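#-
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2019 Ahsan Barkati
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/runner.subr

# Build the topology shared by every NAT test in this file.  All addresses
# come from the RFC 5737 documentation ranges:
#
#   host (198.51.100.2) ---- nat jail (198.51.100.1 | 192.0.2.1 | 192.0.3.1)
#                                          |                    |
#                                 client1 (192.0.2.2)   client2 (192.0.3.2)
#
# Only the nat jail forwards.  The host is deliberately given no route back
# to the client networks, so an echo request that is forwarded without being
# translated gets no reply.  A client can therefore only reach the host once
# the nat jail rewrites the client's source address to its own outside
# address, which is exactly what the tests below assert.
#
# Sets the globals epair_host_nat, epair_client1_nat and epair_client2_nat
# that the callers use to build their firewall rules.
nat_topology_setup()
{
	epair_host_nat=$(vnet_mkepair)
	epair_client1_nat=$(vnet_mkepair)
	epair_client2_nat=$(vnet_mkepair)

	# One end of every epair lands in the nat jail; the other end is the
	# host (outside) or one of the client jails (inside).
	vnet_mkjail nat ${epair_host_nat}b ${epair_client1_nat}a ${epair_client2_nat}a
	vnet_mkjail client1 ${epair_client1_nat}b
	vnet_mkjail client2 ${epair_client2_nat}b

	ifconfig ${epair_host_nat}a 198.51.100.2/24 up
	jexec nat ifconfig ${epair_host_nat}b 198.51.100.1/24 up

	jexec nat ifconfig ${epair_client1_nat}a 192.0.2.1/24 up
	jexec client1 ifconfig ${epair_client1_nat}b 192.0.2.2/24 up

	jexec nat ifconfig ${epair_client2_nat}a 192.0.3.1/24 up
	jexec client2 ifconfig ${epair_client2_nat}b 192.0.3.2/24 up

	# Forwarding is enabled only in the nat jail; the host keeps no route
	# to 192.0.2.0/24 or 192.0.3.0/24 (see the comment above).
	jexec nat sysctl net.inet.ip.forwarding=1

	jexec client1 route add -net 198.51.100.0/24 192.0.2.1
	jexec client2 route add -net 198.51.100.0/24 192.0.3.1
}

# Assert that both clients get the given ping(8) exit status when sending a
# single echo request to the host: 0 means a reply came back, 2 is ping's
# "transmission succeeded but no response" status, i.e. the request was
# dropped or could not be answered.
nat_check_clients()
{
	status=$1

	atf_check -s exit:${status} -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2
	atf_check -s exit:${status} -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2
}

basic_head()
{
	atf_set descr 'Basic IPv4 NAT test'
	atf_set require.user root
}

# Kernel NAT for pf, ipfw and ipfilter.  $1 is the firewall under test, as
# passed in by the wrappers that setup_tests generates.
basic_body()
{
	firewall=$1
	firewall_init "${firewall}"
	nat_init "${firewall}"

	nat_topology_setup

	# Without any NAT rule the host cannot answer the clients.
	nat_check_clients 2

	# NOTE(review): the ipfw kernel-NAT rule matches every packet on every
	# interface, whereas the natd divert rule in userspace_nat_body is bound
	# to the outside interface with "via".  Kept as-is to preserve what
	# this test exercises; a production ruleset would normally scope the
	# nat rule to the outside interface as well.
	firewall_config nat "${firewall}" \
		"pf" \
			"nat pass on ${epair_host_nat}b inet from any to any -> (${epair_host_nat}b)" \
		"ipfw" \
			"ipfw -q nat 123 config if ${epair_host_nat}b" \
			"ipfw -q add 1000 nat 123 all from any to any" \
		"ipfnat" \
			"map ${epair_host_nat}b 192.0.3.0/24 -> 0/32" \
			"map ${epair_host_nat}b 192.0.2.0/24 -> 0/32"

	# Translated to the nat jail's outside address, the requests are now
	# answered.
	nat_check_clients 0
}

basic_cleanup()
{
	firewall=$1
	firewall_cleanup "${firewall}"
}

userspace_nat_head()
{
	atf_set descr 'Nat test for ipfw using userspace natd'
	atf_set require.user root
}

# Same topology, but translation is done by natd(8) fed through an ipfw
# divert rule instead of in-kernel NAT.  Only meaningful for ipfw.
userspace_nat_body()
{
	firewall=$1
	firewall_init "${firewall}"

	# natd receives packets over a divert(4) socket, so the divert rule
	# below has nothing to deliver to unless ipdivert is loaded.
	if ! kldstat -q -m ipdivert; then
		atf_skip "This test requires ipdivert module loaded"
	fi

	nat_topology_setup

	# Without any NAT rule the host cannot answer the clients.
	nat_check_clients 2

	# firewall_config is handed the nat jail, so natd is expected to run
	# inside it; the divert rule only diverts traffic crossing the outside
	# interface.
	firewall_config nat "${firewall}" \
		"ipfw" \
			"natd -interface ${epair_host_nat}b" \
			"ipfw -q add divert natd all from any to any via ${epair_host_nat}b"

	# Translated by natd, the requests are now answered.
	nat_check_clients 0
}

userspace_nat_cleanup()
{
	firewall=$1
	firewall_cleanup "${firewall}"
}

setup_tests \
	basic \
		pf \
		ipfw \
		ipfnat \
	userspace_nat \
		ipfw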