xref: /freebsd/tests/sys/netpfil/pf/src_track.sh (revision 07e070ef086997590cd6d9d47908885c12947bd2) 
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
5# Copyright (c) 2024 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
30atf_test_case "source_track" "cleanup"
31source_track_head()
32{
33	atf_set descr 'Basic source tracking test'
34	atf_set require.user root
35}
36
37source_track_body()
38{
39	pft_init
40
41	epair=$(vnet_mkepair)
42
43	vnet_mkjail alcatraz ${epair}b
44
45	ifconfig ${epair}a 192.0.2.2/24 up
46	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
47
48	# Enable pf!
49	jexec alcatraz pfctl -e
50	pft_set_rules alcatraz \
51		"pass in keep state (source-track)" \
52		"pass out keep state (source-track)"
53
54	ping -c 3 192.0.2.1
55	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
56	    jexec alcatraz pfctl -sS
57
58	# Flush all source nodes
59	jexec alcatraz pfctl -FS
60
61	# We can't find the previous source node any more
62	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
63	    jexec alcatraz pfctl -sS
64
65	# But we still have the state
66	atf_check -s exit:0 -o match:'all icmp 192.0.2.1:8 <- 192.0.2.2:.*' \
67	    jexec alcatraz pfctl -ss
68}
69
70source_track_cleanup()
71{
72	pft_cleanup
73}
74
75atf_test_case "kill" "cleanup"
76kill_head()
77{
78	atf_set descr 'Test killing source nodes'
79	atf_set require.user root
80}
81
82kill_body()
83{
84	pft_init
85
86	epair=$(vnet_mkepair)
87	vnet_mkjail alcatraz ${epair}b
88
89	ifconfig ${epair}a 192.0.2.2/24 up
90	ifconfig ${epair}a inet alias 192.0.2.3/24 up
91	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
92
93	# Enable pf!
94	jexec alcatraz pfctl -e
95	pft_set_rules alcatraz \
96		"pass in keep state (source-track)" \
97		"pass out keep state (source-track)"
98
99	# Establish two sources
100	atf_check -s exit:0 -o ignore \
101	    ping -c 1 -S 192.0.2.2 192.0.2.1
102	atf_check -s exit:0 -o ignore \
103	    ping -c 1 -S 192.0.2.3 192.0.2.1
104
105	# Check that both source nodes exist
106	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
107	    jexec alcatraz pfctl -sS
108	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
109	    jexec alcatraz pfctl -sS
110
111
112jexec alcatraz pfctl -sS
113
114	# Kill the 192.0.2.2 source
115	jexec alcatraz pfctl -K 192.0.2.2
116
117	# The other source still exists
118	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
119	    jexec alcatraz pfctl -sS
120
121	# But not the one we killed
122	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
123	    jexec alcatraz pfctl -sS
124}
125
126kill_cleanup()
127{
128	pft_cleanup
129}
130
131max_src_conn_rule_head()
132{
133	atf_set descr 'Max connections per source per rule'
134	atf_set require.user root
135	atf_set require.progs scapy
136}
137
138max_src_conn_rule_body()
139{
140	setup_router_server_ipv6
141
142	# Clients will connect from another network behind the router.
143	# This allows for using multiple source addresses and for tester jail
144	# to not respond with RST packets for SYN+ACKs.
145	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
146	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
147
148	pft_set_rules router \
149		"block" \
150		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
151		"pass in  on ${epair_tester}b inet6 proto tcp keep state (max-src-conn 3 source-track rule overload <bad_hosts>)" \
152		"pass out on ${epair_server}a inet6 proto tcp keep state"
153
154	# Limiting of connections is done for connections which have successfully
155	# finished the 3-way handshake. Once the handshake is done, the state
156	# is moved to CLOSED state. We use pft_ping.py to check that the handshake
157	# was really successful and after that we check what is in pf state table.
158
159	# 3 connections from host ::1 will be allowed.
160	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201 --fromaddr 2001:db8:44::1
161	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4202 --fromaddr 2001:db8:44::1
162	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4203 --fromaddr 2001:db8:44::1
163	# The 4th connection from host ::1 will have its state killed.
164	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4204 --fromaddr 2001:db8:44::1
165	# A connection from host :2 is will be allowed.
