git: 07ffa50ba075 - main - pf tests: test short packets
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 28 Jun 2022 08:43:43 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=07ffa50ba075d450287e22385f110e3c319470e9 commit 07ffa50ba075d450287e22385f110e3c319470e9 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-06-23 15:52:52 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-06-28 08:31:23 +0000 pf tests: test short packets Test sending very short packets (i.e. too short for an IP header) packets in the Ethernet filtering code. Sponsored by: Rubicon Communications, LLC ("Netgate") --- tests/sys/netpfil/pf/Makefile | 2 ++ tests/sys/netpfil/pf/ether.sh | 46 +++++++++++++++++++++++++++ tests/sys/netpfil/pf/pft_ether.py | 67 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 115 insertions(+) diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 45eaec2f8ddc..83f0d94e952e 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -45,6 +45,7 @@ ${PACKAGE}FILES+= CVE-2019-5597.py \ frag-overlimit.py \ frag-overreplace.py \ pfsync_defer.py \ + pft_ether.py \ utils.subr ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 @@ -54,5 +55,6 @@ ${PACKAGE}FILESMODE_frag-overindex.py= 0555 ${PACKAGE}FILESMODE_frag-overlimit.py= 0555 ${PACKAGE}FILESMODE_frag-overreplace.py= 0555 ${PACKAGE}FILESMODE_pfsync_defer.py= 0555 +${PACKAGE}FILESMODE_pft_ether.py= 0555 .include <bsd.test.mk> diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh index 283267b98c54..549fbf22ab7b 100644 --- a/tests/sys/netpfil/pf/ether.sh +++ b/tests/sys/netpfil/pf/ether.sh @@ -634,6 +634,51 @@ match_tag_cleanup() pft_cleanup } +atf_test_case "short_pkt" "cleanup" +short_pkt_head() +{ + atf_set descr 'Test overly short Ethernet packets' + atf_set require.user root +} + +short_pkt_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a 192.0.2.1/24 up + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "ether pass in" \ + "ether pass out" \ + "ether pass in l3 from 192.0.2.1" + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + jexec alcatraz pfctl -se -v + + # Try sending ever shorter ping requests + # BPF won't let us send anything shorter than an Ethernet header, but + # that's good enough for this test + for i in `seq 46 14` + do + $(atf_get_srcdir)/pft_ether.py \ + --sendif ${epair}a \ + --to 192.0.2.2 \ + --len ${i} + done +} + +short_pkt_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "mac" @@ -646,4 +691,5 @@ atf_init_test_cases() atf_add_test_case "ip" atf_add_test_case "tag" atf_add_test_case "match_tag" + atf_add_test_case "short_pkt" } diff --git a/tests/sys/netpfil/pf/pft_ether.py b/tests/sys/netpfil/pf/pft_ether.py new file mode 100644 index 000000000000..1892e0a8f95e --- /dev/null +++ b/tests/sys/netpfil/pf/pft_ether.py @@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright © 2022. Rubicon Communications, LLC (Netgate). All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# + +import argparse +import logging +logging.getLogger("scapy").setLevel(logging.CRITICAL) +import scapy.all as sp +import socket +import sys + +PAYLOAD_MAGIC = bytes.fromhex('42c0ffee') + +def ping(send_if, dst_ip, length): + ether = sp.Ether() + ip = sp.IP(dst=dst_ip) + icmp = sp.ICMP(type='echo-request') + raw = sp.raw(PAYLOAD_MAGIC) + + req = ether / ip / icmp / raw + req = req.build()[0:length] + + sp.sendp(req, iface=send_if, verbose=False) + +def main(): + parser = argparse.ArgumentParser("pft_ether.py", + description="Ethernet test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet(s) will be sent') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address for the ICMP echo request') + parser.add_argument('--len', nargs=1, + required=True, + help='The length of the packet') + + args = parser.parse_args() + + ping(args.sendif[0], args.to[0], int(args.len[0])) + +if __name__ == '__main__': + main()