The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9746c1e28877ffb5fd9dc60bb6524df9fa1b6918

commit 9746c1e28877ffb5fd9dc60bb6524df9fa1b6918
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-09-05 15:23:57 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2024-09-19 20:20:15 +0000

    pf tests: ensure we don't NAT to link-local addresses
    
    Reviewed by:    zlei
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46595
---
 tests/sys/netpfil/pf/nat.sh | 52 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh
index aaa49805c772..19dd39fe5848 100644
--- a/tests/sys/netpfil/pf/nat.sh
+++ b/tests/sys/netpfil/pf/nat.sh
@@ -250,9 +250,61 @@ nested_anchor_cleanup()
        pft_cleanup
 }
 
+atf_test_case "nat6_nolinklocal" "cleanup"
+nat6_nolinklocal_head()
+{
+       atf_set descr 'Ensure we do not use link-local addresses'
+       atf_set require.user root
+}
+
+nat6_nolinklocal_body()
+{
+       pft_init
+
+       epair_nat=$(vnet_mkepair)
+       epair_echo=$(vnet_mkepair)
+
+       vnet_mkjail nat ${epair_nat}b ${epair_echo}a
+       vnet_mkjail echo ${epair_echo}b
+
+       ifconfig ${epair_nat}a inet6 2001:db8::2/64 no_dad up
+       route add -6 -net 2001:db8:1::/64 2001:db8::1
+
+       jexec nat ifconfig ${epair_nat}b inet6 2001:db8::1/64 no_dad up
+       jexec nat ifconfig ${epair_echo}a inet6 2001:db8:1::1/64 no_dad up
+       jexec nat sysctl net.inet6.ip6.forwarding=1
+
+       jexec echo ifconfig ${epair_echo}b inet6 2001:db8:1::2/64 no_dad up
+       # Ensure we can't reply to link-local pings
+       jexec echo pfctl -e
+       pft_set_rules echo \
+           "pass" \
+           "block in inet6 proto icmp6 from fe80::/10 to any icmp6-type 
echoreq"
+
+       jexec nat pfctl -e
+       pft_set_rules nat \
+           "nat pass on ${epair_echo}a inet6 from 2001:db8::/64 to any -> 
(${epair_echo}a)" \
+           "pass"
+
+       # Sanity check
+       atf_check -s exit:0 -o ignore \
+           ping -6 -c 1 2001:db8::1
+       for i in `seq 0 10`
+       do
+               atf_check -s exit:0 -o ignore \
+                   ping -6 -c 1 2001:db8:1::2
+       done
+}
+
+nat6_nolinklocal_cleanup()
+{
+       pft_cleanup
+}
+
 atf_init_test_cases()
 {
        atf_add_test_case "exhaust"
        atf_add_test_case "nested_anchor"
        atf_add_test_case "endpoint_independent"
+       atf_add_test_case "nat6_nolinklocal"
 }
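Review bot: The loop `for i in `seq 0 10`` in nat6_nolinklocal_body uses backtick substitution and a loop variable that the body never reads; `for i in $(seq 0 10)` (or `jot 11 0`, the usual FreeBSD idiom) would match modern shell style. The check is also indirect: the NAT rule's `-> (${epair_echo}a)` lets pf pick any address on the interface, and a link-local pick is only detected because the echo jail drops echo requests sourced from fe80::/10, so the assertion that nothing is broken rests on that block rule being in effect. A comment such as `# Repeat so a link-local source selected by the (ifname) target would be caught by echo's block rule` above the loop would make the intent of the repetition clear to the next reader. The `route add -6 -net 2001:db8:1::/64 2001:db8::1` on the host is presumably torn down with the epair by pft_cleanup, but that is not visible in the hunk. Two diff lines (the `block in ...` rule and the `nat pass ...` rule) appear wrapped by the mail client; the patch itself likely keeps them on one line each.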
