From 1a65535d50f6e9f97a307062be690057714d0f6e Mon Sep 17 00:00:00 2001
From: bluhm
Date: Mon, 16 May 2022 16:54:18 +0000
Subject: [PATCH] The pf IPv4 option and IPv6 extension header filter has stricter checks for IGMP and ICMP6 MLD packets. Use ttl, hlim, link-local, and multicast features in test where necessary.
---
 regress/sys/net/pf_opts/Makefile | 17 ++++++++++++-----
 regress/sys/net/pf_opts/icmp6_mld_bad.py | 2 +-
 regress/sys/net/pf_opts/icmp6_mld_ra.py | 2 +-
 regress/sys/net/pf_opts/igmp_bad.py | 2 +-
 regress/sys/net/pf_opts/igmp_ra.py | 2 +-
 5 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/regress/sys/net/pf_opts/Makefile b/regress/sys/net/pf_opts/Makefile
index 55088a8596c..ade0b5f48a6 100644
--- a/regress/sys/net/pf_opts/Makefile
+++ b/regress/sys/net/pf_opts/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2022/04/29 18:58:33 bluhm Exp $
+# $OpenBSD: Makefile,v 1.6 2022/05/16 16:54:18 bluhm Exp $
 # Copyright (c) 2022 Alexander Bluhm #
@@ -85,6 +85,7 @@ ifconfig: unconfig
 ${SUDO} /sbin/ifconfig lo$n inet 127.0.0.$n alias
 ${SUDO} /sbin/ifconfig lo$n inet6 ::1/128
 ${SUDO} /sbin/ifconfig lo$n inet6 fe80::$n/64
+ ${SUDO} /sbin/route -n -T $n add -inet 224.0.0.0/4 127.0.0.1
 .endfor
 # Wait until IPv6 addresses are no longer tentative.
 for i in `jot 50`; do\
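Review bot: Nothing visible pairs the new `route -n -T $n add -inet 224.0.0.0/4 127.0.0.1` line in the `ifconfig` target with a step that removes the route again. The `unconfig` target is outside this hunk, so please confirm that it, or the teardown of lo$n, deletes the route; if it does not, a rerun would find the route already present and the setup could fail before any pf check runs. The line also has no comment, and if the reason is that the test packets now go to 224.0.0.1, something like `# test packets are sent to 224.0.0.1, rtable $n needs a multicast route` would say so.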
@@ -316,12 +317,16 @@ run-icmp6-mld: stamp-bpf
 REGRESS_TARGETS += run-bpf-mcast
 run-bpf-mcast: stamp-stop
 # Check that multicast protocol packet with router alert passed
- grep ' 127.0.0.${N2}: igmp query .* IPOPT-148{4}' lo${N2}.tcpdump
- grep ' fe80::${N2}: HBH (rtalert:.* icmp6: multicast ' lo${N2}.tcpdump
+ grep '127.0.0.${N2} > 224.0.0.1:\
+ igmp query .* IPOPT-148{4}' lo${N2}.tcpdump
+ grep 'fe80::${N2} > ff02::1:\
+ HBH (rtalert:.* icmp6: multicast ' lo${N2}.tcpdump
 ! grep '127.0.0.${N1}' pflog0.tcpdump
 ! grep 'fe80::${N1}' pflog0.tcpdump
 ! grep '127.0.0.${N2}' pflog0.tcpdump
 ! grep 'fe80::${N2}' pflog0.tcpdump
+ ! grep '224.0.0.1' pflog0.tcpdump
+ ! grep 'ff02::1' pflog0.tcpdump
 REGRESS_TARGETS += run-igmp-bad
 run-igmp-bad: stamp-bpf
@@ -336,8 +341,10 @@ run-icmp6-mld-bad: stamp-bpf
 REGRESS_TARGETS += run-bpf-mcast-bad
 run-bpf-mcast-bad: stamp-stop
 # Check that multicast protocol packet with options were blocked
- grep ' 127.0.0.${N2}: igmp query .* IPOPT-3{4}' pflog0.tcpdump
- grep ' fe80::${N2}: HBH (type 0x03:.* icmp6: multicast ' pflog0.tcpdump
+ grep '127.0.0.${N2} > 224.0.0.1:\
+ igmp query .* IPOPT-3{4}' pflog0.tcpdump
+ grep 'fe80::${N2} > ff02::1:\
+ HBH (type 0x03:.* icmp6: multicast ' pflog0.tcpdump
 ! grep '127.0.0.${N1}' pflog0.tcpdump
 ! grep 'fe80::${N1}' pflog0.tcpdump
diff --git a/regress/sys/net/pf_opts/icmp6_mld_bad.py b/regress/sys/net/pf_opts/icmp6_mld_bad.py
index db11587236c..9182ccafa5e 100644
--- a/regress/sys/net/pf_opts/icmp6_mld_bad.py
+++ b/regress/sys/net/pf_opts/icmp6_mld_bad.py
@@ -18,7 +18,7 @@ ADDR6=eval("ADDR6_"+N);
 pid=os.getpid()
 eid=pid & 0xffff
-packet=IPv6(src=ADDR6, dst=ADDR6)/ \
+packet=IPv6(src=ADDR6, dst="ff02::1", hlim=1)/ \
 IPv6ExtHdrHopByHop(options=HBHOptUnknown(otype=3))/ \
 ICMPv6MLQuery()
diff --git a/regress/sys/net/pf_opts/icmp6_mld_ra.py b/regress/sys/net/pf_opts/icmp6_mld_ra.py
index a156796eb03..b540a036d39 100644
--- a/regress/sys/net/pf_opts/icmp6_mld_ra.py
+++ b/regress/sys/net/pf_opts/icmp6_mld_ra.py
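Review bot: In `run-bpf-mcast-bad` (Makefile hunk at -336) the "were blocked" check is satisfied by any pflog0 entry for the packet, because the two rewritten `grep ... pflog0.tcpdump` lines match only addresses, protocol and option text. Nothing in the hunk asserts the rule action or that the packet is absent from the `lo${N2}` capture, so a rule that logged and still passed a packet carrying IPOPT-3 or HBH type 0x03 would keep this target green. If `lo${N2}.tcpdump` only shows packets pf let through, as `run-bpf-mcast` appears to assume, consider adding `! grep '> 224.0.0.1:' lo${N2}.tcpdump` and `! grep '> ff02::1:' lo${N2}.tcpdump` to this target. The target may continue below the hunk.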
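Review bot: The new `dst="ff02::1", hlim=1` on the `packet=` line of icmp6_mld_bad.py has no comment explaining it, and the same holds for the matching changes in icmp6_mld_ra.py (`dst="ff02::1", hlim=1`) and in igmp_bad.py and igmp_ra.py (`dst="224.0.0.1", ttl=1`). The commit message ties these values to pf's stricter IGMP and MLD checks, so a line above `packet=` such as `# pf's stricter MLD check needs a multicast destination and hop limit 1` would record that in the script. Without it, a later edit could turn the test packet into one that pf drops for a reason other than the option under test. The group addresses are also repeated as literals across the four scripts and the Makefile greps; a shared name next to wherever ADDR6 is defined (not visible here) would keep them in step. Each script continues outside its hunk.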
@@ -18,7 +18,7 @@ ADDR6=eval("ADDR6_"+N);
 pid=os.getpid()
 eid=pid & 0xffff
-packet=IPv6(src=ADDR6, dst=ADDR6)/ \
+packet=IPv6(src=ADDR6, dst="ff02::1", hlim=1)/ \
 IPv6ExtHdrHopByHop(options=RouterAlert())/ \
 ICMPv6MLQuery()
diff --git a/regress/sys/net/pf_opts/igmp_bad.py b/regress/sys/net/pf_opts/igmp_bad.py
index 752093931d6..58714f293bf 100644
--- a/regress/sys/net/pf_opts/igmp_bad.py
+++ b/regress/sys/net/pf_opts/igmp_bad.py
@@ -18,7 +18,7 @@ ADDR=eval("ADDR_"+N);
 pid=os.getpid()
 eid=pid & 0xffff
-packet=IP(src=ADDR, dst=ADDR, options=b"\003\004\000\000")/ \
+packet=IP(src=ADDR, dst="224.0.0.1", ttl=1, options=b"\003\004\000\000")/ \
 IGMP(type=0x11)
 send(packet, iface=IF)
diff --git a/regress/sys/net/pf_opts/igmp_ra.py b/regress/sys/net/pf_opts/igmp_ra.py
index 8ac0b0e6ae5..92a2ebcf575 100644
--- a/regress/sys/net/pf_opts/igmp_ra.py
+++ b/regress/sys/net/pf_opts/igmp_ra.py
@@ -18,7 +18,7 @@ ADDR=eval("ADDR_"+N);
 pid=os.getpid()
 eid=pid & 0xffff
-packet=IP(src=ADDR, dst=ADDR, options=b"\224\004\000\000")/ \
+packet=IP(src=ADDR, dst="224.0.0.1", ttl=1, options=b"\224\004\000\000")/ \
 IGMP(type=0x11)
 send(packet, iface=IF)
-- 
2.20.1