1# 2# SPDX-License-Identifier: BSD-2-Clause 3# 4# Copyright (c) 2024 Igor Ostapenko <pm@igoro.pro> 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26 27. $(atf_get_srcdir)/utils.subr 28 29dummymbuf_init() 30{ 31 if ! kldstat -q -m dummymbuf; then 32 atf_skip "This test requires dummymbuf" 33 fi 34} 35 36atf_test_case "inet_in_mbuf_len" "cleanup" 37inet_in_mbuf_len_head() 38{ 39 atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ip)' 40 atf_set require.user root 41} 42inet_in_mbuf_len_body() 43{ 44 pft_init 45 dummymbuf_init 46 47 epair=$(vnet_mkepair) 48 ifconfig ${epair}a 192.0.2.1/24 up 49 50 # Set up a simple jail with one interface 51 vnet_mkjail alcatraz ${epair}b 52 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 53 54 # Sanity check 55 atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 56 57 # Should be denied 58 jexec alcatraz pfctl -e 59 pft_set_rules alcatraz \ 60 "block" 61 atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2 62 63 # Should be allowed by from/to addresses 64 pft_set_rules alcatraz \ 65 "block" \ 66 "pass in from 192.0.2.1 to 192.0.2.2" 67 atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 68 69 # Should still work for m_len=0 70 jexec alcatraz pfilctl link -i dummymbuf:inet inet 71 jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 0;" 72 atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" 73 atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 74 atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" 75 76 # m_len=1 77 jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 1;" 78 jexec alcatraz sysctl net.dummymbuf.hits=0 79 atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 80 atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" 81 82 # m_len=19 83 # provided IPv4 basic header is 20 bytes long, it should impact the dst addr 84 jexec alcatraz sysctl net.dummymbuf.rules="inet in ${epair}b pull-head 19;" 85 jexec alcatraz sysctl net.dummymbuf.hits=0 86 atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 87 atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)" 88} 89inet_in_mbuf_len_cleanup() 90{ 91 pft_cleanup 92} 93 94atf_init_test_cases() 95{ 96 atf_add_test_case "inet_in_mbuf_len" 97} 98