Date: Mon, 28 Nov 2022 19:22:18 GMT
Message-Id: <202211281922.2ASJMIxX052085@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 7a6bcfb44dc0 - main - pf tests: test that reassembly is or is not performed as expected
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7a6bcfb44dc0bbdeaa5f701bcf98e80e3bf64a13
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=7a6bcfb44dc0bbdeaa5f701bcf98e80e3bf64a13

commit 7a6bcfb44dc0bbdeaa5f701bcf98e80e3bf64a13
Author: Kristof Provost
AuthorDate: 2022-11-24 09:25:40 +0000
Commit: Kristof Provost
CommitDate: 2022-11-28 19:19:12 +0000

    pf tests: test that reassembly is or is not performed as expected

    We can now tell scrub rules to not reassemble packets. Test that this
    affects packets being passed or dropped as expected.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/fragmentation.sh | 59 +++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation.sh index 8b16c9655d08..fb57cc62d54b 100644 --- a/tests/sys/netpfil/pf/fragmentation.sh +++ b/tests/sys/netpfil/pf/fragmentation.sh 
@@ -269,6 +269,64 @@ overlimit_cleanup() pft_cleanup } +atf_test_case "reassemble" "cleanup" +reassemble_head() +{ + atf_set descr 'Test reassembly' + atf_set require.user root +} + +reassemble_body() +{ + pft_init + + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}a + + ifconfig ${epair}b inet 192.0.2.1/24 up + jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "pass out" \ + "block in" \ + "pass in inet proto icmp all icmp-type echoreq" + + # Single fragment passes + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + # But a fragmented ping does not + atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 + + pft_set_rules alcatraz \ + "scrub in" \ + "pass out" \ + "block in" \ + "pass in inet proto icmp all icmp-type echoreq" + + # Both single packet & fragmented pass when we scrub + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 + + pft_set_rules alcatraz \ + "scrub in fragment no reassemble" \ + "pass out" \ + "block in" \ + "pass in inet proto icmp all icmp-type echoreq" + + # And the fragmented ping doesn't pass if we do not reassemble + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 +} + +reassemble_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "too_many_fragments" @@ -277,4 +335,5 @@ atf_init_test_cases() atf_add_test_case "overreplace" atf_add_test_case "overindex" atf_add_test_case "overlimit" + atf_add_test_case "reassemble" }
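Review bot: In reassemble_body, the last ruleset ("scrub in fragment no reassemble") is checked with exactly the same two expectations as the first ruleset, which has no scrub rule at all (plain ping exit:0, "ping -c 1 -s 2000" exit:2), so the test cannot tell a scrub rule that matched and skipped reassembly apart from one that never matched. Consider adding an assertion that only holds when the scrub rule was actually evaluated in the alcatraz jail, so a regression that silently ignores the rule is caught. The two expected-failure checks ("atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2") also set no explicit timeout, so each one waits out ping's default before returning; bounding that wait would keep the test short. The descr 'Test reassembly' could also say that the "no reassemble" case is covered, and the test only exercises IPv4 addresses.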