tests/sys/netpfil/pf/fragmentation_pass.sh
- This file was moved from tests/sys/netpfil/pf/fragmentation.sh.
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
# SUCH DAMAGE. | # SUCH DAMAGE. | ||||
. $(atf_get_srcdir)/utils.subr | . $(atf_get_srcdir)/utils.subr | ||||
common_dir=$(atf_get_srcdir)/../common | |||||
atf_test_case "too_many_fragments" "cleanup" | atf_test_case "too_many_fragments" "cleanup" | ||||
too_many_fragments_head() | too_many_fragments_head() | ||||
{ | { | ||||
atf_set descr 'IPv4 fragment limitation test' | atf_set descr 'IPv4 fragment limitation test' | ||||
atf_set require.user root | atf_set require.user root | ||||
} | } | ||||
too_many_fragments_body() | too_many_fragments_body() | ||||
{ | { | ||||
pft_init | pft_init | ||||
epair=$(vnet_mkepair) | epair=$(vnet_mkepair) | ||||
vnet_mkjail alcatraz ${epair}a | vnet_mkjail alcatraz ${epair}a | ||||
ifconfig ${epair}b inet 192.0.2.1/24 up | ifconfig ${epair}b inet 192.0.2.1/24 up | ||||
jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | ||||
ifconfig ${epair}b mtu 200 | ifconfig ${epair}b mtu 200 | ||||
jexec alcatraz ifconfig ${epair}a mtu 200 | jexec alcatraz ifconfig ${epair}a mtu 200 | ||||
jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
"scrub all fragment reassemble" | "set reassemble yes" \ | ||||
"pass keep state" | |||||
# So we know pf is limiting things | # So we know pf is limiting things | ||||
jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 | jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 | ||||
# Sanity check | # Sanity check | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
# We can ping with < 64 fragments | # We can ping with < 64 fragments | ||||
ifconfig ${epair_send}a inet6 -ifdisabled | ifconfig ${epair_send}a inet6 -ifdisabled | ||||
ifconfig ${epair_send}a | ifconfig ${epair_send}a | ||||
jexec alcatraz ifconfig ${epair_send}b | jexec alcatraz ifconfig ${epair_send}b | ||||
lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %) | lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %) | ||||
jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
"scrub fragment reassemble" \ | "set reassemble yes" \ | ||||
"pass keep state" \ | |||||
"block in" \ | "block in" \ | ||||
"pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ | "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ | ||||
"pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" | "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" | ||||
# Host test | # Host test | ||||
atf_check -s exit:0 -o ignore \ | atf_check -s exit:0 -o ignore \ | ||||
ping -6 -c 1 2001:db8:42::2 | ping -6 -c 1 2001:db8:42::2 | ||||
jexec second ifconfig ${epair_large}b 192.0.2.131/25 up | jexec second ifconfig ${epair_large}b 192.0.2.131/25 up | ||||
jexec second ifconfig ${epair_large}b mtu 9000 | jexec second ifconfig ${epair_large}b mtu 9000 | ||||
jexec second route add default 192.0.2.130 | jexec second route add default 192.0.2.130 | ||||
route add 192.0.2.128/25 192.0.2.2 | route add 192.0.2.128/25 192.0.2.2 | ||||
jexec first pfctl -e | jexec first pfctl -e | ||||
pft_set_rules first \ | pft_set_rules first \ | ||||
"scrub all fragment reassemble" | "set reassemble yes" \ | ||||
"pass keep state" | |||||
# Sanity checks | # Sanity checks | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130 | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131 | ||||
# Large packet that'll get reassembled and sent out in one on the large | # Large packet that'll get reassembled and sent out in one on the large | ||||
# epair | # epair | ||||
epair=$(vnet_mkepair) | epair=$(vnet_mkepair) | ||||
vnet_mkjail alcatraz ${epair}a | vnet_mkjail alcatraz ${epair}a | ||||
ifconfig ${epair}b inet 192.0.2.1/24 up | ifconfig ${epair}b inet 192.0.2.1/24 up | ||||
jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | ||||
jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
"scrub all fragment reassemble" | "set reassemble yes" \ | ||||
"pass keep state" | |||||
# Sanity check | # Sanity check | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${1}.py \ | atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${1}.py \ | ||||
--to 192.0.2.2 \ | --to 192.0.2.2 \ | ||||
--fromaddr 192.0.2.1 \ | --fromaddr 192.0.2.1 \ | ||||
--sendif ${epair}b \ | --sendif ${epair}b \ | ||||
# Single fragment passes | # Single fragment passes | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
# But a fragmented ping does not | # But a fragmented ping does not | ||||
atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | ||||
pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
"scrub in" \ | "set reassemble yes" \ | ||||
"pass out" \ | "pass out" \ | ||||
"block in" \ | "block in" \ | ||||
"pass in inet proto icmp all icmp-type echoreq" | "pass in inet proto icmp all icmp-type echoreq" | ||||
# Both single packet & fragmented pass when we scrub | # Both single packet & fragmented pass when we scrub | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 | ||||
} | |||||
pft_set_rules alcatraz \ | reassemble_cleanup() | ||||
"scrub in fragment no reassemble" \ | { | ||||
pft_cleanup | |||||
} | |||||
atf_test_case "no_df" "cleanup" | |||||
no_df_head() | |||||
{ | |||||
atf_set descr 'Test removing of DF flag' | |||||
atf_set require.user root | |||||
} | |||||
no_df_body() | |||||
{ | |||||
setup_router_server_ipv4 | |||||
ifconfig ${epair_tester}a mtu 9000 | |||||
jexec router ifconfig ${epair_tester}b mtu 9000 | |||||
jexec router ifconfig ${epair_server}a mtu 1500 | |||||
jexec server ifconfig ${epair_server}b mtu 1500 | |||||
# Sanity check. | |||||
ping_server_check_reply exit:0 --ping-type=icmp | |||||
pft_set_rules router \ | |||||
"set reassemble no" \ | |||||
"pass out" \ | "pass out" \ | ||||
"block in" \ | "block in" \ | ||||
"pass in inet proto icmp all icmp-type echoreq" | "pass in inet proto icmp all icmp-type echoreq" | ||||
# And the fragmented ping doesn't pass if we do not reassemble | # Ping with normal, fragmentable packets. | ||||
atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 | ||||
atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | |||||
} | |||||
reassemble_cleanup() | pft_set_rules router \ | ||||
"set reassemble yes" \ | |||||
"pass out" \ | |||||
"block in" \ | |||||
"pass in inet proto icmp all icmp-type echoreq" | |||||
# Ping with normal, fragmentable packets. | |||||
ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 | |||||
# Ping with non-fragmentable packets. | |||||
ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF | |||||
pft_set_rules router \ | |||||
"set reassemble yes no-df" \ | |||||
"pass out" \ | |||||
"block in" \ | |||||
"pass in inet proto icmp all icmp-type echoreq" | |||||
# Ping with non-fragmentable packets again. | |||||
# This time pf will strip the DF flag. | |||||
ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF | |||||
} | |||||
no_df_cleanup() | |||||
{ | { | ||||
pft_cleanup | pft_cleanup | ||||
} | } | ||||
atf_test_case "no_df" "cleanup" | atf_test_case "no_df" "cleanup" | ||||
no_df_head() | no_df_head() | ||||
{ | { | ||||
atf_set descr 'Test removing of DF flag' | atf_set descr 'Test removing of DF flag' | ||||
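Review bot: The comment `# Both single packet & fragmented pass when we scrub` in reassemble_body still describes the old `scrub in` rule, while the rule set directly above it now enables reassembly with `set reassemble yes`; suggest `# Both single packet & fragmented pass once reassembly is enabled`. In no_df_body the identical comment `# Ping with normal, fragmentable packets.` precedes both the `exit:1` check under `set reassemble no` and the `exit:0` check under `set reassemble yes`, so the negative case never states why failure is the expected outcome; a line such as `# Without reassembly the non-first fragments carry no ICMP header, so they cannot match the echoreq pass rule and fall through to block in` would make that expectation explicit (this follows from the visible rule set, but confirm it is the intended reason rather than, say, the MTU change). The no-df assertion stands on its own: with the server link forced to MTU 1500, a reply to the DF-flagged 2000-byte ping can only arrive if the router cleared DF and fragmented, which is exactly what `set reassemble yes no-df` is meant to do. reassemble_body's head and its first rule setup begin above this hunk.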