The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=30276ef12cbb47cdd302741096262041be30ec11
commit 30276ef12cbb47cdd302741096262041be30ec11
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2021-10-19 11:52:21 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2021-10-22 07:52:17 +0000
pf tests: test NAT-ed ICMP errors
Ensure that the ICMP error is returned with the correct
source and destination addresses.
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32572
---
tests/sys/netpfil/common/Makefile | 2 +
tests/sys/netpfil/common/pft_icmp_check.py | 112 +++++++++++++++++++++++++++++
tests/sys/netpfil/pf/route_to.sh | 59 +++++++++++++++
3 files changed, 173 insertions(+)
diff --git a/tests/sys/netpfil/common/Makefile
b/tests/sys/netpfil/common/Makefile
index 749e0dd99469..189b8b44cfce 100644
--- a/tests/sys/netpfil/common/Makefile
+++ b/tests/sys/netpfil/common/Makefile
@@ -16,10 +16,12 @@ ATF_TESTS_SH+= \
${PACKAGE}FILES+= \
utils.subr \
runner.subr \
+ pft_icmp_check.py \
pft_ping.py \
pft_synflood.py \
sniffer.py
+${PACKAGE}FILESMODE_pft_icmp_check.py= 0555
${PACKAGE}FILESMODE_pft_ping.py= 0555
${PACKAGE}FILESMODE_pft_synflood.py= 0555
diff --git a/tests/sys/netpfil/common/pft_icmp_check.py
b/tests/sys/netpfil/common/pft_icmp_check.py
new file mode 100644
index 000000000000..e3c5b927aa63
--- /dev/null
+++ b/tests/sys/netpfil/common/pft_icmp_check.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+import argparse
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import random
+import scapy.all as sp
+import socket
+import sys
+from sniffer import Sniffer
+
+PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
+
+def ping(send_if, dst_ip, args):
+ ether = sp.Ether()
+ ip = sp.IP(dst=dst_ip, src=args.fromaddr[0])
+ icmp = sp.ICMP(type='echo-request')
+ raw = sp.raw(PAYLOAD_MAGIC * 250) # We want 1000 bytes payload, -ish
+
+ ip.flags = 2 # Don't fragment
+ icmp.seq = random.randint(0, 65535)
+ args.icmp_seq = icmp.seq
+
+ req = ether / ip / icmp / raw
+ sp.sendp(req, iface=send_if, verbose=False)
+
+def check_icmp_too_big(args, packet):
+ """
+ Verify that this is an ICMP packet too big error, and that the IP
addresses
+ in the payload packet match expectations.
+ """
+ icmp = packet.getlayer(sp.ICMP)
+ if not icmp:
+ return False
+
+ if not icmp.type == 3:
+ return False
+ ip = packet.getlayer(sp.IPerror)
+ if not ip:
+ return False
+
+ if ip.src != args.fromaddr[0]:
+ print("Incorrect src addr %s" % ip.src)
+ return False
+ if ip.dst != args.to[0]:
+ print("Incorrect dst addr %s" % ip.dst)
+ return False
+
+ icmp2 = packet.getlayer(sp.ICMPerror)
+ if not icmp2:
+ print("IPerror doesn't contain ICMP")
+ return False
+ if icmp2.seq != args.icmp_seq:
+ print("Incorrect icmp seq %d != %d" % (icmp2.seq,
args.icmp_seq))
+ return False
+ return True
+
+def main():
+ parser = argparse.ArgumentParser("pft_icmp_check.py",
+ description="ICMP error validation tool")
+ parser.add_argument('--to', nargs=1, required=True,
+ help='The destination IP address')
+ parser.add_argument('--fromaddr', nargs=1, required=True,
+ help='The source IP address')
+ parser.add_argument('--sendif', nargs=1, required=True,
+ help='The interface through which the packet(s) will be sent')
+ parser.add_argument('--recvif', nargs=1,
+ help='The interface on which to expect the ICMP error')
+
+ args = parser.parse_args()
+ sniffer = None
+ if not args.recvif is None:
+ sniffer = Sniffer(args, check_icmp_too_big)
+
+ ping(args.sendif[0], args.to[0], args)
+
+ if sniffer:
+ sniffer.join()
+
+ if sniffer.foundCorrectPacket:
+ sys.exit(0)
+ else:
+ sys.exit(1)
+
+if __name__ == '__main__':
+ main()
diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh
index 957317eb462e..e7646a5fb7f7 100644
--- a/tests/sys/netpfil/pf/route_to.sh
+++ b/tests/sys/netpfil/pf/route_to.sh
@@ -27,6 +27,8 @@
. $(atf_get_srcdir)/utils.subr
+common_dir=$(atf_get_srcdir)/../common
+
atf_test_case "v4" "cleanup"
v4_head()
{
@@ -250,10 +252,67 @@ multiwanlocal_cleanup()
pft_cleanup
}
+atf_test_case "icmp_nat" "cleanup"
+icmp_nat_head()
+{
+ atf_set descr 'Test that ICMP packets are correct for route-to + NAT'
+ atf_set require.user root
+}
+
+icmp_nat_body()
+{
+ pft_init
+
+ epair_one=$(vnet_mkepair)
+ epair_two=$(vnet_mkepair)
+ epair_three=$(vnet_mkepair)
+
+ vnet_mkjail gw ${epair_one}b ${epair_two}a ${epair_three}a
+ vnet_mkjail srv ${epair_two}b
+ vnet_mkjail srv2 ${epair_three}b
+
+ ifconfig ${epair_one}a 192.0.2.2/24 up
+ route add -net 198.51.100.0/24 192.0.2.1
+ jexec gw sysctl net.inet.ip.forwarding=1
+ jexec gw ifconfig ${epair_one}b 192.0.2.1/24 up
+ jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up
+ jexec gw ifconfig ${epair_three}a 203.0.113.1/24 up mtu 500
+ jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
+ jexec srv route add default 198.51.100.1
+ jexec srv2 ifconfig ${epair_three}b 203.0.113.2/24 up mtu 500
+ jexec srv2 route add default 203.0.113.1
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
+
+ jexec gw pfctl -e
+ pft_set_rules gw \
+ "nat on ${epair_two}a inet from 192.0.2.0/24 to any ->
(${epair_two}a)" \
+ "nat on ${epair_three}a inet from 192.0.2.0/24 to any ->
(${epair_three}a)" \
+ "pass out route-to (${epair_three}a 203.0.113.2) proto icmp
icmp-type echoreq"
+
+ # Now ensure that we get an ICMP error with the correct IP addresses in
it.
+ atf_check -s exit:0 ${common_dir}/pft_icmp_check.py \
+ --to 198.51.100.2 \
+ --fromaddr 192.0.2.2 \
+ --recvif ${epair_one}a \
+ --sendif ${epair_one}a
+
+ # ping reports the ICMP error, so check of that too.
+ atf_check -s exit:2 -o match:'frag needed and DF set' \
+ ping -D -c 1 -s 1000 198.51.100.2
+}
+
+icmp_nat_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "v4"
atf_add_test_case "v6"
atf_add_test_case "multiwan"
atf_add_test_case "multiwanlocal"
+ atf_add_test_case "icmp_nat"
}
