From nobody Fri Aug 4 14:08:25 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RHSHG4jhCz4kW04; Fri, 4 Aug 2023 14:08:26 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RHSHF6XjVz3H49; Fri, 4 Aug 2023 14:08:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158106; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XqjWv79rl1A5H7rVsPqYpVHZlKP0LCwXZxRlTcSmdUg=; b=PahedTV+3LBYKNSHiXQVT5d1PjG6WWK6aTmGg3PYWXi1ADeFbih+7rqZgocfwrLs3HjuzP eTtPEaCvx8rFJbOc7xYfVSdWPI5giFblZ2Nn5Zjv1q5pqcKzuLlL1w7Wwu+Kk+jp0SApqa MOW5R4+aYFJ0Ye/qT5OgcjpesqZDyr+dd7kINsOxapLOk8oXzwXgDQ1LAXk+7oPCLySFje 2fRuMzIoJU+1w9C7i6h+/zdEs5MvzPkjGbc2PVEyY+gc1LwjsT3jyoAmePsvnlB9nBiPcH TkMLbHvC/jgHFLW7qIHZN37wn2S0DWGC47i9TYYNjJ3mQ15TFRzrF+IerjkmqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158106; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XqjWv79rl1A5H7rVsPqYpVHZlKP0LCwXZxRlTcSmdUg=; b=ZvYalBC7iy+B79dIcVnR6xomSrbQpkV0YEjUDObYF0VL/bYc0QroVXceppcwA+t4fEhypW UCd+MHQcIw+OCwNpWTsUhasGTHC2sSyrnZswjsRJ2qKbVt+0WR2S0Ees5APSgCGZq3QTU2 uJexlfmER4pW24aYElnrkKXo5xZQTEHSB12s8lRA+kymBrIEmvTzRABhjhFWocpDUwHi/G q6dmuhJa8fmudl0iWEMpvvYgw6jd1qHy1S+kwP/GjfL2ETa+tDhCr0jTVTULh8LpSp6sop PfhyrPyoVtgBRmnlkvuJQp3xdx10sgqHvlXcdW5+awkdj7MsyMdfKR3X34bXEA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1691158106; a=rsa-sha256; cv=none; b=lncKbLZFkWekxb5kfPX5Dbxr21kPAcwptvSRasUMzJxV8vTK6t4l6IwLzvzphZFtZguGha TwLL8i7ipmscpirpNL1+b/inShs3dBfm2LqTMqCaIbH3p+akVhrK5dGj67K54FjvgnHuHA MpwBoMvqZnkWHmfoRv6gMjLcVhaSqk9VBP5FN3KG+MT8y1efg4B9uq6/nxL8vC1xSa9Ttp V/6Wm31XytGjKyX2OdWklpTtgIqwi/ozXp9kvGrlAYYxO9+PSoLhghXHxyvG2wKpFdu3KL JytOsmdM9CwbJL0n0uCZsMWzPYORY1JB5Yjyy+FUTgbLlIno8KXDIQtM4d02rw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RHSHF5Wmfz14L2; Fri, 4 Aug 2023 14:08:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 374E8PpY087549; Fri, 4 Aug 2023 14:08:25 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 374E8PJj087548; Fri, 4 Aug 2023 14:08:25 GMT (envelope-from git) Date: Fri, 4 Aug 2023 14:08:25 GMT Message-Id: <202308041408.374E8PJj087548@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 0607df059582 - stable/13 - pf: test rules evaluation in the face of multiple IPv6 fragment headers List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 0607df059582abc970b21cc3ce6e297dec1d5eeb Auto-Submitted: auto-generated The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0607df059582abc970b21cc3ce6e297dec1d5eeb commit 0607df059582abc970b21cc3ce6e297dec1d5eeb Author: Kristof Provost AuthorDate: 2023-07-13 06:34:54 +0000 Commit: Kristof Provost CommitDate: 2023-08-04 14:08:05 +0000 pf: test rules evaluation in the face of multiple IPv6 fragment headers Send an ICMPv6 echo request packet with multiple IPv6 fragment headers. Set rules to pass all packets, except for ICMPv6 echo requests. pf ought to drop the echo request, but doesn't because it reassembles the packet, and then doesn't handle the second fragment header. In other words: it fails to detect the ICMPv6 echo header. Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome) MFC after: instant Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit b23dbabb7f3edb3f323a64f03e37be2c9a8b2a45) --- tests/atf_python/sys/net/tools.py | 21 ++++++++++++++ tests/sys/netpfil/pf/Makefile | 2 ++ tests/sys/netpfil/pf/frag6.py | 60 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) diff --git a/tests/atf_python/sys/net/tools.py b/tests/atf_python/sys/net/tools.py index 567d9d4b21ac..44bd74d8578f 100644 --- a/tests/atf_python/sys/net/tools.py +++ b/tests/atf_python/sys/net/tools.py @@ -1,6 +1,7 @@ #!/usr/local/bin/python3 import json import os +import subprocess class ToolsHelper(object): @@ -13,6 +14,26 @@ class ToolsHelper(object): print("run: '{}'".format(cmd)) return os.popen(cmd).read() + @classmethod + def pf_rules(cls, rules, verbose=True): + pf_conf = "" + for r in rules: + pf_conf = pf_conf + r + "\n" + + if verbose: + print("Set rules:") + print(pf_conf) + + ps = subprocess.Popen("/sbin/pfctl -g -f -", shell=True, + stdin=subprocess.PIPE) + ps.communicate(bytes(pf_conf, 'utf-8')) + ret = ps.wait() + if ret != 0: + raise Exception("Failed to set pf rules %d" % ret) + + if verbose: + cls.print_output("/sbin/pfctl -sr") + @classmethod def print_output(cls, cmd: str, verbose=True): if verbose: diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 8f6b57797e23..26e5710d6f81 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -32,6 +32,8 @@ ATF_TESTS_SH+= altq \ table \ tos +ATF_TESTS_PYTEST+= frag6.py + # Tests reuse jail names and so cannot run in parallel. TEST_METADATA+= is_exclusive=true diff --git a/tests/sys/netpfil/pf/frag6.py b/tests/sys/netpfil/pf/frag6.py new file mode 100644 index 000000000000..28b1829d418c --- /dev/null +++ b/tests/sys/netpfil/pf/frag6.py @@ -0,0 +1,60 @@ +import pytest +import logging +import threading +import time +logging.getLogger("scapy").setLevel(logging.CRITICAL) +from atf_python.sys.net.tools import ToolsHelper +from atf_python.sys.net.vnet import VnetTestTemplate + +class DelayedSend(threading.Thread): + def __init__(self, packet): + threading.Thread.__init__(self) + self._packet = packet + + self.start() + + def run(self): + import scapy.all as sp + time.sleep(1) + sp.send(self._packet) + +class TestFrag6(VnetTestTemplate): + REQUIRED_MODULES = ["pf"] + TOPOLOGY = { + "vnet1": {"ifaces": ["if1"]}, + "vnet2": {"ifaces": ["if1"]}, + "if1": {"prefixes6": [("2001:db8::1/64", "2001:db8::2/64")]}, + } + + def vnet2_handler(self, vnet): + ToolsHelper.print_output("/sbin/pfctl -e") + ToolsHelper.pf_rules([ + "scrub fragment reassemble", + "pass", + "block in inet6 proto icmp6 icmp6-type echoreq", + ]) + + def check_ping_reply(self, packet): + print(packet) + return False + + @pytest.mark.require_user("root") + def test_dup_frag_hdr(self): + "Test packets with duplicate fragment headers" + srv_vnet = self.vnet_map["vnet2"] + + # Import in the correct vnet, so at to not confuse Scapy + import scapy.all as sp + + packet = sp.IPv6(src="2001:db8::1", dst="2001:db8::2") \ + / sp.IPv6ExtHdrFragment(offset = 0, m = 0) \ + / sp.IPv6ExtHdrFragment(offset = 0, m = 0) \ + / sp.ICMPv6EchoRequest(data=sp.raw(bytes.fromhex('f00f') * 128)) + + # Delay the send so the sniffer is running when we transmit. + s = DelayedSend(packet) + + packets = sp.sniff(iface=self.vnet.iface_alias_map["if1"].name, + timeout=3) + for p in packets: + assert not p.getlayer(sp.ICMPv6EchoReply)