From f38031e63fc64201054602063f8d5af21da3aacc Mon Sep 17 00:00:00 2001 From: Alexander Bluhm Date: Tue, 28 Feb 2017 16:14:37 +0000 Subject: IPv6 packets with routing header 0 are dropped by pf, but answered with ICMP6 parameter problem by the network stack. This test expects the ICMP6 packets, so disable pf on the remote machine temporarily. --- regress/sys/netinet6/rh0/LICENSE | 13 ++++ regress/sys/netinet6/rh0/Makefile | 101 +++++++++++------------------ regress/sys/netinet6/rh0/rh0_empty.py | 2 + regress/sys/netinet6/rh0/rh0_final.py | 2 + regress/sys/netinet6/rh0/rh0_frag2.py | 2 + regress/sys/netinet6/rh0/rh0_frag_empty.py | 2 + regress/sys/netinet6/rh0/rh0_frag_final.py | 2 + regress/sys/netinet6/rh0/rh0_frag_route.py | 2 + regress/sys/netinet6/rh0/rh0_none.py | 2 + regress/sys/netinet6/rh0/rh0_route.py | 2 + 10 files changed, 68 insertions(+), 62 deletions(-) create mode 100644 regress/sys/netinet6/rh0/LICENSE (limited to 'regress') diff --git a/regress/sys/netinet6/rh0/LICENSE b/regress/sys/netinet6/rh0/LICENSE new file mode 100644 index 00000000000..8132b495a44 --- /dev/null +++ b/regress/sys/netinet6/rh0/LICENSE @@ -0,0 +1,13 @@ +# Copyright (c) 2012-2017 Alexander Bluhm +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/regress/sys/netinet6/rh0/Makefile b/regress/sys/netinet6/rh0/Makefile index 473af6b5055..86181628e07 100644 --- a/regress/sys/netinet6/rh0/Makefile +++ b/regress/sys/netinet6/rh0/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.7 2016/10/19 14:31:19 tb Exp $ +# $OpenBSD: Makefile,v 1.8 2017/02/28 16:14:35 bluhm Exp $ # The following ports must be installed: # @@ -9,12 +9,13 @@ .if ! (make(clean) || make(cleandir) || make(obj)) # Check wether all required python packages are installed. If some # are missing print a warning and skip the tests, but do not fail. -PYTHON_IMPORT != python2.7 -c 'from scapy.all import *' 2>&1 || true +PYTHON_IMPORT !!= python2.7 -c 'from scapy.all import *' 2>&1 || true .endif + .if ! empty(PYTHON_IMPORT) regress: @echo '${PYTHON_IMPORT}' - @echo install python and the scapy module for additional tests + @echo Install python and the scapy module for additional tests. @echo SKIPPED .endif @@ -45,15 +46,24 @@ SRT_OUT6 ?= .if empty (SRC_IF) || empty (SRC_MAC) || empty (DST_MAC) || \ empty (SRC_OUT6) || empty (DST_IN6) || empty (DST_OUT6) || \ - empty (SRT_IN6) || empty (SRT_OUT6) + empty (SRT_IN6) || empty (SRT_OUT6) || empty (REMOTE_SSH) regress: - @echo this tests needs a remote machine to operate on + @echo This tests needs a remote machine to operate on. @echo SRC_IF SRC_MAC DST_MAC SRC_OUT6 DST_IN6 DST_OUT6 - @echo SRT_IN6 SRT_OUT6 are empty - @echo fill out these variables for additional tests + @echo SRT_IN6 SRT_OUT6 REMOTE_SSH are empty. + @echo Fill out these variables for additional tests. @echo SKIPPED .endif +.MAIN: all + +.if make (regress) || make (all) +.BEGIN: addr.py + @echo + ${SUDO} true + rm -f stamp-stack stamp-pf +.endif + depend: addr.py # Create python include file containing the addresses. @@ -75,65 +85,35 @@ PYTHON = python2.7 ./ PYTHON = PYTHONPATH=${.OBJDIR} python2.7 ${.CURDIR}/ .endif -# Send ping6 packet without routing header type 0 -TARGETS += rh0-none -run-regress-rh0-none: addr.py - @echo '\n======== $@ ========' - @echo Check without routing header