xref: /freebsd/tests/sys/netpfil/pf/src_track.sh (revision e0fe26691fc98a16cdda9d4f4beea9c5698ac64a) 
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
5# Copyright (c) 2024 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
30atf_test_case "source_track" "cleanup"
31source_track_head()
32{
33	atf_set descr 'Basic source tracking test'
34	atf_set require.user root
35}
36
37source_track_body()
38{
39	pft_init
40
41	epair=$(vnet_mkepair)
42
43	vnet_mkjail alcatraz ${epair}b
44
45	ifconfig ${epair}a 192.0.2.2/24 up
46	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
47
48	# Enable pf!
49	jexec alcatraz pfctl -e
50	pft_set_rules alcatraz \
51		"pass in keep state (source-track)" \
52		"pass out keep state (source-track)"
53
54	ping -c 3 192.0.2.1
55	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
56	    jexec alcatraz pfctl -sS
57
58	# Flush all source nodes
59	jexec alcatraz pfctl -FS
60
61	# We can't find the previous source node any more
62	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
63	    jexec alcatraz pfctl -sS
64
65	# But we still have the state
66	atf_check -s exit:0 -o match:'all icmp 192.0.2.1:8 <- 192.0.2.2:.*' \
67	    jexec alcatraz pfctl -ss
68}
69
70source_track_cleanup()
71{
72	pft_cleanup
73}
74
75atf_test_case "kill" "cleanup"
76kill_head()
77{
78	atf_set descr 'Test killing source nodes'
79	atf_set require.user root
80}
81
82kill_body()
83{
84	pft_init
85
86	epair=$(vnet_mkepair)
87	vnet_mkjail alcatraz ${epair}b
88
89	ifconfig ${epair}a 192.0.2.2/24 up
90	ifconfig ${epair}a inet alias 192.0.2.3/24 up
91	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
92
93	# Enable pf!
94	jexec alcatraz pfctl -e
95	pft_set_rules alcatraz \
96		"pass in keep state (source-track)" \
97		"pass out keep state (source-track)"
98
99	# Establish two sources
100	atf_check -s exit:0 -o ignore \
101	    ping -c 1 -S 192.0.2.2 192.0.2.1
102	atf_check -s exit:0 -o ignore \
103	    ping -c 1 -S 192.0.2.3 192.0.2.1
104
105	# Check that both source nodes exist
106	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
107	    jexec alcatraz pfctl -sS
108	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
109	    jexec alcatraz pfctl -sS
110
111
112jexec alcatraz pfctl -sS
113
114	# Kill the 192.0.2.2 source
115	jexec alcatraz pfctl -K 192.0.2.2
116
117	# The other source still exists
118	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
119	    jexec alcatraz pfctl -sS
120
121	# But not the one we killed
122	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
123	    jexec alcatraz pfctl -sS
124}
125
126kill_cleanup()
127{
128	pft_cleanup
129}
130
131max_src_conn_rule_head()
132{
133	atf_set descr 'Max connections per source per rule'
134	atf_set require.user root
135	atf_set require.progs python3 scapy
136}
137
138max_src_conn_rule_body()
139{
140	setup_router_server_ipv6
141
142	# Clients will connect from another network behind the router.
143	# This allows for using multiple source addresses and for tester jail
144	# to not respond with RST packets for SYN+ACKs.
145	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
146	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
147
148	pft_set_rules router \
149		"block" \
150		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
151		"pass in  on ${epair_tester}b inet6 proto tcp keep state (max-src-conn 3 source-track rule overload <bad_hosts>)" \
152		"pass out on ${epair_server}a inet6 proto tcp keep state"
153
154	# Limiting of connections is done for connections which have successfully
155	# finished the 3-way handshake. Once the handshake is done, the state
156	# is moved to CLOSED state. We use pft_ping.py to check that the handshake
157	# was really successful and after that we check what is in pf state table.
158
159	# 3 connections from host ::1 will be allowed.
