author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-01-13 11:32:44 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-01-13 11:32:44 +0000 |
commit | 863208c7673847ffc9685646aaafa5e4faf3f5a6 (patch) | |
tree | d642db99605b63b2e3b67151a673c12eced723e6 | |
parent | 585b8d8d82aa9952cf8f4691e0e2d03aa74401c5 (diff) |
According to RFC 5722 we drop all IPv6 fragments that belong to a
packet with overlaps. Adapt existing tests.
-rw-r--r-- | regress/sys/net/pf_fragment/frag6_cutnew.py | 15 | ||||
-rw-r--r-- | regress/sys/net/pf_fragment/frag6_cutold.py | 16 | ||||
-rw-r--r-- | regress/sys/net/pf_fragment/frag6_dropnew.py | 14 | ||||
-rw-r--r-- | regress/sys/net/pf_fragment/frag6_dropold.py | 14 |
4 files changed, 30 insertions, 29 deletions
diff --git a/regress/sys/net/pf_fragment/frag6_cutnew.py b/regress/sys/net/pf_fragment/frag6_cutnew.py index 4413d0668b3..300fb296627 100644 --- a/regress/sys/net/pf_fragment/frag6_cutnew.py +++ b/regress/sys/net/pf_fragment/frag6_cutnew.py @@ -2,12 +2,9 @@ # start of new fragment overlaps old one # |--------| -# |>>>>>----| +# |XXXXX----| -# If the tail of an older fragment overlaps the beginning of the -# current fragment, cut the newer fragment. -# m_adj(frent->fe_m, precut); -# Newer data wins. +# RFC 5722 drop overlapping fragments import os from addr import * @@ -33,6 +30,9 @@ if os.fork() == 0: ans=sniff(iface=SRC_IF, timeout=3, filter= "ip6 and src "+dstaddr+" and dst "+SRC_OUT6+" and icmp6") +if len(ans) == 0: + print "no reply" + exit(0) a=ans[0] if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ ipv6nh[a.payload.nh] == 'ICMPv6' and \ @@ -45,8 +45,9 @@ if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ data=a.payload.payload.data print "payload=%s" % (data) if data == payload: - exit(0) + print "ECHO REPLY" + exit(1) print "PAYLOAD!=%s" % (payload) - exit(1) + exit(2) print "NO ECHO REPLY" exit(2) diff --git a/regress/sys/net/pf_fragment/frag6_cutold.py b/regress/sys/net/pf_fragment/frag6_cutold.py index 24cb41722ad..aba852c1ac5 100644 --- a/regress/sys/net/pf_fragment/frag6_cutold.py +++ b/regress/sys/net/pf_fragment/frag6_cutold.py @@ -1,14 +1,10 @@ #!/usr/local/bin/python2.7 # end of new fragment overlaps old one -# |>>>>>----| +# |XXXXX----| # |--------| -# If the tail of the current framgent overlaps the beginning of an -# older fragment, cut the older fragment. -# m_adj(after->fe_m, aftercut); -# The older data becomes more suspect, and we essentially cause it -# to be dropped in the end, meaning it will come again. +# RFC 5722 drop overlapping fragments import os from addr import * 
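Review bot: The replacement header comment `# RFC 5722 drop overlapping fragments` in frag6_cutnew.py no longer says which outcome the script counts as success, and the file name still describes the old cut-the-newer-fragment behaviour. I would spell the expectation out, for example `# RFC 5722: an overlap discards the whole datagram, so the test passes only if no echo reply arrives`. The same one-line comment replaces the explanation in frag6_cutold.py, frag6_dropnew.py and frag6_dropold.py, so the same wording applies there.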
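Review bot: The added `if len(ans) == 0:` branch exits 0 whenever the 3-second sniff captures nothing, so the test also passes when the target is unreachable, the wrong interface is sniffed or the reply is merely late. It therefore does not pass only when the overlapping fragments were discarded. A negative test like this needs a positive control to show that silence is meaningful. If the suite already runs a non-overlapping fragment test against the same addresses first (not visible on this page), a comment such as `# silence is success only because <control test> proved reachability` would record that dependency. The identical branch is added in frag6_cutold.py, frag6_dropnew.py and frag6_dropold.py, and the script body continues outside the hunk.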
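Review bot: The trailing `print "NO ECHO REPLY"` followed by `exit(2)` still reports a failure, although after this change the absence of an echo reply is the expected result. Only `ans[0]` is inspected, and the capture filter shown in the preceding hunk accepts any ICMPv6 packet from the target. An unrelated packet captured first (a neighbour solicitation, for instance) would therefore presumably fail the test with a misleading message. I would rename the message to something like `print "UNEXPECTED ICMP6"`, or scan every packet in `ans` for an echo reply and exit 0 when none is found. The condition of the enclosing `if` is only partly visible in the hunk, and the same lines change in frag6_cutold.py, frag6_dropnew.py and frag6_dropold.py.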
@@ -34,6 +30,9 @@ if os.fork() == 0: ans=sniff(iface=SRC_IF, timeout=3, filter= "ip6 and src "+dstaddr+" and dst "+SRC_OUT6+" and icmp6") +if len(ans) == 0: + print "no reply" + exit(0) a=ans[0] if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ ipv6nh[a.payload.nh] == 'ICMPv6' and \ @@ -46,8 +45,9 @@ if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ data=a.payload.payload.data print "payload=%s" % (data) if data == payload: - exit(0) + print "ECHO REPLY" + exit(1) print "PAYLOAD!=%s" % (payload) - exit(1) + exit(2) print "NO ECHO REPLY" exit(2) diff --git a/regress/sys/net/pf_fragment/frag6_dropnew.py b/regress/sys/net/pf_fragment/frag6_dropnew.py index 5275af43c1a..85a401e64a6 100644 --- a/regress/sys/net/pf_fragment/frag6_dropnew.py +++ b/regress/sys/net/pf_fragment/frag6_dropnew.py @@ -5,11 +5,7 @@ # |XXXX| # |----| -# If the current fragment is completely overlapped by existing ones, -# drop the newer fragment. -# if (precut >= frent->fe_len) -# goto bad_fragment; -# 'Nearer' traffic wins. +# RFC 5722 drop overlapping fragments import os from addr import * @@ -38,6 +34,9 @@ if os.fork() == 0: ans=sniff(iface=SRC_IF, timeout=3, filter= "ip6 and src "+dstaddr+" and dst "+SRC_OUT6+" and icmp6") +if len(ans) == 0: + print "no reply" + exit(0) a=ans[0] if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ ipv6nh[a.payload.nh] == 'ICMPv6' and \ @@ -50,8 +49,9 @@ if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ data=a.payload.payload.data print "payload=%s" % (data) if data == payload: - exit(0) + print "ECHO REPLY" + exit(1) print "PAYLOAD!=%s" % (payload) - exit(1) + exit(2) print "NO ECHO REPLY" exit(2) diff --git a/regress/sys/net/pf_fragment/frag6_dropold.py b/regress/sys/net/pf_fragment/frag6_dropold.py index b3b1573c2e4..9dfc2e6a9cb 100644 --- a/regress/sys/net/pf_fragment/frag6_dropold.py +++ b/regress/sys/net/pf_fragment/frag6_dropold.py 
@@ -5,11 +5,7 @@ # |XXXX| # |------------| -# If an existing fragment is completely overlapped by the current -# one, drop the older fragment. -# TAILQ_REMOVE(&frag->fr_queue, after, fr_next); -# Smaller older fragments might not have been nearer, and might be -# trying to overwrite a very small part of the full packet. +# RFC 5722 drop overlapping fragments import os from addr import * @@ -38,6 +34,9 @@ if os.fork() == 0: ans=sniff(iface=SRC_IF, timeout=3, filter= "ip6 and src "+dstaddr+" and dst "+SRC_OUT6+" and icmp6") +if len(ans) == 0: + print "no reply" + exit(0) a=ans[0] if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ ipv6nh[a.payload.nh] == 'ICMPv6' and \ @@ -50,8 +49,9 @@ if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \ data=a.payload.payload.data print "payload=%s" % (data) if data == payload: - exit(0) + print "ECHO REPLY" + exit(1) print "PAYLOAD!=%s" % (payload) - exit(1) + exit(2) print "NO ECHO REPLY" exit(2) |