Page MenuHomeFreeBSD
Differential D40269 Diff 122428 tests/sys/netinet/jail_bind.sh

Changeset View

Standalone View

View Options

tests/sys/netinet/jail_bind.sh

  • This file was added.
#!/usr/bin/env atf-sh
#-
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2023 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
# Test connection handling with classic jails. This exercises the inpcb
# lookup code in the kernel, which must how to handle incoming connections
# when multiple listeners are present.
#
# Each test case creates a vnet jail containing one or more classic jails.
# The vnet jail's lo0 interface is assigned a set of addresses, and the
# child jails inherit some of those addresses. Then we use nc(1) to listen
# on port 4242 both in and outside the classic jails and verify that the
# kernel routes incoming connections to the right place.
#
_listen()
{
local af jname port addr outf pid
af=$1
jname=$2
cjname=$3
addr=$4
port=$5
outf=$6
if [ "$addr" = "wild" ]; then
addr=""
fi
if [ "$cjname" != "none" ]; then
cjname="jexec $cjname"
else
cjname=""
fi
jexec $jname $cjname nc $af -k -l $addr $port > $outf 2>&1 &
pid=$!
# Give nc(1) a bit of time to bind.
sleep 0.1
echo $pid
}
listen4()
{
_listen -4 $*
}
listen6()
{
_listen -6 $*
}
stop_listen()
{
atf_check kill $@
wait $@
}
# Create the parent jail and initialize it. This should be called once per
# test case.
make_parent_jail()
{
local jname
jname=${1}; shift
atf_check jail -c name=$jname children.max=8 vnet persist $@
atf_check jexec $jname ifconfig lo0 inet 127.0.0.1
atf_check jexec $jname ifconfig lo0 alias 127.0.0.2
atf_check jexec $jname ifconfig lo0 alias 127.0.0.3
atf_check jexec $jname ifconfig lo0 alias 127.0.0.4
atf_check jexec $jname ifconfig lo0 inet6 fc00::1
atf_check jexec $jname ifconfig lo0 inet6 fc00::2
atf_check jexec $jname ifconfig lo0 inet6 fc00::3
atf_check jexec $jname ifconfig lo0 inet6 fc00::4
}
# Create a classic jail within the main vnet jail for the test.
make_classic_jail()
{
local pjname jname
pjname=${1}; shift
jname=${1}; shift
atf_check jexec $pjname jail -c name=$jname persist $@
}
atf_test_case "single_ip4" "cleanup"
single_ip4_head()
{
atf_set descr "Check handling of IPv4 in a jail with one address"
atf_set require.user root
}
single_ip4_body()
{
local nc1 nc2
make_parent_jail single_ip4
make_classic_jail single_ip4 foo ip4.addr=127.0.0.2
# Don't specify an address to bind to. The jailed socket will get
# precedence because the address will be rewritten for single-IP jails.
nc1=$(listen4 single_ip4 none wild 4242 nc1.out)
nc2=$(listen4 single_ip4 foo wild 4242 nc2.out)
echo 123 | jexec single_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec single_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen4 single_ip4 foo wild 4242 nc2.out)
nc1=$(listen4 single_ip4 none wild 4242 nc1.out)
echo 123 | jexec single_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec single_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Bind to the jail address. The jailed socket should receive the
# connection.
nc1=$(listen4 single_ip4 foo 127.0.0.2 4242 nc1.out)
nc2=$(listen4 single_ip4 none 127.0.0.2 4242 nc2.out)
echo 123 | jexec single_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen4 single_ip4 none 127.0.0.2 4242 nc2.out)
nc1=$(listen4 single_ip4 foo 127.0.0.2 4242 nc1.out)
echo 123 | jexec single_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
}
single_ip4_cleanup()
{
jexec single_ip4 jail -r foo
jail -r single_ip4
}
atf_test_case "single_ip6" "cleanup"
single_ip6_head()
{
atf_set descr "Check handling of IPv6 in a jail with one address"
atf_set require.user root
}
single_ip6_body()
{
local nc1 nc2
make_parent_jail single_ip6
make_classic_jail single_ip6 foo ip6.addr=fc00::2
# Don't specify an address to bind to. The jailed socket will get
# precedence because the address will be rewritten for single-IP jails.
nc1=$(listen6 single_ip6 none wild 4242 nc1.out)
nc2=$(listen6 single_ip6 foo wild 4242 nc2.out)
echo 123 | jexec single_ip6 nc -N fc00::1 4242
echo 456 | jexec single_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen6 single_ip6 foo wild 4242 nc2.out)
nc1=$(listen6 single_ip6 none wild 4242 nc1.out)
echo 123 | jexec single_ip6 nc -N fc00::1 4242
echo 456 | jexec single_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Bind to the jail address. The jailed socket should receive the