160	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201 --fromaddr 2001:db8:44::1
161	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4202 --fromaddr 2001:db8:44::1
162	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4203 --fromaddr 2001:db8:44::1
163	# The 4th connection from host ::1 will have its state killed.
164	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4204 --fromaddr 2001:db8:44::1
165	# A connection from host :2 is will be allowed.
166	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4205 --fromaddr 2001:db8:44::2
167
168	states=$(mktemp) || exit 1
169	jexec router pfctl -qss | normalize_pfctl_s | grep 'tcp 2001:db8:43::2\[9\] <-' > $states
170
171	grep -qE '2001:db8:44::1\[4201\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4201 not found or not established"
172	grep -qE '2001:db8:44::1\[4202\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4202 not found or not established"
173	grep -qE '2001:db8:44::1\[4203\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4203 not found or not established"
174	grep -qE '2001:db8:44::2\[4205\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4205 not found or not established"
175
176	if (
177		grep -qE '2001:db8:44::1\[4204\] ' $states &&
178		! grep -qE '2001:db8:44::1\[4204\] CLOSED:CLOSED' $states
179	); then
180		atf_fail "State for port 4204 found but not closed"
181	fi
182
183	jexec router pfctl -T test -t bad_hosts 2001:db8:44::1 || atf_fail "Host not found in overload table"
184}
185
186max_src_conn_rule_cleanup()
187{
188	pft_cleanup
189}
190
191max_src_states_rule_head()
192{
193	atf_set descr 'Max states per source per rule'
194	atf_set require.user root
195	atf_set require.progs python3 scapy
196}
197
198max_src_states_rule_body()
199{
200	setup_router_server_ipv6
201
202	# Clients will connect from another network behind the router.
203	# This allows for using multiple source addresses and for tester jail
204	# to not respond with RST packets for SYN+ACKs.
205	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
206	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
207
208	pft_set_rules router \
209		"block" \
210		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
211		"pass in  on ${epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track rule) label rule_A" \
212		"pass in  on ${epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track rule) label rule_B" \
213		"pass out on ${epair_server}a keep state"
214
215	# The option max-src-states prevents even the initial SYN packet going
216	# through. It's enough that we check ping_server_check_reply, no need to
217	# bother checking created states.
218
219	# 2 connections from host ::1 matching rule_A will be allowed, 1 will fail to create a state.
220	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
221	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
222	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
223	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
224
225	# 2 connections from host ::1 matching rule_B will be allowed, 1 will fail to create a state.
226	# Limits from rule_A don't interfere with rule_B.
227	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
228	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4222 --fromaddr 2001:db8:44::1
229	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4223 --fromaddr 2001:db8:44::1
230	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::1
231
232	# 2 connections from host ::2 matching rule_B will be allowed, 1 will fail to create a state.
233	# Limits for host ::1 will not interfere with host ::2.
234	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::2
235	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4225 --fromaddr 2001:db8:44::2
236	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4226 --fromaddr 2001:db8:44::2
237	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4227 --fromaddr 2001:db8:44::2
238
239	# We will check the resulting source nodes, though.
240	# Order of source nodes in output is not guaranteed, find each one separately.
241	nodes=$(mktemp) || exit 1
242	jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
243	for node_regexp in \
244		'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 3, limit source-track$' \
245		'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 4, limit source-track$' \
246		'2001:db8:44::2 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 4, limit source-track$' \
247	; do
248		grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
249	done
250
251	# Check if limit counters have been properly set.
252	jexec router pfctl -qvvsi | grep -qE 'max-src-states\s+3\s+' || atf_fail "max-src-states not set to 3"
253}
254
255max_src_states_rule_cleanup()
256{
257	pft_cleanup
258}
259
260max_src_states_global_head()
261{
262	atf_set descr 'Max states per source global'
263	atf_set require.user root
264	atf_set require.progs python3 scapy
265}
266
267max_src_states_global_body()
268{
269	setup_router_server_ipv6
270
271	# Clients will connect from another network behind the router.
272	# This allows for using multiple source addresses and for tester jail
273	# to not respond with RST packets for SYN+ACKs.