166	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4205 --fromaddr 2001:db8:44::2
167
168	states=$(mktemp) || exit 1
169	jexec router pfctl -qss | normalize_pfctl_s | grep 'tcp 2001:db8:43::2\[9\] <-' > $states
170
171	grep -qE '2001:db8:44::1\[4201\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4201 not found or not established"
172	grep -qE '2001:db8:44::1\[4202\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4202 not found or not established"
173	grep -qE '2001:db8:44::1\[4203\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4203 not found or not established"
174	grep -qE '2001:db8:44::2\[4205\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4205 not found or not established"
175
176	if (
177		grep -qE '2001:db8:44::1\[4204\] ' $states &&
178		! grep -qE '2001:db8:44::1\[4204\] CLOSED:CLOSED' $states
179	); then
180		atf_fail "State for port 4204 found but not closed"
181	fi
182
183	jexec router pfctl -T test -t bad_hosts 2001:db8:44::1 || atf_fail "Host not found in overload table"
184}
185
186max_src_conn_rule_cleanup()
187{
188	pft_cleanup
189}
190
191max_src_states_rule_head()
192{
193	atf_set descr 'Max states per source per rule'
194	atf_set require.user root
195	atf_set require.progs scapy
196}
197
198max_src_states_rule_body()
199{
200	setup_router_server_ipv6
201
202	# Clients will connect from another network behind the router.
203	# This allows for using multiple source addresses and for tester jail
204	# to not respond with RST packets for SYN+ACKs.
205	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
206	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
207
208	pft_set_rules router \
209		"block" \
210		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
211		"pass in  on ${epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track rule) label rule_A" \
212		"pass in  on ${epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track rule) label rule_B" \
213		"pass out on ${epair_server}a keep state"
214
215	# The option max-src-states prevents even the initial SYN packet going
216	# through. It's enough that we check ping_server_check_reply, no need to
217	# bother checking created states.
218
219	# 2 connections from host ::1 matching rule_A will be allowed, 1 will fail to create a state.
220	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
221	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
222	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
223	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
224
225	# 2 connections from host ::1 matching rule_B will be allowed, 1 will fail to create a state.
226	# Limits from rule_A don't interfere with rule_B.
227	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
228	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4222 --fromaddr 2001:db8:44::1
229	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4223 --fromaddr 2001:db8:44::1
230	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::1
231
232	# 2 connections from host ::2 matching rule_B will be allowed, 1 will fail to create a state.
233	# Limits for host ::1 will not interfere with host ::2.
234	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::2
235	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4225 --fromaddr 2001:db8:44::2
236	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4226 --fromaddr 2001:db8:44::2
237	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4227 --fromaddr 2001:db8:44::2
238
239	# We will check the resulting source nodes, though.
240	# Order of source nodes in output is not guaranteed, find each one separately.
241	nodes=$(mktemp) || exit 1
242	jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
243	for node_regexp in \
244		'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 3, limit source-track$' \
245		'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 4, limit source-track$' \
246		'2001:db8:44::2 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, filter rule 4, limit source-track$' \
247	; do
248		grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
249	done
250
251	# Check if limit counters have been properly set.
252	jexec router pfctl -qvvsi | grep -qE 'max-src-states\s+3\s+' || atf_fail "max-src-states not set to 3"
253}
254
255max_src_states_rule_cleanup()
256{
257	pft_cleanup
258}
259
260max_src_states_global_head()
261{
262	atf_set descr 'Max states per source global'
263	atf_set require.user root
264}
265
266max_src_states_global_body()
267{
268	setup_router_server_ipv6
269
270	# Clients will connect from another network behind the router.
271	# This allows for using multiple source addresses and for tester jail
272	# to not respond with RST packets for SYN+ACKs.
273	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
274	jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
275
276	pft_set_rules router \
277		"block" \
278		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
279		"pass in  on ${epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track global) label rule_A" \
280		"pass in  on ${epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track global) label rule_B" \
281		"pass out on ${epair_server}a keep state"
282
283	# Global source tracking creates a single source node shared between all
284	# rules for each connecting source IP address and counts states created
285	# by all rules. Each rule has its own max-src-conn value checked against
286	# that single source node.
