3 . $(atf_get_srcdir)/utils.subr
# Declare the IPv4 test case. The "cleanup" argument tells ATF that a
# too_many_fragments_cleanup routine accompanies the head and body.
5 atf_test_case "too_many_fragments" "cleanup"
# Head: test metadata only. Root is required because the body creates a jail,
# reconfigures interfaces, changes a sysctl and loads pf rules.
7 too_many_fragments_head()
9 atf_set descr 'IPv4 fragment limitation test'
10 atf_set require.user root
# Body: checks that pf's "scrub all fragment reassemble" rule caps how many
# fragments it accepts for one IPv4 packet, so that an oversized fragment
# train is dropped instead of being queued for reassembly.
# NOTE(review): the embedded line numbers jump (13 -> 18), so this listing
# omits lines; ${epair} is assigned on a line that is not shown here.
13 too_many_fragments_body()
# The later jexec calls configure ${epair}a inside "alcatraz", so this helper
# presumably creates that vnet jail and moves the "a" end into it; the "b"
# end stays on the host.
18 vnet_mkjail alcatraz ${epair}a
20 ifconfig ${epair}b inet 192.0.2.1/24 up
21 jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up
# A 200-byte MTU on both ends makes even modest pings fragment heavily.
23 ifconfig ${epair}b mtu 200
24 jexec alcatraz ifconfig ${epair}a mtu 200
# Enable pf inside the jail and load a single rule that reassembles every
# fragmented packet.
26 jexec alcatraz pfctl -e
27 pft_set_rules alcatraz \
28 "scrub all fragment reassemble"
# Raise the IP stack's own per-packet fragment limit inside the jail, so a
# drop in the final check cannot be explained by the stack's limit.
30 # So we know pf is limiting things
31 jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024
# Baseline: an unfragmented echo request must get a reply.
34 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
36 # We can ping with < 64 fragments
# 800 bytes of payload at MTU 200 is about five fragments (each fragment
# carries at most 176 bytes of IP payload when there are no IP options).
37 atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2
39 # Too many fragments should fail
# 20000 bytes at MTU 200 is more than 100 fragments. exit:2 is ping's status
# for "sent, but no reply received".
# NOTE(review): exit:2 only shows that no reply arrived; it does not by itself
# show that pf dropped the fragments. Also asserting on pf's fragment
# counters would make the attribution explicit.
40 atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2
# Cleanup hook for the too_many_fragments test case.
# NOTE(review): only the function header survives in this listing; the body
# that tears down the jail and epair is not shown.
43 too_many_fragments_cleanup()
# Declare the IPv6 test case, again with a cleanup routine.
# NOTE(review): the v6_head() header line itself is missing from this listing
# (the embedded numbers jump 48 -> 51); the atf_set lines below belong to it.
48 atf_test_case "v6" "cleanup"
51 atf_set descr 'IPv6 fragmentation test'
52 atf_set require.user root
# scapy is presumably needed by the CVE-2019-5597.py helper that the body
# runs; ATF skips the test when the program is not installed.
53 atf_set require.progs scapy
# Body of the IPv6 test: verifies that fragmented ICMPv6 echo traffic is
# reassembled by pf both when addressed to the pf host itself and when
# forwarded through it, then runs the CVE-2019-5597 helper script.
# Topology: host --epair_send-- alcatraz (router, runs pf) --epair_link--
# singsing.
# NOTE(review): the embedded line numbers have gaps, so some lines of the
# original (including the function header) are not shown in this listing.
60 epair_send=$(vnet_mkepair)
61 epair_link=$(vnet_mkepair)
