Page MenuHomeFreeBSD
Files F136621420

D38126.id116038.diff
No OneTemporary
Actions

D38126.id116038.diff
View Options

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -7,7 +7,6 @@
ATF_TESTS_SH+= altq \
anchor \
- checksum \
dup \
ether \
forward \
@@ -18,6 +17,7 @@
macro \
map_e \
match \
+ modulate \
names \
nat \
pass_block \
@@ -27,7 +27,9 @@
rdr \
ridentifier \
route_to \
+ rtable \
rules_counter \
+ scrub \
set_skip \
set_tos \
src_track \
diff --git a/tests/sys/netpfil/pf/checksum.sh b/tests/sys/netpfil/pf/checksum.sh
deleted file mode 100644
--- a/tests/sys/netpfil/pf/checksum.sh
+++ /dev/null
@@ -1,86 +0,0 @@
-# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
-#
-# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-. $(atf_get_srcdir)/utils.subr
-
-common_dir=$(atf_get_srcdir)/../common
-
-atf_test_case "unaligned" "cleanup"
-unaligned_head()
-{
- atf_set descr 'Test unaligned checksum updates'
- atf_set require.user root
- atf_set require.progs scapy
-}
-
-unaligned_body()
-{
- pft_init
-
- epair_in=$(vnet_mkepair)
- epair_out=$(vnet_mkepair)
-
- vnet_mkjail alcatraz ${epair_in}b ${epair_out}a
-
- ifconfig ${epair_in}a 192.0.2.2/24 up
- route add -net 198.51.100.0/24 192.0.2.1
-
- jexec alcatraz ifconfig ${epair_in}b 192.0.2.1/24 up
- jexec alcatraz sysctl net.inet.ip.forwarding=1
-
- jexec alcatraz ifconfig ${epair_out}a 198.51.100.1/24 up
- jexec alcatraz arp -s 198.51.100.2 00:01:02:03:04:05
-
- ifconfig ${epair_out}b up
-
- jexec alcatraz pfctl -e
- pft_set_rules alcatraz \
- "scrub on ${epair_in}b reassemble tcp max-mss 1200"
-
- # Check aligned
- atf_check -s exit:0 ${common_dir}/pft_ping.py \
- --sendif ${epair_in}a \
- --to 198.51.100.2 \
- --recvif ${epair_out}b \
- --ping-type tcpsyn
-
- # And unaligned
- atf_check -s exit:0 ${common_dir}/pft_ping.py \
- --sendif ${epair_in}a \
- --to 198.51.100.2 \
- --recvif ${epair_out}b \
- --ping-type tcpsyn \
- --send-tcpopt-unaligned
-}
-
-unaligned_cleanup()
-{
- pft_cleanup
-}
-
-atf_init_test_cases()
-{
- atf_add_test_case "unaligned"
-}
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation.sh
@@ -327,6 +327,43 @@
pft_cleanup
}
+atf_test_case "no_df" "cleanup"
+no_df_head()
+{
+ atf_set descr 'Test removing of DF flag'
+ atf_set require.user root
+}
+
+no_df_body()
+{
+ setup_router_server_ipv4
+
+ # Tester can send long packets which will get fragmented by the router.
+ # Replies from server will come in fragments which might get
+ # reassemblied resulting in a long reply packet sent back to tester.
+ ifconfig ${epair_tester}a mtu 9000
+ jexec router ifconfig ${epair_tester}b mtu 9000
+ jexec router ifconfig ${epair_server}a mtu 1500
+ jexec server ifconfig ${epair_server}b mtu 1500
+
+ # Sanity check.
+ ping_server_check_reply 0 --ping-type=icmp
+
+ # Enable packet reassembly with clearing of the no-df flag.
+ pft_set_rules router \
+ "scrub all fragment reassemble no-df" \
+ "block" \
+ "pass inet proto icmp all icmp-type echoreq"
+ # Ping with non-fragmentable packets.
+ # pf will strip the DF flag resulting in fragmentation and packets
+ # getting properly forwarded.