287
288	# 3 connections from host …::1 matching rule_A will be allowed.
289	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
290	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
291	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
292	# The 4th connection matching rule_A from host …::1 will have its state killed.
293	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
294	# A connection matching rule_B from host …::1 will have its state killed too.
295	ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
296
297	nodes=$(mktemp) || exit 1
298	jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
299	cat $nodes
300	node_regexp='2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ bytes, limit source-track'
301	grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output"
302}
303
304max_src_states_global_cleanup()
305{
306	pft_cleanup
307}
308
309route_to_head()
310{
311	atf_set descr 'Max states per source per rule with route-to'
312	atf_set require.user root
313}
314
315route_to_body()
316{
317	setup_router_dummy_ipv6
318
319	# Clients will connect from another network behind the router.
320	# This allows for using multiple source addresses.
321	jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
322
323	# Additional gateways for route-to.
324	rtgw=${net_server_host_server%::*}::2:1
325	jexec router ndp -s ${rtgw} 00:01:02:03:04:05
326
327	# This test will check for proper source node creation for:
328	# max-src-states -> PF_SN_LIMIT
329	# sticky-address -> PF_SN_NAT
330	# route-to -> PF_SN_ROUTE
331	# The test expands to all 8 combinations of those source nodes being
332	# present or not.
333
334	pft_set_rules router \
335		"table <rtgws> { ${rtgw} }" \
336		"table <rdrgws> { 2001:db8:45::1 }" \
337		"rdr on ${epair_tester}b inet6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 -> <rdrgws> port 4242 sticky-address" \
338		"block" \
339		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
340		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4211 keep state                                      label rule_3" \
341		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4212 keep state                                      label rule_4" \
342		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>)                inet6 proto tcp from port 4213 keep state (max-src-states 3 source-track rule) label rule_5" \
343		"pass in  quick  on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 keep state (max-src-states 3 source-track rule) label rule_6" \
344		"pass out quick  on ${epair_server}a keep state"
345
346	# We don't check if state limits are properly enforced, this is tested
347	# by other tests in this file.
348	# Source address will not match the NAT rule
349	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --to 2001:db8:45::1
350	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --to 2001:db8:45::1
351	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --to 2001:db8:45::1
352	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --to 2001:db8:45::1
353	# Source address will match the NAT rule
354	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --to 2001:db8:45::1
355	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --to 2001:db8:45::1
356	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --to 2001:db8:45::1
357	ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --to 2001:db8:45::1
358
359	states=$(mktemp) || exit 1
360	jexec router pfctl -qvss | normalize_pfctl_s > $states
361	nodes=$(mktemp) || exit 1
362	jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes
363
364	# Order of states in output is not guaranteed, find each one separately.
365	for state_regexp in \
366		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3$' \
367		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, route sticky-address$' \
368		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit source-track$' \
369		'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, route sticky-address$' \
370		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3, NAT/RDR sticky-address' \
371		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, NAT/RDR sticky-address, route sticky-address' \
372		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit source-track, NAT/RDR sticky-address' \
373		'all tcp 2001:db8:45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, NAT/RDR sticky-address, route sticky-address' \
374	; do
375		grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
376	done
377
378	# Order of source nodes in output is not guaranteed, find each one separately.
379	for node_regexp in \
380		'2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 4, route sticky-address' \
381		'2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, limit source-track' \
382		'2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, route sticky-address' \
383		'2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
384		'2001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
385		'2001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
386		'2001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 4, route sticky-address' \
387		'2001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
388		'2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 5, limit source-track' \
389		'2001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, rdr rule 0, NAT/RDR sticky-address' \
390		'2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, route sticky-address' \
391		'2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, filter rule 6, limit source-track' \
392	; do
393		grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
394	done
395
396	! grep -q 'filter rule 3' $nodes || atf_fail "Source node found for rule 3"
397}
398
399route_to_cleanup()
400{
401	pft_cleanup
402}
403
404
405atf_init_test_cases()
406{
407	atf_add_test_case "source_track"
408	atf_add_test_case "kill"
409	atf_add_test_case "max_src_conn_rule"
410	atf_add_test_case "max_src_states_rule"
411	atf_add_test_case "max_src_states_global"
412	atf_add_test_case "route_to"
413}
414