Date: Mon, 21 Aug 2023 13:25:01 GMT
Message-Id: <202308211325.37LDP1uO014327@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 1fd8c845b8b7 - main - pf tests: test syncookies on IPv6
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1fd8c845b8b77f208f481901823fb87df04f8add

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1fd8c845b8b77f208f481901823fb87df04f8add

commit 1fd8c845b8b77f208f481901823fb87df04f8add
Author:     Kristof Provost
AuthorDate: 2023-08-21 06:06:50 +0000
Commit:     Kristof Provost
CommitDate: 2023-08-21 11:19:41 +0000

    pf tests: test syncookies on IPv6

    MFC after:    1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/common/pft_synflood.py |   8 +-
 tests/sys/netpfil/pf/syncookie.sh        | 151 ++++++++++++++++++++++++++++++-
 2 files changed, 157 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_synflood.py b/tests/sys/netpfil/common/pft_synflood.py index 67a5bba0def7..f73caa1b6aa6 100644 --- a/tests/sys/netpfil/common/pft_synflood.py +++ b/tests/sys/netpfil/common/pft_synflood.py @@ -35,7 +35,10 @@ def syn_flood(args): # Set a src mac, to avoid doing lookups which really slow us down. ether = sp.Ether(src='01:02:03:04:05') - ip = sp.IP(dst=args.to[0]) + if args.ip6: + ip = sp.IPv6(dst=args.to[0]) + else: + ip = sp.IP(dst=args.to[0]) for i in range(int(args.count[0])): tcp = sp.TCP(flags='S', sport=1+i, dport=22, seq=500+i) pkt = ether / ip / tcp 
@@ -44,6 +47,9 @@ def syn_flood(args): def main(): parser = argparse.ArgumentParser("pft_synflood.py", description="SYN flooding tool") + parser.add_argument('--ip6', + action='store_true', + help='Use IPv6 rather than IPv4') parser.add_argument('--sendif', nargs=1, required=True, help='The interface through which the packet(s) will be sent') diff --git a/tests/sys/netpfil/pf/syncookie.sh b/tests/sys/netpfil/pf/syncookie.sh index 131a4eac5eb3..8feb2816f589 100644 --- a/tests/sys/netpfil/pf/syncookie.sh +++ b/tests/sys/netpfil/pf/syncookie.sh @@ -71,7 +71,6 @@ basic_body() atf_fail "Failed to connect to syncookie protected echo daemon" fi - # Check that status shows syncookies as being active active=$(syncookie_state alcatraz) if [ "$active" != "active" ]; @@ -86,6 +85,55 @@ basic_cleanup() pft_cleanup } +atf_test_case "basic_v6" "cleanup" +basic_v6_head() +{ + atf_set descr 'Basic syncookie IPv6 test' + atf_set require.user root +} + +basic_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + jexec alcatraz /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + reply=$(echo foo | nc -N -w 5 2001:db8::1 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi + + # Check that status shows syncookies as being active + active=$(syncookie_state alcatraz) + if [ "$active" != "active" ]; + then + atf_fail "syncookies not active" + fi +} + +basic_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "forward" "cleanup" forward_head() { 
@@ -137,6 +185,57 @@ forward_cleanup() pft_cleanup } +atf_test_case "forward_v6" "cleanup" +forward_v6_head() +{ + atf_set descr 'Syncookies for forwarded hosts' + atf_set require.user root +} + +forward_v6_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + vnet_mkjail fwd ${epair_in}b ${epair_out}a + vnet_mkjail srv ${epair_out}b + + jexec fwd ifconfig ${epair_in}b inet6 2001:db8::1/64 up no_dad + jexec fwd ifconfig ${epair_out}a inet6 2001:db8:1::1/64 up no_dad + jexec fwd sysctl net.inet6.ip6.forwarding=1 + + jexec srv ifconfig ${epair_out}b inet6 2001:db8:1::2/64 up no_dad + jexec srv route -6 add default 2001:db8:1::1 + jexec srv /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair_in}a inet6 2001:db8::2/64 up no_dad + route -6 add -net 2001:db8:1::/64 2001:db8::1 + + jexec fwd pfctl -e + pft_set_rules fwd \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:1::2 + + reply=$(echo foo | nc -N -w 5 2001:db8:1::2 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi +} + +forward_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "nostate" "cleanup" nostate_head() { 
@@ -183,6 +282,53 @@ nostate_cleanup() pft_cleanup } +atf_test_case "nostate_v6" "cleanup" +nostate_v6_head() +{ + atf_set descr 'Ensure that we do not create until SYN|ACK' + atf_set require.user root + atf_set require.progs scapy +} + +nostate_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + # Now syn flood to create many states + ${common_dir}/pft_synflood.py \ + --ip6 \ + --sendif ${epair}a \ + --to 2001:db8::2 \ + --count 20 + + states=$(jexec alcatraz pfctl -ss | grep tcp) + if [ -n "$states" ]; + then + echo "$states" + atf_fail "Found unexpected state" + fi +} + +nostate_v6_cleanup() +{ + pft_cleanup +} + atf_test_case "adaptive" "cleanup" adaptive_head() { @@ -337,8 +483,11 @@ port_reuse_cleanup() atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "basic_v6" atf_add_test_case "forward" + atf_add_test_case "forward_v6" atf_add_test_case "nostate" + atf_add_test_case "nostate_v6" atf_add_test_case "adaptive" atf_add_test_case "limits" atf_add_test_case "port_reuse"
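Review bot: in the first pft_synflood.py hunk, the new `if args.ip6:` branch builds `sp.IPv6(dst=args.to[0])` without checking that the `--to` address actually belongs to the selected family, so `--ip6` with an IPv4 literal (or the reverse) only fails deep inside scapy with an unrelated-looking error. Suggest validating up front, e.g. `if ipaddress.ip_address(args.to[0]).version != (6 if args.ip6 else 4): parser.error(...)`. Unrelated to this change but visible in the same hunk: `sp.Ether(src='01:02:03:04:05')` is a five-octet MAC and relies on scapy padding it.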
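Review bot: the syncookie.sh hunk at `@@ -71,7 +71,6 @@ basic_body()` only deletes the comment `# Check that status shows syncookies as being active` from the IPv4 test, while the identical comment is kept in the new `basic_v6_body()`; this looks like an accidental removal rather than part of the IPv6 work and should be restored (or mentioned in the commit message if intended).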
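Review bot: in the `forward_v6` hunk, `forward_v6_head()` sets `descr 'Syncookies for forwarded hosts'` with no mention of IPv6, so the two forward cases are indistinguishable in test listings; suggest 'Syncookies for forwarded hosts (IPv6)'. The pid file written by the `srv` jail is also still named `inetd-alcatraz.pid`, which is misleading now that the jail is called `srv`. Unlike `basic_v6_body()`, this body never queries `syncookie_state`, so it would still pass if `set syncookies always` were silently ignored and the echo reply came from a normal handshake.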
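Review bot: in the `nostate_v6` hunk, `atf_set descr 'Ensure that we do not create until SYN|ACK'` is missing its object (presumably "do not create state until SYN|ACK") and does not say IPv6. The flood is sent with `--to 2001:db8::2`, which is the host-side `${epair}a` address, while the pf jail and the `ping6` sanity check use `2001:db8::1`; if targeting the far side of the link is deliberate (frames still reach alcatraz on `${epair}b`), a one-line comment would stop readers from taking it for a typo.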