Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/tests/sys/netpfil/pf/fragmentation_compat.sh
39507 views
1
#

2
# SPDX-License-Identifier: BSD-2-Clause

3
#

4
# Copyright (c) 2017 Kristof Provost <[email protected]>

5
#

6
# Redistribution and use in source and binary forms, with or without

7
# modification, are permitted provided that the following conditions

8
# are met:

9
# 1. Redistributions of source code must retain the above copyright

10
#    notice, this list of conditions and the following disclaimer.

11
# 2. Redistributions in binary form must reproduce the above copyright

12
#    notice, this list of conditions and the following disclaimer in the

13
#    documentation and/or other materials provided with the distribution.

14
#

15
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

16
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

17
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

18
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

19
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

20
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

21
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

22
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

23
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

24
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

25
# SUCH DAMAGE.

26


27
. $(atf_get_srcdir)/utils.subr

28


29
atf_test_case "too_many_fragments" "cleanup"

30


31
too_many_fragments_head()

32
{

33
	atf_set descr 'IPv4 fragment limitation test'

34
	atf_set require.user root

35
}

36


37
too_many_fragments_body()

38
{

39
	pft_init

40


41
	epair=$(vnet_mkepair)

42
	vnet_mkjail alcatraz ${epair}a

43


44
	ifconfig ${epair}b inet 192.0.2.1/24 up

45
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

46


47
	ifconfig ${epair}b mtu 200

48
	jexec alcatraz ifconfig ${epair}a mtu 200

49


50
	jexec alcatraz pfctl -e

51
	pft_set_rules alcatraz \

52
		"scrub all fragment reassemble"

53


54
	# So we know pf is limiting things

55
	jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024

56


57
	# Sanity check

58
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

59


60
	# We can ping with < 64 fragments

61
	atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2

62


63
	# Too many fragments should fail

64
	atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2

65
}

66


67
too_many_fragments_cleanup()

68
{

69
	pft_cleanup

70
}

71


72
atf_test_case "v6" "cleanup"

73
v6_head()

74
{

75
	atf_set descr 'IPv6 fragmentation test'

76
	atf_set require.user root

77
	atf_set require.progs python3 scapy

78
}

79


80
v6_body()

81
{

82
	pft_init

83


84
	epair_send=$(vnet_mkepair)

85
	epair_link=$(vnet_mkepair)

86


87
	vnet_mkjail alcatraz ${epair_send}b ${epair_link}a

88
	vnet_mkjail singsing ${epair_link}b

89


90
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up

91


92
	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up

93
	jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up

94
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1

95


96
	jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up

97
	jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2

98
	route add -6 2001:db8:43::/64 2001:db8:42::2

99


100
	jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled

101
	jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled

102
	jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled

103
	ifconfig ${epair_send}a inet6 -ifdisabled

104


105
	ifconfig ${epair_send}a

106
	jexec alcatraz ifconfig ${epair_send}b

107
	lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %)

108


109
	jexec alcatraz pfctl -e

110
	pft_set_rules alcatraz \

111
		"scrub fragment reassemble" \

112
		"block in" \

113
		"pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \

114
		"pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" \

115
		"set skip on lo"

116


117
	# Host test

118
	atf_check -s exit:0 -o ignore \

119
		ping -6 -c 1 2001:db8:42::2

120


121
	atf_check -s exit:0 -o ignore \

122
		ping -6 -c 1 -s 4500 2001:db8:42::2

123


124
	atf_check -s exit:0 -o ignore\

125
		ping -6 -c 1 -b 70000 -s 65000 2001:db8:42::2

126


127
	# Force an NDP lookup

128
	ping -6 -c 1 ${lladdr}%${epair_send}a

129


130
	atf_check -s exit:0 -o ignore\

131
		ping -6 -c 1 -b 70000 -s 65000 ${lladdr}%${epair_send}a

132


133
	# Forwarding test

134
	atf_check -s exit:0 -o ignore \

135
		ping -6 -c 1 2001:db8:43::3

136


137
	atf_check -s exit:0 -o ignore \

138
		ping -6 -c 1 -s 4500 2001:db8:43::3

139


140
	atf_check -s exit:0 -o ignore\

141
		ping -6 -c 1 -b 70000 -s 65000 2001:db8:43::3

142


143
	$(atf_get_srcdir)/CVE-2019-5597.py \

144
		${epair_send}a \

145
		2001:db8:42::1 \

146
		2001:db8:43::3

147
}

148


149
v6_cleanup()

150
{

151
	pft_cleanup

152
}

153


154
atf_test_case "mtu_diff" "cleanup"

155
mtu_diff_head()

156
{

157
	atf_set descr 'Test reassembly across different MTUs, PR #255432'

158
	atf_set require.user root

159
}

160


161
mtu_diff_body()

162
{

163
	pft_init

164


165
	epair_small=$(vnet_mkepair)

