D46391.diff
No OneTemporary
Actions

Size

3 KB

Referenced Files

None

Subscribers

None

D46391.diff
View Options

	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -4365,6 +4365,13 @@
	r = TAILQ_FIRST(rules);
	rm = NULL;

	+ if (__predict_false(m->m_len < sizeof(struct ether_header)) &&
	+ (m = m0 = m_pullup(m0, sizeof(struct ether_header))) == NULL) {
	+ DPFPRINTF(PF_DEBUG_URGENT,
	+ ("pf_test_eth_rule: m_len < sizeof(struct ether_header)"
	+ ", pullup failed\n"));
	+ return (PF_DROP);
	+ }
	e = mtod(m, struct ether_header *);
	proto = ntohs(e->ether_type);

	diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh
	--- a/tests/sys/netpfil/pf/mbuf.sh
	+++ b/tests/sys/netpfil/pf/mbuf.sh
	@@ -151,8 +151,81 @@
	pft_cleanup
	}

	+atf_test_case "ethernet_in_mbuf_len" "cleanup"
	+ethernet_in_mbuf_len_head()
	+{
	+ atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ether_header)'
	+ atf_set require.user root
	+}
	+ethernet_in_mbuf_len_body()
	+{
	+ pft_init
	+ dummymbuf_init
	+
	+ epair=$(vnet_mkepair)
	+ epair_a_mac=$(ifconfig ${epair}a ether \| awk '/ether/ { print $2; }')
	+ ifconfig ${epair}a 192.0.2.1/24 up
	+
	+ # Set up a simple jail with one interface
	+ vnet_mkjail alcatraz ${epair}b
	+ jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	+ epair_b_mac=$(jexec alcatraz ifconfig ${epair}b ether \| awk '/ether/ { print $2; }')
	+
	+ # Sanity check
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+
	+ # Should be denied
	+ jexec alcatraz pfctl -e
	+ pft_set_rules alcatraz \
	+ "ether block" \
	+ "pass"
	+ atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2
	+
	+ # Should be allowed by from/to addresses
	+ echo $epair_a_mac
	+ echo $epair_b_mac
	+ pft_set_rules alcatraz \
	+ "ether block" \
	+ "ether pass in from ${epair_a_mac} to ${epair_b_mac}" \
	+ "ether pass out from ${epair_b_mac} to ${epair_a_mac}" \
	+ "pass"
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+
	+ # Should still work for m_len=0
	+ jexec alcatraz pfilctl link -i dummymbuf:ethernet ethernet
	+ jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 0;"
	+ atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+ atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
	+
	+ # m_len=1
	+ jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 1;"
	+ jexec alcatraz sysctl net.dummymbuf.hits=0
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+ atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
	+
	+ # m_len=11
	+ # for the simplest L2 Ethernet frame it should impact src field
	+ jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 11;"
	+ jexec alcatraz sysctl net.dummymbuf.hits=0
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+ atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
	+
	+ # m_len=13
	+ # provided L2 Ethernet simplest header is 14 bytes long, it should impact ethertype field
	+ jexec alcatraz sysctl net.dummymbuf.rules="ethernet in ${epair}b pull-head 13;"
	+ jexec alcatraz sysctl net.dummymbuf.hits=0
	+ atf_check -s exit:0 -o ignore ping -c1 192.0.2.2
	+ atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
	+}
	+ethernet_in_mbuf_len_cleanup()
	+{
	+ pft_cleanup
	+}
	+
	atf_init_test_cases()
	{
	atf_add_test_case "inet_in_mbuf_len"
	atf_add_test_case "inet6_in_mbuf_len"
	+ atf_add_test_case "ethernet_in_mbuf_len"
	}

File Metadata

Mime Type: text/plain
Expires: Thu, Nov 7, 5:45 AM (21 h, 8 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 14505412
Default Alt Text: D46391.diff (3 KB)

D46391.diffNo OneTemporaryActions

D46391.diffView Options

File Metadata

Event Timeline

D46391.diff
No OneTemporary
Actions

D46391.diff
View Options