type 0 - ${SUDO} ${PYTHON}rh0_none.py - -# Send ping6 packet with routing header type 0 but empty address list -TARGETS += rh0-empty -run-regress-rh0-empty: addr.py - @echo '\n======== $@ ========' - @echo Check routing header type 0 with empty address list - ${SUDO} ${PYTHON}rh0_empty.py - -TARGETS += rh0-final -# Send ping6 packet with routing header type 0 to the final destination -run-regress-rh0-final: addr.py - @echo '\n======== $@ ========' - @echo Check routing header type 0 to the final destination - ${SUDO} ${PYTHON}rh0_final.py - -TARGETS += rh0-route -# Send ping6 packet with routing header type 0 to be source routed -run-regress-rh0-route: addr.py - @echo '\n======== $@ ========' - @echo Check routing header type 0 to be source routed - ${SUDO} ${PYTHON}rh0_route.py +stamp-stack: + rm -f stamp-stack stamp-pf + -ssh -t ${REMOTE_SSH} ${SUDO} pfctl -d + ssh -t ${REMOTE_SSH} ${SUDO} pfctl -a regress -Fr + date >$@ -# Send with fragment and routing header type 0 but empty address list -TARGETS += rh0-frag-empty -run-regress-rh0-frag-empty: addr.py - @echo '\n======== $@ ========' - @echo Check fragment and routing header type 0 with empty address list - ${SUDO} ${PYTHON}rh0_frag_empty.py +stamp-pf: + rm -f stamp-stack stamp-pf + echo 'pass proto tcp from port ssh no state\n'\ + 'pass proto tcp to port ssh no state'|\ + ssh -t ${REMOTE_SSH} ${SUDO} pfctl -a regress -f - + -ssh -t ${REMOTE_SSH} ${SUDO} pfctl -e + date >$@ -TARGETS += rh0-frag-final -# Send with fragment and routing header type 0 to the final destination -run-regress-rh0-frag-final: addr.py - @echo '\n======== $@ ========' - @echo Check fragment and routing header type 0 to the final destination - ${SUDO} ${PYTHON}rh0_frag_final.py +RH0_SCRIPTS !!= cd ${.CURDIR} && ls -1 rh0*.py -TARGETS += rh0-frag-route -# Send with fragment and routing header type 0 to be source routed -run-regress-rh0-frag-route: addr.py +.for s in ${RH0_SCRIPTS} +run-regress-${s}: addr.py stamp-stack @echo '\n======== $@ ========' - @echo Check fragment and routing header type 0 to be source routed - ${SUDO} ${PYTHON}rh0_frag_route.py + ${SUDO} ${PYTHON}${s} +.endfor -TARGETS += rh0-frag2 -# Send with fragment and routing header type 0 to be source routed -run-regress-rh0-frag2: addr.py - @echo '\n======== $@ ========' - @echo Check routing header type 0 in the second fragment - ${SUDO} ${PYTHON}rh0_frag2.py +REGRESS_TARGETS = ${RH0_SCRIPTS:S/^/run-regress-/} -REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/} +# After running the tests, turn on pf on remote machine. +# This is the expected default configuration. +REGRESS_TARGETS += stamp-pf -CLEANFILES += addr.py *.pyc *.log +CLEANFILES += addr.py *.pyc *.log stamp-* .PHONY: check-setup @@ -148,8 +128,5 @@ check-setup: ping6 -n -c 1 ${DST_OUT6} route -n get -inet6 ${SRT_IN6} | grep -q 'gateway: ${DST_IN6}$$' ndp -n ${DST_IN6} | grep -q ' ${DST_MAC} ' -.if defined(REMOTE_SSH) - ssh ${REMOTE_SSH} ${SUDO} pfctl -si | grep '^Status: Disabled ' -.endif .include diff --git a/regress/sys/netinet6/rh0/rh0_empty.py b/regress/sys/netinet6/rh0/rh0_empty.py index 954d1e15553..e087131a717 100644 --- a/regress/sys/netinet6/rh0/rh0_empty.py +++ b/regress/sys/netinet6/rh0/rh0_empty.py @@ -3,6 +3,8 @@ # the address list is empty # we expect a parameter