diff options
author | Kristof Provost <kp@FreeBSD.org> | 2023-10-03 15:11:44 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2023-10-07 07:39:04 +0000 |
commit | f69181e9de1b021f4689ce50b420f9c694268ec8 (patch) | |
tree | 1fb3e6a39c8f4ede1f001c3e4183155b9b6d06d2 /tests | |
parent | 7ec227367ed748011a97540296b0935de877cc5a (diff) | |
download | src-f69181e9de1b021f4689ce50b420f9c694268ec8.tar.gz src-f69181e9de1b021f4689ce50b420f9c694268ec8.zip |
pf: cope with missing rpool.cur
If we're evaluating a pfsync'd state (and have different rules on both
ends) our state may point to the default rule, which does not have
rpool.cur set. As a result we can end up dereferencing a NULL pointer.
Explicitly check for this when we try to re-construct the route-to interface.
Also add a test case which can trigger this issue.
MFC after: 3 days
See also: https://redmine.pfsense.org/issues/14804
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 74c2461386ea5eeb41e674df6b16a44b0509a882)
Diffstat (limited to 'tests')
-rw-r--r-- | tests/sys/netpfil/pf/pfsync.sh | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh index d62cdddd504a..91c7b8410a08 100644 --- a/tests/sys/netpfil/pf/pfsync.sh +++ b/tests/sys/netpfil/pf/pfsync.sh @@ -825,6 +825,101 @@ basic_ipv6_cleanup() pfsynct_cleanup } +atf_test_case "route_to" "cleanup" +route_to_head() +{ + atf_set descr 'Test route-to with default rule' + atf_set require.user root + atf_set require.progs scapy +} + +route_to_body() +{ + pfsynct_init + + epair_sync=$(vnet_mkepair) + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + epair_out_one=$(vnet_mkepair) + epair_out_two=$(vnet_mkepair) + + vnet_mkjail one ${epair_one}a ${epair_sync}a ${epair_out_one}a + vnet_mkjail two ${epair_two}a ${epair_sync}b ${epair_out_two}a + + # pfsync interface + jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up + jexec one ifconfig ${epair_one}a 198.51.100.1/24 up + jexec one ifconfig ${epair_out_one}a 203.0.113.1/24 up + jexec one ifconfig ${epair_out_one}a name outif + jexec one sysctl net.inet.ip.forwarding=1 + jexec one arp -s 203.0.113.254 00:01:02:03:04:05 + jexec one ifconfig pfsync0 \ + syncdev ${epair_sync}a \ + maxupd 1 \ + up + + jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up + jexec two ifconfig ${epair_two}a 198.51.100.2/24 up + jexec two ifconfig ${epair_out_two}a 203.0.113.2/24 up + #jexec two ifconfig ${epair_out_two}a name outif + jexec two sysctl net.inet.ip.forwarding=1 + jexec two arp -s 203.0.113.254 00:01:02:03:04:05 + jexec two ifconfig pfsync0 \ + syncdev ${epair_sync}b \ + maxupd 1 \ + up + + # Enable pf! + jexec one pfctl -e + pft_set_rules one \ + "set skip on ${epair_sync}a" \ + "pass out route-to (outif 203.0.113.254)" + jexec two pfctl -e + + # Make sure we have different rulesets so the synced state is associated with + # V_pf_default_rule + pft_set_rules two \ + "set skip on ${epair_sync}b" \ + "pass out route-to (outif 203.0.113.254)" \ + "pass out proto tcp" + + ifconfig ${epair_one}b 198.51.100.254/24 up + ifconfig ${epair_two}b 198.51.100.253/24 up + route add -net 203.0.113.0/24 198.51.100.1 + ifconfig ${epair_two}b up + ifconfig ${epair_out_one}b up + ifconfig ${epair_out_two}b up + + atf_check -s exit:0 env PYTHONPATH=${common_dir} \ + ${common_dir}/pft_ping.py \ + --sendif ${epair_one}b \ + --fromaddr 198.51.100.254 \ + --to 203.0.113.254 \ + --recvif ${epair_out_one}b + + # Allow time for sync + ifconfig ${epair_one}b inet 198.51.100.254 -alias + route del -net 203.0.113.0/24 198.51.100.1 + route add -net 203.0.113.0/24 198.51.100.2 + + sleep 2 + + # Now try to trigger the state on the other pfsync member + env PYTHONPATH=${common_dir} \ + ${common_dir}/pft_ping.py \ + --sendif ${epair_two}b \ + --fromaddr 198.51.100.254 \ + --to 203.0.113.254 \ + --recvif ${epair_out_two}b + + true +} + +route_to_cleanup() +{ + pfsynct_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" @@ -837,4 +932,5 @@ atf_init_test_cases() atf_add_test_case "timeout" atf_add_test_case "basic_ipv6_unicast" atf_add_test_case "basic_ipv6" + atf_add_test_case "route_to" } |