Commit Graph

7 Commits

Author SHA1 Message Date
Bjoern A. Zeeb
c1131de6f1 frag6: properly handle atomic fragments according to RFCs.
RFC 8200 says:
	"If the fragment is a whole datagram (that is, both the Fragment
         Offset field and the M flag are zero), then it does not need
         any further reassembly and should be processed as a fully
         reassembled packet (i.e., updating Next Header, adjust Payload
         Length, removing the Fragment header, etc.).  .."

That means we should remove the fragment header and make all the adjustments
rather than just skipping over the fragment header.  The difference should
be noticeable in that a properly handled atomic fragment triggering an ICMPv6
message at an upper layer (e.g. dest unreach, unreachable port) will not
include the fragment header.

Update the test cases to also test for an unfragmentable part.  That is
needed so that the next header is properly updated (not just lengths).

MFC after:	3 weeks
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D22155
2019-11-08 14:36:44 +00:00
Bjoern A. Zeeb
f21d32079f ipv6 tests: cleanup
Remove mentions of fragmentation tests from extension header test.
Remove setting an MTU > IF_MAXMTU from the test cases to avoid warnings;
this was only possible in a local research tree.

MFC after:		2 weeks
Sponsored by:		Netflix
2019-11-06 14:30:56 +00:00
Bjoern A. Zeeb
cc07e75f30 frag6 tests: set end to catch timeout as error
There are times when we have to wait for reply packets.  There are
either an ICMPv6 (error) reply or the expiration timeout.
In these cases synchonous ICMPv6 replies should arrive, always,
unless the packet is lost.  Due to errors experienced with the
test software sending an invlaid request on at least i386 (*) these
packets are not generated.  That means we are waiting for a long time
for the replies or even timeout the test case.

Manually set the "End" flag on these test cases as well, so they do
fail rather than timeout as the sniffer timeout happens.  This improves
debugging options, reflects the error properly, and saves time on each
test suit run.

(*) The real cause for that is still to be found (see the referenced PRs)

PR:			241493, 239380
MFC after:		2 weeks
Sponsored by:		Netflix
2019-11-05 10:53:55 +00:00
Bjoern A. Zeeb
c0750d9d04 frag6-test: update for r354046, conform to 8200 for overlapping fragments
The change to conform to RFC 8200 for overlapping fragments now frees
the entire reassembly queue if the overlapping fragments are not an
exact match.
As a result we do see one less packet in the timeout statistics from
expiry.  No other statistics change as the event is not counted.
It can be argued that we should improve the statistics counters in
that case.
This test case update should have been committed alongside the original
commit.

Pointyhat to:	bz
MFC after:	3 weeks
X-MFC with:	r354046
Sponsored by:	Netflix
2019-10-25 17:41:08 +00:00
Bjoern A. Zeeb
619456bb59 frag6: prevent overwriting initial fragoff=0 packet meta-data.
When we receive the packet with the first fragmented part (fragoff=0)
we remember the length of the unfragmentable part and the next header
(and should probably also remember ECN) as meta-data on the reassembly
queue.
Someone replying this packet so far could change these 2 (3) values.
While changing the next header seems more severe, for a full size
fragmented UDP packet, for example, adding an extension header to the
unfragmentable part would go unnoticed (as the framented part would be
considered an exact duplicate) but make reassembly fail.
So do not allow updating the meta-data after we have seen the first
fragmented part anymore.

The frag6_20 test case is added which failed before triggering an
ICMPv6 "param prob" due to the check for each queued fragment for
a max-size violation if a fragoff=0 packet was received.

MFC after:	3 weeks
Sponsored by:	Netflix
2019-10-24 22:07:45 +00:00
Bjoern A. Zeeb
4527b28baf frag6 test cases: check more counters, wait for expiry
When done with tests check that both the per-VNET and the global-fragmented-
packets-in-system counters are zero to make sure we do not leak counters or
queue entries.

This implies that for all test cases we either have to check for the ICMPv6
packet sent in case of TLL=0 expiry (if it is sent) or sleep at least long
enough for the TTL to expire for all packets (e.g., fragments where we do not
have the off=0 packet).

This also means that statistics are now updated to include all the expired
packets.

There are cases when we do not check for counters to be zero and this is
when testing VNET teardown to behave properly and not panic, when we are
intentionally leaving fragments in the system.

MFC after:	3 weeks
Sponsored by:	Netflix
2019-10-24 20:08:33 +00:00
Bjoern A. Zeeb
f74e6e494f frag6: import a set of test cases
In order to ensure that changing the frag6 code does not change behaviour
or break code a set of test cases were implemented.

Like some other test cases these use Scapy to generate packets and possibly
wait for expected answers.  In most cases we do check the global and
per interface (netstat) statistics output using the libxo output and grep
to validate fields and numbers.  This is a bit hackish but we currently have
no better way to match a selected number of stats only (we have to ignore
some of the ND6 variables; otherwise we could use the entire list).

Test cases include atomic fragments, single fragments, multi-fragments,
and try to cover most error cases in the code currently.
In addition vnet teardown is tested to not panic.

A separate set (not in-tree currently) of probes were used in order to
make sure that the test cases actually test what they should.

The "sniffer" code was copied and adjusted from the netpfil version
as we sometimes will not get packets or have longer timeouts to deal with.

Sponsored by:	Netflix
2019-10-21 09:33:45 +00:00