pf: test rules evaluation in the face of multiple IPv6 fragment headers

Send an ICMPv6 echo request packet with multiple IPv6 fragment headers.
Set rules to pass all packets, except for ICMPv6 echo requests.

pf ought to drop the echo request, but doesn't because it reassembles
the packet, and then doesn't handle the second fragment header. In other
words: it fails to detect the ICMPv6 echo header.

Reported by:	Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
MFC after:	instant
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2023-07-13 08:34:54 +02:00
parent 76afcbb524
commit b23dbabb7f
3 changed files with 83 additions and 0 deletions
+21
@@ -1,6 +1,7 @@
#!/usr/local/bin/python3
import json
import os
import subprocess
class ToolsHelper(object):
@@ -13,6 +14,26 @@ def get_output(cls, cmd: str, verbose=False) -> str:
print("run: '{}'".format(cmd))
return os.popen(cmd).read()
@classmethod
def pf_rules(cls, rules, verbose=True):
pf_conf = ""
for r in rules:
pf_conf = pf_conf + r + "\n"
if verbose:
print("Set rules:")
print(pf_conf)
ps = subprocess.Popen("/sbin/pfctl -g -f -", shell=True,
stdin=subprocess.PIPE)
ps.communicate(bytes(pf_conf, 'utf-8'))
ret = ps.wait()
if ret != 0:
raise Exception("Failed to set pf rules %d" % ret)
if verbose:
cls.print_output("/sbin/pfctl -sr")
@classmethod
def print_output(cls, cmd: str, verbose=True):
if verbose: