D46840.id143880.diff
diff --git a/tests/sys/netpfil/pf/src_track.sh b/tests/sys/netpfil/pf/src_track.sh
--- a/tests/sys/netpfil/pf/src_track.sh
+++ b/tests/sys/netpfil/pf/src_track.sh
@@ -120,8 +120,74 @@
pft_cleanup
}
+max_src_states_rule_head()
+{
+ atf_set descr 'Max states per source per rule'
+ atf_set require.user root
+}
+
+max_src_states_rule_body()
+{
+ setup_router_server_ipv6
+
+ # Clients will connect from another network behind the router.
+ # This allows for using multiple source addresses and for tester jail
+ # to not respond with RST packets for SYN+ACKs.
+ jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
+ jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
+
+ pft_set_rules router \
+ "block" \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track rule) label rule_A" \
+ "pass in on ${epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track rule) label rule_B" \
+ "pass out on ${epair_server}a keep state"
+
+ # The option max-src-states prevents even the initial SYN packet going
+ # through. It's enough that we check ping_server_check_reply, no need to
+ # bother checking created states.
+
+ # 2 connections from host ::1 matching rule_A will be allowed, 1 will fail to create a state.
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
+ ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
+
+ # 2 connections from host ::1 matching rule_B will be allowed, 1 will fail to create a state.
+ # Limits from rule_A don't interfere with rule_B.
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4222 --fromaddr 2001:db8:44::1
+ ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4223 --fromaddr 2001:db8:44::1
+
+ # 2 connections from host ::2 matching rule_B will be allowed, 1 will fail to create a state.
+ # Limits for host ::1 will not interfere with host ::2.
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::2
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4225 --fromaddr 2001:db8:44::2
+ ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4226 --fromaddr 2001:db8:44::2
+
+ # We will check the resulting source nodes, though.
+ # Order of source nodes in output is not guaranteed, find each one separately.
+ nodes=$(mktemp) || exit 1
+ jexec router pfctl -qvsS > $nodes
+ for node_regexp in \
+ '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 3' \
+ '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4' \
+ '2001:db8:44::2 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4' \
+ ; do
+ cat $nodes | tr '\n' ' ' | grep -qE "$node_regexp" || atf_fail "Source nodes not matching expected output"
+ done
+
+ # Check if limit counters have been properly set.
+ jexec router pfctl -qvvsi | grep -qE 'max-src-states\s+3\s+' || atf_fail "max-src-states not set to 3"
+}
+
+max_src_states_rule_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "source_track"
atf_add_test_case "max_src_conn_rule"
+ atf_add_test_case "max_src_states_rule"
}
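Review bot: The temporary file created by `nodes=$(mktemp) || exit 1` in max_src_states_rule_body is never removed, so every run leaves a file in the temp directory; the cleanup function only calls pft_cleanup. Add `rm -f "$nodes"` after the `done` of the node loop (or trap it), and report the mktemp failure through the framework rather than a bare exit, e.g. `nodes=$(mktemp) || atf_fail "mktemp failed"`. The `cat $nodes | tr '\n' ' '` pipeline can also be simplified to `tr '\n' ' ' < "$nodes"`, and `$nodes` should be quoted in both places since it is an unvalidated path from the environment's temp directory. The `pft_cleanup` context lines at the top of the hunk belong to a function whose start is outside the hunk, presumably the preceding test's cleanup.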
D46840: pf tests: Add test for max-src-states