+ ping_server_check_reply 0 --ping-type=icmp --send-length=2000 --send-flags DF
+}
+no_df_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "too_many_fragments"
@@ -336,4 +373,5 @@
atf_add_test_case "overindex"
atf_add_test_case "overlimit"
atf_add_test_case "reassemble"
+ atf_add_test_case "no_df"
}
diff --git a/tests/sys/netpfil/pf/modulate.sh b/tests/sys/netpfil/pf/modulate.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/modulate.sh
@@ -0,0 +1,80 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegetga@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "modulate_v4" "cleanup"
+modulate_v4_head()
+{
+ atf_set descr 'IPv4 TCP sequence number modulation'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+modulate_v4_body()
+{
+ setup_router_dummy_ipv4
+
+ pft_set_rules router \
+ "pass in on ${epair_tester}b modulate state"
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-seq 42 # Sanity check
+ ping_dummy_check_request 1 --ping-type=tcpsyn --send-seq 42 --expect-seq 42
+}
+
+modulate_v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "modulate_v6" "cleanup"
+modulate_v6_head()
+{
+ atf_set descr 'IPv6 TCP sequence number modulation'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+modulate_v6_body()
+{
+ setup_router_dummy_ipv6
+
+ pft_set_rules router \
+ "pass in on ${epair_tester}b modulate state"
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-seq 42 # Sanity check
+ ping_dummy_check_request 1 --ping-type=tcpsyn --send-seq 42 --expect-seq 42
+}
+
+modulate_v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "modulate_v4"
+ atf_add_test_case "modulate_v6"
+}
diff --git a/tests/sys/netpfil/pf/rtable.sh b/tests/sys/netpfil/pf/rtable.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/rtable.sh
@@ -0,0 +1,131 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegetga@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "forward_v4" "cleanup"
+forward_v4_head()
+{
+ atf_set descr 'Test IPv4 forwarding with rtable'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+forward_v4_body()
+{
+ setup_router_server_ipv4
+
+ # Sanity check
+ ping_server_check_reply 0
+
+ jexec router sysctl net.fibs=2
+ jexec router ifconfig ${epair_server}a fib 1
+ jexec router route del -net ${net_server}
+ jexec router route add -fib 1 -net ${net_server} -iface ${epair_server}a
+
+ # Sanity check
+ ping_server_check_reply 1
+
+ # This rule is not enough.
+ # Echo requests will be properly forwarded but replies can't be routed back.
+ pft_set_rules router \
+ "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
+ ping_server_check_reply 1
+
+ # Allow replies coming back to the tester properly via stateful filtering post-routing.
+ pft_set_rules router \
+ "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" \
+ "pass out on ${epair_server}a inet proto icmp all icmp-type echoreq rtable 0"
+ ping_server_check_reply 0
+
+ # Allow replies coming back to the tester properly via provding extra routes in rtable 1
+ pft_set_rules router \
+ "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
+ jexec router route add -fib 1 -net ${net_tester} -iface ${epair_tester}b
+ ping_server_check_reply 0
+}
+
+forward_v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "forward_v6" "cleanup"
+forward_v6_head()
+{
+ atf_set descr 'Test IPv6 forwarding with rtable'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+forward_v6_body()
+{
+ setup_router_server_ipv6
+
+ # Sanity check
+ ping_server_check_reply 0
+
+ jexec router sysctl net.fibs=2
+ jexec router ifconfig ${epair_server}a fib 1
+ jexec router route del -6 ${net_server}
+ jexec router route add -fib 1 -6 ${net_server} -iface ${epair_server}a
+
+ # Sanity check
+ ping_server_check_reply 1
+
+ # This rule is not enough.
+ # Echo requests will be properly forwarded but replies can't be routed back.
+ pft_set_rules router \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq"
+ ping_server_check_reply 1
+
+ # Allow replies coming back to the tester properly via stateful filtering post-routing.
