanup"
+set_tos_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-tc=0 --expect-tc=66
+}
+
+set_tos_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v4" "cleanup"
+min_ttl_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v6" "cleanup"
+min_ttl_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v4" "cleanup"
+no_scrub_v4_head()
+{
+ atf_set descr 'Test IPv4 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router\
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v6" "cleanup"
+no_scrub_v6_head()
+{
+ atf_set descr 'Test IPv6 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router \
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+ atf_add_test_case "max_mss_v4"
+ atf_add_test_case "max_mss_v6"
+ atf_add_test_case "set_tos_v4"
+ atf_add_test_case "set_tos_v6"
+ atf_add_test_case "min_ttl_v4"
+ atf_add_test_case "min_ttl_v6"
+ atf_add_test_case "no_scrub_v4"
+ atf_add_test_case "no_scrub_v6"
+}
diff --git a/tests/sys/netpfil/pf/scrub_pass.sh b/tests/sys/netpfil/pf/scrub_pass.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/scrub_pass.sh
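Review bot: In no_scrub_v4_body the `"no scrub on ${epair_tester}b to ${net_server_host_server}"` argument has no trailing `\` as rendered here, so `pft_set_rules router` receives only that one rule and the following line, `"scrub on ${epair_tester}b set-tos 0x42"`, runs as a shell command of its own; no_scrub_v6_body has the same shape. With no `set-tos` rule ever loaded, `--send-tc=0 --expect-tc=0` passes whether or not `no scrub` takes precedence, so the test does not check what its description claims (or, if the body runs with `set -e`, it fails on the stray command instead). Add the continuation in both bodies: `"no scrub on ${epair_tester}b to ${net_server_host_server}" \` (and a space before the `\` after `router` in the v4 body). Separately, the `descr` strings of set_tos_v4/v6 and min_ttl_v4/v6 read `scub` where `scrub` is meant.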
@@ -0,0 +1,173 @@
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 Kristof Provost
+# Copyright (c) 2023 Kajetan Staszkiewicz
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+common_dir=$(atf_get_srcdir)/../common
+
+atf_test_case "max_mss_v4" "cleanup"
+max_mss_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "max_mss_v6" "cleanup"
+max_mss_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v4" "cleanup"
+set_tos_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )"
+ ping_dummy_check_request exit:0 --send-tc=66 --expect-tc=66
+}
+
+set_tos_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v6" "cleanup"
+set_tos_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v6_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-tc=66 --expect-tc=66
+}
+
+set_tos_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v4" "cleanup"
+min_ttl_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v6" "cleanup"
+min_ttl_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+ atf_add_test_case "max_mss_v4"
+ atf_add_test_case "max_mss_v6"
+ atf_add_test_case "set_tos_v4"
+ atf_add_test_case "set_tos_v6"
+ atf_add_test_case "min_ttl_v4"
+ atf_add_test_case "min_ttl_v6"
+}
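Review bot: set_tos_v6_body calls `setup_router_dummy_ipv4`, while max_mss_v6_body and min_ttl_v6_body in this file, and set_tos_v6_body in scrub_compat.sh, call `setup_router_dummy_ipv6`, so the IPv6 variant of the test is run on an IPv4 topology; the one-line fix is `setup_router_dummy_ipv6`. Both set_tos bodies also send `--send-tc=66` and expect `--expect-tc=66`, so they pass whether or not `set ( tos 0x42 )` is applied — the compat file sends `--send-tc=0` for the same check. If sending a different TOS is not possible with the pass-rule form, a comment saying so would explain why the assertion is weaker here.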