From eb4416b626a9f3cd9c5f2641cc31960110311401 Mon Sep 17 00:00:00 2001 From: kp Date: Mon, 16 Oct 2017 15:03:45 +0000 Subject: [PATCH] pf tests: Basic IPv6 forwarding tests Pass/block packets in the forwarding path with pf. Introduce the pft_set_rules() helper function, because we need to remember to flush states between individual tests. If not we can get packets passing despite rules blocking them because they match states created in a previous test. Extend pft_ping.py to be able to send IPv6 echo requests. --- tests/sys/netpfil/pf/forward.sh | 80 ++++++++++++++++++++++++++++++++ tests/sys/netpfil/pf/pft_ping.py | 42 ++++++++++++++++- tests/sys/netpfil/pf/utils.subr | 14 ++++++ 3 files changed, 135 insertions(+), 1 deletion(-) diff --git a/tests/sys/netpfil/pf/forward.sh b/tests/sys/netpfil/pf/forward.sh index 62ef97b09dc1..78bdef6b360d 100755 --- a/tests/sys/netpfil/pf/forward.sh +++ b/tests/sys/netpfil/pf/forward.sh @@ -61,7 +61,87 @@ v4_cleanup() pft_cleanup } +atf_test_case "v6" "cleanup" +v6_head() +{ + atf_set descr 'Basic IPv6 forwarding test' + atf_set require.user root + atf_set require.progs scapy +} + +v6_body() +{ + pft_init + + epair_send=$(pft_mkepair) + epair_recv=$(pft_mkepair) + + ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled + ifconfig ${epair_recv}a up + + pft_mkjail alcatraz ${epair_send}b ${epair_recv}b + + jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad + jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad + jexec alcatraz sysctl net.inet6.ip6.forwarding=1 + jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05 + route add -6 2001:db8:43::/64 2001:db8:42::2 + + # Sanity check, can we forward ICMP echo requests without pf? + atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + --ip6 \ + --sendif ${epair_send}a \ + --to 2001:db8:43::3 \ + --recvif ${epair_recv}a + + jexec alcatraz pfctl -e + + # Block incoming echo request packets + pft_set_rules alcatraz \ + "block in inet6 proto icmp6 icmp6-type echoreq" + atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + --ip6 \ + --sendif ${epair_send}a \ + --to 2001:db8:43::3 \ + --recvif ${epair_recv}a + + # Block outgoing echo request packets + pft_set_rules alcatraz \ + "block out inet6 proto icmp6 icmp6-type echoreq" + atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \ + --ip6 \ + --sendif ${epair_send}a \ + --to 2001:db8:43::3 \ + --recvif ${epair_recv}a + + # Allow ICMPv6 but nothing else + pft_set_rules alcatraz \ + "block out" \ + "pass out inet6 proto icmp6" + atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ + --ip6 \ + --sendif ${epair_send}a \ + --to 2001:db8:43::3 \ + --recvif ${epair_recv}a + + # Allowing ICMPv4 does not allow ICMPv6 + pft_set_rules alcatraz \ + "block out inet6 proto icmp6 icmp6-type echoreq" \ + "pass in proto icmp" + atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ + --ip6 \ + --sendif ${epair_send}a \ + --to 2001:db8:43::3 \ + --recvif ${epair_recv}a +} + +v6_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" + atf_add_test_case "v6" } diff --git a/tests/sys/netpfil/pf/pft_ping.py b/tests/sys/netpfil/pf/pft_ping.py index f5b6a7c1e5ac..98bce2e0716f 100644 --- a/tests/sys/netpfil/pf/pft_ping.py +++ b/tests/sys/netpfil/pf/pft_ping.py @@ -19,6 +19,12 @@ class Sniffer(threading.Thread): self.packets = sp.sniff(iface=self._recvif, timeout=3) def check_ping_request(packet, dst_ip, args): + if args.ip6: + return check_ping6_request(packet, dst_ip, args) + else: + return check_ping4_request(packet, dst_ip, args) + +def check_ping4_request(packet, dst_ip, args): """ Verify that the packet matches what we'd have sent """ @@ -51,6 +57,24 @@ def check_ping_request(packet, dst_ip, args): return True +def check_ping6_request(packet, dst_ip, args): + """ + Verify that the packet matches what we'd have sent + """ + ip = packet.getlayer(sp.IPv6) + if not ip: + return False + if ip.dst != dst_ip: + return False + + icmp = packet.getlayer(sp.ICMPv6EchoRequest) + if not icmp: + return False + if icmp.data != str(PAYLOAD_MAGIC): + return False + + return True + def ping(send_if, dst_ip, args): ether = sp.Ether() ip = sp.IP(dst=dst_ip) @@ -63,6 +87,14 @@ def ping(send_if, dst_ip, args): req = ether / ip / icmp / raw sp.sendp(req, iface=send_if, verbose=False) +def ping6(send_if, dst_ip, args): + ether = sp.Ether() + ip6 = sp.IPv6(dst=dst_ip) + icmp = sp.ICMPv6EchoRequest(data=PAYLOAD_MAGIC) + + req = ether / ip6 / icmp + sp.sendp(req, iface=send_if, verbose=False) + def main(): parser = argparse.ArgumentParser("pft_ping.py", description="Ping test tool") @@ -71,6 +103,8 @@ def main(): help='The interface through which the packet(s) will be sent') parser.add_argument('--recvif', nargs=1, help='The interface on which to expect the ICMP echo response') + parser.add_argument('--ip6', action='store_true', + help='Use IPv6') parser.add_argument('--to', nargs=1, required=True, help='The destination IP address for the ICMP echo request') @@ -85,11 +119,17 @@ def main(): args = parser.parse_args() + # We may not have a default route. Tell scapy where to start looking for routes + sp.conf.iface6 = args.sendif[0] + sniffer = None if not args.recvif is None: sniffer = Sniffer(args.recvif[0]) - ping(args.sendif[0], args.to[0], args) + if args.ip6: + ping6(args.sendif[0], args.to[0], args) + else: + ping(args.sendif[0], args.to[0], args) if sniffer: sniffer.join() diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr index 9d2f2bee95e4..375a9d55642b 100644 --- a/tests/sys/netpfil/pf/utils.subr +++ b/tests/sys/netpfil/pf/utils.subr @@ -35,6 +35,20 @@ pft_mkjail() echo $jailname >> created_jails.lst } +pft_set_rules() +{ + jname=$1 + shift + + # Flush all states, rules, fragments, ... + jexec ${jname} pfctl -F all + + while [ $# -gt 0 ]; do + printf "$1\n" + shift + done | jexec ${jname} pfctl -f - +} + pft_cleanup() { if [ -f created_interfaces.lst ]; then