Changeset View
Changeset View
Standalone View
Standalone View
tests/sys/netpfil/pf/fragmentation_pass.sh
- This file was moved from tests/sys/netpfil/pf/fragmentation.sh.
| Show All 21 Lines | |||||
| # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
| # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| # SUCH DAMAGE. | # SUCH DAMAGE. | ||||
| . $(atf_get_srcdir)/utils.subr | . $(atf_get_srcdir)/utils.subr | ||||
| common_dir=$(atf_get_srcdir)/../common | |||||
| atf_test_case "too_many_fragments" "cleanup" | atf_test_case "too_many_fragments" "cleanup" | ||||
| too_many_fragments_head() | too_many_fragments_head() | ||||
| { | { | ||||
| atf_set descr 'IPv4 fragment limitation test' | atf_set descr 'IPv4 fragment limitation test' | ||||
| atf_set require.user root | atf_set require.user root | ||||
| } | } | ||||
| too_many_fragments_body() | too_many_fragments_body() | ||||
| { | { | ||||
| pft_init | pft_init | ||||
| epair=$(vnet_mkepair) | epair=$(vnet_mkepair) | ||||
| vnet_mkjail alcatraz ${epair}a | vnet_mkjail alcatraz ${epair}a | ||||
| ifconfig ${epair}b inet 192.0.2.1/24 up | ifconfig ${epair}b inet 192.0.2.1/24 up | ||||
| jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | ||||
| ifconfig ${epair}b mtu 200 | ifconfig ${epair}b mtu 200 | ||||
| jexec alcatraz ifconfig ${epair}a mtu 200 | jexec alcatraz ifconfig ${epair}a mtu 200 | ||||
| jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
| pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
| "scrub all fragment reassemble" | "set reassemble yes" \ | ||||
| "pass keep state" | |||||
| # So we know pf is limiting things | # So we know pf is limiting things | ||||
| jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 | jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 | ||||
| # Sanity check | # Sanity check | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
| # We can ping with < 64 fragments | # We can ping with < 64 fragments | ||||
| ▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines | v6_body() | ||||
| ifconfig ${epair_send}a inet6 -ifdisabled | ifconfig ${epair_send}a inet6 -ifdisabled | ||||
| ifconfig ${epair_send}a | ifconfig ${epair_send}a | ||||
| jexec alcatraz ifconfig ${epair_send}b | jexec alcatraz ifconfig ${epair_send}b | ||||
| lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %) | lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %) | ||||
| jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
| pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
| "scrub fragment reassemble" \ | "set reassemble yes" \ | ||||
| "pass keep state" \ | |||||
| "block in" \ | "block in" \ | ||||
| "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ | "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ | ||||
| "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" | "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" | ||||
| # Host test | # Host test | ||||
| atf_check -s exit:0 -o ignore \ | atf_check -s exit:0 -o ignore \ | ||||
| ping -6 -c 1 2001:db8:42::2 | ping -6 -c 1 2001:db8:42::2 | ||||
| ▲ Show 20 Lines • Show All 56 Lines • ▼ Show 20 Lines | mtu_diff_body() | ||||
| jexec second ifconfig ${epair_large}b 192.0.2.131/25 up | jexec second ifconfig ${epair_large}b 192.0.2.131/25 up | ||||
| jexec second ifconfig ${epair_large}b mtu 9000 | jexec second ifconfig ${epair_large}b mtu 9000 | ||||
| jexec second route add default 192.0.2.130 | jexec second route add default 192.0.2.130 | ||||
| route add 192.0.2.128/25 192.0.2.2 | route add 192.0.2.128/25 192.0.2.2 | ||||
| jexec first pfctl -e | jexec first pfctl -e | ||||
| pft_set_rules first \ | pft_set_rules first \ | ||||
| "scrub all fragment reassemble" | "set reassemble yes" \ | ||||
| "pass keep state" | |||||
| # Sanity checks | # Sanity checks | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130 | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131 | ||||
| # Large packet that'll get reassembled and sent out in one on the large | # Large packet that'll get reassembled and sent out in one on the large | ||||
| # epair | # epair | ||||
| Show All 14 Lines | frag_common() | ||||
| epair=$(vnet_mkepair) | epair=$(vnet_mkepair) | ||||
