From a2e32536a0eeffafcb958591256e41de6022dd58 Mon Sep 17 00:00:00 2001 From: bluhm Date: Fri, 29 Apr 2022 09:45:05 +0000 Subject: [PATCH] Check that IGMP and ICMP6 MLD packets with router alert option pass. Other combinations with IP options are still blocked.
---
 regress/sys/net/pf_opts/Makefile | 64 +++++++++++++++++++----- regress/sys/net/pf_opts/icmp6_mld_bad.py | 28 +++++++++++ regress/sys/net/pf_opts/icmp6_mld_ra.py | 28 +++++++++++ regress/sys/net/pf_opts/icmp_bad.py | 2 +- regress/sys/net/pf_opts/icmp_eol.py | 2 +- regress/sys/net/pf_opts/icmp_pad.py | 2 +- regress/sys/net/pf_opts/icmp_ra.py | 2 +- regress/sys/net/pf_opts/igmp_bad.py | 24 +++++++++ regress/sys/net/pf_opts/igmp_ra.py | 24 +++++++++ 9 files changed, 160 insertions(+), 16 deletions(-) create mode 100644 regress/sys/net/pf_opts/icmp6_mld_bad.py create mode 100644 regress/sys/net/pf_opts/icmp6_mld_ra.py create mode 100644 regress/sys/net/pf_opts/igmp_bad.py create mode 100644 regress/sys/net/pf_opts/igmp_ra.py
diff --git a/regress/sys/net/pf_opts/Makefile b/regress/sys/net/pf_opts/Makefile
index 1b864e36d9a..a1d870b8586 100644
--- a/regress/sys/net/pf_opts/Makefile
+++ b/regress/sys/net/pf_opts/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2022/04/28 15:37:01 anton Exp $
+# $OpenBSD: Makefile,v 1.3 2022/04/29 09:45:05 bluhm Exp $
 # Copyright (c) 2022 Alexander Bluhm
 #
@@ -79,23 +79,23 @@ REGRESS_SETUP_ONCE += ifconfig
 ifconfig: unconfig
 # Create and configure loopback interfaces.
 .for n in ${NUMS}
- ${SUDO} ifconfig lo$n rdomain $n
- ${SUDO} ifconfig lo$n inet 127.0.0.1/8
- ${SUDO} ifconfig lo$n inet 127.0.0.$n alias
- ${SUDO} ifconfig lo$n inet6 ::1/128
- ${SUDO} ifconfig lo$n inet6 fe80::$n/64
+ ${SUDO} /sbin/ifconfig lo$n rdomain $n
+ ${SUDO} /sbin/ifconfig lo$n inet 127.0.0.1/8
+ ${SUDO} /sbin/ifconfig lo$n inet 127.0.0.$n alias
+ ${SUDO} /sbin/ifconfig lo$n inet6 ::1/128
+ ${SUDO} /sbin/ifconfig lo$n inet6 fe80::$n/64
 .endfor
- ${SUDO} route -n -T ${N1} add -inet -host 127.0.0.${N2} 127.0.0.1
- ${SUDO} route -n -T ${N2} add -inet -host 127.0.0.${N1} 127.0.0.1
+ ${SUDO} /sbin/route -n -T ${N1} add -inet -host 127.0.0.${N2} 127.0.0.1
+ ${SUDO} /sbin/route -n -T ${N2} add -inet -host 127.0.0.${N1} 127.0.0.1
 REGRESS_CLEANUP += unconfig
 unconfig: stamp-stop
 # Destroy interfaces.
 .for n in ${NUMS}
- -${SUDO} ifconfig lo$n inet 127.0.0.1 delete
- -${SUDO} ifconfig lo$n inet 127.0.0.$n delete
- -${SUDO} ifconfig lo$n inet6 ::1 delete
- -${SUDO} ifconfig lo$n inet6 fe80::$n/64 delete
+ -${SUDO} /sbin/ifconfig lo$n inet 127.0.0.1 delete
+ -${SUDO} /sbin/ifconfig lo$n inet 127.0.0.$n delete
+ -${SUDO} /sbin/ifconfig lo$n inet6 ::1 delete
+ -${SUDO} /sbin/ifconfig lo$n inet6 fe80::$n/64 delete
 .endfor
 rm -f stamp-ifconfig
@@ -281,6 +281,46 @@ run-bpf-opts: stamp-stop
 ! grep '127.0.0.${N1}' pflog0.tcpdump
 ! grep 'fe80::${N1}' pflog0.tcpdump
+# multicast with router alert
+
+REGRESS_TARGETS += run-igmp
+run-igmp: stamp-bpf
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N1} exec ${PYTHON}igmp_ra.py N1
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N2} exec ${PYTHON}igmp_ra.py N2
+
+REGRESS_TARGETS += run-icmp6-mld
+run-icmp6-mld: stamp-bpf
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N1} exec ${PYTHON}icmp6_mld_ra.py N1
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N2} exec ${PYTHON}icmp6_mld_ra.py N2
+
+REGRESS_TARGETS += run-bpf-mcast
+run-bpf-mcast: stamp-stop
+ # Check that multicast protocol packet with router alert passed
+ grep ' 127.0.0.${N2}: igmp query .* IPOPT-148{4}' lo${N2}.tcpdump
+ grep ' fe80::${N2}: HBH (rtalert:.* icmp6: multicast ' lo${N2}.tcpdump
+ ! grep '127.0.0.${N1}' pflog0.tcpdump
+ ! grep 'fe80::${N1}' pflog0.tcpdump
+ ! grep '127.0.0.${N2}' pflog0.tcpdump
+ ! grep 'fe80::${N2}' pflog0.tcpdump
+
+REGRESS_TARGETS += run-igmp-bad
+run-igmp-bad: stamp-bpf
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N1} exec ${PYTHON}igmp_bad.py N1
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N2} exec ${PYTHON}igmp_bad.py N2
+
+REGRESS_TARGETS += run-icmp6-mld-bad
+run-icmp6-mld-bad: stamp-bpf
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N1} exec ${PYTHON}icmp6_mld_bad.py N1
+ ${SUDO} env ${PYPATH} /sbin/route -T ${N2} exec ${PYTHON}icmp6_mld_bad.py N2
+
+REGRESS_TARGETS += run-bpf-mcast-bad
+run-bpf-mcast-bad: stamp-stop
+ # Check that multicast protocol packet with options were blocked
+ grep ' 127.0.0.${N2}: igmp query .* IPOPT-3{4}' pflog0.tcpdump
+ grep ' fe80::${N2}: HBH (type 0x03:.* icmp6: multicast ' pflog0.tcpdump
+ ! grep '127.0.0.${N1}' pflog0.tcpdump
+ ! grep 'fe80::${N1}' pflog0.tcpdump
+
 CLEANFILES += addr.py *.pyc *.tcpdump *.log stamp-*
 .include
diff --git a/regress/sys/net/pf_opts/icmp6_mld_bad.py b/regress/sys/net/pf_opts/icmp6_mld_bad.py
new file mode 100644
index 00000000000..db11587236c
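Review bot: In `run-bpf-mcast` the four `! grep ... pflog0.tcpdump` lines also succeed when pflog0.tcpdump is missing or unreadable, because grep then exits with status 2 and `!` turns that into success, so the "was not blocked" half of the check can pass without any pflog capture. `run-bpf-mcast-bad` is protected by its positive greps on the same file, but `run-bpf-mcast` only greps lo${N2}.tcpdump positively. Whether `stamp-stop` already guarantees the file exists is not visible in this hunk; if it does not, a `test -f pflog0.tcpdump` line before the negative greps would make the precondition explicit. The new recipe lines also still resolve `env` through PATH under `${SUDO}` while calling `/sbin/route` by absolute path; `/usr/bin/env` would match what the previous hunk does for ifconfig and route.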
--- /dev/null
+++ b/regress/sys/net/pf_opts/icmp6_mld_bad.py
@@ -0,0 +1,28 @@
+#!/usr/local/bin/python3
+
+print("send icmp6 multicast listener discovery with unknown option")
+
+import os
+import sys
+from struct import pack
+from addr import *
+from scapy.all import *
+
+if len(sys.argv) != 2:
+ print("usage: icmp6_mld_ra.py Nn")
+ exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR6=eval("ADDR6_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+packet=IPv6(src=ADDR6, dst=ADDR6)/ \
+ IPv6ExtHdrHopByHop(options=HBHOptUnknown(otype=3))/ \
+ ICMPv6MLQuery()
+
+# send does not work for some reason, add the bpf loopback layer manually
+#send(packet)
+bpf=pack('!I', 24) + bytes(packet)
+sendp(bpf, iface=IF)
diff --git a/regress/sys/net/pf_opts/icmp6_mld_ra.py b/regress/sys/net/pf_opts/icmp6_mld_ra.py
new file mode 100644
index 00000000000..a156796eb03
--- /dev/null
+++ b/regress/sys/net/pf_opts/icmp6_mld_ra.py
@@ -0,0 +1,28 @@
+#!/usr/local/bin/python3
+
+print("send icmp6 multicast listener discovery with router alert")
+
+import os
+import sys
+from struct import pack
+from addr import *
+from scapy.all import *
+
+if len(sys.argv) != 2:
+ print("usage: icmp6_mld_ra.py Nn")
+ exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR6=eval("ADDR6_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+packet=IPv6(src=ADDR6, dst=ADDR6)/ \
+ IPv6ExtHdrHopByHop(options=RouterAlert())/ \
+ ICMPv6MLQuery()
+
+# send does not work for some reason, add the bpf loopback layer manually
+#send(packet)
+bpf=pack('!I', 24) + bytes(packet)
+sendp(bpf, iface=IF)
diff --git a/regress/sys/net/pf_opts/icmp_bad.py b/regress/sys/net/pf_opts/icmp_bad.py
index 27c662c2d64..ea3536959ed 100644
--- a/regress/sys/net/pf_opts/icmp_bad.py
+++ b/regress/sys/net/pf_opts/icmp_bad.py
@@ -1,6 +1,6 @@
 #!/usr/local/bin/python3
-print("send icmp unknown option")
+print("send icmp with unknown option")
 import os
 import sys
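Review bot: In icmp6_mld_bad.py, `IF=eval("IF_"+N);` and `ADDR6=eval("ADDR6_"+N);` evaluate a command-line argument as a Python expression, and the Makefile runs these scripts under `${SUDO}`; the same two-line pattern is in icmp6_mld_ra.py, igmp_bad.py and igmp_ra.py. The Makefile only passes N1 or N2, so this mostly matters when a script is run by hand, but a plain lookup does the same job without evaluating input: `IF=globals()["IF_"+N]` and `ADDR6=globals()["ADDR6_"+N]`, since the names arrive through `from addr import *`. Separately, the usage message in icmp6_mld_bad.py names the wrong script and should read `print("usage: icmp6_mld_bad.py Nn")`.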
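Review bot: In icmp6_mld_ra.py, and identically in icmp6_mld_bad.py, the literal in `bpf=pack('!I', 24) + bytes(packet)` is unexplained, and the comment above it only says that send "does not work for some reason". The four bytes look like the address-family word of the loopback link header, with 24 being AF_INET6 on OpenBSD; if that is right, a comment such as `# loopback bpf header: 4-byte address family in network order (AF_INET6)` would say so, or the constant could be spelled `socket.AF_INET6`. `pid` and `eid` are assigned but never used in any of the four new scripts and can be dropped.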
diff --git a/regress/sys/net/pf_opts/icmp_eol.py b/regress/sys/net/pf_opts/icmp_eol.py
index 6c44e883dc8..f0047d7e314 100644
--- a/regress/sys/net/pf_opts/icmp_eol.py
+++ b/regress/sys/net/pf_opts/icmp_eol.py
@@ -1,6 +1,6 @@
 #!/usr/local/bin/python3
-print("send icmp option end of list")
+print("send icmp with option end of list")
 import os
 import sys
diff --git a/regress/sys/net/pf_opts/icmp_pad.py b/regress/sys/net/pf_opts/icmp_pad.py
index 3e4a9f6d96b..119050eff1d 100644
--- a/regress/sys/net/pf_opts/icmp_pad.py
+++ b/regress/sys/net/pf_opts/icmp_pad.py
@@ -1,6 +1,6 @@
 #!/usr/local/bin/python3
-print("send icmp options padding")
+print("send icmp with options padding")
 import os
 import sys
diff --git a/regress/sys/net/pf_opts/icmp_ra.py b/regress/sys/net/pf_opts/icmp_ra.py
index 4eb2979a328..a9c4bc3bf9f 100644
--- a/regress/sys/net/pf_opts/icmp_ra.py
+++ b/regress/sys/net/pf_opts/icmp_ra.py
@@ -1,6 +1,6 @@
 #!/usr/local/bin/python3
-print("send icmp option router alert")
+print("send icmp with router alert")
 import os
 import sys
diff --git a/regress/sys/net/pf_opts/igmp_bad.py b/regress/sys/net/pf_opts/igmp_bad.py
new file mode 100644
index 00000000000..752093931d6
--- /dev/null
+++ b/regress/sys/net/pf_opts/igmp_bad.py
@@ -0,0 +1,24 @@
+#!/usr/local/bin/python3
+
+print("send internet group management protocol with unknown option")
+
+import os
+import sys
+from addr import *
+from scapy.all import *
+from scapy.contrib.igmp import *
+
+if len(sys.argv) != 2:
+ print("usage: igmp_bad.py Nn")
+ exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR=eval("ADDR_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+packet=IP(src=ADDR, dst=ADDR, options=b"\003\004\000\000")/ \
+ IGMP(type=0x11)
+
+send(packet, iface=IF)
diff --git a/regress/sys/net/pf_opts/igmp_ra.py b/regress/sys/net/pf_opts/igmp_ra.py
new file mode 100644
index 00000000000..8ac0b0e6ae5
--- /dev/null
+++ b/regress/sys/net/pf_opts/igmp_ra.py
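Review bot: In igmp_bad.py the IP option is passed as raw octal-escaped bytes, `options=b"\003\004\000\000"`, with nothing saying what they encode; igmp_ra.py does the same with `b"\224\004\000\000"`. The octal form hides that `\224` is decimal 148, the value the Makefile greps for as `IPOPT-148{4}`. A one-line comment above each packet would tie the script to that check, for example `# IP option type 3, length 4: expected in pflog0 as IPOPT-3{4}` here and `# IP option type 148 (router alert), length 4, value 0` in igmp_ra.py.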
@@ -0,0 +1,24 @@
+#!/usr/local/bin/python3
+
+print("send internet group management protocol with router alert")
+
+import os
+import sys
+from addr import *
+from scapy.all import *
+from scapy.contrib.igmp import *
+
+if len(sys.argv) != 2:
+ print("usage: igmp_ra.py Nn")
+ exit(2)
+
+N=sys.argv[1]
+IF=eval("IF_"+N);
+ADDR=eval("ADDR_"+N);
+
+pid=os.getpid()
+eid=pid & 0xffff
+packet=IP(src=ADDR, dst=ADDR, options=b"\224\004\000\000")/ \
+ IGMP(type=0x11)
+
+send(packet, iface=IF)
-- 2.20.1