+ pft_set_rules router \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1" \
+ "pass out on ${epair_server}a inet6 proto icmp6 icmp6-type echoreq rtable 0"
+ ping_server_check_reply 0
+
+ # Allow replies coming back to the tester properly via provding extra routes in rtable 1
+ pft_set_rules router \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1"
+ jexec router route add -fib 1 -6 ${net_tester} -iface ${epair_tester}b
+ ping_server_check_reply 0
+}
+
+forward_v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "forward_v4"
+ atf_add_test_case "forward_v6"
+}
diff --git a/tests/sys/netpfil/pf/scrub.sh b/tests/sys/netpfil/pf/scrub.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/scrub.sh
@@ -0,0 +1,221 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "max_mss_v4" "cleanup"
+max_mss_v4_head()
+{
+ atf_set descr 'Test IPv4 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "max_mss_v6" "cleanup"
+max_mss_v6_head()
+{
+ atf_set descr 'Test IPv6 scrub "mss" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+max_mss_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b max-mss 1300"
+ # Check aligned
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300
+ # And unaligned
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \
+ --send-tcpopt-unaligned
+}
+
+max_mss_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v4" "cleanup"
+set_tos_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request 0 --send-tc=0 --expect-tc=66
+}
+
+set_tos_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "set_tos_v6" "cleanup"
+set_tos_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "set-tos" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+set_tos_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-tc=0 --expect-tc=66
+}
+
+set_tos_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v4" "cleanup"
+min_ttl_v4_head()
+{
+ atf_set descr 'Test IPv4 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "min_ttl_v6" "cleanup"
+min_ttl_v6_head()
+{
+ atf_set descr 'Test IPv6 scub "min-ttl" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+min_ttl_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router "scrub on ${epair_tester}b min-ttl 50"
+ ping_dummy_check_request 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49
+}
+
+min_ttl_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v4" "cleanup"
+no_scrub_v4_head()
+{
+ atf_set descr 'Test IPv4 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v4_body()
+{
+ setup_router_dummy_ipv4
+ pft_set_rules router\
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request 0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v4_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_test_case "no_scrub_v6" "cleanup"
+no_scrub_v6_head()
+{
+ atf_set descr 'Test IPv6 "no scrub" rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+no_scrub_v6_body()
+{
+ setup_router_dummy_ipv6
+ pft_set_rules router \
+ "no scrub on ${epair_tester}b to ${net_server_host_server}"
+ "scrub on ${epair_tester}b set-tos 0x42"
+ ping_dummy_check_request 0 --send-tc=0 --expect-tc=0
+}
+
+no_scrub_v6_cleanup()
+{
+ pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+ atf_add_test_case "max_mss_v4"
+ atf_add_test_case "max_mss_v6"
+ atf_add_test_case "set_tos_v4"
+ atf_add_test_case "set_tos_v6"
+ atf_add_test_case "min_ttl_v4"
+ atf_add_test_case "min_ttl_v6"
+ atf_add_test_case "no_scrub_v4"
+ atf_add_test_case "no_scrub_v6"
+}
diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr
--- a/tests/sys/netpfil/pf/utils.subr
+++ b/tests/sys/netpfil/pf/utils.subr
@@ -4,6 +4,7 @@
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
@@ -27,6 +28,7 @@
# SUCH DAMAGE.
. $(atf_get_srcdir)/../../common/vnet.subr
+common_dir=$(atf_get_srcdir)/../common
pft_onerror()
{
@@ -153,3 +155,137 @@
{
pft_cleanup
}
+
+# Create a bare router jail.
+# This function lacks target configuration.
+setup_router_ipv4()
+{
+ pft_init
+
+ epair_tester=$(vnet_mkepair)
+ epair_server=$(vnet_mkepair)
+
+ net_tester=192.0.2.0/24
+ net_tester_mask=24
+ net_tester_host_router=192.0.2.1
+ net_tester_host_tester=192.0.2.2
+
+ net_server=198.51.100.0/24
+ net_server_mask=24
+ net_server_host_router=198.51.100.1
+ net_server_host_server=198.51.100.2
+
+ vnet_mkjail router ${epair_tester}b ${epair_server}a
+
+ ifconfig ${epair_tester}a ${net_tester_host_tester}/${net_tester_mask} up
+ route add -net ${net_server} ${net_tester_host_router}
+
+ jexec router ifconfig ${epair_tester}b ${net_tester_host_router}/${net_tester_mask} up
+ jexec router sysctl net.inet.ip.forwarding=1
+ jexec router ifconfig ${epair_server}a ${net_server_host_router}/${net_server_mask} up
+
+ jexec router pfctl -e
+}
+
+# Create a router jail.
