xref: /freebsd/tests/sys/netinet/libalias/2_natout.c (revision 35c0a8c449fd2b7f75029ebed5e10852240f0865)
1 /*
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright 2021 Lutz Donnerhacke
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above
13  *    copyright notice, this list of conditions and the following
14  *    disclaimer in the documentation and/or other materials provided
15  *    with the distribution.
16  * 3. Neither the name of the copyright holder nor the names of its
17  *    contributors may be used to endorse or promote products derived
18  *    from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
21  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
22  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
23  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
25  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
26  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
27  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
29  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
30  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
31  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 #include <atf-c.h>
35 #include <alias.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38 
39 #include "util.h"
40 
41 ATF_TC_WITHOUT_HEAD(1_simplemasq);
42 ATF_TC_BODY(1_simplemasq, dummy)
43 {
44 	struct libalias *la = LibAliasInit(NULL);
45 	struct ip *pip;
46 
47 	ATF_REQUIRE(la != NULL);
48 	LibAliasSetAddress(la, masq);
49 	LibAliasSetMode(la, 0, ~0);
50 
51 	pip = ip_packet(254, 64);
52 	NAT_CHECK(pip, prv1, ext, masq);
53 	NAT_CHECK(pip, prv2, ext, masq);
54 	NAT_CHECK(pip, prv3, ext, masq);
55 	NAT_CHECK(pip, cgn,  ext, masq);
56 	NAT_CHECK(pip, pub,  ext, masq);
57 
58 	free(pip);
59 	LibAliasUninit(la);
60 }
61 
62 ATF_TC_WITHOUT_HEAD(2_unregistered);
63 ATF_TC_BODY(2_unregistered, dummy)
64 {
65 	struct libalias *la = LibAliasInit(NULL);
66 	struct ip *pip;
67 
68 	ATF_REQUIRE(la != NULL);
69 	LibAliasSetAddress(la, masq);
70 	LibAliasSetMode(la, PKT_ALIAS_UNREGISTERED_ONLY, ~0);
71 
72 	pip = ip_packet(254, 64);
73 	NAT_CHECK(pip, prv1, ext, masq);
74 	NAT_CHECK(pip, prv2, ext, masq);
75 	NAT_CHECK(pip, prv3, ext, masq);
76 	NAT_CHECK(pip, cgn,  ext, cgn);
77 	NAT_CHECK(pip, pub,  ext, pub);
78 
79 	/*
80 	 * State is only for new connections
81 	 * Because they are now active,
82 	 * the mode setting should be ignored
83 	 */
84 	LibAliasSetMode(la, 0, PKT_ALIAS_UNREGISTERED_ONLY);
85 	NAT_CHECK(pip, prv1, ext, masq);
86 	NAT_CHECK(pip, prv2, ext, masq);
87 	NAT_CHECK(pip, prv3, ext, masq);
88 	NAT_CHECK(pip, cgn,  ext, cgn);
89 	NAT_CHECK(pip, pub,  ext, pub);
90 
91 	free(pip);
92 	LibAliasUninit(la);
93 }
94 
95 ATF_TC_WITHOUT_HEAD(3_cgn);
96 ATF_TC_BODY(3_cgn, dummy)
97 {
98 	struct libalias *la = LibAliasInit(NULL);
99 	struct ip *pip;
100 
101 	ATF_REQUIRE(la != NULL);
102 	LibAliasSetAddress(la, masq);
103 	LibAliasSetMode(la, PKT_ALIAS_UNREGISTERED_CGN, ~0);
104 
105 	pip = ip_packet(254, 64);
106 	NAT_CHECK(pip, prv1, ext, masq);
107 	NAT_CHECK(pip, prv2, ext, masq);
108 	NAT_CHECK(pip, prv3, ext, masq);
109 	NAT_CHECK(pip, cgn,  ext, masq);
110 	NAT_CHECK(pip, pub,  ext, pub);
111 
112 	/*
113 	 * State is only for new connections
114 	 * Because they are now active,
