14c84c69bSKristof Provost# 24c84c69bSKristof Provost# SPDX-License-Identifier: BSD-2-Clause 34c84c69bSKristof Provost# 44c84c69bSKristof Provost# Copyright (c) 2023 Rubicon Communications, LLC (Netgate) 54c84c69bSKristof Provost# 64c84c69bSKristof Provost# Redistribution and use in source and binary forms, with or without 74c84c69bSKristof Provost# modification, are permitted provided that the following conditions 84c84c69bSKristof Provost# are met: 94c84c69bSKristof Provost# 1. Redistributions of source code must retain the above copyright 104c84c69bSKristof Provost# notice, this list of conditions and the following disclaimer. 114c84c69bSKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 124c84c69bSKristof Provost# notice, this list of conditions and the following disclaimer in the 134c84c69bSKristof Provost# documentation and/or other materials provided with the distribution. 144c84c69bSKristof Provost# 154c84c69bSKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 164c84c69bSKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 174c84c69bSKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 184c84c69bSKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 194c84c69bSKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 204c84c69bSKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 214c84c69bSKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 224c84c69bSKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 234c84c69bSKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 244c84c69bSKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 254c84c69bSKristof Provost# SUCH DAMAGE. 264c84c69bSKristof Provost 274c84c69bSKristof Provost. $(atf_get_srcdir)/utils.subr 284c84c69bSKristof Provost 294c84c69bSKristof Provostcommon_dir=$(atf_get_srcdir)/../common 304c84c69bSKristof Provost 314c84c69bSKristof Provostatf_test_case "rst" "cleanup" 324c84c69bSKristof Provostrst_head() 334c84c69bSKristof Provost{ 344c84c69bSKristof Provost atf_set descr 'Check sequence number validation in RST packets' 354c84c69bSKristof Provost atf_set require.user root 36*c46af893SJose Luis Duran atf_set require.progs python3 scapy 374c84c69bSKristof Provost} 384c84c69bSKristof Provost 394c84c69bSKristof Provostrst_body() 404c84c69bSKristof Provost{ 414c84c69bSKristof Provost pft_init 42480ad405SKristof Provost vnet_init_bridge 434c84c69bSKristof Provost 444c84c69bSKristof Provost epair_srv=$(vnet_mkepair) 454c84c69bSKristof Provost epair_cl=$(vnet_mkepair) 464c84c69bSKristof Provost epair_attack=$(vnet_mkepair) 474c84c69bSKristof Provost 484c84c69bSKristof Provost br=$(vnet_mkbridge) 494c84c69bSKristof Provost ifconfig ${br} addm ${epair_srv}a 504c84c69bSKristof Provost ifconfig ${epair_srv}a up 514c84c69bSKristof Provost ifconfig ${br} addm ${epair_cl}a 524c84c69bSKristof Provost ifconfig ${epair_cl}a up 534c84c69bSKristof Provost ifconfig ${br} addm ${epair_attack}a 544c84c69bSKristof Provost ifconfig ${epair_attack}a up 554c84c69bSKristof Provost ifconfig ${br} up 564c84c69bSKristof Provost 574c84c69bSKristof Provost vnet_mkjail srv ${epair_srv}b 584c84c69bSKristof Provost jexec srv ifconfig ${epair_srv}b 192.0.2.1/24 up 594c84c69bSKristof Provost jexec srv ifconfig lo0 inet 127.0.0.1/8 up 604c84c69bSKristof Provost 614c84c69bSKristof Provost vnet_mkjail cl ${epair_cl}b 624c84c69bSKristof Provost jexec cl ifconfig ${epair_cl}b 192.0.2.2/24 up 634c84c69bSKristof Provost jexec cl ifconfig lo0 inet 127.0.0.1/8 up 644c84c69bSKristof Provost 654c84c69bSKristof Provost jexec cl pfctl -e 664c84c69bSKristof Provost pft_set_rules cl \ 674c84c69bSKristof Provost "pass keep state" 684c84c69bSKristof Provost 694c84c69bSKristof Provost # Not required, but pf should log the bad RST packet with this set. 704c84c69bSKristof Provost jexec cl pfctl -x loud 714c84c69bSKristof Provost 724c84c69bSKristof Provost vnet_mkjail attack ${epair_attack}b 734c84c69bSKristof Provost jexec attack ifconfig ${epair_attack}b 192.0.2.3/24 up 744c84c69bSKristof Provost 754c84c69bSKristof Provost # Sanity check 764c84c69bSKristof Provost atf_check -s exit:0 -o ignore \ 774c84c69bSKristof Provost jexec cl ping -c 1 192.0.2.1 784c84c69bSKristof Provost 794c84c69bSKristof Provost echo "bar" | jexec srv nc -l 1234 & 804c84c69bSKristof Provost # Allow server time to start 814c84c69bSKristof Provost sleep 1 824c84c69bSKristof Provost 834c84c69bSKristof Provost echo "foo" | jexec cl nc -p 4321 192.0.2.1 1234 & 844c84c69bSKristof Provost # Allow connection time to set up 854c84c69bSKristof Provost sleep 1 864c84c69bSKristof Provost 874c84c69bSKristof Provost # Connection should be established now 884c84c69bSKristof Provost atf_check -s exit:0 -e ignore \ 894c84c69bSKristof Provost -o match:"ESTABLISHED:ESTABLISHED" \ 904c84c69bSKristof Provost jexec cl pfctl -ss -v 914c84c69bSKristof Provost 924c84c69bSKristof Provost # Now insert a fake RST 934c84c69bSKristof Provost atf_check -s exit:0 -o ignore \ 944c84c69bSKristof Provost jexec attack ${common_dir}/pft_rst.py 192.0.2.1 1234 192.0.2.2 4321 954c84c69bSKristof Provost 964c84c69bSKristof Provost # Connection should remain established 974c84c69bSKristof Provost atf_check -s exit:0 -e ignore \ 984c84c69bSKristof Provost -o match:"ESTABLISHED:ESTABLISHED" \ 994c84c69bSKristof Provost jexec cl pfctl -ss -v 1004c84c69bSKristof Provost} 1014c84c69bSKristof Provost 1024c84c69bSKristof Provostrst_cleanup() 1034c84c69bSKristof Provost{ 1044c84c69bSKristof Provost pft_cleanup 1054c84c69bSKristof Provost} 1064c84c69bSKristof Provost 1074c84c69bSKristof Provostatf_init_test_cases() 1084c84c69bSKristof Provost{ 1094c84c69bSKristof Provost atf_add_test_case "rst" 1104c84c69bSKristof Provost} 111