
D51797.id.diff

diff --git a/tests/sys/netpfil/pf/syncookie.sh b/tests/sys/netpfil/pf/syncookie.sh
--- a/tests/sys/netpfil/pf/syncookie.sh
+++ b/tests/sys/netpfil/pf/syncookie.sh
@@ -561,6 +561,67 @@
pft_cleanup
}
+route_to_v4_head()
+{
+ atf_set descr 'Syncookie with route-to for IPv4'
+ atf_set require.user root
+}
+
+route_to_v4_body()
+{
+ pft_init
+ setup_router_server_ipv4
+
+ # Check if the recreated syn gets properly routed and tagged
+ pft_set_rules router \
+ "set syncookies always" \
+ "block" \
+ "pass in on ${epair_tester}b route-to ( ${epair_server}a ${net_server_host_server}) inet proto tcp tag sometag" \
+ "pass out on ${epair_server}a inet proto tcp tagged sometag"
+
+ # The usual test pft_ping --ping-type=3way is not enough.
+ # We need to ensure that packets can really flow both ways.
+ # That includes both "real" packets and the ones created by pf_synproxy().
+ atf_check -s exit:0 -o match:"This is a test" -x \
+ "echo 'This is a test' | nc -Nw3 ${net_routeto_host_server} echo"
+}
+
+route_to_v4_cleanup()
+{
+ pft_cleanup
+}
+
+route_to_v6_head()
+{
+ atf_set descr 'Syncookie with route-to for IPv6'
+ atf_set require.user root
+}
+
+route_to_v6_body()
+{
+ pft_init
+ setup_router_server_ipv6
+
+ # Check if the recreated syn gets properly routed and tagged
+ pft_set_rules router \
+ "set syncookies always" \
+ "block" \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b route-to ( ${epair_server}a ${net_server_host_server}) inet6 proto tcp tag sometag" \
+ "pass out on ${epair_server}a inet6 proto tcp tagged sometag"
+
+ # The usual test pft_ping --ping-type=3way is not enough.
+ # We need to ensure that packets can really flow both ways.
+ # That includes both "real" packets and the ones created by pf_synproxy().
+ atf_check -s exit:0 -o match:"This is a test" -x \
+ "echo 'This is a test' | nc -Nw3 ${net_routeto_host_server} echo"
+}
+
+route_to_v6_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "basic"
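Review bot: The bodies of route_to_v4_body and route_to_v6_body (lines 20–37 and 50–68) differ only in the address-family keyword and the extra icmp6 pass rule, and the same two bodies are repeated again in synproxy.sh with `synproxy state` appended; a small helper taking the family and any extra rules would leave one copy of the three-line comment and the `nc` check per file. The helper below is for syncookie.sh; synproxy.sh would get the same shape with `"set syncookies always"` replaced by the `synproxy state` suffix on the route-to rule. While here, the route-to target `( ${epair_server}a ${net_server_host_server})` is missing the space before `)`, which pfctl tolerates but reads unevenly.
```shell
# Shared body for the route_to_* cases. $1 is the address family keyword
# for the rules ("inet" or "inet6"); any further arguments are extra rules
# inserted before the tcp rules (e.g. the icmp6 neighbour-discovery pass).
route_to_common()
{
	local af=$1
	shift

	# Check if the recreated syn gets properly routed and tagged
	pft_set_rules router \
	    "set syncookies always" \
	    "block" \
	    "$@" \
	    "pass in on ${epair_tester}b route-to ( ${epair_server}a ${net_server_host_server} ) ${af} proto tcp tag sometag" \
	    "pass out on ${epair_server}a ${af} proto tcp tagged sometag"

	# … unchanged: three-line comment and the atf_check/nc echo test …
}

route_to_v4_body()
{
	pft_init
	setup_router_server_ipv4
	route_to_common inet
}

route_to_v6_body()
{
	pft_init
	setup_router_server_ipv6
	route_to_common inet6 \
	    "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }"
}
```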
@@ -574,4 +635,6 @@
atf_add_test_case "adaptive"
atf_add_test_case "limits"
atf_add_test_case "port_reuse"
+ atf_add_test_case "route_to_v4"
+ atf_add_test_case "route_to_v6"
}
diff --git a/tests/sys/netpfil/pf/synproxy.sh b/tests/sys/netpfil/pf/synproxy.sh
--- a/tests/sys/netpfil/pf/synproxy.sh
+++ b/tests/sys/netpfil/pf/synproxy.sh
@@ -156,9 +156,70 @@
pft_cleanup
}
+route_to_v4_head()
+{
+ atf_set descr 'Synproxy with route-to for IPv4'
+ atf_set require.user root
+}
+
+route_to_v4_body()
+{
+ pft_init
+ setup_router_server_ipv4
+
+ # Check if the recreated syn gets properly routed and tagged
+ pft_set_rules router \
+ "block" \
+ "pass in on ${epair_tester}b route-to ( ${epair_server}a ${net_server_host_server}) inet proto tcp tag sometag synproxy state" \
+ "pass out on ${epair_server}a inet proto tcp tagged sometag"
+
+ # The usual test pft_ping --ping-type=3way is not enough.
+ # We need to ensure that packets can really flow both ways.
+ # That includes both "real" packets and the ones created by pf_synproxy().
+ atf_check -s exit:0 -o match:"This is a test" -x \
+ "echo 'This is a test' | nc -Nw3 ${net_routeto_host_server} echo"
+}
+
+route_to_v4_cleanup()
+{
+ pft_cleanup
+}
+
+route_to_v6_head()
+{
+ atf_set descr 'Synproxy with route-to for IPv6'
+ atf_set require.user root
+}
+
+route_to_v6_body()
+{
+ pft_init
+ setup_router_server_ipv6
+
+ # Check if the recreated syn gets properly routed and tagged
+ pft_set_rules router \
+ "block" \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+ "pass in on ${epair_tester}b route-to ( ${epair_server}a ${net_server_host_server}) inet6 proto tcp tag sometag synproxy state" \
+ "pass out on ${epair_server}a inet6 proto tcp tagged sometag"
+
+ # The usual test pft_ping --ping-type=3way is not enough.
+ # We need to ensure that packets can really flow both ways.
+ # That includes both "real" packets and the ones created by pf_synproxy().
+ atf_check -s exit:0 -o match:"This is a test" -x \
+ "echo 'This is a test' | nc -Nw3 ${net_routeto_host_server} echo"
+}
+
+route_to_v6_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "synproxy"
atf_add_test_case "local"
atf_add_test_case "local_v6"
+ atf_add_test_case "route_to_v4"
+ atf_add_test_case "route_to_v6"
}
diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr
--- a/tests/sys/netpfil/pf/utils.subr
+++ b/tests/sys/netpfil/pf/utils.subr
@@ -185,10 +185,14 @@
net_server_host_router=198.51.100.1
net_server_host_server=198.51.100.2
+ net_routeto=203.0.113.100/24
+ net_routeto_host_server=203.0.113.100
+
vnet_mkjail router ${epair_tester}b ${epair_server}a
ifconfig ${epair_tester}a ${net_tester_host_tester}/${net_tester_mask} up
route add -net ${net_server} ${net_tester_host_router}
+ route add -net ${net_routeto} ${net_tester_host_router}
jexec router ifconfig ${epair_tester}b ${net_tester_host_router}/${net_tester_mask} up
jexec router sysctl net.inet.ip.forwarding=1
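Review bot: `net_routeto=203.0.113.100/24` on line 164 is a host address carrying a prefix length, whereas the IPv6 counterpart in the later hunk (`net_routeto=2001:db8:45::/64`) is the network prefix; the value is only used with `route add -net`, which presumably masks the host bits, but the two should agree, e.g. `net_routeto=203.0.113.0/24`. The enclosing function setup_router_ipv4 starts before this hunk.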
@@ -214,9 +218,12 @@
setup_router_ipv4
vnet_mkjail server ${epair_server}b
jexec server ifconfig ${epair_server}b ${net_server_host_server}/${net_server_mask} up
+ jexec server ifconfig lo0 ${net_routeto_host_server} alias
jexec server route add -net ${net_tester} ${net_server_host_router}
inetd_conf=$(mktemp)
echo "discard stream tcp nowait root internal" > $inetd_conf
+ echo "daytime stream tcp nowait root internal" >> $inetd_conf
+ echo "echo stream tcp nowait root internal" >> $inetd_conf
jexec server inetd -p ${PWD}/inetd.pid $inetd_conf
}
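Review bot: The new lo0 alias on line 177 is added without a prefix length, so the server gets whatever default mask ifconfig picks for 203.0.113.100 rather than a single host address, and the IPv6 alias in the last hunk (line 201) has the same shape; a host prefix makes the intent explicit and avoids installing a connected route for the whole route-to network on the server's loopback: `jexec server ifconfig lo0 ${net_routeto_host_server}/32 alias` and `jexec server ifconfig lo0 inet6 ${net_routeto_host_server}/128 alias`. The two appended inetd lines also repeat the file's unquoted `>> $inetd_conf`; harmless for a mktemp path, but `"$inetd_conf"` is the convention worth keeping in new lines.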
@@ -239,10 +246,14 @@
net_server_host_router=2001:db8:43::1
net_server_host_server=2001:db8:43::2
+ net_routeto=2001:db8:45::/64
+ net_routeto_host_server=2001:db8:45::100
+
vnet_mkjail router ${epair_tester}b ${epair_server}a
ifconfig ${epair_tester}a inet6 ${net_tester_host_tester}/${net_tester_mask}up no_dad
route add -6 ${net_server} ${net_tester_host_router}
+ route add -6 ${net_routeto} ${net_tester_host_router}
jexec router ifconfig ${epair_tester}b inet6 ${net_tester_host_router}/${net_tester_mask} up no_dad
jexec router sysctl net.inet6.ip6.forwarding=1
@@ -268,9 +279,12 @@
setup_router_ipv6
vnet_mkjail server ${epair_server}b
jexec server ifconfig ${epair_server}b inet6 ${net_server_host_server}/${net_server_mask} up no_dad
+ jexec server ifconfig lo0 inet6 ${net_routeto_host_server} alias
jexec server route add -6 ${net_tester} ${net_server_host_router}
inetd_conf=$(mktemp)
echo "discard stream tcp6 nowait root internal" > $inetd_conf
+ echo "daytime stream tcp6 nowait root internal" >> $inetd_conf
+ echo "echo stream tcp6 nowait root internal" >> $inetd_conf
jexec server inetd -p ${PWD}/inetd.pid $inetd_conf
}