| vnet_mkjail alcatraz ${epair}a | vnet_mkjail alcatraz ${epair}a | ||||
| ifconfig ${epair}b inet 192.0.2.1/24 up | ifconfig ${epair}b inet 192.0.2.1/24 up | ||||
| jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up | ||||
| jexec alcatraz pfctl -e | jexec alcatraz pfctl -e | ||||
| pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
| "scrub all fragment reassemble" | "set reassemble yes" \ | ||||
| "pass keep state" | |||||
| # Sanity check | # Sanity check | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
| atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${1}.py \ | atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${1}.py \ | ||||
| --to 192.0.2.2 \ | --to 192.0.2.2 \ | ||||
| --fromaddr 192.0.2.1 \ | --fromaddr 192.0.2.1 \ | ||||
| --sendif ${epair}b \ | --sendif ${epair}b \ | ||||
| ▲ Show 20 Lines • Show All 82 Lines • ▼ Show 20 Lines | reassemble_body() | ||||
| # Single fragment passes | # Single fragment passes | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
| # But a fragmented ping does not | # But a fragmented ping does not | ||||
| atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | ||||
| pft_set_rules alcatraz \ | pft_set_rules alcatraz \ | ||||
| "scrub in" \ | "set reassemble yes" \ | ||||
| "pass out" \ | "pass out" \ | ||||
| "block in" \ | "block in" \ | ||||
| "pass in inet proto icmp all icmp-type echoreq" | "pass in inet proto icmp all icmp-type echoreq" | ||||
| # Both single packet & fragmented pass when we scrub | # Both single packet & fragmented pass when we scrub | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ||||
| atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 | atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 | ||||
| } | |||||
| pft_set_rules alcatraz \ | reassemble_cleanup() | ||||
| "scrub in fragment no reassemble" \ | { | ||||
| pft_cleanup | |||||
| } | |||||
| atf_test_case "no_df" "cleanup" | |||||
| no_df_head() | |||||
| { | |||||
| atf_set descr 'Test removing of DF flag' | |||||
| atf_set require.user root | |||||
| } | |||||
| no_df_body() | |||||
| { | |||||
| setup_router_server_ipv4 | |||||
| ifconfig ${epair_tester}a mtu 9000 | |||||
| jexec router ifconfig ${epair_tester}b mtu 9000 | |||||
| jexec router ifconfig ${epair_server}a mtu 1500 | |||||
| jexec server ifconfig ${epair_server}b mtu 1500 | |||||
| # Sanity check. | |||||
| ping_server_check_reply exit:0 --ping-type=icmp | |||||
| pft_set_rules router \ | |||||
| "set reassemble no" \ | |||||
| "pass out" \ | "pass out" \ | ||||
| "block in" \ | "block in" \ | ||||
| "pass in inet proto icmp all icmp-type echoreq" | "pass in inet proto icmp all icmp-type echoreq" | ||||
| # And the fragmented ping doesn't pass if we do not reassemble | # Ping with normal, fragmentable packets. | ||||
| atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 | ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 | ||||
| atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 | |||||
| } | |||||
| reassemble_cleanup() | pft_set_rules router \ | ||||
| "set reassemble yes" \ | |||||
| "pass out" \ | |||||
| "block in" \ | |||||
| "pass in inet proto icmp all icmp-type echoreq" | |||||
| # Ping with normal, fragmentable packets. | |||||
| ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 | |||||
| # Ping with non-fragmentable packets. | |||||
| ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF | |||||
| pft_set_rules router \ | |||||
| "set reassemble yes no-df" \ | |||||
| "pass out" \ | |||||
| "block in" \ | |||||
| "pass in inet proto icmp all icmp-type echoreq" | |||||
| # Ping with non-fragmentable packets again. | |||||
| # This time pf will strip the DF flag. | |||||
| ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF | |||||
| } | |||||
| no_df_cleanup() | |||||
| { | { | ||||
| pft_cleanup | pft_cleanup | ||||
| } | } | ||||
| atf_test_case "no_df" "cleanup" | atf_test_case "no_df" "cleanup" | ||||
| no_df_head() | no_df_head() | ||||
| { | { | ||||
| atf_set descr 'Test removing of DF flag' | atf_set descr 'Test removing of DF flag' | ||||
| ▲ Show 20 Lines • Show All 44 Lines • Show Last 20 Lines | |||||