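#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright © 2023 Orange Business Services
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for pf's SCTP handling: basic pass/block filtering (v4/v6),
# state handling for reused source ports, ABORT generation for 'block return',
# NAT and rdr, pfsync state replication across a CARP failover, SCTP timeout
# tuning, and pass-through of ICMP messages related to an SCTP association.
#
# Every test runs in throw-away vnet jails created with the helpers from
# utils.subr (vnet_mkepair, vnet_mkjail, pft_set_rules, pft_cleanup, ...).
# All tests need root and the sctp kernel module; the pfsync test also needs
# carp.

. $(atf_get_srcdir)/utils.subr

# Common per-test setup. Currently only defers to pft_init from utils.subr,
# but every test body calls this so future SCTP-specific setup has one place
# to go.
sctp_init()
{
	pft_init
}

atf_test_case "basic_v4" "cleanup"
basic_v4_head()
{
	atf_set descr 'Basic SCTP connection over IPv4 passthrough'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Two directly connected jails. Jail 'a' runs pf with a default block and a
# single 'pass in proto sctp to port 1234' rule; jail 'b' is the client.
# Checks, in order: the allowed port passes, it still passes with a scrub
# rule in front, a different destination port is blocked, and a blocked
# destination port stays blocked even when the client picks the *allowed*
# number as its source port (-p 1234), since 'to port' matches only the
# destination.
basic_v4_body()
{
	sctp_init

	j="sctp:basic_v4"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now with scrub rules present, so normalization is done
	pft_set_rules ${j}a \
		"scrub on ${j}a" \
		"block" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now fail with a blocked port
	echo "foo" | jexec ${j}a nc --sctp -N -l 1235 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1235)
	if [ "$out" = "foo" ]; then
		atf_fail "SCTP port block failed"
	fi

	# Now fail with a blocked port but passing source port. The pass rule
	# names the destination port, so a client-chosen source port of 1234
	# must not be enough to get through.
	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1235)
	if [ "$out" = "foo" ]; then
		atf_fail "SCTP port block failed"
	fi
}

basic_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "basic_v6" "cleanup"
basic_v6_head()
{
	atf_set descr 'Basic SCTP connection over IPv6'
	atf_set require.user root
	atf_set require.kmods sctp
}

# IPv6 counterpart of basic_v4. The block rule here is 'block proto sctp'
# rather than a bare 'block', so neighbour discovery is not affected; the
# four checks are otherwise the same.
basic_v6_body()
{
	sctp_init

	j="sctp:basic_v6"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 up no_dad
	jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -6 -c 1 2001:db8::b

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block proto sctp" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now with scrub rules present, so normalization is done
	pft_set_rules ${j}a \
		"scrub on ${j}a" \
		"block proto sctp" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now fail with a blocked port
	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1235 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1235)
	if [ "$out" = "foo" ]; then
		atf_fail "SCTP port block failed"
	fi

	# Now fail with a blocked port but passing source port
	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 2001:db8::a 1235)
	if [ "$out" = "foo" ]; then
		atf_fail "SCTP port block failed"
	fi
}

basic_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "reuse" "cleanup"
reuse_head()
{
	atf_set descr 'Test handling dumb clients that reuse source ports'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Opens two SCTP associations back to back with an identical 4-tuple (the
# client forces source port 1234 with -p). The second one must succeed even
# though pf may still hold state from the first; the 'pfctl -ss -v' dumps
# are there for diagnosis when it does not.
reuse_body()
{
	sctp_init

	j="sctp:reuse"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now do the same thing again, with the same port numbers
	jexec ${j}a pfctl -ss -v

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
	jexec ${j}a pfctl -ss -v
}

reuse_cleanup()
{
	pft_cleanup
}

atf_test_case "abort_v4" "cleanup"
abort_v4_head()
{
	atf_set descr 'Test sending ABORT messages'
	atf_set require.user root
	atf_set require.kmods sctp
}

# With 'block return' pf must answer a blocked INIT with an SCTP ABORT, so
# the client nc exits on its own well before timeout(1) would kill it
# (exit status 124). With a plain 'block' nothing is sent back and the
# client must run into that timeout instead.
abort_v4_body()
{
	sctp_init

	j="sctp:abort_v4"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block return in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	# If we get the abort we'll exit immediately, if we don't timeout will
	# stop nc. $? here is the status of the command substitution, i.e. of
	# timeout(1), which exits 124 when it had to kill nc.
	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
	if [ $? -eq 124 ]; then
		atf_fail 'Abort not received'
	fi
	if [ "$out" = "foo" ]; then
		atf_fail "block failed entirely"
	fi

	# Without 'return' we will time out.
	pft_set_rules ${j}a \
		"block in proto sctp to port 1234"

	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
	if [ $? -ne 124 ]; then
		atf_fail 'Abort sent anyway?'
	fi
}

abort_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "abort_v6" "cleanup"
abort_v6_head()
{
	atf_set descr 'Test sending ABORT messages over IPv6'
	atf_set require.user root
	atf_set require.kmods sctp
}

# IPv6 counterpart of abort_v4; see there for the exit-status logic.
abort_v6_body()
{
	sctp_init

	j="sctp:abort_v6"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 no_dad
	jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -6 -c 1 2001:db8::b

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block return in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	# If we get the abort we'll exit immediately, if we don't timeout will
	# stop nc.
	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
	if [ $? -eq 124 ]; then
		atf_fail 'Abort not received'
	fi
	if [ "$out" = "foo" ]; then
		atf_fail "block failed entirely"
	fi

	# Without 'return' we will time out.
	pft_set_rules ${j}a \
		"block in proto sctp to port 1234"

	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
	if [ $? -ne 124 ]; then
		atf_fail 'Abort sent anyway?'
	fi
}

abort_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "nat_v4" "cleanup"
nat_v4_head()
{
	atf_set descr 'Test NAT-ing SCTP over IPv4'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Three jails: client -> gateway -> server. The gateway NATs the client's
# subnet onto its server-facing address. The server jail deliberately has
# no route back to the client subnet, so the association can only succeed
# if the NAT rewrite actually happens.
nat_v4_body()
{
	sctp_init

	j="sctp:nat_v4"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up
	jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up
	jexec ${j}gw sysctl net.inet.ip.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"nat on ${epair_srv}b from 192.0.2.0/24 -> (${epair_srv}b)" \
		"pass"

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	echo "foo" | jexec ${j}srv nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}c nc --sctp -N -w 3 198.51.100.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
}

nat_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "nat_v6" "cleanup"
nat_v6_head()
{
	atf_set descr 'Test NAT-ing SCTP over IPv6'
	atf_set require.user root
	atf_set require.kmods sctp
}

# IPv6 counterpart of nat_v4 (same topology, net.inet6.ip6.forwarding).
nat_v6_body()
{
	sctp_init

	j="sctp:nat_v6"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a inet6 2001:db8::1/64 up no_dad
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b inet6 2001:db8::2/64 up no_dad
	jexec ${j}gw ifconfig ${epair_c}a inet6 2001:db8:1::1/64 up no_dad
	jexec ${j}gw sysctl net.inet6.ip6.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b inet6 2001:db8:1::2/64 up no_dad
	jexec ${j}c route add -6 default 2001:db8:1::1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"nat on ${epair_srv}b from 2001:db8:1::/64 -> (${epair_srv}b)" \
		"pass"

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -6 -c 1 2001:db8::1

	echo "foo" | jexec ${j}srv nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}c nc --sctp -N -w 3 2001:db8::1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
}

nat_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "rdr_v4" "cleanup"
rdr_v4_head()
{
	atf_set descr 'Test rdr SCTP over IPv4'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Same topology as nat_v4, but the association is initiated from the srv
# side and redirected by the gateway to the client jail. The second half
# documents a pf limitation: an rdr rule that maps port 1234 to 4321 still
# delivers to 1234 — pf does not rewrite SCTP ports — so connecting to 4321
# must fail and connecting to 1234 must still reach the listener.
rdr_v4_body()
{
	sctp_init

	j="sctp:rdr_v4"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up
	jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up
	jexec ${j}gw sysctl net.inet.ip.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 1234" \
		"pass"

	echo "foo" | jexec ${j}c nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Despite configuring port changes pf will not do so.
	echo "bar" | jexec ${j}c nc --sctp -N -l 1234 &

	pft_set_rules ${j}gw \
		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 4321" \
		"pass"

	# This will fail
	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 4321)
	if [ "$out" = "bar" ]; then
		atf_fail "Port was unexpectedly changed."
	fi

	# This succeeds
	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
	if [ "$out" != "bar" ]; then
		atf_fail "Port was unexpectedly changed."
	fi
}

rdr_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "pfsync" "cleanup"
pfsync_head()
{
	atf_set descr 'Test pfsync-ing SCTP connections'
	atf_set require.user root
	atf_set require.kmods carp sctp
}

# Two pf routers ('one' and 'two') share CARP addresses on both sides and
# replicate state over pfsync. An SCTP association is opened through the
# master, the secondary is checked for the replicated state, then CARP is
# forced to fail over and a second message must still get through.
pfsync_body()
{
	# + Builds below topology and initiate an SCTP connection
	#   from client to server.
	# + Tests that the connection remains open when we fail over from
	#   router one to router two.
	#
	#                   ┌──────┐
	#                   │client│
	#                   └───┬──┘
	#                       │
	#                   ┌───┴───┐
	#                   │bridge0│
	#                   └┬─────┬┘
	#                    │     │
	#   ┌────────────────┴─┐ ┌─┴────────────────┐
	#   │        one       ├─┤        two       │
	#   └────────────────┬─┘ └─┬────────────────┘
	#                    │     │
	#                   ┌┴─────┴┐
	#                   │bridge1│
	#                   └───┬───┘
	#                       │
	#                   ┌───┴──┐
	#                   │server│
	#                   └──────┘

	sctp_init
	pfsynct_init
	vnet_init_bridge

	j="sctp:pfsync"

	# Scratch files (input/output below) live in the test's work directory.
	tmp=$(pwd)

	bridge0=$(vnet_mkbridge)
	bridge1=$(vnet_mkbridge)

	epair_c=$(vnet_mkepair)
	epair_one0=$(vnet_mkepair)
	epair_two0=$(vnet_mkepair)
	epair_sync=$(vnet_mkepair)
	epair_one1=$(vnet_mkepair)
	epair_two1=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	ifconfig ${bridge0} addm ${epair_c}a addm ${epair_one0}a addm ${epair_two0}a
	ifconfig ${epair_one0}a up
	ifconfig ${epair_two0}a up
	ifconfig ${epair_c}a up
	ifconfig ${bridge0} up

	ifconfig ${bridge1} addm ${epair_srv}a addm ${epair_one1}a addm ${epair_two1}a
	ifconfig ${epair_one1}a up
	ifconfig ${epair_two1}a up
	ifconfig ${epair_srv}a up
	ifconfig ${bridge1} up

	vnet_mkjail ${j}c ${epair_c}b
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	# Router one: CARP vhid 1 (192.0.2.1) towards the client, vhid 2
	# (198.51.100.2) towards the server, pfsync over epair_sync.
	vnet_mkjail ${j}one ${epair_one0}b ${epair_one1}b ${epair_sync}a
	jexec ${j}one ifconfig ${epair_one0}b 192.0.2.3/24 up
	jexec ${j}one ifconfig ${epair_one0}b \
	    alias 192.0.2.1/32 vhid 1 pass 1234
	jexec ${j}one ifconfig ${epair_one1}b 198.51.100.3/24 up
	jexec ${j}one ifconfig ${epair_one1}b \
	    alias 198.51.100.2/32 vhid 2 pass 4321
	jexec ${j}one ifconfig ${epair_sync}a 203.0.113.1/24 up
	jexec ${j}one ifconfig pfsync0 \
	    syncdev ${epair_sync}a \
	    maxupd 1 \
	    up
	jexec ${j}one sysctl net.inet.ip.forwarding=1

	# Router two: same CARP groups, other end of the sync link.
	vnet_mkjail ${j}two ${epair_two0}b ${epair_two1}b ${epair_sync}b
	jexec ${j}two ifconfig ${epair_two0}b 192.0.2.4/24 up
	jexec ${j}two ifconfig ${epair_two0}b \
	    alias 192.0.2.1/32 vhid 1 pass 1234
	jexec ${j}two ifconfig ${epair_two1}b 198.51.100.4/24 up
	jexec ${j}two ifconfig ${epair_two1}b \
	    alias 198.51.100.2/32 vhid 2 pass 4321
	jexec ${j}two ifconfig ${epair_sync}b 203.0.113.2/24 up
	jexec ${j}two ifconfig pfsync0 \
	    syncdev ${epair_sync}b \
	    maxupd 1 \
	    up
	jexec ${j}two sysctl net.inet.ip.forwarding=1

	vnet_mkjail ${j}srv ${epair_srv}b
	jexec ${j}srv ifconfig ${epair_srv}b 198.51.100.1/24 up
	jexec ${j}srv route add default 198.51.100.2

	# Demote two, to avoid dealing with asymmetric routing
	jexec ${j}two sysctl net.inet.carp.demotion=50

	jexec ${j}one pfctl -e
	pft_set_rules ${j}one \
		"block all" \
		"pass proto { icmp, pfsync, carp }" \
		"pass proto sctp to port 1234" \
		"pass proto tcp to port 1234"

	jexec ${j}two pfctl -e
	pft_set_rules ${j}two \
		"block all" \
		"pass proto { icmp, pfsync, carp }" \
		"pass proto sctp to port 1234" \
		"pass proto tcp to port 1234"

	# Give carp time to get set up
	sleep 2

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	# Now start up an SCTP connection. The server feeds whatever is
	# appended to ${tmp}/input into the association; the client writes
	# everything it receives to ${tmp}/output.
	touch ${tmp}/input
	tail -F ${tmp}/input | jexec ${j}srv nc --sctp -l 1234 &
	sleep 1

	jexec ${j}c nc --sctp 198.51.100.1 1234 > ${tmp}/output &
	echo "1" >> ${tmp}/input

	# Give time for the traffic to arrive
	sleep 1
	line=$(tail -n -1 ${tmp}/output)
	if [ "${line}" != "1" ];
	then
		echo "Found ${line}"
		cat ${tmp}/output
		atf_fail "Initial SCTP connection failed"
	fi

	# Give pfsync some time to do its thing
	sleep 1

	# Verify that two has the connection too
	state=$(jexec ${j}two pfctl -ss | grep sctp)
	if [ -z "${state}" ];
	then
		jexec ${j}two pfctl -ss
		atf_fail "Failed to find SCTP state on secondary pfsync host"
	fi

	# Now fail over (both carp IPs should switch here)
	jexec ${j}one sysctl net.inet.carp.demotion=100

	# NOTE(review): the loops below wait for 'one' to report MASTER; with
	# one demoted to 100 and two to 50 the expectation presumably is that
	# two takes over — confirm which host is meant to be polled here.
	while ! jexec ${j}one ifconfig ${epair_one0}b | grep MASTER;
	do
		sleep 1
	done
	while ! jexec ${j}one ifconfig ${epair_one1}b | grep MASTER;
	do
		sleep 1
	done

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	# And check that the connection is still live
	echo "2" >> ${tmp}/input
	sleep 1
	line=$(tail -n -1 ${tmp}/output)
	if [ "${line}" != "2" ];
	then
		echo "Found ${line}"
		cat ${tmp}/output
		atf_fail "SCTP failover failed"
	fi
}

pfsync_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "timeout" "cleanup"
timeout_head()
{
	atf_set descr 'Test setting and retrieving timeout values'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Sets two SCTP state timeouts via 'set timeout' and reads them back with
# 'pfctl -st'; also checks that an untouched timeout (sctp.established)
# keeps its default of 86400.
timeout_body()
{
	sctp_init

	vnet_mkjail timeout

	pft_set_rules timeout \
		"set timeout sctp.first 13" \
		"set timeout sctp.opening 14"

	atf_check -s exit:0 -o match:"sctp.first.*13" \
	    jexec timeout pfctl -st
	atf_check -s exit:0 -o match:"sctp.opening.*14" \
	    jexec timeout pfctl -st
	# We've not changed other timeouts
	atf_check -s exit:0 -o match:"sctp.established.*86400" \
	    jexec timeout pfctl -st
}

timeout_cleanup()
{
	pft_cleanup
}

atf_test_case "related_icmp" "cleanup"
related_icmp_head()
{
	atf_set descr 'Verify that ICMP messages related to an SCTP connection are allowed'
	atf_set require.user root
	atf_set require.kmods sctp
}

# Path: this host -> rtr (pf: 'block proto icmp', 'pass proto sctp') ->
# rtr2 -> srv, with a 1300-byte MTU on the rtr2/srv link. After a plain
# association is shown to work, an oversized SCTP send must provoke an ICMP
# "need to frag" from rtr2; rtr's ICMP block must let that message through
# because it belongs to a tracked SCTP state, which the test checks via the
# host's ICMP counters (netstat -s -p icmp).
related_icmp_body()
{
	sctp_init

	epair_cl=$(vnet_mkepair)
	epair_rtr=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	# The client side is this host (not a jail).
	ifconfig ${epair_cl}a 192.0.2.1/24 up
	route add default 192.0.2.2

	vnet_mkjail rtr ${epair_cl}b ${epair_rtr}a
	jexec rtr ifconfig ${epair_cl}b 192.0.2.2/24 up
	jexec rtr ifconfig ${epair_rtr}a 198.51.100.1/24 up
	jexec rtr sysctl net.inet.ip.forwarding=1
	jexec rtr route add default 198.51.100.2

	vnet_mkjail rtr2 ${epair_rtr}b ${epair_srv}a
	jexec rtr2 ifconfig ${epair_rtr}b 198.51.100.2/24 up
	jexec rtr2 ifconfig ${epair_srv}a 203.0.113.1/24 up
	jexec rtr2 ifconfig ${epair_srv}a mtu 1300
	jexec rtr2 sysctl net.inet.ip.forwarding=1
	jexec rtr2 route add default 198.51.100.1

	vnet_mkjail srv ${epair_srv}b
	jexec srv ifconfig ${epair_srv}b 203.0.113.2/24 up
	jexec srv ifconfig ${epair_srv}b mtu 1300
	jexec srv route add default 203.0.113.1

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.2
	atf_check -s exit:0 -o ignore \
	    ping -c 1 198.51.100.1
	atf_check -s exit:0 -o ignore \
	    ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore \
	    ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore \
	    ping -c 1 203.0.113.2

	jexec rtr pfctl -e
	pft_set_rules rtr \
		"block proto icmp" \
		"pass proto sctp"

	# Make sure SCTP traffic passes
	echo "foo" | jexec srv nc --sctp -N -l 1234 &
	sleep 1

	out=$(nc --sctp -N -w 3 203.0.113.2 1234)
	if [ "$out" != "foo" ]; then
		jexec rtr pfctl -ss -vv
		jexec rtr pfctl -sr -vv
		atf_fail "SCTP connection failed"
	fi

	# Do we see ICMP traffic if we send overly large traffic?
	echo "foo" | jexec srv nc --sctp -l 1234 >/dev/null &
	sleep 1

	# Baseline: no destination-unreachable messages seen yet.
	atf_check -s exit:0 -o not-match:".*destination unreachable:.*" \
	    netstat -s -p icmp

	# Generate traffic that will be fragmented by rtr2, and will provoke an
	# ICMP unreachable - need to frag (mtu 1300) message
	dd if=/dev/random bs=10000 count=1 | nc --sctp -N -w 3 203.0.113.2 1234

	# We'd expect to see an ICMP message
	atf_check -s exit:0 -o match:".*destination unreachable: [1-9]" \
	    netstat -s -p icmp
}

related_icmp_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "basic_v4"
	atf_add_test_case "basic_v6"
	atf_add_test_case "reuse"
	atf_add_test_case "abort_v4"
	atf_add_test_case "abort_v6"
	atf_add_test_case "nat_v4"
	atf_add_test_case "nat_v6"
	atf_add_test_case "rdr_v4"
	atf_add_test_case "pfsync"
	atf_add_test_case "timeout"
	atf_add_test_case "related_icmp"
}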