274	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
275	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
276
277	pft_set_rules router \
278		"block" \
279		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
280		"pass in  on ${epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track global) label rule_A" \
281		"pass in  on ${epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track global) label rule_B" \
282		"pass out on ${epair_server}a keep state"
283
284	# Global source tracking creates a single source node shared between all
285	# rules for each connecting source IP address and counts states created
286	# by all rules. Each rule has its own max-src-conn value checked against
287	# that single source node.
288
289	# 3 connections from host …::1 matching rule_A will be allowed.
290	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
291	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
292	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
293	# The 4th connection matching rule_A from host …::1 will have its state killed.
294	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
295	# A connection matching rule_B from host …::1 will have its state killed too.
296	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
297
298	nodes=$(mktemp) || exit 1
299	jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
300	cat $nodes
301	node_regexp='2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, limit source-track'
302	grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output"
303}
304
305max_src_states_global_cleanup()
306{
307	pft_cleanup
308}
309
310sn_types_compat_head()
311{
312	atf_set descr 'Combination of source node types with compat NAT rules'
313	atf_set require.user root
314	atf_set require.progs python3 scapy
315}
316
317sn_types_compat_body()
318{
319	setup_router_dummy_ipv6
320
321	# Clients will connect from another network behind the router.
322	# This allows for using multiple source addresses.
323	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
324
325	# Additional gateways for route-to.
326	rtgw=${net_server_host_server%::*}::2:1
327	jexec router ndp -s ${rtgw} 00:01:02:03:04:05
328
329	# This test will check for proper source node creation for:
330	# max-src-states -> PF_SN_LIMIT
331	# sticky-address -> PF_SN_NAT
332	# route-to -> PF_SN_ROUTE
333	# The test expands to all 8 combinations of those source nodes being
334	# present or not.
335
336	pft_set_rules router \
337		"table <rtgws> { ${rtgw} }" \
338		"table <rdrgws> { 2001:db8:45::1 }" \
339		"rdr on ${epair_tester}b inet6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 -> <rdrgws> port 4242 sticky-address" \
340		"block" \
341		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
342		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4211 keep state                                      label rule_3" \
343		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4212 keep state                                      label rule_4" \
344		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4213 keep state (max-src-states 3 source-track rule) label rule_5" \
345		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 keep state (max-src-states 3 source-track rule) label rule_6" \
346		"pass out quick  on ${epair_server}a keep state"
347
348	# We don't check if state limits are properly enforced, this is tested
349	# by other tests in this file.
350	# Source address will not match the NAT rule
351	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --to 2001:db8:45::1
352	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --to 2001:db8:45::1
353	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --to 2001:db8:45::1
354	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --to 2001:db8:45::1
355	# Source address will match the NAT rule
356	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --to 2001:db8:45::1
357	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --to 2001:db8:45::1
358	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --to 2001:db8:45::1
359	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --to 2001:db8:45::1
360
361	states=$(mktemp) || exit 1
362	jexec router pfctl -qvss | normalize_pfctl_s > $states
363	nodes=$(mktemp) || exit 1
364	jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes
365
366	# Order of states in output is not guaranteed, find each one separately.
367	for state_regexp in \
368		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3$' \
369		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, route sticky-address$' \
370		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit source-track$' \
371		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, route sticky-address$' \
372		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3, NAT/RDR sticky-address' \
373		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, NAT/RDR sticky-address, route sticky-address' \
374		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit source-track, NAT/RDR sticky-address' \
375		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, NAT/RDR sticky-address, route sticky-address' \
376	; do
377		grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
378	done
379
380	# Order of source nodes in output is not guaranteed, find each one separately.
