From owner-svn-src-all@freebsd.org Mon Aug 19 10:48:29 2019
Return-Path:
Delivered-To: svn-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id CCF71C1768; Mon, 19 Aug 2019 10:48:29 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46BrHx50lyz4dVb; Mon, 19 Aug 2019 10:48:29 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8D2A6196B6; Mon, 19 Aug 2019 10:48:29 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7JAmTZt033417; Mon, 19 Aug 2019 10:48:29 GMT (envelope-from kp@FreeBSD.org)
Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7JAmSgl033410; Mon, 19 Aug 2019 10:48:28 GMT (envelope-from kp@FreeBSD.org)
Message-Id: <201908191048.x7JAmSgl033410@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f
From: Kristof Provost
Date: Mon, 19 Aug 2019 10:48:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r351212 - in head: . tests/sys/netpfil/common tests/sys/netpfil/pf
X-SVN-Group: head
X-SVN-Commit-Author: kp
X-SVN-Commit-Paths: in head: . tests/sys/netpfil/common tests/sys/netpfil/pf
X-SVN-Commit-Revision: 351212
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Aug 2019 10:48:29 -0000

Author: kp
Date: Mon Aug 19 10:48:27 2019
New Revision: 351212

URL: https://svnweb.freebsd.org/changeset/base/351212

Log:
  netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

  The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to the
  tests/sys/netpfil/common directory because these tools are to be used in common
  for all the firewalls.

  Submitted by:	Ahsan Barkati
  Reviewed by:	kp, thj
  Sponsored by:	Google, Inc.
(GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276 Added: head/tests/sys/netpfil/common/pft_ping.py - copied unchanged from r351211, head/tests/sys/netpfil/pf/pft_ping.py head/tests/sys/netpfil/common/sniffer.py - copied unchanged from r351211, head/tests/sys/netpfil/pf/sniffer.py Deleted: head/tests/sys/netpfil/pf/pft_ping.py head/tests/sys/netpfil/pf/sniffer.py Modified: head/ObsoleteFiles.inc head/tests/sys/netpfil/common/Makefile head/tests/sys/netpfil/pf/Makefile head/tests/sys/netpfil/pf/forward.sh head/tests/sys/netpfil/pf/set_tos.sh Modified: head/ObsoleteFiles.inc ============================================================================== --- head/ObsoleteFiles.inc Mon Aug 19 09:33:09 2019 (r351211) +++ head/ObsoleteFiles.inc Mon Aug 19 10:48:27 2019 (r351212) @@ -38,6 +38,9 @@ # xargs -n1 | sort | uniq -d; # done +# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common +OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py +OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py # 20190816: dir.h removed from POSIX OLD_FILES+=usr/include/sys/dir.h # 20190729: gzip'ed a.out support removed Modified: head/tests/sys/netpfil/common/Makefile ============================================================================== --- head/tests/sys/netpfil/common/Makefile Mon Aug 19 09:33:09 2019 (r351211) +++ head/tests/sys/netpfil/common/Makefile Mon Aug 19 10:48:27 2019 (r351212) @@ -11,6 +11,10 @@ ATF_TESTS_SH+= \ ${PACKAGE}FILES+= \ utils.subr \ - runner.subr + runner.subr \ + pft_ping.py \ + sniffer.py + +${PACKAGE}FILESMODE_pft_ping.py= 0555 .include Copied: head/tests/sys/netpfil/common/pft_ping.py (from r351211, head/tests/sys/netpfil/pf/pft_ping.py) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/common/pft_ping.py Mon Aug 19 10:48:27 2019 (r351212, copy of r351211, head/tests/sys/netpfil/pf/pft_ping.py) 
@@ -0,0 +1,135 @@ +#!/usr/local/bin/python2.7 + +import argparse +import scapy.all as sp +import sys +from sniffer import Sniffer + +PAYLOAD_MAGIC = 0x42c0ffee + +def check_ping_request(args, packet): + if args.ip6: + return check_ping6_request(args, packet) + else: + return check_ping4_request(args, packet) + +def check_ping4_request(args, packet): + """ + Verify that the packet matches what we'd have sent + """ + dst_ip = args.to[0] + + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != dst_ip: + return False + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + if sp.icmptypes[icmp.type] != 'echo-request': + return False + + raw = packet.getlayer(sp.Raw) + if not raw: + return False + if raw.load != str(PAYLOAD_MAGIC): + return False + + # Wait to check expectations until we've established this is the packet we + # sent. + if args.expect_tos: + if ip.tos != int(args.expect_tos[0]): + print "Unexpected ToS value %d, expected %s" \ + % (ip.tos, args.expect_tos[0]) + return False + + return True + +def check_ping6_request(args, packet): + """ + Verify that the packet matches what we'd have sent + """ + dst_ip = args.to[0] + + ip = packet.getlayer(sp.IPv6) + if not ip: + return False + if ip.dst != dst_ip: + return False + + icmp = packet.getlayer(sp.ICMPv6EchoRequest) + if not icmp: + return False + if icmp.data != str(PAYLOAD_MAGIC): + return False + + return True + +def ping(send_if, dst_ip, args): + ether = sp.Ether() + ip = sp.IP(dst=dst_ip) + icmp = sp.ICMP(type='echo-request') + raw = sp.Raw(str(PAYLOAD_MAGIC)) + + if args.send_tos: + ip.tos = int(args.send_tos[0]) + + req = ether / ip / icmp / raw + sp.sendp(req, iface=send_if, verbose=False) + +def ping6(send_if, dst_ip, args): + ether = sp.Ether() + ip6 = sp.IPv6(dst=dst_ip) + icmp = sp.ICMPv6EchoRequest(data=PAYLOAD_MAGIC) + + req = ether / ip6 / icmp + sp.sendp(req, iface=send_if, verbose=False) + +def main(): + parser = argparse.ArgumentParser("pft_ping.py", + 
description="Ping test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet(s) will be sent') + parser.add_argument('--recvif', nargs=1, + help='The interface on which to expect the ICMP echo response') + parser.add_argument('--ip6', action='store_true', + help='Use IPv6') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address for the ICMP echo request') + + # Packet settings + parser.add_argument('--send-tos', nargs=1, + help='Set the ToS value for the transmitted packet') + + # Expectations + parser.add_argument('--expect-tos', nargs=1, + help='The expected ToS value in the received packet') + + args = parser.parse_args() + + # We may not have a default route. Tell scapy where to start looking for routes + sp.conf.iface6 = args.sendif[0] + + sniffer = None + if not args.recvif is None: + sniffer = Sniffer(args, check_ping_request) + + if args.ip6: + ping6(args.sendif[0], args.to[0], args) + else: + ping(args.sendif[0], args.to[0], args) + + if sniffer: + sniffer.join() + + if sniffer.foundCorrectPacket: + sys.exit(0) + else: + sys.exit(1) + +if __name__ == '__main__': + main() Copied: head/tests/sys/netpfil/common/sniffer.py (from r351211, head/tests/sys/netpfil/pf/sniffer.py) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/common/sniffer.py Mon Aug 19 10:48:27 2019 (r351212, copy of r351211, head/tests/sys/netpfil/pf/sniffer.py) 
@@ -0,0 +1,25 @@ +# $FreeBSD$ + +import threading +import scapy.all as sp + +class Sniffer(threading.Thread): + def __init__(self, args, check_function): + threading.Thread.__init__(self) + + self._args = args + self._recvif = args.recvif[0] + self._check_function = check_function + self.foundCorrectPacket = False + + self.start() + + def _checkPacket(self, packet): + ret = self._check_function(self._args, packet) + if ret: + self.foundCorrectPacket = True + return ret + + def run(self): + self.packets = sp.sniff(iface=self._recvif, + stop_filter=self._checkPacket, timeout=3) Modified: head/tests/sys/netpfil/pf/Makefile ============================================================================== --- head/tests/sys/netpfil/pf/Makefile Mon Aug 19 09:33:09 2019 (r351211) +++ head/tests/sys/netpfil/pf/Makefile Mon Aug 19 10:48:27 2019 (r351212) @@ -21,12 +21,9 @@ ATF_TESTS_SH+= anchor \ ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ - sniffer.py \ - pft_ping.py \ CVE-2019-5597.py \ CVE-2019-5598.py -${PACKAGE}FILESMODE_pft_ping.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555 Modified: head/tests/sys/netpfil/pf/forward.sh ============================================================================== --- head/tests/sys/netpfil/pf/forward.sh Mon Aug 19 09:33:09 2019 (r351211) +++ head/tests/sys/netpfil/pf/forward.sh Mon Aug 19 10:48:27 2019 (r351212) @@ -2,6 +2,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "v4" "cleanup" v4_head() { 
@@ -43,20 +45,20 @@ v4_body() # Forward with pf enabled pft_set_rules alcatraz "block in" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a pft_set_rules alcatraz "block out" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a @@ -98,7 +100,7 @@ v6_body() route add -6 2001:db8:43::/64 2001:db8:42::2 # Sanity check, can we forward ICMP echo requests without pf? - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -109,7 +111,7 @@ v6_body() # Block incoming echo request packets pft_set_rules alcatraz \ "block in inet6 proto icmp6 icmp6-type echoreq" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -118,7 +120,7 @@ v6_body() # Block outgoing echo request packets pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" - atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ @@ -128,7 +130,7 @@ v6_body() pft_set_rules alcatraz \ "block out" \ "pass out inet6 proto icmp6" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ 
@@ -138,7 +140,7 @@ v6_body() pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" \ "pass in proto icmp" - atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ Modified: head/tests/sys/netpfil/pf/set_tos.sh ============================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh Mon Aug 19 09:33:09 2019 (r351211) +++ head/tests/sys/netpfil/pf/set_tos.sh Mon Aug 19 10:48:27 2019 (r351212) @@ -2,6 +2,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "v4" "cleanup" v4_head() { @@ -37,7 +39,7 @@ v4_body() # No change is done if not requested pft_set_rules alcatraz "scrub out proto icmp" - atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ @@ -45,7 +47,7 @@ v4_body() # The requested ToS is set pft_set_rules alcatraz "scrub out proto icmp set-tos 42" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ @@ -53,7 +55,7 @@ v4_body() # ToS is not changed if the scrub rule does not match pft_set_rules alcatraz "scrub out proto tcp set-tos 42" - atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ 
@@ -62,14 +64,14 @@ v4_body() # Multiple scrub rules match as expected pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ "scrub out proto icmp set-tos 14" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 14 # And this works even if the packet already has ToS values set - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ @@ -78,7 +80,7 @@ v4_body() # ToS values are unmolested if the packets do not match a scrub rule pft_set_rules alcatraz "scrub out proto tcp set-tos 13" - atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \
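Review bot: the new ObsoleteFiles.inc entry is dated 20190817 while the commit itself lands on 20190819; entries in this file are conventionally dated by the commit that removes the files, so consider changing the comment to "# 20190819: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common" before it goes in. The placement above the 20190816 entry keeps the reverse-chronological order, so only the date needs attention.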
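Review bot: in main() of pft_ping.py, `sniffer.foundCorrectPacket` is dereferenced outside the `if sniffer:` guard, so a run without --recvif (which argparse leaves optional) constructs no Sniffer and then dies with an AttributeError on None rather than exiting with a meaningful status. The file is copied unchanged, so this is pre-existing, but the move to common/ is a good moment to fold the exit decision under the guard, e.g.
    if sniffer:
        sniffer.join()
        sys.exit(0 if sniffer.foundCorrectPacket else 1)
or to make --recvif required. Separately, ping6() builds the probe with the bare integer `data=PAYLOAD_MAGIC`, while ping() sends `sp.Raw(str(PAYLOAD_MAGIC))` and check_ping6_request compares `icmp.data` against `str(PAYLOAD_MAGIC)`; passing `str(PAYLOAD_MAGIC)` in ping6() as well keeps both address families consistent instead of relying on scapy's field coercion for the match.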
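Review bot: Sniffer.__init__ in sniffer.py calls self.start() and returns immediately, and main() in pft_ping.py then sends the probe straight away, so nothing guarantees that sp.sniff() has opened its capture socket on recvif before the packet is on the wire; a lost race surfaces as a spurious exit 1, which the forward.sh and set_tos.sh tests cannot tell apart from a genuine firewall result. The hard-coded timeout=3 also means every negative case (the expected exit:1 checks) waits the full three seconds. Consider having the thread signal readiness (a threading.Event set just before the sp.sniff() call narrows the window) and waiting on it before ping()/ping6() is called, and exposing the timeout as a constructor argument.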
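Review bot: in the forward.sh hunk at @@ -43,20 +45,20 @@, the second v4 atf_check ("block out" case) still passes `--recv ${epair_recv}a` where the other invocations use `--recvif`; the line is unchanged context here, but argparse only accepts it because `--recv` happens to be an unambiguous prefix of --recvif. Spelling it out as `--recvif ${epair_recv}a` matches the rest of the file and will not break if another --recv* option is ever added to pft_ping.py.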