tests/sys/netpfil/common/nat.sh
} | } | ||||
userspace_nat_cleanup() | userspace_nat_cleanup() | ||||
{ | { | ||||
firewall=$1 | firewall=$1 | ||||
firewall_cleanup $firewall | firewall_cleanup $firewall | ||||
} | } | ||||
common_cgn() { | |||||
firewall=$1 | |||||
portalias=$2 | |||||
firewall_init $firewall | |||||
nat_init $firewall | |||||
epair_host_nat=$(vnet_mkepair) | |||||
epair_client1_nat=$(vnet_mkepair) | |||||
epair_client2_nat=$(vnet_mkepair) | |||||
vnet_mkjail nat ${epair_host_nat}b ${epair_client1_nat}a ${epair_client2_nat}a | |||||
vnet_mkjail client1 ${epair_client1_nat}b | |||||
vnet_mkjail client2 ${epair_client2_nat}b | |||||
ifconfig ${epair_host_nat}a 198.51.100.2/24 up | |||||
jexec nat ifconfig ${epair_host_nat}b 198.51.100.1/24 up | |||||
jexec nat ifconfig ${epair_client1_nat}a 100.64.0.1/24 up | |||||
jexec client1 ifconfig ${epair_client1_nat}b 100.64.0.2/24 up | |||||
jexec nat ifconfig ${epair_client2_nat}a 100.64.1.1/24 up | |||||
jexec client2 ifconfig ${epair_client2_nat}b 100.64.1.2/24 up | |||||
jexec nat sysctl net.inet.ip.forwarding=1 | |||||
jexec client1 route add -net 198.51.100.0/24 100.64.0.1 | |||||
jexec client2 route add -net 198.51.100.0/24 100.64.1.1 | |||||
# ping fails without NAT configuration | |||||
atf_check -s exit:2 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 | |||||
atf_check -s exit:2 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 | |||||
if [[ $portalias ]]; then | |||||
firewall_config nat $firewall \ | |||||
"ipfw" \ | |||||
"ipfw -q nat 123 config if ${epair_host_nat}b unreg_cgn port_alias 2000 2999" \ | |||||
"ipfw -q nat 456 config if ${epair_host_nat}b unreg_cgn port_alias 3000 3999" \ | |||||
donner: Without knowing exactly the bounds of the interval (half open) the configuration raises… | |||||
Done Inline ActionsFixed it. nc: Fixed it. | |||||
Done Inline ActionsNo no. The concern is only valid as long as the documentation about the half open interval was missing. The configuration you need (using half open intervals) is 2000 3000 and 3000 4000 in order to match the port ranges in lines 187-188 below. donner: No no. The concern is only valid as long as the documentation about the half open interval was… | |||||
"ipfw -q add 1000 nat 123 all from any to 198.51.100.2 in via ${epair_host_nat}b" \ | |||||
"ipfw -q add 2000 nat 456 all from any to 198.51.100.2 in via ${epair_host_nat}b" \ | |||||
Done Inline ActionsWhere are the rules for dealiasing packets? donner: Where are the rules for dealiasing packets? | |||||
Done Inline ActionsI'm not sure if this would work, but here it is. nc: I'm not sure if this would work, but here it is. | |||||
Done Inline ActionsLine 187 and 188 have exactly the same match, so only 187 is invoked. 188 will never be used. Furthermore they are only outgoing (for aliasing), they do not match incoming packets (for dealiasing) donner: Line 187 and 188 have exactly the same match, so only 187 is invoked. 188 will never be used. | |||||
"ipfw -q add 3000 nat 123 all from 100.64.0.2 to any out via ${epair_host_nat}b" \ | |||||
"ipfw -q add 4000 nat 456 all from 100.64.1.2 to any out via ${epair_host_nat}b" | |||||
else | |||||
firewall_config nat $firewall \ | |||||
"ipfw" \ | |||||
"ipfw -q nat 123 config if ${epair_host_nat}b unreg_cgn" \ | |||||
"ipfw -q add 1000 nat 123 all from any to any" | |||||
fi | |||||
# ping is successful now | |||||
atf_check -s exit:0 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 | |||||
atf_check -s exit:0 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 | |||||
# if portalias, test a tcp server/client with nc | |||||
if [[ $portalias ]]; then | |||||
for inst in 1 2; do | |||||
daemon nc -p 198.51.100.2 7 | |||||
atf_check -s exit:0 -o ignore jexec client$inst sh -c "echo | nc -N 198.51.100.2 7" | |||||
done | |||||
fi | |||||
} | |||||
cgn_head() | |||||
{ | |||||
atf_set descr 'IPv4 CGN (RFC 6598) test' | |||||
atf_set require.user root | |||||
} | |||||
cgn_body() | |||||
{ | |||||
common_cgn $1 false | |||||
} | |||||
cgn_cleanup() | |||||
{ | |||||
firewall_cleanup ipfw | |||||
} | |||||
portalias_head() | |||||
{ | |||||
atf_set descr 'IPv4 CGN (RFC 6598) port aliasing test' | |||||
atf_set require.user root | |||||
} | |||||
portalias_body() | |||||
{ | |||||
common_cgn $1 true | |||||
} | |||||
portalias_cleanup() | |||||
{ | |||||
firewall_cleanup ipfw | |||||
} | |||||
setup_tests \ | setup_tests \ | ||||
basic \ | basic \ | ||||
pf \ | pf \ | ||||
ipfw \ | ipfw \ | ||||
ipfnat \ | ipfnat \ | ||||
userspace_nat \ | userspace_nat \ | ||||
ipfw | ipfw \ | ||||
No newline at end of file | cgn \ | ||||
ipfw \ | |||||
portalias \ | |||||
ipfw |
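Review bot: `if [[ $portalias ]]; then` (used twice in common_cgn, before the firewall_config call and before the nc loop) only tests that the second argument is non-empty, so `common_cgn $1 false` from cgn_body takes the port-alias branch just like `common_cgn $1 true` from portalias_body; compare against the literal instead, `if [ "$portalias" = true ]; then`, in both places. If this file runs under /bin/sh as the other atf-sh tests in this directory appear to, `[[` is presumably not available at all, so the `[ ... ]` form is needed anyway — the file header with the interpreter line is outside this view, so that part is inferred. In the nc loop, `daemon nc -p 198.51.100.2 7` looks wrong: `-p` is nc's source-port option and expects a port number, so this likely never starts a listener on the host side; the listening form is `nc -l 198.51.100.2 7`. Whatever nc processes this does start are daemonized and never killed, and portalias_cleanup only calls `firewall_cleanup ipfw`, so a listener on port 7 can leak across test runs; record the pid or kill the nc listeners in the cleanup function.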
Without knowing the exact bounds of the (half-open) interval, the configuration raises concerns about overlapping.