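# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for pf(4) fragment handling: per-packet fragment limits,
# IPv4/IPv6 reassembly (host and forwarding paths), overlapping-fragment
# regression tests driven by scapy helpers, DF-flag stripping, and
# reassembly on the non-tryforward ("slow") forwarding path.  Every test
# runs as root inside freshly created vnet jails and tears them down via
# pft_cleanup.

. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

atf_test_case "too_many_fragments" "cleanup"

too_many_fragments_head()
{
	atf_set descr 'IPv4 fragment limitation test'
	atf_set require.user root
}

too_many_fragments_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	ifconfig ${epair}b inet 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

	# A tiny MTU so that even modest ICMP payloads fragment heavily.
	ifconfig ${epair}b mtu 200
	jexec alcatraz ifconfig ${epair}a mtu 200

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set reassemble yes" \
		"pass keep state"

	# Raise the IP stack's own per-packet fragment limit well above what
	# we send, so that the failure asserted below is attributable to pf's
	# reassembly limit and not to the kernel's IP layer.
	jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# We can ping with < 64 fragments
	atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2

	# Too many fragments should fail
	atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2
}

too_many_fragments_cleanup()
{
	pft_cleanup
}

atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'IPv6 fragmentation test'
	atf_set require.user root
	atf_set require.progs scapy
}

v6_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	epair_link=$(vnet_mkepair)

	# alcatraz is the pf host/router under test; singsing sits behind it.
	vnet_mkjail alcatraz ${epair_send}b ${epair_link}a
	vnet_mkjail singsing ${epair_link}b

	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up

	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up
	jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1

	jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up
	jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2
	route add -6 2001:db8:43::/64 2001:db8:42::2

	jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled
	jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled
	jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled
	ifconfig ${epair_send}a inet6 -ifdisabled

	# Dump interface state for the test log, then pick up alcatraz's
	# link-local address (the part before the "%scope" suffix).
	ifconfig ${epair_send}a
	jexec alcatraz ifconfig ${epair_send}b
	lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %)

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set reassemble yes" \
		"pass keep state" \
		"block in" \
		"pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
		"pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"

	# Host test
	atf_check -s exit:0 -o ignore \
		ping -6 -c 1 2001:db8:42::2

	atf_check -s exit:0 -o ignore \
		ping -6 -c 1 -s 4500 2001:db8:42::2

	atf_check -s exit:0 -o ignore\
		ping -6 -c 1 -b 70000 -s 65000 2001:db8:42::2

	# Force an NDP lookup
	ping -6 -c 1 ${lladdr}%${epair_send}a

	atf_check -s exit:0 -o ignore\
		ping -6 -c 1 -b 70000 -s 65000 ${lladdr}%${epair_send}a

	# Forwarding test
	atf_check -s exit:0 -o ignore \
		ping -6 -c 1 2001:db8:43::3

	atf_check -s exit:0 -o ignore \
		ping -6 -c 1 -s 4500 2001:db8:43::3

	atf_check -s exit:0 -o ignore\
		ping -6 -c 1 -b 70000 -s 65000 2001:db8:43::3

	# Regression test for CVE-2019-5597 (pf IPv6 fragment handling).
	# Assert the reproducer's exit status explicitly, as frag_common does
	# for the frag-*.py helpers, so a failure is reported as a test
	# failure rather than depending on how the shell treats a non-zero
	# exit inside the body.
	atf_check -s exit:0 -o ignore $(atf_get_srcdir)/CVE-2019-5597.py \
		${epair_send}a \
		2001:db8:42::1 \
		2001:db8:43::3
}

v6_cleanup()
{
	pft_cleanup
}

atf_test_case "mtu_diff" "cleanup"
mtu_diff_head()
{
	atf_set descr 'Test reassembly across different MTUs, PR #255432'
	atf_set require.user root
}

mtu_diff_body()
{
	pft_init

	epair_small=$(vnet_mkepair)
	epair_large=$(vnet_mkepair)

	# first forwards between a default-MTU link (to the host) and a
	# 9000-byte link (to second).
	vnet_mkjail first ${epair_small}b ${epair_large}a
	vnet_mkjail second ${epair_large}b

	ifconfig ${epair_small}a 192.0.2.1/25 up
	jexec first ifconfig ${epair_small}b 192.0.2.2/25 up

	jexec first sysctl net.inet.ip.forwarding=1
	jexec first ifconfig ${epair_large}a 192.0.2.130/25 up
	jexec first ifconfig ${epair_large}a mtu 9000
	jexec second ifconfig ${epair_large}b 192.0.2.131/25 up
	jexec second ifconfig ${epair_large}b mtu 9000
	jexec second route add default 192.0.2.130

	route add 192.0.2.128/25 192.0.2.2

	jexec first pfctl -e
	pft_set_rules first \
		"set reassemble yes" \
		"pass keep state"

	# Sanity checks
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131

	# Large packet that'll get reassembled and sent out in one on the large
	# epair
	atf_check -s exit:0 -o ignore ping -c 1 -s 8000 192.0.2.131
}

mtu_diff_cleanup()
{
	pft_cleanup
}

# Shared driver for the overlapping-fragment tests.  $1 selects the scapy
# helper, $(atf_get_srcdir)/frag-$1.py, which crafts the fragments and
# checks the reply on the same epair.
frag_common()
{
	name=$1

	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	ifconfig ${epair}b inet 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set reassemble yes" \
		"pass keep state"

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	atf_check -s exit:0 -o ignore $(atf_get_srcdir)/frag-${name}.py \
		--to 192.0.2.2 \
		--fromaddr 192.0.2.1 \
		--sendif ${epair}b \
		--recvif ${epair}b
}

atf_test_case "overreplace" "cleanup"
overreplace_head()
{
	atf_set descr 'ping fragment that overlaps fragment at index boundary and replace it'
	atf_set require.user root
	atf_set require.progs scapy
}

overreplace_body()
{
	frag_common overreplace
}

overreplace_cleanup()
{
	pft_cleanup
}

atf_test_case "overindex" "cleanup"
overindex_head()
{
	atf_set descr 'ping fragment that overlaps the first fragment at index boundary'
	atf_set require.user root
	atf_set require.progs scapy
}

overindex_body()
{
	frag_common overindex
}

overindex_cleanup()
{
	pft_cleanup
}

atf_test_case "overlimit" "cleanup"
overlimit_head()
{
	atf_set descr 'ping fragment at index boundary that cannot be requeued'
	atf_set require.user root
	atf_set require.progs scapy
}

overlimit_body()
{
	frag_common overlimit
}

overlimit_cleanup()
{
	pft_cleanup
}

atf_test_case "reassemble" "cleanup"
reassemble_head()
{
	atf_set descr 'Test reassembly'
	atf_set require.user root
}

reassemble_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	ifconfig ${epair}b inet 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Without reassembly only the first fragment carries the ICMP header,
	# so the icmp-type match cannot pass the remaining fragments.
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"pass out" \
		"block in" \
		"pass in inet proto icmp all icmp-type echoreq"

	# Single fragment passes
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# But a fragmented ping does not
	atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2

	pft_set_rules alcatraz \
		"set reassemble yes" \
		"pass out" \
		"block in" \
		"pass in inet proto icmp all icmp-type echoreq"

	# Both single packet & fragmented pass when we scrub
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
	atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2
}

reassemble_cleanup()
{
	pft_cleanup
}

atf_test_case "no_df" "cleanup"
no_df_head()
{
	atf_set descr 'Test removing of DF flag'
	atf_set require.user root
}

no_df_body()
{
	setup_router_server_ipv4

	# Tester-facing link is jumbo, server-facing link is 1500, so a
	# 2000-byte ping must be fragmented by the router to reach the server.
	ifconfig ${epair_tester}a mtu 9000
	jexec router ifconfig ${epair_tester}b mtu 9000
	jexec router ifconfig ${epair_server}a mtu 1500
	jexec server ifconfig ${epair_server}b mtu 1500

	# Sanity check.
	ping_server_check_reply exit:0 --ping-type=icmp

	pft_set_rules router \
		"set reassemble no" \
		"pass out" \
		"block in" \
		"pass in inet proto icmp all icmp-type echoreq"

	# Ping with normal, fragmentable packets.
	ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000

	pft_set_rules router \
		"set reassemble yes" \
		"pass out" \
		"block in" \
		"pass in inet proto icmp all icmp-type echoreq"

	# Ping with normal, fragmentable packets.
	ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000

	# Ping with non-fragmentable packets.
	ping_server_check_reply exit:1 --ping-type=icmp --send-length=2000 --send-flags DF

	pft_set_rules router \
		"set reassemble yes no-df" \
		"pass out" \
		"block in" \
		"pass in inet proto icmp all icmp-type echoreq"

	# Ping with non-fragmentable packets again.
	# This time pf will strip the DF flag.
	ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
}
no_df_cleanup()
{
	pft_cleanup
}

# This test case was previously also named "no_df", which redefined the
# no_df_{head,body,cleanup} functions above and silently replaced that
# test.  It is the scrub-rule variant of the same check, so it gets its
# own name and is registered separately.
atf_test_case "no_df_scrub" "cleanup"
no_df_scrub_head()
{
	atf_set descr 'Test removing of DF flag via a scrub rule'
	atf_set require.user root
}

no_df_scrub_body()
{
	setup_router_server_ipv4

	# Tester can send long packets which will get fragmented by the router.
	# Replies from server will come in fragments which might get
	# reassembled resulting in a long reply packet sent back to tester.
	ifconfig ${epair_tester}a mtu 9000
	jexec router ifconfig ${epair_tester}b mtu 9000
	jexec router ifconfig ${epair_server}a mtu 1500
	jexec server ifconfig ${epair_server}b mtu 1500

	# Sanity check.
	ping_server_check_reply exit:0 --ping-type=icmp

	# Enable packet reassembly with clearing of the DF flag, using the
	# scrub rule syntax rather than "set reassemble".
	pft_set_rules router \
		"scrub all fragment reassemble no-df" \
		"block" \
		"pass inet proto icmp all icmp-type echoreq"
	# Ping with non-fragmentable packets.
	# pf will strip the DF flag resulting in fragmentation and packets
	# getting properly forwarded.
	ping_server_check_reply exit:0 --ping-type=icmp --send-length=2000 --send-flags DF
}
no_df_scrub_cleanup()
{
	pft_cleanup
}

atf_test_case "reassemble_slowpath" "cleanup"
reassemble_slowpath_head()
{
	atf_set descr 'Test reassembly on the slow path'
	atf_set require.user root
}

reassemble_slowpath_body()
{
	if ! sysctl -q kern.features.ipsec >/dev/null ; then
		atf_skip "This test requires ipsec"
	fi

	setup_router_server_ipv4

	# Now define an ipsec policy so we end up taking the slow path.
	# We don't actually need the traffic to go through ipsec, we just don't
	# want to go through ip_tryforward().  The policy and SA are for a
	# documentation-range pair that the test traffic never uses.
	echo "flush;
	spdflush;
	spdadd 203.0.113.1/32 203.0.113.2/32 any -P out ipsec esp/transport//require;
	add 203.0.113.1 203.0.113.2 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
	    | jexec router setkey -c

	# Sanity check.
	ping_server_check_reply exit:0 --ping-type=icmp

	# Do not reassemble fragments arriving on the tester side, but do
	# reassemble on the server side.  Together with the IPsec policy above
	# this exercises reassembly on the slow forwarding path.
	pft_set_rules router \
		"scrub in on ${epair_tester}b fragment no reassemble" \
		"scrub on ${epair_server}a fragment reassemble" \
		"pass"

	# Ensure that the packet makes it through the slow path
	atf_check -s exit:0 -o ignore \
		ping -c 1 -s 2000 198.51.100.2
}

reassemble_slowpath_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "too_many_fragments"
	atf_add_test_case "v6"
	atf_add_test_case "mtu_diff"
	atf_add_test_case "overreplace"
	atf_add_test_case "overindex"
	atf_add_test_case "overlimit"
	atf_add_test_case "reassemble"
	atf_add_test_case "no_df"
	atf_add_test_case "no_df_scrub"
	atf_add_test_case "reassemble_slowpath"
}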