Changeset View
Changeset View
Standalone View
Standalone View
tests/sys/netpfil/pf/src_track.sh
| Show First 20 Lines • Show All 301 Lines • ▼ Show 20 Lines | max_src_states_global_body() | ||||
| grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output" | grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output" | ||||
| } | } | ||||
| max_src_states_global_cleanup() | max_src_states_global_cleanup() | ||||
| { | { | ||||
| pft_cleanup | pft_cleanup | ||||
| } | } | ||||
| route_to_head() | sn_types_compat_head() | ||||
| { | { | ||||
| atf_set descr 'Max states per source per rule with route-to' | atf_set descr 'Combination of source node types with compat NAT rules' | ||||
| atf_set require.user root | atf_set require.user root | ||||
| atf_set require.progs python3 scapy | atf_set require.progs python3 scapy | ||||
| } | } | ||||
| route_to_body() | sn_types_compat_body() | ||||
| { | { | ||||
| setup_router_dummy_ipv6 | setup_router_dummy_ipv6 | ||||
| # Clients will connect from another network behind the router. | # Clients will connect from another network behind the router. | ||||
| # This allows for using multiple source addresses. | # This allows for using multiple source addresses. | ||||
| jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2 | jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2 | ||||
| # Additional gateways for route-to. | # Additional gateways for route-to. | ||||
| ▲ Show 20 Lines • Show All 67 Lines • ▼ Show 20 Lines | for node_regexp in \ | ||||
| '2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \ | '2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \ | ||||
| ; do | ; do | ||||
| grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'" | grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'" | ||||
| done | done | ||||
| ! grep -q 'filter rule 3' $nodes || atf_fail "Source node found for rule 3" | ! grep -q 'filter rule 3' $nodes || atf_fail "Source node found for rule 3" | ||||
| } | } | ||||
| route_to_cleanup() | sn_types_compat_cleanup() | ||||
| { | { | ||||
| pft_cleanup | pft_cleanup | ||||
| } | } | ||||
| sn_types_pass_head() | |||||
| { | |||||
| atf_set descr 'Combination of source node types with pass NAT rules' | |||||
| atf_set require.user root | |||||
| atf_set require.progs python3 scapy | |||||
| } | |||||
| sn_types_pass_body() | |||||
| { | |||||
| setup_router_dummy_ipv6 | |||||
| # Clients will connect from another network behind the router. | |||||
| # This allows for using multiple source addresses. | |||||
| jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2 | |||||
| # Additional gateways for route-to. | |||||
| rtgw=${net_server_host_server%::*}::2:1 | |||||
| jexec router ndp -s ${rtgw} 00:01:02:03:04:05 | |||||
| # This test will check for proper source node creation for: | |||||
| # max-src-states -> PF_SN_LIMIT | |||||
| # sticky-address -> PF_SN_NAT | |||||
| # route-to -> PF_SN_ROUTE | |||||
| # The test expands to all 8 combinations of those source nodes being | |||||
| # present or not. | |||||
| pft_set_rules router \ | |||||
| "table <rtgws> { ${rtgw} }" \ | |||||
| "table <rdrgws> { 2001:db8:45::1 }" \ | |||||
| "block" \ | |||||
| "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ | |||||
| "match in on ${epair_tester}b inet6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 rdr-to <rdrgws> port 4242 sticky-address label rule_3" \ | |||||
| "pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 proto tcp from port 4211 keep state label rule_4" \ | |||||
| "pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4212 keep state label rule_5" \ | |||||
| "pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 proto tcp from port 4213 keep state (max-src-states 3 source-track rule) label rule_6" \ | |||||
| "pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 keep state (max-src-states 3 source-track rule) label rule_7" \ | |||||
| "pass out quick on ${epair_server}a keep state" | |||||
| # We don't check if state limits are properly enforced, this is tested | |||||
| # by other tests in this file. | |||||
| # Source address will not match the NAT rule | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --to 2001:db8:45::1 | |||||
| # Source address will match the NAT rule | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --to 2001:db8:45::1 | |||||
| ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --to 2001:db8:45::1 | |||||
| states=$(mktemp) || exit 1 | |||||
| jexec router pfctl -qvss | normalize_pfctl_s > $states | |||||
| nodes=$(mktemp) || exit 1 | |||||
| jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes | |||||
| echo " === states ===" | |||||
| cat $states | |||||
| echo " === nodes ===" | |||||
| cat $nodes | |||||
| echo " === end === " | |||||
| # Order of states in output is not guaranteed, find each one separately. | |||||
| for state_regexp in \ | |||||
| 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4$' \ | |||||
| 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, route sticky-address$' \ | |||||
| 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track$' \ | |||||
| 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit source-track, route sticky-address$' \ | |||||
| 'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4, NAT/RDR sticky-address' \ | |||||
| 'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, NAT/RDR sticky-address, route sticky-address' \ | |||||
| 'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, NAT/RDR sticky-address' \ | |||||
| 'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit source-track, NAT/RDR sticky-address, route sticky-address' \ | |||||
| ; do | |||||
| grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" | |||||
| done | |||||
| # Order of source nodes in output is not guaranteed, find each one separately. | |||||
| for node_regexp in \ | |||||
| '2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, route sticky-address' \ | |||||
| '2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \ | |||||
| '2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, route sticky-address' \ | |||||
| '2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, limit source-track' \ | |||||
| '2001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \ | |||||
| '2001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \ | |||||
| '2001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, route sticky-address' \ | |||||
| '2001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \ | |||||
| '2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \ | |||||
| '2001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \ | |||||
| '2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, route sticky-address' \ | |||||
| '2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, limit source-track' \ | |||||
| ; do | |||||
| grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'" | |||||
| done | |||||
| } | |||||
| sn_types_pass_cleanup() | |||||
| { | |||||
| pft_cleanup | |||||
| } | |||||
| atf_init_test_cases() | atf_init_test_cases() | ||||
| { | { | ||||
| atf_add_test_case "source_track" | atf_add_test_case "source_track" | ||||
| atf_add_test_case "kill" | atf_add_test_case "kill" | ||||
| atf_add_test_case "max_src_conn_rule" | atf_add_test_case "max_src_conn_rule" | ||||
| atf_add_test_case "max_src_states_rule" | atf_add_test_case "max_src_states_rule" | ||||
| atf_add_test_case "max_src_states_global" | atf_add_test_case "max_src_states_global" | ||||
| atf_add_test_case "route_to" | atf_add_test_case "sn_types_compat" | ||||
| atf_add_test_case "sn_types_pass" | |||||
| } | } | ||||