git: 7a6bcfb44dc0 - main - pf tests: test that reassembly is or is not performed as expected
Date: Mon, 28 Nov 2022 19:22:18 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=7a6bcfb44dc0bbdeaa5f701bcf98e80e3bf64a13 commit 7a6bcfb44dc0bbdeaa5f701bcf98e80e3bf64a13 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-11-24 09:25:40 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-11-28 19:19:12 +0000 pf tests: test that reassembly is or is not performed as expected We can now tell scrub rules to not reassemble packets. Test that this affects packets being passed or dropped as expected. Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/fragmentation.sh | 59 +++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation.sh
index 8b16c9655d08..fb57cc62d54b 100644
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation.sh
@@ -269,6 +269,64 @@ overlimit_cleanup()
 pft_cleanup
 }
 
+atf_test_case "reassemble" "cleanup"
+reassemble_head()
+{
+ atf_set descr 'Test reassembly'
+ atf_set require.user root
+}
+
+reassemble_body()
+{
+ pft_init
+
+ epair=$(vnet_mkepair)
+ vnet_mkjail alcatraz ${epair}a
+
+ ifconfig ${epair}b inet 192.0.2.1/24 up
+ jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Single fragment passes
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+ # But a fragmented ping does not
+ atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
+
+ pft_set_rules alcatraz \
+ "scrub in" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Both single packet & fragmented pass when we scrub
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+ atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2
+
+ pft_set_rules alcatraz \
+ "scrub in fragment no reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # And the fragmented ping doesn't pass if we do not reassemble
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+ atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
+}
+
+reassemble_cleanup()
+{
+ pft_cleanup
+}
+
 atf_init_test_cases()
 {
 atf_add_test_case "too_many_fragments"
@@ -277,4 +335,5 @@ atf_init_test_cases()
 atf_add_test_case "overreplace"
 atf_add_test_case "overindex"
 atf_add_test_case "overlimit"
+ atf_add_test_case "reassemble"
 }
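Review bot: The fragmented-ping checks in reassemble_body, `atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2`, encode two assumptions the reader has to reconstruct: that 2000 bytes only fragments because it exceeds the epair's default 1500-byte MTU, and that exit status 2 is ping(8)'s "sent but no reply" result rather than a generic error. A comment above the first fragmented ping such as `# 2000 bytes exceeds the epair MTU (1500 by default) so the request is fragmented; exit:2 is ping's 'no reply' status` would make the intent explicit and protect the test if the MTU is ever changed in a later refactor. The closing comment `# And the fragmented ping doesn't pass if we do not reassemble` would also be more useful if it said why, presumably that without reassembly only the first fragment carries the ICMP header, so the remaining fragments cannot match `icmp-type echoreq` and fall to `block in`; that reasoning should be confirmed against pf's fragment handling before being written down. The second hunk, which only registers the new test case, needs nothing.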