115 	 * the mode setting should be ignored
116 	 */
117 	LibAliasSetMode(la, 0, PKT_ALIAS_UNREGISTERED_CGN);
118 	NAT_CHECK(pip, prv1, ext, masq);
119 	NAT_CHECK(pip, prv2, ext, masq);
120 	NAT_CHECK(pip, prv3, ext, masq);
121 	NAT_CHECK(pip, cgn,  ext, masq);
122 	NAT_CHECK(pip, pub,  ext, pub);
123 
124 	free(pip);
125 	LibAliasUninit(la);
126 }
127 
128 ATF_TC_WITHOUT_HEAD(4_udp);
129 ATF_TC_BODY(4_udp, dummy)
130 {
131 	struct libalias *la = LibAliasInit(NULL);
132 	struct ip  *po, *pi;
133 	struct udphdr *ui, *uo;
134 	uint16_t sport = 0x1234;
135 	uint16_t dport = 0x5678;
136 	uint16_t aport;
137 
138 	ATF_REQUIRE(la != NULL);
139 	LibAliasSetAddress(la, masq);
140 	LibAliasSetMode(la, 0, ~0);
141 
142 	/* Query from prv1 */
143 	po = ip_packet(0, 64);
144 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
145 	aport = ntohs(uo->uh_sport);
146 	/* should use a different external port */
147 	ATF_CHECK(aport != sport);
148 
149 	/* Response */
150 	pi = ip_packet(0, 64);
151 	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, aport, prv1, sport);
152 
153 	/* Query from different source with same ports */
154 	UDP_NAT_CHECK(po, uo, prv2, sport, ext, dport, masq);
155 	/* should use a different external port */
156 	ATF_CHECK(uo->uh_sport != htons(aport));
157 
158 	/* Response to prv2 */
159 	ui->uh_dport = uo->uh_sport;
160 	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, htons(uo->uh_sport), prv2, sport);
161 
162 	/* Response to prv1 again */
163 	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, aport, prv1, sport);
164 
165 	free(pi);
166 	free(po);
167 	LibAliasUninit(la);
168 }
169 
170 ATF_TC_WITHOUT_HEAD(5_sameport);
171 ATF_TC_BODY(5_sameport, dummy)
172 {
173 	struct libalias *la = LibAliasInit(NULL);
174 	struct ip  *p;
175 	struct udphdr *u;
176 	uint16_t sport = 0x1234;
177 	uint16_t dport = 0x5678;
178 	uint16_t aport;
179 
180 	ATF_REQUIRE(la != NULL);
181 	LibAliasSetAddress(la, masq);
182 	LibAliasSetMode(la, PKT_ALIAS_SAME_PORTS, ~0);
183 
184 	/* Query from prv1 */
185 	p = ip_packet(0, 64);
186 	UDP_NAT_CHECK(p, u, prv1, sport, ext, dport, masq);
187 	aport = ntohs(u->uh_sport);
188 	/* should use the same external port */
189 	ATF_CHECK(aport == sport);
190 
191 	/* Query from different source with same ports */
192 	UDP_NAT_CHECK(p, u, prv2, sport, ext, dport, masq);
193 	/* should use a different external port */
194 	ATF_CHECK(u->uh_sport != htons(aport));
195 
196 	free(p);
197 	LibAliasUninit(la);
198 }
199 
200 ATF_TC_WITHOUT_HEAD(6_cleartable);
201 ATF_TC_BODY(6_cleartable, dummy)
202 {
203 	struct libalias *la = LibAliasInit(NULL);
204 	struct ip  *po, *pi;
205 	struct udphdr *ui __unused, *uo;
206 	uint16_t sport = 0x1234;
207 	uint16_t dport = 0x5678;
208 	uint16_t aport;
209 
210 	ATF_REQUIRE(la != NULL);
211 	LibAliasSetAddress(la, masq);
212 	LibAliasSetMode(la, PKT_ALIAS_RESET_ON_ADDR_CHANGE, ~0);
213 	LibAliasSetMode(la, PKT_ALIAS_SAME_PORTS, PKT_ALIAS_SAME_PORTS);
214 	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
215 
216 	/* Query from prv1 */
217 	po = ip_packet(0, 64);
218 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
219 	aport = ntohs(uo->uh_sport);
220 	/* should use the same external port */
221 	ATF_CHECK(aport == sport);
222 
223 	/* Response */