+# The target for tests does not exist but a static ARP entry does
+# so packets to it can be properly routed.
+setup_router_dummy_ipv4()
+{
+ setup_router_ipv4
+ jexec router arp -s ${net_server_host_server} 00:01:02:03:04:05
+ ifconfig ${epair_server}b up
+}
+
+# Create a router and a server jail.
+# The server is capable of responding to pings from the tester.
+setup_router_server_ipv4()
+{
+ setup_router_ipv4
+ vnet_mkjail server ${epair_server}b
+ jexec server ifconfig ${epair_server}b ${net_server_host_server}/${net_server_mask} up
+ jexec server route add -net ${net_tester} ${net_server_host_router}
+ jexec server nc -4l 666 &
+ sleep 1 # Give nc time to start and listen
+}
+
+# Create a bare router jail.
+# This function lacks target configuration.
+setup_router_ipv6()
+{
+ pft_init
+
+ epair_tester=$(vnet_mkepair)
+ epair_server=$(vnet_mkepair)
+
+ net_tester=2001:db8:42::/64
+ net_tester_mask=64
+ net_tester_host_router=2001:db8:42::1
+ net_tester_host_tester=2001:db8:42::2
+
+ net_server=2001:db8:43::/64
+ net_server_mask=64
+ net_server_host_router=2001:db8:43::1
+ net_server_host_server=2001:db8:43::2
+
+ vnet_mkjail router ${epair_tester}b ${epair_server}a
+
+ ifconfig ${epair_tester}a inet6 ${net_tester_host_tester}/${net_tester_mask}up no_dad
+ route add -6 ${net_server} ${net_tester_host_router}
+
+ jexec router ifconfig ${epair_tester}b inet6 ${net_tester_host_router}/${net_tester_mask} up no_dad
+ jexec router sysctl net.inet6.ip6.forwarding=1
+ jexec router ifconfig ${epair_server}a inet6 ${net_server_host_router}/${net_server_mask} up no_dad
+
+ jexec router pfctl -e
+}
+
+# Create a router jail.
+# The target for tests does not exist but a static NDP entry does
+# so packets to it can be properly routed.
+setup_router_dummy_ipv6()
+{
+ setup_router_ipv6
+ jexec router ndp -s ${net_server_host_server} 00:01:02:03:04:05
+ ifconfig ${epair_server}b up
+}
+
+# Create a router and a server jail.
+# The server is capable of responding to pings from tester.
+setup_router_server_ipv6()
+{
+ setup_router_ipv6
+ vnet_mkjail server ${epair_server}b
+ jexec server ifconfig ${epair_server}b inet6 ${net_server_host_server}/${net_server_mask} up no_dad
+ jexec server route add -6 ${net_tester} ${net_server_host_router}
+ jexec server nc -6l 666 &
+ sleep 1 # Give nc time to start and listen
+}
+
+# Ping the dummy static NDP target.
+# Check for pings being forwarded through the router towards the target.
+ping_dummy_check_request()
+{
+ exit_code=$1
+ shift
+ params=$@
+ atf_check -s exit:${exit_code} ${common_dir}/pft_ping.py \
+ --sendif ${epair_tester}a \
+ --to ${net_server_host_server} \
+ --recvif ${epair_server}b \
+ $params
+}
+
+# Ping the server jail.
+# Check for responses coming back throught the router back to the tester.
+ping_server_check_reply()
+{
+ exit_code=$1
+ shift
+ params=$@
+ atf_check -s exit:${exit_code} ${common_dir}/pft_ping.py \
+ --sendif ${epair_tester}a \
+ --to ${net_server_host_server} \
+ --replyif ${epair_tester}a \
+ $params
+}

File Metadata

Mime Type
text/plain
Expires
Wed, Nov 19, 3:11 PM (5 h, 33 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
25645926
Default Alt Text
D38126.id116038.diff (22 KB)

Event Timeline