diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index f4dd36d9e35d..4a16642a967b 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -1,87 +1,88 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/netpfil/pf BINDIR= ${TESTSDIR} TESTS_SUBDIRS+= ioctl ATF_TESTS_SH+= altq \ anchor \ debug \ divert-to \ dup \ ether \ forward \ fragmentation_compat \ fragmentation_pass \ fragmentation_no_reassembly \ get_state \ icmp \ icmp6 \ if_enc \ limits \ loginterface \ killstate \ macro \ map_e \ match \ + mbuf \ modulate \ names \ nat \ pass_block \ pflog \ pflow \ pfsync \ prio \ proxy \ rdr \ ridentifier \ route_to \ rtable \ rules_counter \ scrub_compat \ scrub_pass \ sctp \ set_skip \ set_tos \ src_track \ status \ syncookie \ synproxy \ table \ tcp \ tos ATF_TESTS_PYTEST+= frag6.py ATF_TESTS_PYTEST+= nat66.py ATF_TESTS_PYTEST+= sctp.py # Allow tests to run in parallel in their own jails TEST_METADATA+= execenv="jail" TEST_METADATA+= execenv_jail_params="vnet allow.raw_sockets" PROGS= divapp ${PACKAGE}FILES+= CVE-2019-5597.py \ CVE-2019-5598.py \ daytime_inetd.conf \ echo_inetd.conf \ fragcommon.py \ frag-overindex.py \ frag-overlimit.py \ frag-overreplace.py \ pfsync_defer.py \ pft_ether.py \ pft_read_ipfix.py \ utils.subr ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555 ${PACKAGE}FILESMODE_fragcommon.py= 0555 ${PACKAGE}FILESMODE_frag-overindex.py= 0555 ${PACKAGE}FILESMODE_frag-overlimit.py= 0555 ${PACKAGE}FILESMODE_frag-overreplace.py= 0555 ${PACKAGE}FILESMODE_pfsync_defer.py= 0555 ${PACKAGE}FILESMODE_pft_ether.py= 0555 ${PACKAGE}FILESMODE_pft_read_ipfix.py= 0555 .include diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh new file mode 100644 index 000000000000..082de08b0838 --- /dev/null +++ b/tests/sys/netpfil/pf/mbuf.sh @@ -0,0 +1,97 @@ +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright (c) 2024 Igor Ostapenko +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. $(atf_get_srcdir)/utils.subr + +dummymbuf_init() +{ + if ! kldstat -q -m dummymbuf; then + atf_skip "This test requires dummymbuf" + fi +} + +atf_test_case "inet_in_mbuf_len" "cleanup" +inet_in_mbuf_len_head() +{ + atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ip)' + atf_set require.user root +} +inet_in_mbuf_len_body() +{ + pft_init + dummymbuf_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a 192.0.2.1/24 up + + # Set up a simple jail with one interface + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + + # Should be denied + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "block" + atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2 + + # Should be allowed by from/to addresses + pft_set_rules alcatraz \ + "block" \ + "pass in from 192.0.2.1 to 192.0.2.2" + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + + # Should still work for m_len=0 + jexec alcatraz pfilctl link -i dummymbuf:inet inet + jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 0;" + atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=1 + jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 1;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" + + # m_len=19 + # provided IPv4 basic header is 20 bytes long, it should impact the dst addr + jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 19;" + jexec alcatraz sysctl net.dummymbuf.hits=0 + atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 + atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" +} +inet_in_mbuf_len_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "inet_in_mbuf_len" +}