# connection.
nc1=$(listen6 single_ip6 foo fc00::2 4242 nc1.out)
nc2=$(listen6 single_ip6 none fc00::2 4242 nc2.out)
echo 123 | jexec single_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen6 single_ip6 none fc00::2 4242 nc2.out)
nc1=$(listen6 single_ip6 foo fc00::2 4242 nc1.out)
echo 123 | jexec single_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
}
single_ip6_cleanup()
{
jexec single_ip6 jail -r foo
jail -r single_ip6
}
atf_test_case "multi_ip4" "cleanup"
multi_ip4_head()
{
atf_set descr "Check handling of IPv4 in a jail with multiple addresses"
atf_set require.user root
}
multi_ip4_body()
{
local nc1 nc2
make_parent_jail multi_ip4
make_classic_jail multi_ip4 foo ip4.addr=127.0.0.2,127.0.0.3
# Non-jailed wildcard sockets are preferred over jailed wildcard
# sockets.
nc1=$(listen4 multi_ip4 none wild 4242 nc1.out)
nc2=$(listen4 multi_ip4 foo wild 4242 nc2.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n456\n789\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen4 multi_ip4 foo wild 4242 nc2.out)
nc1=$(listen4 multi_ip4 none wild 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n456\n789\n" cat nc1.out
# Within the jail, the socket bound to a jail address is preferred.
nc1=$(listen4 multi_ip4 foo 127.0.0.2 4242 nc1.out)
nc2=$(listen4 multi_ip4 foo wild 4242 nc2.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o inline:"789\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen4 multi_ip4 foo wild 4242 nc2.out)
nc1=$(listen4 multi_ip4 foo 127.0.0.2 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o inline:"789\n" cat nc2.out
# A non-wildcard socket in the host must have preference over a
# wildcard socket in the jail.
nc1=$(listen4 multi_ip4 foo wild 4242 nc1.out)
nc2=$(listen4 multi_ip4 none 127.0.0.2 4242 nc2.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc2.out
atf_check -o inline:"789\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen4 multi_ip4 none 127.0.0.2 4242 nc2.out)
nc1=$(listen4 multi_ip4 foo wild 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc2.out
atf_check -o inline:"789\n" cat nc1.out
# If two sockets are bound to the same address, the jailed socket is
# preferred.
nc1=$(listen4 multi_ip4 foo 127.0.0.2 4242 nc1.out)
nc2=$(listen4 multi_ip4 none 127.0.0.2 4242 nc2.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o empty cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen4 multi_ip4 none 127.0.0.2 4242 nc2.out)
nc1=$(listen4 multi_ip4 foo 127.0.0.2 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o empty cat nc2.out
# A jailed socket with a specified address is preferred to a non-jailed
# wildcard socket.
nc1=$(listen4 multi_ip4 foo 127.0.0.3 4242 nc1.out)
nc2=$(listen4 multi_ip4 none wild 4242 nc2.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"789\n" cat nc1.out
atf_check -o inline:"123\n456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen4 multi_ip4 none wild 4242 nc2.out)
nc1=$(listen4 multi_ip4 foo 127.0.0.3 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"789\n" cat nc1.out
atf_check -o inline:"123\n456\n" cat nc2.out
# Make sure that we can reach the jailed socket if nothing in the
# parent has bound to the same port.
nc1=$(listen4 multi_ip4 foo wild 4242 nc1.out)
echo 123 | jexec multi_ip4 nc -N 127.0.0.1 4242 # Dropped.
echo 456 | jexec multi_ip4 nc -N 127.0.0.2 4242
echo 789 | jexec multi_ip4 nc -N 127.0.0.3 4242
stop_listen $nc1
atf_check -o inline:"456\n789\n" cat nc1.out
}
multi_ip4_cleanup()
{
jail -r multi_ip4
}
atf_test_case "multi_ip6" "cleanup"
multi_ip6_head()
{
atf_set descr "Check handling of IPv6 in a jail with multiple addresses"
atf_set require.user root
}
multi_ip6_body()
{
local nc1 nc2
make_parent_jail multi_ip6
make_classic_jail multi_ip6 foo ip6.addr=fc00::2,fc00::3
# Non-jailed wildcard sockets are preferred over jailed wildcard
# sockets.
nc1=$(listen6 multi_ip6 none wild 4242 nc1.out)
nc2=$(listen6 multi_ip6 foo wild 4242 nc2.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n456\n789\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen6 multi_ip6 foo wild 4242 nc2.out)
nc1=$(listen6 multi_ip6 none wild 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"123\n456\n789\n" cat nc1.out
# Within the jail, the socket bound to a jail address is preferred.
nc1=$(listen6 multi_ip6 foo fc00::2 4242 nc1.out)