381	for node_regexp in \
382		'2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 4, route sticky-address' \
383		'2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, limit source-track' \
384		'2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, route sticky-address' \
385		'2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
386		'2001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
387		'2001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
388		'2001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 4, route sticky-address' \
389		'2001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
390		'2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, limit source-track' \
391		'2001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
392		'2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, route sticky-address' \
393		'2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
394	; do
395		grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
396	done
397
398	! grep -q 'filter rule 3' $nodes || atf_fail "Source node found for rule 3"
399}
400
401sn_types_compat_cleanup()
402{
403	pft_cleanup
404}
405
406sn_types_pass_head()
407{
408	atf_set descr 'Combination of source node types with pass NAT rules'
409	atf_set require.user root
410	atf_set require.progs python3 scapy
411}
412
413sn_types_pass_body()
414{
415	setup_router_dummy_ipv6
416
417	# Clients will connect from another network behind the router.
418	# This allows for using multiple source addresses.
419	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
420
421	# Additional gateways for route-to.
422	rtgw=${net_server_host_server%::*}::2:1
423	jexec router ndp -s ${rtgw} 00:01:02:03:04:05
424
425	# This test will check for proper source node creation for:
426	# max-src-states -> PF_SN_LIMIT
427	# sticky-address -> PF_SN_NAT
428	# route-to -> PF_SN_ROUTE
429	# The test expands to all 8 combinations of those source nodes being
430	# present or not.
431
432	pft_set_rules router \
433		"table <rtgws> { ${rtgw} }" \
434		"table <rdrgws> { 2001:db8:45::1 }" \
435		"block" \
436		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
437		"match in       on ${epair_tester}b inet6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 rdr-to <rdrgws> port 4242 sticky-address                                label rule_3" \
438		"pass  in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4211 keep state                                      label rule_4" \
439		"pass  in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4212 keep state                                      label rule_5" \
440		"pass  in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4213 keep state (max-src-states 3 source-track rule) label rule_6" \
441		"pass  in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 keep state (max-src-states 3 source-track rule) label rule_7" \
442		"pass out quick on ${epair_server}a keep state"
443
444	# We don't check if state limits are properly enforced, this is tested
445	# by other tests in this file.
446	# Source address will not match the NAT rule
447	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --to 2001:db8:45::1
448	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --to 2001:db8:45::1
449	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --to 2001:db8:45::1
450	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --to 2001:db8:45::1
451	# Source address will match the NAT rule
452	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --to 2001:db8:45::1
453	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --to 2001:db8:45::1
454	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --to 2001:db8:45::1
455	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --to 2001:db8:45::1
456
457	states=$(mktemp) || exit 1
458	jexec router pfctl -qvss | normalize_pfctl_s > $states
459	nodes=$(mktemp) || exit 1
460	jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes
461
462	echo " === states ==="
463	cat $states
464	echo " === nodes ==="
465	cat $nodes
466	echo " === end === "
467
468	# Order of states in output is not guaranteed, find each one separately.
469	for state_regexp in \
470		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4$' \
471		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, route sticky-address$' \
472		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track$' \
473		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit source-track, route sticky-address$' \
474		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4, NAT/RDR sticky-address' \
475		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, NAT/RDR sticky-address, route sticky-address' \
476		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, NAT/RDR sticky-address' \
477		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit source-track, NAT/RDR sticky-address, route sticky-address' \
478	; do
479		grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
480	done
481
482	# Order of source nodes in output is not guaranteed, find each one separately.
483	for node_regexp in \
484		'2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, route sticky-address' \
485		'2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
486		'2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, route sticky-address' \
487		'2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, limit source-track' \
488		'2001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \
489		'2001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \
490		'2001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, route sticky-address' \
491		'2001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \
492		'2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
493		'2001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 3, NAT/RDR sticky-address' \
494		'2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, route sticky-address' \
495		'2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 7, limit source-track' \
496	; do
497		grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
498	done
499}
500
501sn_types_pass_cleanup()
502{
503	pft_cleanup
504}
505
506atf_init_test_cases()
507{
508	atf_add_test_case "source_track"
509	atf_add_test_case "kill"
510	atf_add_test_case "max_src_conn_rule"
511	atf_add_test_case "max_src_states_rule"
512	atf_add_test_case "max_src_states_global"
513	atf_add_test_case "sn_types_compat"
514	atf_add_test_case "sn_types_pass"
515}
516