problem from header scanning +print "send ping6 packet with routing header type 0 but empty address list" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_final.py b/regress/sys/netinet6/rh0/rh0_final.py index 881c8910099..7bb179f8ff3 100644 --- a/regress/sys/netinet6/rh0/rh0_final.py +++ b/regress/sys/netinet6/rh0/rh0_final.py @@ -3,6 +3,8 @@ # the address pointer is at the final destination # we expect a parameter problem from header scanning +print "send ping6 packet with routing header type 0 to the final destination" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_frag2.py b/regress/sys/netinet6/rh0/rh0_frag2.py index 04c6773284b..7054c3fe4a3 100644 --- a/regress/sys/netinet6/rh0/rh0_frag2.py +++ b/regress/sys/netinet6/rh0/rh0_frag2.py @@ -4,6 +4,8 @@ # hide the routing header in a second fragment to preclude header scan # we expect an echo reply, as there are no more hops +print "send with fragment and routing header type 0 to be source routed" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_frag_empty.py b/regress/sys/netinet6/rh0/rh0_frag_empty.py index a9f3636ba5e..03eb969ee21 100644 --- a/regress/sys/netinet6/rh0/rh0_frag_empty.py +++ b/regress/sys/netinet6/rh0/rh0_frag_empty.py @@ -4,6 +4,8 @@ # hide the routing header behind a fragment header to avoid header scan # we expect an echo reply, as there are no more hops +print "send with fragment and routing header type 0 but empty address list" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_frag_final.py b/regress/sys/netinet6/rh0/rh0_frag_final.py index 63d5f40a68e..62ae301f3b8 100644 --- a/regress/sys/netinet6/rh0/rh0_frag_final.py +++ b/regress/sys/netinet6/rh0/rh0_frag_final.py @@ -4,6 +4,8 @@ # hide the routing header behind a fragment header to avoid header scan # we expect an echo reply, as there are no more hops +print "send with fragment and routing header type 0 to the final destination" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_frag_route.py b/regress/sys/netinet6/rh0/rh0_frag_route.py index 8632c4f4fe5..3b55ae49fd9 100644 --- a/regress/sys/netinet6/rh0/rh0_frag_route.py +++ b/regress/sys/netinet6/rh0/rh0_frag_route.py @@ -4,6 +4,8 @@ # hide the routing header behind a fragment header to avoid header scan # we expect an ICMP6 error, as we do not support source routing +print "send with fragment and routing header type 0 to be source routed" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_none.py b/regress/sys/netinet6/rh0/rh0_none.py index 328fa296436..694a9277fa4 100644 --- a/regress/sys/netinet6/rh0/rh0_none.py +++ b/regress/sys/netinet6/rh0/rh0_none.py @@ -2,6 +2,8 @@ # send a ping6 packet without routing header type 0 # we expect an echo reply, as there is no routing header +print "send ping6 packet without routing header type 0" + import os from addr import * from scapy.all import * diff --git a/regress/sys/netinet6/rh0/rh0_route.py b/regress/sys/netinet6/rh0/rh0_route.py index 0a248af90b6..71d4144063a 100644 --- a/regress/sys/netinet6/rh0/rh0_route.py +++ b/regress/sys/netinet6/rh0/rh0_route.py @@ -3,6 +3,8 @@ # try to source route # we expect an ICMP6 error, as we do not support source routing +print "send ping6 packet with routing header type 0 to be source routed" + import os from addr import * from scapy.all import * -- cgit v1.2.3