Index: tests/sys/netpfil/common/Makefile =================================================================== --- tests/sys/netpfil/common/Makefile +++ tests/sys/netpfil/common/Makefile @@ -16,10 +16,12 @@ ${PACKAGE}FILES+= \ utils.subr \ runner.subr \ + pft_icmp_check.py \ pft_ping.py \ pft_synflood.py \ sniffer.py +${PACKAGE}FILESMODE_pft_icmp_check.py= 0555 ${PACKAGE}FILESMODE_pft_ping.py= 0555 ${PACKAGE}FILESMODE_pft_synflood.py= 0555 Index: tests/sys/netpfil/common/pft_icmp_check.py =================================================================== --- /dev/null +++ tests/sys/netpfil/common/pft_icmp_check.py @@ -0,0 +1,112 @@ +#!/usr/bin/env python3 +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright (c) 2021 Rubicon Communications, LLC (Netgate) +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# + +import argparse +import logging +logging.getLogger("scapy").setLevel(logging.CRITICAL) +import random +import scapy.all as sp +import socket +import sys +from sniffer import Sniffer + +PAYLOAD_MAGIC = bytes.fromhex('42c0ffee') + +def ping(send_if, dst_ip, args): + ether = sp.Ether() + ip = sp.IP(dst=dst_ip, src=args.fromaddr[0]) + icmp = sp.ICMP(type='echo-request') + raw = sp.raw(PAYLOAD_MAGIC * 250) # We want 1000 bytes payload, -ish + + ip.flags = 2 # Don't fragment + icmp.seq = random.randint(0, 65535) + args.icmp_seq = icmp.seq + + req = ether / ip / icmp / raw + sp.sendp(req, iface=send_if, verbose=False) + +def check_icmp_too_big(args, packet): + """ + Verify that this is an ICMP packet too big error, and that the IP addresses + in the payload packet match expectations. + """ + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + + if not icmp.type == 3: + return False + ip = packet.getlayer(sp.IPerror) + if not ip: + return False + + if ip.src != args.fromaddr[0]: + print("Incorrect src addr %s" % ip.src) + return False + if ip.dst != args.to[0]: + print("Incorrect dst addr %s" % ip.dst) + return False + + icmp2 = packet.getlayer(sp.ICMPerror) + if not icmp2: + print("IPerror doesn't contain ICMP") + return False + if icmp2.seq != args.icmp_seq: + print("Incorrect icmp seq %d != %d" % (icmp2.seq, args.icmp_seq)) + return False + return True + +def main(): + parser = argparse.ArgumentParser("pft_icmp_check.py", + description="ICMP error validation tool") + parser.add_argument('--to', nargs=1, required=True, + help='The destination IP address') + parser.add_argument('--fromaddr', nargs=1, required=True, + help='The source IP address') + parser.add_argument('--sendif', nargs=1, required=True, + help='The interface through which the packet(s) will be sent') + parser.add_argument('--recvif', nargs=1, + help='The interface on which to expect the ICMP error') + + args = parser.parse_args() + sniffer = None + if not args.recvif is None: + sniffer = Sniffer(args, check_icmp_too_big) + + ping(args.sendif[0], args.to[0], args) + + if sniffer: + sniffer.join() + + if sniffer.foundCorrectPacket: + sys.exit(0) + else: + sys.exit(1) + +if __name__ == '__main__': + main() Index: tests/sys/netpfil/pf/route_to.sh =================================================================== --- tests/sys/netpfil/pf/route_to.sh +++ tests/sys/netpfil/pf/route_to.sh @@ -27,6 +27,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "v4" "cleanup" v4_head() { @@ -250,10 +252,67 @@ pft_cleanup } +atf_test_case "icmp_nat" "cleanup" +icmp_nat_head() +{ + atf_set descr 'Test that ICMP packets are correct for route-to + NAT' + atf_set require.user root +} + +icmp_nat_body() +{ + pft_init + + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + epair_three=$(vnet_mkepair) + + vnet_mkjail gw ${epair_one}b ${epair_two}a ${epair_three}a + vnet_mkjail srv ${epair_two}b + vnet_mkjail srv2 ${epair_three}b + + ifconfig ${epair_one}a 192.0.2.2/24 up + route add -net 198.51.100.0/24 192.0.2.1 + jexec gw sysctl net.inet.ip.forwarding=1 + jexec gw ifconfig ${epair_one}b 192.0.2.1/24 up + jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up + jexec gw ifconfig ${epair_three}a 203.0.113.1/24 up mtu 500 + jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up + jexec srv route add default 198.51.100.1 + jexec srv2 ifconfig ${epair_three}b 203.0.113.2/24 up mtu 500 + jexec srv2 route add default 203.0.113.1 + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2 + + jexec gw pfctl -e + pft_set_rules gw \ + "nat on ${epair_two}a inet from 192.0.2.0/24 to any -> (${epair_two}a)" \ + "nat on ${epair_three}a inet from 192.0.2.0/24 to any -> (${epair_three}a)" \ + "pass out route-to (${epair_three}a 203.0.113.2) proto icmp icmp-type echoreq" + + # Now ensure that we get an ICMP error with the correct IP addresses in it. + atf_check -s exit:0 ${common_dir}/pft_icmp_check.py \ + --to 198.51.100.2 \ + --fromaddr 192.0.2.2 \ + --recvif ${epair_one}a \ + --sendif ${epair_one}a + + # ping reports the ICMP error, so check of that too. + atf_check -s exit:2 -o match:'frag needed and DF set' \ + ping -D -c 1 -s 1000 198.51.100.2 +} + +icmp_nat_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" atf_add_test_case "multiwan" atf_add_test_case "multiwanlocal" + atf_add_test_case "icmp_nat" }