xref: /freebsd/tests/sys/netpfil/pf/icmp.sh (revision 87b759f0fa1f7554d50ce640c40138512bbded44)
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2019 Kristof Provost <kp@FreeBSD.org>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29common_dir=$(atf_get_srcdir)/../common
30
31atf_test_case "cve_2019_5598" "cleanup"
32cve_2019_5598_head()
33{
34	atf_set descr 'Test CVE-2019-5598'
35	atf_set require.user root
36	atf_set require.progs scapy
37}
38
39cve_2019_5598_body()
40{
41	pft_init
42
43	epair_in=$(vnet_mkepair)
44	epair_out=$(vnet_mkepair)
45	ifconfig ${epair_in}a 192.0.2.1/24 up
46	ifconfig ${epair_out}a up
47
48	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
49	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
50	jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
51	jexec alcatraz sysctl net.inet.ip.forwarding=1
52	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
53	jexec alcatraz route add default 198.51.100.3
54	route add -net 198.51.100.0/24 192.0.2.2
55
56	jexec alcatraz pfctl -e
57	pft_set_rules alcatraz "block all" \
58		"pass in proto udp to 198.51.100.3 port 53" \
59		"pass out proto udp to 198.51.100.3 port 53"
60
61	atf_check -s exit:0 env PYTHONPATH=${common_dir} \
62		$(atf_get_srcdir)/CVE-2019-5598.py \
63		--sendif ${epair_in}a \
64		--recvif ${epair_out}a \
65		--src 192.0.2.1 \
66		--to 198.51.100.3
67}
68
69cve_2019_5598_cleanup()
70{
71	pft_cleanup
72}
73
74atf_test_case "ttl_exceeded" "cleanup"
75ttl_exceeded_head()
76{
77	atf_set descr 'Test that we correctly translate TTL exceeded back'
78	atf_set require.user root
79}
80
81ttl_exceeded_body()
82{
83	pft_init
84
85	epair_srv=$(vnet_mkepair)
86	epair_int=$(vnet_mkepair)
87	epair_cl=$(vnet_mkepair)
88
89	vnet_mkjail srv ${epair_srv}a
90	jexec srv ifconfig ${epair_srv}a 192.0.2.1/24 up
91	jexec srv route add default 192.0.2.2
92
93	vnet_mkjail int ${epair_srv}b ${epair_int}a
94	jexec int sysctl net.inet.ip.forwarding=1
95	jexec int ifconfig ${epair_srv}b 192.0.2.2/24 up
96	jexec int ifconfig ${epair_int}a 203.0.113.2/24 up
97
98	vnet_mkjail nat ${epair_int}b ${epair_cl}b
99	jexec nat ifconfig ${epair_int}b 203.0.113.1/24 up
100	jexec nat ifconfig ${epair_cl}b 198.51.100.2/24 up
101	jexec nat sysctl net.inet.ip.forwarding=1
102	jexec nat route add default 203.0.113.2
103
104	vnet_mkjail cl ${epair_cl}a
105	jexec cl ifconfig ${epair_cl}a 198.51.100.1/24 up
106	jexec cl route add default 198.51.100.2
107
108	jexec nat pfctl -e
109	pft_set_rules nat \
110	    "nat on ${epair_int}b from 198.51.100.0/24 -> (${epair_int}b)" \
111	    "block" \
112	    "pass inet proto udp" \
113	    "pass inet proto icmp icmp-type { echoreq }"
114
115	# Sanity checks
116	atf_check -s exit:0 -o ignore \
117	    jexec cl ping -c 1 198.51.100.2
118	atf_check -s exit:0 -o ignore \
119	    jexec cl ping -c 1 203.0.113.1
120	atf_check -s exit:0 -o ignore \
121	    jexec cl ping -c 1 203.0.113.2
122	atf_check -s exit:0 -o ignore \
123	    jexec cl ping -c 1 192.0.2.1
124
125	echo "UDP"
126	atf_check -s exit:0 -e ignore -o match:".*203.0.113.2.*" \
127	    jexec cl traceroute 192.0.2.1
128	jexec nat pfctl -Fs
129
130	echo "ICMP"
131	atf_check -s exit:0 -e ignore -o match:".*203.0.113.2.*" \
132	    jexec cl traceroute -I 192.0.2.1
133}
134
135ttl_exceeded_cleanup()
136{
137	pft_cleanup
138}
139
140atf_init_test_cases()
141{
142	atf_add_test_case "cve_2019_5598"
143	atf_add_test_case "ttl_exceeded"
144}
145