224 	pi = ip_packet(0, 64);
225 	UDP_UNNAT_CHECK(po, uo, ext, dport, masq, aport, prv1, sport);
226 
227 	/* clear table by keeping the address */
228 	LibAliasSetAddress(la, ext);
229 	LibAliasSetAddress(la, masq);
230 
231 	/* Response to prv1 again -> DENY_INCOMING */
232 	UDP_UNNAT_FAIL(pi, ui, ext, dport, masq, aport);
233 
234 	/* Query from different source with same ports */
235 	UDP_NAT_CHECK(po, uo, prv2, sport, ext, dport, masq);
236 	/* should use the same external port, because it's free */
237 	ATF_CHECK(uo->uh_sport == htons(aport));
238 
239 	/* Response to prv2 */
240 	UDP_UNNAT_CHECK(po, uo, ext, dport, masq, htons(uo->uh_sport), prv2, sport);
241 
242 	free(pi);
243 	free(po);
244 	LibAliasUninit(la);
245 }
246 
247 ATF_TC_WITHOUT_HEAD(7_stress);
248 ATF_TC_BODY(7_stress, dummy)
249 {
250 	struct libalias *la = LibAliasInit(NULL);
251 	struct ip *p;
252 	struct udphdr *u;
253 	struct {
254 		struct in_addr src, dst;
255 		uint16_t sport, dport, aport;
256 	} *batch;
257 	size_t const batch_size = 1200;
258 	size_t const rounds = 25;
259 	size_t i, j;
260 
261 	ATF_REQUIRE(la != NULL);
262 	LibAliasSetAddress(la, masq);
263 
264 	p = ip_packet(0, 64);
265 
266 	batch = calloc(batch_size, sizeof(*batch));
267 	ATF_REQUIRE(batch != NULL);
268 	for (j = 0; j < rounds; j++) {
269 		for (i = 0; i < batch_size; i++) {
270 			struct in_addr s, d;
271 			switch (i&3) {
272 			case 0: s = prv1; d = ext; break;
273 			case 1: s = prv2; d = pub; break;
274 			case 2: s = prv3; d = ext; break;
275 			case 3: s = cgn;  d = pub; break;
276 			}
277 			s.s_addr &= htonl(0xffff0000);
278 			d.s_addr &= htonl(0xffff0000);
279 			batch[i].src.s_addr = s.s_addr | htonl(rand_range(0, 0xffff));
280 			batch[i].dst.s_addr = d.s_addr | htonl(rand_range(0, 0xffff));
281 			batch[i].sport = rand_range(1000, 60000);
282 			batch[i].dport = rand_range(1000, 60000);
283 		}
284 
285 		for (i = 0; i < batch_size; i++) {
286 			UDP_NAT_CHECK(p, u,
287 			    batch[i].src, batch[i].sport,
288 			    batch[i].dst, batch[i].dport,
289 			    masq);
290 			batch[i].aport = htons(u->uh_sport);
291 		}
292 
293 		qsort(batch, batch_size, sizeof(*batch), randcmp);
294 
295 		for (i = 0; i < batch_size; i++) {
296 			UDP_UNNAT_CHECK(p, u,
297 			    batch[i].dst,  batch[i].dport,
298 			    masq, batch[i].aport,
299 			    batch[i].src, batch[i].sport);
300 		}
301 	}
302 
303 	free(batch);
304 	free(p);
305 	LibAliasUninit(la);
306 }
307 
308 ATF_TC_WITHOUT_HEAD(8_portrange);
309 ATF_TC_BODY(8_portrange, dummy)
310 {
311 	struct libalias *la = LibAliasInit(NULL);
312 	struct ip  *po;
313 	struct udphdr *uo;
314 	uint16_t sport = 0x1234;
315 	uint16_t dport = 0x5678;
316 	uint16_t aport;
317 
318 	ATF_REQUIRE(la != NULL);
319 	LibAliasSetAddress(la, masq);
320 	LibAliasSetMode(la, 0, ~0);
321 	po = ip_packet(0, 64);
322 
323 	LibAliasSetAliasPortRange(la, 0, 0); /* reinit like ipfw */
324 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
325 	aport = ntohs(uo->uh_sport);
326 	ATF_CHECK(aport >= 0x8000);
327 
328 	/* Different larger range */
329 	LibAliasSetAliasPortRange(la, 2000, 3000);
330 	dport++;
331 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
332 	aport = ntohs(uo->uh_sport);
333 	ATF_CHECK(aport >= 2000 && aport < 3000);
334 
