
D38129.id119112.diff

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -10,7 +10,8 @@
dup \
ether \
forward \
- fragmentation \
+ fragmentation_compat \
+ fragmentation_pass \
get_state \
icmp \
killstate \
@@ -29,7 +30,8 @@
route_to \
rtable \
rules_counter \
- scrub \
+ scrub_compat \
+ scrub_pass \
set_skip \
set_tos \
src_track \
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation_compat.sh
rename from tests/sys/netpfil/pf/fragmentation.sh
rename to tests/sys/netpfil/pf/fragmentation_compat.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation_compat.sh
@@ -338,9 +338,6 @@
{
setup_router_server_ipv4
- # Tester can send long packets which will get fragmented by the router.
- # Replies from server will come in fragments which might get
- # reassembled resulting in a long reply packet sent back to tester.
ifconfig ${epair_tester}a mtu 9000
jexec router ifconfig ${epair_tester}b mtu 9000
jexec router ifconfig ${epair_server}a mtu 1500
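Review bot: The four ifconfig lines after setup_router_server_ipv4 lose their only explanation when the three-line comment is removed, and the 9000-byte tester link against a 1500-byte server link is exactly what forces the router to fragment a 2000-byte ping, which nothing in the remaining code says. If the old comment was dropped because it talks about reply reassembly rather than the setup, a one-line replacement still helps: `# Tester side MTU 9000, server side 1500: a 2000-byte ping must be fragmented by the router.` The no_df_body name line precedes this hunk and the body continues past it.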
@@ -349,16 +346,29 @@
# Sanity check.
ping_server_check_reply exit:0 --ping-type=icmp
- # Enable packet reassembly with clearing of the no-df flag.
pft_set_rules router \
- "scrub all fragment reassemble no-df" \
- "block" \
- "pass inet proto icmp all icmp-type echoreq"
- # Ping with non-fragmentable packets.
- # pf will strip the DF flag resulting in fragmentation and packets
- # getting properly forwarded.
+ "scrub fragment reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000
+
+ # Ping with non-fragmentable packets, this will fail.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF
+
+ pft_set_rules router \
+ "scrub any reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with non-fragmentable packets again.
+ # This time pf will strip the DF flag.
ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
}
+
no_df_cleanup()
{
pft_cleanup
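Review bot: The second ruleset, `"scrub any reassemble"`, contains no `no-df`, yet the comment two lines below says "This time pf will strip the DF flag" and the final check expects exit:0 for a DF ping of 2000 bytes, so the rule cannot do what the assertion needs. The scrub-rule form the original test used is `"scrub all fragment reassemble no-df"`, and that is what the compat variant should load here; `any` is also not the `all` host keyword the other scrub rules use, so I would expect pfctl to reject the line and pft_set_rules to fail before the DF behaviour is ever measured (inferred, not verified). The first ruleset `"scrub fragment reassemble"` is fine. no_df_body starts outside this hunk.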
@@ -373,5 +383,4 @@
atf_add_test_case "overindex"
atf_add_test_case "overlimit"
atf_add_test_case "reassemble"
- atf_add_test_case "no_df"
}
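Review bot: `atf_add_test_case "no_df"` is removed from fragmentation_compat.sh, but the no_df_head/no_df_body/no_df_cleanup functions stay in this file (no_df_cleanup is visible in the previous hunk and no_df_body was just rewritten there), so the compat-syntax DF test is dead code that never runs. Either keep the registration, which seems intended given the body was edited in this same revision, or delete the whole no_df block from the compat file; leaving a rewritten but unregistered test is the worst of both. atf_init_test_cases starts outside this hunk.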
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation_pass.sh
rename from tests/sys/netpfil/pf/fragmentation.sh
rename to tests/sys/netpfil/pf/fragmentation_pass.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation_pass.sh
@@ -27,6 +27,8 @@
. $(atf_get_srcdir)/utils.subr
+common_dir=$(atf_get_srcdir)/../common
+
atf_test_case "too_many_fragments" "cleanup"
too_many_fragments_head()
@@ -50,7 +52,8 @@
jexec alcatraz pfctl -e
pft_set_rules alcatraz \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
# So we know pf is limiting things
jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024
@@ -105,7 +108,8 @@
jexec alcatraz pfctl -e
pft_set_rules alcatraz \
- "scrub fragment reassemble" \
+ "set reassemble yes" \
+ "pass keep state" \
"block in" \
"pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
"pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"
@@ -172,7 +176,8 @@
jexec first pfctl -e
pft_set_rules first \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
# Sanity checks
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
@@ -203,7 +208,8 @@
jexec alcatraz pfctl -e
pft_set_rules alcatraz \
- "scrub all fragment reassemble"
+ "set reassemble yes" \
+ "pass keep state"
# Sanity check
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
@@ -302,7 +308,7 @@
atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
pft_set_rules alcatraz \
- "scrub in" \
+ "set reassemble yes" \
"pass out" \
"block in" \
"pass in inet proto icmp all icmp-type echoreq"
@@ -310,19 +316,64 @@
# Both single packet & fragmented pass when we scrub
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2
+}
- pft_set_rules alcatraz \
- "scrub in fragment no reassemble" \
+reassemble_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "no_df" "cleanup"
+no_df_head()
+{
+ atf_set descr 'Test removing of DF flag'
+ atf_set require.user root
+}
+
+no_df_body()
+{
+ setup_router_server_ipv4
+
+ ifconfig ${epair_tester}a mtu 9000
+ jexec router ifconfig ${epair_tester}b mtu 9000
+ jexec router ifconfig ${epair_server}a mtu 1500
+ jexec server ifconfig ${epair_server}b mtu 1500
+
+ # Sanity check.
+ ping_server_check_reply exit:0 --ping-type=icmp
+
+ pft_set_rules router \
+ "set reassemble no" \
"pass out" \
"block in" \
"pass in inet proto icmp all icmp-type echoreq"
- # And the fragmented ping doesn't pass if we do not reassemble
- atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
- atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
-}
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000
-reassemble_cleanup()
+ pft_set_rules router \
+ "set reassemble yes" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with normal, fragmentable packets.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000
+
+ # Ping with non-fragmentable packets.
+ ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF
+
+ pft_set_rules router \
+ "set reassemble yes no-df" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with non-fragmentable packets again.
+ # This time pf will strip the DF flag.
+ ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
+}
+no_df_cleanup()
{
pft_cleanup
}
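Review bot: The no_df_head/no_df_body/no_df_cleanup functions added here duplicate the ones fragmentation.sh already defines after reassemble_cleanup (original lines from roughly 330 onward), and since this file is a rename of fragmentation.sh and no other hunk in it touches that region, the originals survive; in sh the later definition wins, so the registered "no_df" case would run the old `scrub all fragment reassemble no-df` body rather than this `set reassemble yes no-df` one. As far as this diff shows, the original `atf_test_case "no_df" "cleanup"` block needs removing from fragmentation_pass.sh, or this insertion should be dropped and the existing functions edited in place. Separately, the comment before the check that follows `set reassemble no` reads `# Ping with normal, fragmentable packets.` while the call expects exit:1; `# Fragmentable ping fails while reassembly is off.` states what is actually asserted. reassemble_body starts outside this hunk.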
diff --git a/tests/sys/netpfil/pf/scrub_compat.sh b/tests/sys/netpfil/pf/scrub_compat.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/scrub_compat.sh
@@ -0,0 +1,221 @@
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+common_dir=$(atf_get_srcdir)/../common
+
+atf_test_case "max_mss_v4" "cleanup"
+max_mss_v4_head()
+{
+ atf_set descr 'Test IPv4 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "max_mss_v6" "cleanup"
+max_mss_v6_head()
+{
+ atf_set descr 'Test IPv6 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v4" "cleanup"
+set_tos_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=66
+}
+
+set_tos_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v6" "cleanup"
+set_tos_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-tc=0 --expect-tc=66
+}
+
+set_tos_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v4" "cleanup"
+min_ttl_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v6" "cleanup"
+min_ttl_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v4" "cleanup"
+no_scrub_v4_head()
+{
+ atf_set descr 'Test IPv4 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router\
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v6" "cleanup"
+no_scrub_v6_head()
+{
+ atf_set descr 'Test IPv6 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router \
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request exit:0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+ atf_add_test_case "max_mss_v4"
+ atf_add_test_case "max_mss_v6"
+ atf_add_test_case "set_tos_v4"
+ atf_add_test_case "set_tos_v6"
+ atf_add_test_case "min_ttl_v4"
+ atf_add_test_case "min_ttl_v6"
+ atf_add_test_case "no_scrub_v4"
+ atf_add_test_case "no_scrub_v6"
+}
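Review bot: In no_scrub_v4_body the `"no scrub on ${epair_tester}b to ${net_server_host_server}"` line has no trailing backslash (no_scrub_v6_body puts one after `router` but again not after the `no scrub` line), so `"scrub on ${epair_tester}b set-tos 0x42"` is executed as a separate shell command instead of being passed to pft_set_rules; the loaded ruleset then holds only the `no scrub` rule, `--expect-tc=0` holds trivially, and the stray command's failure is presumably not caught unless the harness runs with `set -e`. Append ` \` to the `no scrub` line in both bodies so both rules reach pfctl. The descr strings of set_tos_v4, set_tos_v6, min_ttl_v4 and min_ttl_v6 also misspell "scrub" as `scub`.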
diff --git a/tests/sys/netpfil/pf/scrub_pass.sh b/tests/sys/netpfil/pf/scrub_pass.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/scrub_pass.sh
@@ -0,0 +1,173 @@
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+common_dir=$(atf_get_srcdir)/../common
+
+atf_test_case "max_mss_v4" "cleanup"
+max_mss_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "max_mss_v6" "cleanup"
+max_mss_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )"
+ # Check aligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v4" "cleanup"
+set_tos_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )"
+ ping_dummy_check_request exit:0 --send-tc=66 --expect-tc=66
+}
+
+set_tos_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v6" "cleanup"
+set_tos_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v6_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-tc=66 --expect-tc=66
+}
+
+set_tos_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v4" "cleanup"
+min_ttl_v4_head()
+{
+ atf_set descr 'Test IPv4 pass "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v6" "cleanup"
+min_ttl_v6_head()
+{
+ atf_set descr 'Test IPv6 pass "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )"
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+ atf_add_test_case "max_mss_v4"
+ atf_add_test_case "max_mss_v6"
+ atf_add_test_case "set_tos_v4"
+ atf_add_test_case "set_tos_v6"
+ atf_add_test_case "min_ttl_v4"
+ atf_add_test_case "min_ttl_v6"
+}
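Review bot: set_tos_v6_body calls `setup_router_dummy_ipv4`, so the IPv6 set-tos case runs on the IPv4 topology; every other v6 body in this file uses `setup_router_dummy_ipv6`, which is what this one should call. Also, set_tos_v4_body and set_tos_v6_body send `--send-tc=66 --expect-tc=66`, so the check passes whether or not `set ( tos 0x42 )` rewrites anything; the scrub_compat counterpart sends `--send-tc=0 --expect-tc=66`, which actually proves the rewrite, and the same form seems right here unless the pass-rule variant is deliberately limited.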
