From 1fd8c845b8b77f208f481901823fb87df04f8add Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Mon, 21 Aug 2023 08:06:50 +0200 Subject: [PATCH] pf tests: test syncookies on IPv6 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") --- tests/sys/netpfil/common/pft_synflood.py | 8 +- tests/sys/netpfil/pf/syncookie.sh | 151 ++++++++++++++++++++++- 2 files changed, 157 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/common/pft_synflood.py b/tests/sys/netpfil/common/pft_synflood.py index 67a5bba0def..f73caa1b6aa 100644 --- a/tests/sys/netpfil/common/pft_synflood.py +++ b/tests/sys/netpfil/common/pft_synflood.py @@ -35,7 +35,10 @@ def syn_flood(args): # Set a src mac, to avoid doing lookups which really slow us down. ether = sp.Ether(src='01:02:03:04:05') - ip = sp.IP(dst=args.to[0]) + if args.ip6: + ip = sp.IPv6(dst=args.to[0]) + else: + ip = sp.IP(dst=args.to[0]) for i in range(int(args.count[0])): tcp = sp.TCP(flags='S', sport=1+i, dport=22, seq=500+i) pkt = ether / ip / tcp @@ -44,6 +47,9 @@ def syn_flood(args): def main(): parser = argparse.ArgumentParser("pft_synflood.py", description="SYN flooding tool") + parser.add_argument('--ip6', + action='store_true', + help='Use IPv6 rather than IPv4') parser.add_argument('--sendif', nargs=1, required=True, help='The interface through which the packet(s) will be sent') diff --git a/tests/sys/netpfil/pf/syncookie.sh b/tests/sys/netpfil/pf/syncookie.sh index 131a4eac5eb..8feb2816f58 100644 --- a/tests/sys/netpfil/pf/syncookie.sh +++ b/tests/sys/netpfil/pf/syncookie.sh @@ -71,7 +71,6 @@ basic_body() atf_fail "Failed to connect to syncookie protected echo daemon" fi - # Check that status shows syncookies as being active active=$(syncookie_state alcatraz) if [ "$active" != "active" ]; @@ -86,6 +85,55 @@ basic_cleanup() pft_cleanup } +atf_test_case "basic_v6" "cleanup" +basic_v6_head() +{ + atf_set descr 'Basic syncookie IPv6 test' + atf_set require.user root +} + +basic_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + jexec alcatraz /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + reply=$(echo foo | nc -N -w 5 2001:db8::1 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi + + # Check that status shows syncookies as being active + active=$(syncookie_state alcatraz) + if [ "$active" != "active" ]; + then + atf_fail "syncookies not active" + fi +} + +basic_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "forward" "cleanup" forward_head() { @@ -137,6 +185,57 @@ forward_cleanup() pft_cleanup } +atf_test_case "forward_v6" "cleanup" +forward_v6_head() +{ + atf_set descr 'Syncookies for forwarded hosts' + atf_set require.user root +} + +forward_v6_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + + vnet_mkjail fwd ${epair_in}b ${epair_out}a + vnet_mkjail srv ${epair_out}b + + jexec fwd ifconfig ${epair_in}b inet6 2001:db8::1/64 up no_dad + jexec fwd ifconfig ${epair_out}a inet6 2001:db8:1::1/64 up no_dad + jexec fwd sysctl net.inet6.ip6.forwarding=1 + + jexec srv ifconfig ${epair_out}b inet6 2001:db8:1::2/64 up no_dad + jexec srv route -6 add default 2001:db8:1::1 + jexec srv /usr/sbin/inetd -p inetd-alcatraz.pid \ + $(atf_get_srcdir)/echo_inetd.conf + + ifconfig ${epair_in}a inet6 2001:db8::2/64 up no_dad + route -6 add -net 2001:db8:1::/64 2001:db8::1 + + jexec fwd pfctl -e + pft_set_rules fwd \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:1::2 + + reply=$(echo foo | nc -N -w 5 2001:db8:1::2 7) + if [ "${reply}" != "foo" ]; + then + atf_fail "Failed to connect to syncookie protected echo daemon" + fi +} + +forward_v6_cleanup() +{ + rm -f inetd-alcatraz.pid + pft_cleanup +} + atf_test_case "nostate" "cleanup" nostate_head() { @@ -183,6 +282,53 @@ nostate_cleanup() pft_cleanup } +atf_test_case "nostate_v6" "cleanup" +nostate_v6_head() +{ + atf_set descr 'Ensure that we do not create until SYN|ACK' + atf_set require.user root + atf_set require.progs scapy +} + +nostate_v6_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set syncookies always" \ + "pass in" \ + "pass out" + + # Sanity check + atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8::1 + + # Now syn flood to create many states + ${common_dir}/pft_synflood.py \ + --ip6 \ + --sendif ${epair}a \ + --to 2001:db8::2 \ + --count 20 + + states=$(jexec alcatraz pfctl -ss | grep tcp) + if [ -n "$states" ]; + then + echo "$states" + atf_fail "Found unexpected state" + fi +} + +nostate_v6_cleanup() +{ + pft_cleanup +} + atf_test_case "adaptive" "cleanup" adaptive_head() { @@ -337,8 +483,11 @@ port_reuse_cleanup() atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "basic_v6" atf_add_test_case "forward" + atf_add_test_case "forward_v6" atf_add_test_case "nostate" + atf_add_test_case "nostate_v6" atf_add_test_case "adaptive" atf_add_test_case "limits" atf_add_test_case "port_reuse"