Hi FreeBSD developers, There is a need to test firewalls for a case when the first mbuf in a chain has m_len == 0. It comes from a real issue found recently -- a specific mix of kernel modules reveals a defect in the firewalls' behavior.
The proposal is to provide a source of non-usual mbuf chains for the testing purposes in the scope of system/e2e type of tests. The idea is straightforward -- we could put another pfil(9) user in front of a firewall, which would alter a mbuf chain according to the given configuration before it hits a firewall. There is a working prototype, the current design of which is as follows: - A brand new module, dummymbuf, provides special pfil hooks. Such hooks are meant to be linked manually via pfilctl(8). - Newly added "net.dummymbuf.rules" sysctl is used for configuration, which is a list of rules applied sequentially. Each rule filters a packet by PFIL type (inet, inet6, ethernet), direction (in, out), and interface. Upon matching a specified operation is applied to a mbuf chain. Currently, there is a single operation named "pull-head", which always allocates a new cluster in front of the chain and pulls a given number of bytes. Zero bytes pulled means to create a situation with the first mbuf of zero length. Non-matching packets are passed without modification. - It's designed to fail fast by dropping a packet in case of misconfiguration or other issues. - Additionally, there is "net.dummymbuf.hits" counter sysctl revealing the number of times any rule has been applied. It's expected to be used for extra checks to lower the chances of false positives if the module has defects or is misconfigured. - This is a VNET based solution. Parallel testing should be applicable. - A quick sneak peek to get use case intuition, for an atf-sh test case: pfilctl link -i dummymbuf:inet inet sysctl net.dummymbuf.rules='inet in epair0b pull-head 0;' atf_check_equal "0" "$(sysctl -n net.dummymbuf.hits)" atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 atf_check_equal "1" "$(sysctl -n net.dummymbuf.hits)" It would be very appreciated to hear opinions and suggestions. There may be high level organizational questions like whether it should hit the base or should be part of the test suite only, and so on. The WIP patch: https://reviews.freebsd.org/D45928 The usage example: https://reviews.freebsd.org/D45927 Best regards, Igor.
