pf tests: test short packets

Test sending very short packets (i.e. too short for an IP header)
packets in the Ethernet filtering code.

Sponsored by:	Rubicon Communications, LLC ("Netgate")

tests/sys/netpfil/pf/Makefile

@@ -45,6 +45,7 @@ ${PACKAGE}FILES+=	CVE-2019-5597.py \
 			frag-overlimit.py \
 			frag-overreplace.py \
 			pfsync_defer.py \
+			pft_ether.py \
 			utils.subr
 
 ${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
@@ -54,5 +55,6 @@ ${PACKAGE}FILESMODE_frag-overindex.py=	0555
 ${PACKAGE}FILESMODE_frag-overlimit.py=	0555
 ${PACKAGE}FILESMODE_frag-overreplace.py=	0555
 ${PACKAGE}FILESMODE_pfsync_defer.py=	0555
+${PACKAGE}FILESMODE_pft_ether.py=	0555
 
 .include <bsd.test.mk>

tests/sys/netpfil/pf/ether.sh

@@ -634,6 +634,51 @@ match_tag_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "short_pkt" "cleanup"
+short_pkt_head()
+{
+	atf_set descr 'Test overly short Ethernet packets'
+	atf_set require.user root
+}
+
+short_pkt_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a 192.0.2.1/24 up
+
+	vnet_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+		"ether pass in" \
+		"ether pass out" \
+		"ether pass in l3 from 192.0.2.1"
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+	jexec alcatraz pfctl -se -v
+
+	# Try sending ever shorter ping requests
+	# BPF won't let us send anything shorter than an Ethernet header, but
+	# that's good enough for this test
+	for i in `seq 46 14`
+	do
+		$(atf_get_srcdir)/pft_ether.py \
+		    --sendif ${epair}a \
+		    --to 192.0.2.2 \
+		    --len ${i}
+	done
+}
+
+short_pkt_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "mac"
@@ -646,4 +691,5 @@ atf_init_test_cases()
 	atf_add_test_case "ip"
 	atf_add_test_case "tag"
 	atf_add_test_case "match_tag"
+	atf_add_test_case "short_pkt"
 }

tests/sys/netpfil/pf/pft_ether.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright © 2022. Rubicon Communications, LLC (Netgate). All Rights Reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+import argparse
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import scapy.all as sp
+import socket
+import sys
+
+PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
+
+def ping(send_if, dst_ip, length):
+	ether = sp.Ether()
+	ip = sp.IP(dst=dst_ip)
+	icmp = sp.ICMP(type='echo-request')
+	raw = sp.raw(PAYLOAD_MAGIC)
+
+	req = ether / ip / icmp / raw
+	req = req.build()[0:length]
+
+	sp.sendp(req, iface=send_if, verbose=False)
+
+def main():
+	parser = argparse.ArgumentParser("pft_ether.py",
+		description="Ethernet test tool")
+	parser.add_argument('--sendif', nargs=1,
+		required=True,
+		help='The interface through which the packet(s) will be sent')
+	parser.add_argument('--to', nargs=1,
+		required=True,
+		help='The destination IP address for the ICMP echo request')
+	parser.add_argument('--len', nargs=1,
+		required=True,
+		help='The length of the packet')
+
+	args = parser.parse_args()
+
+	ping(args.sendif[0], args.to[0], int(args.len[0]))
+
+if __name__ == '__main__':
+	main()