# alcatraz gets one end of each epair; singsing gets the far end of the link.
63 vnet_mkjail alcatraz ${epair_send}b ${epair_link}a
64 vnet_mkjail singsing ${epair_link}b
# no_dad skips duplicate address detection, so each address is usable at once.
66 ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up
68 jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up
69 jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up
# alcatraz forwards between the 2001:db8:42::/64 and 2001:db8:43::/64 networks.
70 jexec alcatraz sysctl net.inet6.ip6.forwarding=1
72 jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up
# Static routes in both directions, each via alcatraz.
73 jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2
74 route add -6 2001:db8:43::/64 2001:db8:42::2
# Clear the IFDISABLED flag so IPv6 is operational on every interface used.
76 jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled
77 jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled
78 jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled
79 ifconfig ${epair_send}a inet6 -ifdisabled
# Enable pf on the router. The visible rules reassemble fragments and pass
# only neighbour discovery (needed for address resolution) and echo
# request/reply.
# NOTE(review): the rule on original line 84 is not shown in this listing, so
# the policy for other traffic cannot be confirmed from here.
81 jexec alcatraz pfctl -e
82 pft_set_rules alcatraz \
83 "scrub fragment reassemble" \
85 "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
86 "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"
# Host -> alcatraz (the pf host itself): first an unfragmented ping.
89 atf_check -s exit:0 -o ignore \
90 ping6 -c 1 2001:db8:42::2
# A 4500-byte payload has to be fragmented and then reassembled by pf.
92 atf_check -s exit:0 -o ignore \
93 ping6 -c 1 -s 4500 2001:db8:42::2
# Near-maximum payload; -b enlarges the socket buffer so ping6 can handle it.
95 atf_check -s exit:0 -o ignore\
96 ping6 -c 1 -b 70000 -s 65000 2001:db8:42::2
# Host -> singsing: the same three sizes, this time forwarded through pf.
99 atf_check -s exit:0 -o ignore \
100 ping6 -c 1 2001:db8:43::3
102 atf_check -s exit:0 -o ignore \
103 ping6 -c 1 -s 4500 2001:db8:43::3
105 atf_check -s exit:0 -o ignore\
106 ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
# Run the CVE-2019-5597 helper that ships in the test source directory.
# NOTE(review): its arguments continue on lines this listing omits, and no
# assertion after the script is visible here. Confirm that the full test
# checks the pf host is still up and forwarding once the script returns.
108 $(atf_get_srcdir)/CVE-2019-5597.py \
# Declare the mixed-MTU reassembly test case, with a cleanup routine.
# NOTE(review): the mtu_diff_head() header line is missing from this listing
# (the embedded numbers jump 119 -> 122); the atf_set lines below belong to it.
119 atf_test_case "mtu_diff" "cleanup"
122 atf_set descr 'Test reassembly across different MTUs, PR #255432'
123 atf_set require.user root
# Body of the mtu_diff test: a packet fragmented on a default-MTU link is
# reassembled by pf on a router and forwarded onto a 9000-byte-MTU link.
# Topology: host --epair_small-- first (router, pf scrub) --epair_large--
# second.
# NOTE(review): the embedded line numbers have gaps; among the lines not
# shown are the function header and anything between original lines 146 and
# 149, so the call that enables pf in "first" is not visible here.
130 epair_small=$(vnet_mkepair)
131 epair_large=$(vnet_mkepair)
133 vnet_mkjail first ${epair_small}b ${epair_large}a
134 vnet_mkjail second ${epair_large}b
# Small side: 192.0.2.0/25, left at the interface's default MTU.
136 ifconfig ${epair_small}a 192.0.2.1/25 up
137 jexec first ifconfig ${epair_small}b 192.0.2.2/25 up
# "first" routes between the two /25 networks.
139 jexec first sysctl net.inet.ip.forwarding=1
# Large side: 192.0.2.128/25 with a 9000-byte MTU on both ends.
140 jexec first ifconfig ${epair_large}a 192.0.2.130/25 up
141 jexec first ifconfig ${epair_large}a mtu 9000
142 jexec second ifconfig ${epair_large}b 192.0.2.131/25 up
143 jexec second ifconfig ${epair_large}b mtu 9000
144 jexec second route add default 192.0.2.130
# The host reaches the large side through "first".
146 route add 192.0.2.128/25 192.0.2.2
# Reassemble every fragmented packet on the router.
149 pft_set_rules first \
150 "scrub all fragment reassemble"
# Baseline reachability: near side of the router, far side, then the second
# jail.
153 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
154 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.130
155 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.131
# An 8000-byte payload leaves the host fragmented, is reassembled by pf on
# "first", and fits in a single packet on the 9000-byte-MTU link. The
# original comment below is cut short in this listing.
157 # Large packet that'll get reassembled and sent out in one on the large
159 atf_check -s exit:0 -o ignore ping -c 1 -s 8000 192.0.2.131
# ATF entry point: registers the three test cases declared in this file so
# that the test runner can list and execute them.
167 atf_init_test_cases()
169 atf_add_test_case "too_many_fragments"
170 atf_add_test_case "v6"
171 atf_add_test_case "mtu_diff"