335 	/* Different small range (contains two ports) */
336 	LibAliasSetAliasPortRange(la, 4000, 4001);
337 	dport++;
338 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
339 	aport = ntohs(uo->uh_sport);
340 	ATF_CHECK(aport >= 4000 && aport <= 4001);
341 
342 	sport++;
343 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
344 	aport = ntohs(uo->uh_sport);
345 	ATF_CHECK(aport >= 4000 && aport <= 4001);
346 
347 	/* Third port not available in the range */
348 	sport++;
349 	UDP_NAT_FAIL(po, uo, prv1, sport, ext, dport);
350 
351 	/* Back to normal */
352 	LibAliasSetAliasPortRange(la, 0, 0);
353 	dport++;
354 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
355 	aport = ntohs(uo->uh_sport);
356 	ATF_CHECK(aport >= 0x8000);
357 
358 	free(po);
359 	LibAliasUninit(la);
360 }
361 
362 ATF_TC_WITHOUT_HEAD(9_udp_eim_mapping);
363 ATF_TC_BODY(9_udp_eim_mapping, dummy)
364 {
365 	struct libalias *la = LibAliasInit(NULL);
366 	struct ip  *po, *po2, *po3;
367 	struct udphdr *uo, *uo2, *uo3;
368 	uint16_t sport = 0x1234;
369 	uint16_t dport = 0x5678;
370 	uint16_t dport2 = 0x6789;
371 	uint16_t aport, aport2, aport3;
372 
373 	ATF_REQUIRE(la != NULL);
374 	LibAliasSetAddress(la, masq);
375 	LibAliasSetMode(la, PKT_ALIAS_UDP_EIM, ~0);
376 
377 	po = ip_packet(0, 64);
378 	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
379 	aport = ntohs(uo->uh_sport);
380 
381 	/* Change of dst port shouldn't change alias port */
382 	po2 = ip_packet(0, 64);
383 	UDP_NAT_CHECK(po2, uo2, prv1, sport, ext, dport2, masq);
384 	aport2 = ntohs(uo2->uh_sport);
385 	ATF_CHECK_EQ_MSG(aport, aport2,
386 	    "NAT uses address- and port-dependent mapping (%uh -> %uh)",
387 	    aport, aport2);
388 
389 	/* Change of dst address shouldn't change alias port */
390 	po3 = ip_packet(0, 64);
391 	UDP_NAT_CHECK(po3, uo3, prv1, sport, pub, dport, masq);
392 	aport3 = ntohs(uo3->uh_sport);
393 	ATF_CHECK_EQ_MSG(aport, aport3, "NAT uses address-dependent mapping");
394 
395 	free(po);
396 	free(po2);
397 	free(po3);
398 	LibAliasUninit(la);
399 }
400 
401 ATF_TC_WITHOUT_HEAD(10_udp_eim_out_in);
402 ATF_TC_BODY(10_udp_eim_out_in, dummy)
403 {
404 	struct libalias *la = LibAliasInit(NULL);
405 	struct ip *po, *po2, *po3;
406 	struct udphdr *uo, *uo2, *uo3;
407 	uint16_t sport = 0x1234;
408 	uint16_t dport = 0x5678;
409 	uint16_t dport2 = 0x6789;
410 	uint16_t aport;
411 
412 	ATF_REQUIRE(la != NULL);
413 	LibAliasSetAddress(la, masq);
414 	LibAliasSetMode(la, PKT_ALIAS_UDP_EIM, ~0);
415 
416 	po = ip_packet(0, 64);
417 	UDP_NAT_CHECK(po, uo, prv1, sport, pub, dport, masq);
418 	aport = ntohs(uo->uh_sport);
419 
420 	/* Accepts inbound packets from different port */
421 	po2 = ip_packet(0, 64);
422 	UDP_UNNAT_CHECK(po2, uo2, pub, dport2, masq, aport, prv1, sport);
423 
424 	/* Accepts inbound packets from differerent host and port */
425 	po3 = ip_packet(0, 64);
426 	UDP_UNNAT_CHECK(po3, uo3, pub2, dport2, masq, aport, prv1, sport);
427 
428 	free(po);
429 	free(po2);
430 	free(po3);
431 	LibAliasUninit(la);
432 }
433 
434 ATF_TC_WITHOUT_HEAD(11_udp_eim_with_deny_incoming);
435 ATF_TC_BODY(11_udp_eim_with_deny_incoming, dummy)
436 {
437 	struct libalias *la = LibAliasInit(NULL);
438 	struct ip *po, *po2, *po3, *po4;
439 	struct udphdr *uo;
440 	uint16_t sport = 0x1234;
