From cd579b6fba46b9f5005358d1e82def7b26703224 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Thu, 28 Jan 2021 11:02:20 +0100 Subject: [PATCH] pf tests: Test that dup-to doesn't produce extra duplicate packets --- tests/sys/netpfil/common/pft_ping.py | 32 +++++++++++ tests/sys/netpfil/common/sniffer.py | 7 ++- tests/sys/netpfil/pf/Makefile | 1 + tests/sys/netpfil/pf/dup.sh | 81 ++++++++++++++++++++++++++++ 4 files changed, 119 insertions(+), 2 deletions(-) create mode 100644 tests/sys/netpfil/pf/dup.sh diff --git a/tests/sys/netpfil/common/pft_ping.py b/tests/sys/netpfil/common/pft_ping.py index d960426e4b42..812250803309 100644 --- a/tests/sys/netpfil/common/pft_ping.py +++ b/tests/sys/netpfil/common/pft_ping.py @@ -34,6 +34,27 @@ PAYLOAD_MAGIC = bytes.fromhex('42c0ffee') +dup_found = 0 + +def check_dup(args, packet): + """ + Verify that this is an ICMP packet, and that we only see one + """ + global dup_found + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + + raw = packet.getlayer(sp.Raw) + if not raw: + return False + if raw.load != PAYLOAD_MAGIC: + return False + + dup_found = dup_found + 1 + return False + def check_ping_request(args, packet): if args.ip6: return check_ping6_request(args, packet) @@ -169,6 +190,8 @@ def main(): help='The interface through which the packet(s) will be sent') parser.add_argument('--recvif', nargs=1, help='The interface on which to expect the ICMP echo response') + parser.add_argument('--checkdup', nargs=1, + help='The interface on which to expect the duplicated ICMP packets') parser.add_argument('--ip6', action='store_true', help='Use IPv6') parser.add_argument('--to', nargs=1, @@ -202,6 +225,10 @@ def main(): sniffer = Sniffer(args, checkfn) + dupsniffer = None + if args.checkdup is not None: + dupsniffer = Sniffer(args, check_dup, recvif=args.checkdup[0]) + if args.tcpsyn: tcpsyn(args.sendif[0], args.to[0], args) else: @@ -210,6 +237,11 @@ def main(): else: ping(args.sendif[0], args.to[0], args) + if dupsniffer: + dupsniffer.join() + if dup_found != 1: + sys.exit(1) + if sniffer: sniffer.join() diff --git a/tests/sys/netpfil/common/sniffer.py b/tests/sys/netpfil/common/sniffer.py index 58df32cce276..200ac750dd7f 100644 --- a/tests/sys/netpfil/common/sniffer.py +++ b/tests/sys/netpfil/common/sniffer.py @@ -30,11 +30,14 @@ import scapy.all as sp class Sniffer(threading.Thread): - def __init__(self, args, check_function): + def __init__(self, args, check_function, recvif=None): threading.Thread.__init__(self) self._args = args - self._recvif = args.recvif[0] + if recvif is not None: + self._recvif = recvif + else: + self._recvif = args.recvif[0] self._check_function = check_function self.foundCorrectPacket = False diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 99b22399231e..f00f64d849d2 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -8,6 +8,7 @@ TESTS_SUBDIRS+= ioctl ATF_TESTS_SH+= altq \ anchor \ checksum \ + dup \ forward \ fragmentation \ icmp \ diff --git a/tests/sys/netpfil/pf/dup.sh b/tests/sys/netpfil/pf/dup.sh new file mode 100644 index 000000000000..7b9a91804e96 --- /dev/null +++ b/tests/sys/netpfil/pf/dup.sh @@ -0,0 +1,81 @@ +# $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2021 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. $(atf_get_srcdir)/utils.subr + +common_dir=$(atf_get_srcdir)/../common + +atf_test_case "dup_to" "cleanup" +do_to_head() +{ + atf_set descr 'dup-to test' + atf_set require.user root +} + +dup_to_body() +{ + pft_init + + epair_send=$(vnet_mkepair) + ifconfig ${epair_send}a 192.0.2.1/24 up + + epair_recv=$(vnet_mkepair) + ifconfig ${epair_recv}a up + + epair_dupto=$(vnet_mkepair) + ifconfig ${epair_dupto}a up + + vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b ${epair_dupto}b + jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up + jexec alcatraz ifconfig ${epair_dupto}b 203.0.113.2/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 + jexec alcatraz arp -s 203.0.113.3 01:02:03:04:05:06 + route add -net 198.51.100.0/24 192.0.2.2 + + jexec alcatraz pfctl -e + + pft_set_rules alcatraz "pass out on { ${epair_recv}b } \ + dup-to (${epair_dupto}b 203.0.113.3)" + + atf_check -s exit:0 ${common_dir}/pft_ping.py \ + --sendif ${epair_send}a \ + --to 198.51.100.3 \ + --recv ${epair_recv}a \ + --checkdup ${epair_dupto}a +} + +dup_to_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "dup_to" +}