nc2=$(listen6 multi_ip6 foo wild 4242 nc2.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o inline:"789\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen6 multi_ip6 foo wild 4242 nc2.out)
nc1=$(listen6 multi_ip6 foo fc00::2 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o inline:"789\n" cat nc2.out
# A non-wildcard socket in the host must have preference over a
# wildcard socket in the jail.
nc1=$(listen6 multi_ip6 foo wild 4242 nc1.out)
nc2=$(listen6 multi_ip6 none fc00::2 4242 nc2.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc2.out
atf_check -o inline:"789\n" cat nc1.out
# Same test again, but bind in the other order.
nc2=$(listen6 multi_ip6 none fc00::2 4242 nc2.out)
nc1=$(listen6 multi_ip6 foo wild 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc2.out
atf_check -o inline:"789\n" cat nc1.out
# If two sockets are bound to the same address, the jailed socket is
# preferred.
nc1=$(listen6 multi_ip6 foo fc00::2 4242 nc1.out)
nc2=$(listen6 multi_ip6 none fc00::2 4242 nc2.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o empty cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen6 multi_ip6 none fc00::2 4242 nc2.out)
nc1=$(listen6 multi_ip6 foo fc00::2 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
stop_listen $nc1 $nc2
atf_check -o inline:"456\n" cat nc1.out
atf_check -o empty cat nc2.out
# A jailed socket with a specified address is preferred to a non-jailed
# wildcard socket.
nc1=$(listen6 multi_ip6 foo fc00::3 4242 nc1.out)
nc2=$(listen6 multi_ip6 none wild 4242 nc2.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"789\n" cat nc1.out
atf_check -o inline:"123\n456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen6 multi_ip6 none wild 4242 nc2.out)
nc1=$(listen6 multi_ip6 foo fc00::3 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1 $nc2
atf_check -o inline:"789\n" cat nc1.out
atf_check -o inline:"123\n456\n" cat nc2.out
# Make sure that we can reach the jailed socket if nothing in the
# parent has bound to the same port.
nc1=$(listen6 multi_ip6 foo wild 4242 nc1.out)
echo 123 | jexec multi_ip6 nc -N fc00::1 4242 # Dropped.
echo 456 | jexec multi_ip6 nc -N fc00::2 4242
echo 789 | jexec multi_ip6 nc -N fc00::3 4242
stop_listen $nc1
atf_check -o inline:"456\n789\n" cat nc1.out
}
multi_ip6_cleanup()
{
jail -r multi_ip6
}
atf_test_case "wild_match_ip4" "cleanup"
wild_match_ip4_head()
{
atf_set descr "Check handling of IPv4 wild-card addresses"
atf_set require.user root
}
wild_match_ip4_body()
{
local nc1 nc2
make_parent_jail wild_match_ip4
# The socket with a specified local address gets precedence over
# a wildcard match.
nc1=$(listen4 wild_match_ip4 none 127.0.0.1 4242 nc1.out)
nc2=$(listen4 wild_match_ip4 none wild 4242 nc2.out)
echo 123 | jexec wild_match_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec wild_match_ip4 nc -N 127.0.0.2 4242
atf_check kill $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen4 wild_match_ip4 none wild 4242 nc2.out)
nc1=$(listen4 wild_match_ip4 none 127.0.0.1 4242 nc1.out)
echo 123 | jexec wild_match_ip4 nc -N 127.0.0.1 4242
echo 456 | jexec wild_match_ip4 nc -N 127.0.0.2 4242
atf_check kill $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
}
wild_match_ip4_cleanup()
{
jail -r wild_match_ip4
}
atf_test_case "wild_match_ip6" "cleanup"
wild_match_ip6_head()
{
atf_set descr "Check handling of IPv6 wild-card addresses"
atf_set require.user root
}
wild_match_ip6_body()
{
local nc1 nc2
make_parent_jail wild_match_ip6
# The socket with a specified local address gets precedence over
# a wildcard match.
nc1=$(listen6 wild_match_ip6 none fc00::1 4242 nc1.out)
nc2=$(listen6 wild_match_ip6 none wild 4242 nc2.out)
echo 123 | jexec wild_match_ip6 nc -N fc00::1 4242
echo 456 | jexec wild_match_ip6 nc -N fc00::2 4242
atf_check kill $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
# Same test again, but bind in the other order.
nc2=$(listen6 wild_match_ip6 none wild 4242 nc2.out)
nc1=$(listen6 wild_match_ip6 none fc00::1 4242 nc1.out)
echo 123 | jexec wild_match_ip6 nc -N fc00::1 4242
echo 456 | jexec wild_match_ip6 nc -N fc00::2 4242
atf_check kill $nc1 $nc2
atf_check -o inline:"123\n" cat nc1.out
atf_check -o inline:"456\n" cat nc2.out
}
wild_match_ip6_cleanup()
{
jail -r wild_match_ip6
}
atf_init_test_cases()
{
atf_add_test_case "single_ip4"
atf_add_test_case "single_ip6"
atf_add_test_case "multi_ip4"
atf_add_test_case "multi_ip6"
atf_add_test_case "wild_match_ip4"
atf_add_test_case "wild_match_ip6"
}