Index: nat.sh =================================================================== --- nat.sh +++ nat.sh @@ -147,10 +147,107 @@ firewall_cleanup $firewall } +common_cgn() { + firewall=$1 + portalias=$2 + firewall_init $firewall + nat_init $firewall + + epair_host_nat=$(vnet_mkepair) + epair_client1_nat=$(vnet_mkepair) + epair_client2_nat=$(vnet_mkepair) + + vnet_mkjail nat ${epair_host_nat}b ${epair_client1_nat}a ${epair_client2_nat}a + vnet_mkjail client1 ${epair_client1_nat}b + vnet_mkjail client2 ${epair_client2_nat}b + + ifconfig ${epair_host_nat}a 198.51.100.2/24 up + jexec nat ifconfig ${epair_host_nat}b 198.51.100.1/24 up + + jexec nat ifconfig ${epair_client1_nat}a 100.64.0.1/24 up + jexec client1 ifconfig ${epair_client1_nat}b 100.64.0.2/24 up + + jexec nat ifconfig ${epair_client2_nat}a 100.64.1.1/24 up + jexec client2 ifconfig ${epair_client2_nat}b 100.64.1.2/24 up + + jexec nat sysctl net.inet.ip.forwarding=1 + + jexec client1 route add -net 198.51.100.0/24 100.64.0.1 + jexec client2 route add -net 198.51.100.0/24 100.64.1.1 + + # ping fails without NAT configuration + atf_check -s exit:2 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:2 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 + + if [[ $portalias ]]; then + firewall_config nat $firewall \ + "ipfw" \ + "ipfw -q nat 123 config if ${epair_host_nat}b unreg_cgn port_alias 2000 2999" \ + "ipfw -q nat 456 config if ${epair_host_nat}b unreg_cgn port_alias 3000 3999" \ + "ipfw -q add 1000 nat 123 all from any to 198.51.100.2 in via ${epair_host_nat}b" \ + "ipfw -q add 2000 nat 456 all from any to 198.51.100.2 in via ${epair_host_nat}b" \ + "ipfw -q add 3000 nat 123 all from 100.64.0.2 to any out via ${epair_host_nat}b" \ + "ipfw -q add 4000 nat 456 all from 100.64.1.2 to any out via ${epair_host_nat}b" + else + firewall_config nat $firewall \ + "ipfw" \ + "ipfw -q nat 123 config if ${epair_host_nat}b unreg_cgn" \ + "ipfw -q add 1000 nat 123 all from any to any" + fi + + # ping is successful now + atf_check -s exit:0 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 + + # if portalias, test a tcp server/client with nc + if [[ $portalias ]]; then + for inst in 1 2; do + daemon nc -p 198.51.100.2 7 + atf_check -s exit:0 -o ignore jexec client$inst sh -c "echo | nc -N 198.51.100.2 7" + done + fi +} + +cgn_head() +{ + atf_set descr 'IPv4 CGN (RFC 6598) test' + atf_set require.user root +} + +cgn_body() +{ + common_cgn $1 false +} + +cgn_cleanup() +{ + firewall_cleanup ipfw +} + +portalias_head() +{ + atf_set descr 'IPv4 CGN (RFC 6598) port aliasing test' + atf_set require.user root +} + +portalias_body() +{ + common_cgn $1 true +} + +portalias_cleanup() +{ + firewall_cleanup ipfw +} + setup_tests \ basic \ pf \ ipfw \ ipfnat \ userspace_nat \ - ipfw \ No newline at end of file + ipfw \ + cgn \ + ipfw \ + portalias \ + ipfw