441 	uint16_t dport = 0x5678;
442 	uint16_t dport2 = 0x6789;
443 	uint16_t aport;
444 	int ret;
445 
446 	ATF_REQUIRE(la != NULL);
447 	LibAliasSetAddress(la, masq);
448 	LibAliasSetMode(la,
449 	    PKT_ALIAS_UDP_EIM | PKT_ALIAS_DENY_INCOMING,
450 	    ~0);
451 
452 	po = ip_packet(0, 64);
453 	UDP_NAT_CHECK(po, uo, prv1, sport, pub, dport, masq);
454 	aport = ntohs(uo->uh_sport);
455 
456 	po2 = ip_packet(0, 64);
457 	po2->ip_src = pub;
458 	po2->ip_dst = masq;
459 	set_udp(po2, dport, aport);
460 	ret = LibAliasIn(la, po2, 64);
461 	ATF_CHECK_EQ_MSG(PKT_ALIAS_OK, ret,
462 	    "LibAliasIn failed with error %d\n", ret);
463 
464 	po3 = ip_packet(0, 64);
465 	po3->ip_src = pub;
466 	po3->ip_dst = masq;
467 	set_udp(po3, dport2, aport);
468 	ret = LibAliasIn(la, po3, 64);
469 	ATF_CHECK_EQ_MSG(PKT_ALIAS_IGNORED, ret,
470 	    "incoming packet from different port not ignored "
471 	    "with PKT_ALIAS_DENY_INCOMING");
472 
473 	po4 = ip_packet(0, 64);
474 	po4->ip_src = pub2;
475 	po4->ip_dst = masq;
476 	set_udp(po4, dport2, aport);
477 	ret = LibAliasIn(la, po4, 64);
478 	ATF_CHECK_EQ_MSG(PKT_ALIAS_IGNORED, ret,
479 	    "incoming packet from different address and port not ignored "
480 	    "with PKT_ALIAS_DENY_INCOMING");
481 
482 	free(po);
483 	free(po2);
484 	free(po3);
485 	free(po4);
486 	LibAliasUninit(la);
487 }
488 
489 ATF_TC_WITHOUT_HEAD(12_udp_eim_hairpinning);
490 ATF_TC_BODY(12_udp_eim_hairpinning, dummy)
491 {
492 	struct libalias *la = LibAliasInit(NULL);
493 	struct ip *po, *po2, *po3;
494 	struct udphdr *uo, *uo2, *uo3;
495 	uint16_t sport1 = 0x1234;
496 	uint16_t sport2 = 0x2345;
497 	uint16_t dport = 0x5678;
498 	uint16_t extport1, extport2;
499 
500 	ATF_REQUIRE(la != NULL);
501 	LibAliasSetAddress(la, masq);
502 	LibAliasSetMode(la, PKT_ALIAS_UDP_EIM, ~0);
503 
504 	/* prv1 sends out somewhere (eg. a STUN server) */
505 	po = ip_packet(0, 64);
506 	UDP_NAT_CHECK(po, uo, prv1, sport1, pub, dport, masq);
507 	extport1 = ntohs(uo->uh_sport);
508 
509 	/* prv2, behind the same NAT as prv1, also sends out somewhere */
510 	po2 = ip_packet(0, 64);
511 	UDP_NAT_CHECK(po2, uo2, prv2, sport2, pub, dport, masq);
512 	extport2 = ntohs(uo2->uh_sport);
513 
514 	/* hairpin: prv1 sends to prv2's external NAT mapping
515 	 * (unaware it could address it internally instead).
516 	 */
517 	po3 = ip_packet(0, 64);
518 	UDP_NAT_CHECK(po3, uo3, prv1, sport1, masq, extport2, masq);
519 	UDP_UNNAT_CHECK(po3, uo3, masq, extport1, masq, extport2,
520 	    prv2, sport2);
521 
522 	free(po);
523 	free(po2);
524 	free(po3);
525 	LibAliasUninit(la);
526 }
527 
528 ATF_TP_ADD_TCS(natout)
529 {
530 	/* Use "dd if=/dev/random bs=2 count=1 | od -x" to reproduce */
531 	srand(0x0b61);
532 
533 	ATF_TP_ADD_TC(natout, 1_simplemasq);
534 	ATF_TP_ADD_TC(natout, 2_unregistered);
535 	ATF_TP_ADD_TC(natout, 3_cgn);
536 	ATF_TP_ADD_TC(natout, 4_udp);
537 	ATF_TP_ADD_TC(natout, 5_sameport);
538 	ATF_TP_ADD_TC(natout, 6_cleartable);
539 	ATF_TP_ADD_TC(natout, 7_stress);
540 	ATF_TP_ADD_TC(natout, 8_portrange);
541 	ATF_TP_ADD_TC(natout, 9_udp_eim_mapping);
542 	ATF_TP_ADD_TC(natout, 10_udp_eim_out_in);
543 	ATF_TP_ADD_TC(natout, 11_udp_eim_with_deny_incoming);
544 	ATF_TP_ADD_TC(natout, 12_udp_eim_hairpinning);
545 
546 	return atf_no_error();
547 }
548