Bug #15042 » 0001-pf-tests-test-that-we-validate-sequence-numbers-on-T.patch
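--- a/tests/sys/netpfil/common/Makefile
+++ b/tests/sys/netpfil/common/Makefile
@@ -21,11 +21,13 @@
 runner.subr \
 pft_icmp_check.py \
 pft_ping.py \
+pft_rst.py \
 pft_synflood.py \
 sniffer.py
 
 ${PACKAGE}FILESMODE_pft_icmp_check.py= 0555
 ${PACKAGE}FILESMODE_pft_ping.py= 0555
+${PACKAGE}FILESMODE_pft_rst.py= 0555
 ${PACKAGE}FILESMODE_pft_synflood.py= 0555
 
 .include <bsd.test.mk>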
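--- a/tests/sys/netpfil/common/pft_rst.py
+++ b/tests/sys/netpfil/common/pft_rst.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import math
+import scapy.all as sp
+import sys
+
+def send_rst(src_ip, src_port, dst_ip, dst_port):
+sp.send(sp.IP(src=src_ip, dst=dst_ip) /
+sp.TCP(sport=src_port, dport=dst_port, seq=1, flags="R"))
+
+send_rst(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))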
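Review bot: `import math` on line 31 is never used and should be dropped; it also sits between the scapy log-level setup and the remaining imports, which hides the reason `logging` is configured before `scapy.all` is imported. The `seq=1` in `send_rst` is the whole point of the test but carries no comment; I'd add above the `sp.send` call `# seq=1 is almost certainly outside the established connection's window, so pf's state tracking is expected to drop this RST`. The bare `sys.argv[...]` access on line 39 produces an IndexError traceback when the script is invoked with fewer than four arguments; a one-line usage check such as `if len(sys.argv) != 5: sys.exit("usage: pft_rst.py src_ip src_port dst_ip dst_port")` before the call would make a mis-invocation from the shell test obvious.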
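--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -40,6 +40,7 @@
 syncookie \
 synproxy \
 table \
+tcp \
 tos
 
 ATF_TESTS_PYTEST+= frag6.py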
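--- a/tests/sys/netpfil/pf/tcp.sh
+++ b/tests/sys/netpfil/pf/tcp.sh
@@ -0,0 +1,108 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+common_dir=$(atf_get_srcdir)/../common
+
+atf_test_case "rst" "cleanup"
+rst_head()
+{
+atf_set descr 'Check sequence number validation in RST packets'
+atf_set require.user root
+atf_set require.progs scapy
+}
+
+rst_body()
+{
+pft_init
+
+epair_srv=$(vnet_mkepair)
+epair_cl=$(vnet_mkepair)
+epair_attack=$(vnet_mkepair)
+
+br=$(vnet_mkbridge)
+ifconfig ${br} addm ${epair_srv}a
+ifconfig ${epair_srv}a up
+ifconfig ${br} addm ${epair_cl}a
+ifconfig ${epair_cl}a up
+ifconfig ${br} addm ${epair_attack}a
+ifconfig ${epair_attack}a up
+ifconfig ${br} up
+
+vnet_mkjail srv ${epair_srv}b
+jexec srv ifconfig ${epair_srv}b 192.0.2.1/24 up
+jexec srv ifconfig lo0 inet 127.0.0.1/8 up
+
+vnet_mkjail cl ${epair_cl}b
+jexec cl ifconfig ${epair_cl}b 192.0.2.2/24 up
+jexec cl ifconfig lo0 inet 127.0.0.1/8 up
+
+jexec cl pfctl -e
+pft_set_rules cl \
+"pass keep state"
+jexec cl pfctl -x loud
+
+vnet_mkjail attack ${epair_attack}b
+jexec attack ifconfig ${epair_attack}b 192.0.2.3/24 up
+
+# Sanity check
+atf_check -s exit:0 -o ignore \
+jexec cl ping -c 1 192.0.2.1
+
+echo "bar" | jexec srv nc -l 1234 &
+# Allow server time to start
+sleep 1
+
+echo "foo" | jexec cl nc -p 4321 192.0.2.1 1234 &
+# Allow connection time to set up
+sleep 1
+
+# Connection should be established now
+atf_check -s exit:0 -e ignore \
+-o match:"ESTABLISHED:ESTABLISHED" \
+jexec cl pfctl -ss -v
+
+# Now insert a fake RST
+atf_check -s exit:0 -o ignore \
+jexec attack ${common_dir}/pft_rst.py 192.0.2.1 1234 192.0.2.2 4321
+
+# Connection should remain established
+atf_check -s exit:0 -e ignore \
+-o match:"ESTABLISHED:ESTABLISHED" \
+jexec cl pfctl -ss -v
+jexec cl pfctl -ss -v
+}
+
+rst_cleanup()
+{
+pft_cleanup
+}
+
+atf_init_test_cases()
+{
+atf_add_test_case "rst"
+}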
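Review bot: The bare `jexec cl pfctl -ss -v` on line 97 repeats the command that `atf_check` already ran on line 96 and reads as a leftover debug invocation; either delete it or precede it with `# Dump the state table into the test log for post-mortem` so the next reader knows it is intentional. The expectation that the state stays ESTABLISHED after the forged RST rests on `seq=1` in pft_rst.py being outside the tracked window, which neither file says; extending the comment on line 89 to `# Now insert a fake RST with an out-of-window sequence number; pf should drop it` would tie the two halves of the test together. The two background `nc` processes started on lines 76 and 80 are never explicitly killed in rst_cleanup; presumably `pft_cleanup` destroys the jails and takes them with it, but if it does not they would outlive the test case.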