Date: Mon, 28 Aug 2023 12:03:22 GMT
Message-Id: <202308281203.37SC3MNq030524@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost Subject: git: 89437732d361 - stable/13 - pf tests: test syncookies on IPv6 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 89437732d361d9b761660021cefc3f362c9ca672 Auto-Submitted: auto-generated The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=89437732d361d9b761660021cefc3f362c9ca672 commit 89437732d361d9b761660021cefc3f362c9ca672 Author: Kristof Provost AuthorDate: 2023-08-21 06:06:50 +0000 Commit: Kristof Provost CommitDate: 2023-08-28 08:17:18 +0000 pf tests: test syncookies on IPv6 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 1fd8c845b8b77f208f481901823fb87df04f8add) --- tests/sys/netpfil/common/pft_synflood.py | 8 +- tests/sys/netpfil/pf/syncookie.sh | 151 ++++++++++++++++++++++++++++++- 2 files changed, 157 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/common/pft_synflood.py b/tests/sys/netpfil/common/pft_synflood.py index 67a5bba0def7..f73caa1b6aa6 100644 --- a/tests/sys/netpfil/common/pft_synflood.py +++ b/tests/sys/netpfil/common/pft_synflood.py @@ -35,7 +35,10 @@ def syn_flood(args): # Set a src mac, to avoid doing lookups which really slow us down. ether = sp.Ether(src='01:02:03:04:05') - ip = sp.IP(dst=args.to[0]) + if args.ip6: + ip = sp.IPv6(dst=args.to[0]) + else: + ip = sp.IP(dst=args.to[0]) for i in range(int(args.count[0])): tcp = sp.TCP(flags='S', sport=1+i, dport=22, seq=500+i) pkt = ether / ip / tcp 
@@ -44,6 +47,9 @@ def syn_flood(args): def main(): parser = argparse.ArgumentParser("pft_synflood.py", description="SYN flooding tool") + parser.add_argument('--ip6', + action='store_true', + help='Use IPv6 rather than IPv4') parser.add_argument('--sendif', nargs=1, required=True, help='The interface through which the packet(s) will be sent') diff --git a/tests/sys/netpfil/pf/syncookie.sh b/tests/sys/netpfil/pf/syncookie.sh index 290b61817471..814593adbf98 100644 --- a/tests/sys/netpfil/pf/syncookie.sh +++ b/tests/sys/netpfil/pf/syncookie.sh @@ -71,7 +71,6 @@ basic_body() atf_fail "Failed to connect to syncookie protected echo daemon" fi - # Check that status shows syncookies as being active active=$(syncookie_state alcatraz) if [ "$active" != "active" ]; @@ -86,6 +85,55 @@ basic_cleanup() pft_cleanup } +atf_test_case "basic_v6" "cleanup" +basic_v6_head() +{ + atf_set descr 'Basic syncookie IPv6 test' + atf_set require.user root +} + +basic_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + jexec alcatraz /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + reply=$(echo foo | nc -N -w 5 2001:db8::1 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi + + # Check that status shows syncookies as being active + active=$(syncookie_state alcatraz) + if [ "$active" != "active" ]; + then + atf_fail "syncookies not active" + fi +} + +basic_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "forward" "cleanup" forward_head() { 
@@ -137,6 +185,57 @@ forward_cleanup() pft_cleanup } +atf_test_case "forward_v6" "cleanup" +forward_v6_head() +{ + atf_set descr 'Syncookies for forwarded hosts' + atf_set require.user root +} + +forward_v6_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + vnet_mkjail fwd ${epair_in}b ${epair_out}a + vnet_mkjail srv ${epair_out}b + + jexec fwd ifconfig ${epair_in}b inet6 2001:db8::1/64 up no_dad + jexec fwd ifconfig ${epair_out}a inet6 2001:db8:1::1/64 up no_dad + jexec fwd sysctl net.inet6.ip6.forwarding=1 + + jexec srv ifconfig ${epair_out}b inet6 2001:db8:1::2/64 up no_dad + jexec srv route -6 add default 2001:db8:1::1 + jexec srv /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair_in}a inet6 2001:db8::2/64 up no_dad + route -6 add -net 2001:db8:1::/64 2001:db8::1 + + jexec fwd pfctl -e + pft_set_rules fwd \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:1::2 + + reply=$(echo foo | nc -N -w 5 2001:db8:1::2 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi +} + +forward_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "nostate" "cleanup" nostate_head() { 
@@ -183,6 +282,53 @@ nostate_cleanup() pft_cleanup } +atf_test_case "nostate_v6" "cleanup" +nostate_v6_head() +{ + atf_set descr 'Ensure that we do not create until SYN|ACK' + atf_set require.user root + atf_set require.progs scapy +} + +nostate_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + # Now syn flood to create many states + ${common_dir}/pft_synflood.py \ + --ip6 \ + --sendif ${epair}a \ + --to 2001:db8::2 \ + --count 20 + + states=$(jexec alcatraz pfctl -ss | grep tcp) + if [ -n "$states" ]; + then + echo "$states" + atf_fail "Found unexpected state" + fi +} + +nostate_v6_cleanup() +{ + pft_cleanup +} + atf_test_case "adaptive" "cleanup" adaptive_head() { @@ -305,8 +451,11 @@ port_reuse_cleanup() atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "basic_v6" atf_add_test_case "forward" + atf_add_test_case "forward_v6" atf_add_test_case "nostate" + atf_add_test_case "nostate_v6" atf_add_test_case "adaptive" atf_add_test_case "port_reuse" }
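Review bot: the unchanged `ether = sp.Ether(src='01:02:03:04:05')` line directly above the new `if args.ip6:` branch in syn_flood() of pft_synflood.py is a five-octet address whose first octet (0x01) has the group bit set; since this hunk already touches how the frame is built, consider correcting it to a full six-octet, locally administered unicast address (for example `02:00:00:00:00:01`) so neither the IPv4 nor the new IPv6 path relies on how scapy treats a short, group-bit source MAC.

Review bot: the hunk at `@@ -71,7 +71,6 @@ basic_body()` in syncookie.sh only deletes a blank line ahead of `# Check that status shows syncookies as being active`; that whitespace change is unrelated to the IPv6 tests and is better dropped from this commit or called out in the commit message so the cherry-pick stays focused.

Review bot: in the forward_v6 hunk the description `atf_set descr 'Syncookies for forwarded hosts'` is identical to what the IPv4 forward test would read as, whereas basic_v6 says 'Basic syncookie IPv6 test'; make it `'Syncookies for forwarded hosts (IPv6)'` or similar so the two cases are distinguishable in test output. Also, `jexec srv /usr/sbin/inetd -p inetd-alcatraz.pid` starts inetd in the `srv` jail but names the pid file after the `alcatraz` jail from basic_v6; `forward_v6_cleanup()` removes the same file so it is consistent, but naming it `inetd-srv.pid` in both places avoids confusion if the two tests ever run in the same directory.

Review bot: in the nostate_v6 hunk, `--to 2001:db8::2` is the address just configured on `${epair}a`, the sending side, while the pf-protected jail `alcatraz` holds `2001:db8::1`; if the intent is for pf inside the jail to see SYNs addressed to it, the target should be `--to 2001:db8::1`, otherwise add a comment explaining why the flood is addressed to the host's own address. The description `atf_set descr 'Ensure that we do not create until SYN|ACK'` is missing its object and should read 'Ensure that we do not create state until SYN|ACK', and the comment `# Now syn flood to create many states` contradicts the assertion that follows (`atf_fail "Found unexpected state"`); rewording it to "syn flood and verify no states are created" matches what the test checks.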