166
	epair_large=$(vnet_mkepair)

167


168
	vnet_mkjail first ${epair_small}b ${epair_large}a

169
	vnet_mkjail second ${epair_large}b

170


171
	ifconfig ${epair_small}a 192.0.2.1/25 up

172
	jexec first ifconfig ${epair_small}b 192.0.2.2/25 up

173


174
	jexec first sysctl net.inet.ip.forwarding=1

175
	jexec first ifconfig ${epair_large}a 192.0.2.130/25 up

176
	jexec first ifconfig ${epair_large}a mtu 9000

177
	jexec second ifconfig ${epair_large}b 192.0.2.131/25 up

178
	jexec second ifconfig ${epair_large}b mtu 9000

179
	jexec second route add default 192.0.2.130

180


181
	route add 192.0.2.128/25 192.0.2.2

182


183
	jexec first pfctl -e

184
	pft_set_rules first \

185
		"scrub all fragment reassemble"

186


187
	# Sanity checks

188
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

189
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130

190
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131

191


192
	# Large packet that'll get reassembled and sent out in one on the large

193
	# epair

194
	atf_check -s exit:0 -o ignore ping -c 1 -s 8000 192.0.2.131

195
}

196


197
mtu_diff_cleanup()

198
{

199
	pft_cleanup

200
}

201


202
frag_common()

203
{

204
	name=$1

205


206
	pft_init

207


208
	epair=$(vnet_mkepair)

209
	vnet_mkjail alcatraz ${epair}a

210


211
	ifconfig ${epair}b inet 192.0.2.1/24 up

212
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

213


214
	jexec alcatraz pfctl -e

215
	pft_set_rules alcatraz \

216
		"scrub all fragment reassemble"

217


218
	# Sanity check

219
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

220


221
	atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${1}.py \

222
		--to 192.0.2.2 \

223
		--fromaddr 192.0.2.1 \

224
		--sendif ${epair}b \

225
		--recvif ${epair}b

226
}

227


228
atf_test_case "overreplace" "cleanup"

229
overreplace_head()

230
{

231
	atf_set descr 'ping fragment that overlaps fragment at index boundary and replace it'

232
	atf_set require.user root

233
	atf_set require.progs python3 scapy

234
}

235


236
overreplace_body()

237
{

238
	frag_common overreplace

239
}

240


241
overreplace_cleanup()

242
{

243
	pft_cleanup

244
}

245


246
atf_test_case "overindex" "cleanup"

247
overindex_head()

248
{

249
	atf_set descr 'ping fragment that overlaps the first fragment at index boundary'

250
	atf_set require.user root

251
	atf_set require.progs python3 scapy

252
}

253


254
overindex_body()

255
{

256
	frag_common overindex

257
}

258


259
overindex_cleanup()

260
{

261
	pft_cleanup

262
}

263


264
atf_test_case "overlimit" "cleanup"

265
overlimit_head()

266
{

267
	atf_set descr 'ping fragment at index boundary that cannot be requeued'

268
	atf_set require.user root

269
	atf_set require.progs python3 scapy

270
}

271


272
overlimit_body()

273
{

274
	frag_common overlimit

275
}

276


277
overlimit_cleanup()

278
{

279
	pft_cleanup

280
}

281


282
atf_test_case "reassemble" "cleanup"

283
reassemble_head()

284
{

285
	atf_set descr 'Test reassembly'

286
	atf_set require.user root

287
}

288


289
reassemble_body()

290
{

291
	pft_init

292


293
	epair=$(vnet_mkepair)

294
	vnet_mkjail alcatraz ${epair}a

295


296
	ifconfig ${epair}b inet 192.0.2.1/24 up

297
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

298


299
	# Sanity check

300
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

301


302
	jexec alcatraz pfctl -e

303
	pft_set_rules alcatraz \

304
		"scrub in" \

305
		"pass out" \

306
		"block in" \

307
		"pass in inet proto icmp all icmp-type echoreq"

308


309
	# Both single packet & fragmented pass when we scrub

310
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

311
	atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2

312


313
	pft_set_rules alcatraz \

314
		"scrub in fragment no reassemble" \

315
		"pass out" \

316
		"block in" \

317
		"pass in inet proto icmp all icmp-type echoreq"

318


319
	# And the fragmented ping doesn't pass if we do not reassemble

320
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

321
	atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2

322
}

323


324
reassemble_cleanup()

325
{

326
	pft_cleanup

327
}

328


329
atf_init_test_cases()

330
{

331
	atf_add_test_case "too_many_fragments"

332
	atf_add_test_case "v6"

333
	atf_add_test_case "mtu_diff"

334
	atf_add_test_case "overreplace"

335
	atf_add_test_case "overindex"

336
	atf_add_test_case "overlimit"

337
	atf_add_test_case "reassemble"

338
}

339


340