#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2024 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

atf_test_case "zero_id" "cleanup"
zero_id_head()
{
	atf_set descr 'Test ICMPv6 echo with ID 0 keep being blocked'
	atf_set require.user root
	atf_set require.progs scapy
}

zero_id_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    ping -c 1 2001:db8::1

	# Default deny; inbound, only neighbour solicitation (135) and
	# neighbour advertisement (136) are passed. Echo requests are not.
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set block-policy drop" \
		"antispoof quick for { egress ${epair}b }" \
		"block all" \
		"pass out" \
		"pass in quick inet6 proto IPV6-ICMP icmp6-type 135" \
		"pass in quick inet6 proto IPV6-ICMP icmp6-type 136" \
		"pass out quick inet6 proto IPV6 from self to any"

	# Now we can't ping
	atf_check -s exit:2 -o ignore \
	    ping -c 1 2001:db8::1

	# Force neighbour discovery
	ndp -d 2001:db8::1

	# Verify that we don't confuse echo request with ID 0 for neighbour discovery
	atf_check -s exit:1 -o ignore \
		${common_dir}/pft_ping.py \
		--sendif ${epair}a \
		--to 2001:db8::1 \
		--replyif ${epair}a

	# Dump states and rules (verbose) into the test log
	jexec alcatraz pfctl -ss -vv
	jexec alcatraz pfctl -sr -vv
}

zero_id_cleanup()
{
	pft_cleanup
}

atf_test_case "ttl_exceeded" "cleanup"
ttl_exceeded_head()
{
	atf_set descr 'Test that we correctly translate TTL exceeded back'
	atf_set require.user root
}

ttl_exceeded_body()
{
	pft_init

	# Topology: cl -- nat -- int -- srv
	# (2001:db8:3::/64, 2001:db8:2::/64, 2001:db8:1::/64)
	epair_srv=$(vnet_mkepair)
	epair_int=$(vnet_mkepair)
	epair_cl=$(vnet_mkepair)

	vnet_mkjail srv ${epair_srv}a
	jexec srv ifconfig ${epair_srv}a inet6 2001:db8:1::1/64 no_dad up
	jexec srv route add -6 default 2001:db8:1::2

	vnet_mkjail int ${epair_srv}b ${epair_int}a
	jexec int sysctl net.inet6.ip6.forwarding=1
	jexec int ifconfig ${epair_srv}b inet6 2001:db8:1::2/64 no_dad up
	jexec int ifconfig ${epair_int}a inet6 2001:db8:2::2/64 no_dad up

	vnet_mkjail nat ${epair_int}b ${epair_cl}b
	jexec nat ifconfig ${epair_int}b inet6 2001:db8:2::1 no_dad up
	jexec nat ifconfig ${epair_cl}b inet6 2001:db8:3::2/64 no_dad up
	jexec nat sysctl net.inet6.ip6.forwarding=1
	jexec nat route add -6 default 2001:db8:2::2

	vnet_mkjail cl ${epair_cl}a
	jexec cl ifconfig ${epair_cl}a inet6 2001:db8:3::1/64 no_dad up
	jexec cl route add -6 default 2001:db8:3::2

	jexec nat pfctl -e
	pft_set_rules nat \
		"nat on ${epair_int}b from 2001:db8:3::/64 -> (${epair_int}b:0)" \
		"pass"

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    jexec cl ping -c 1 2001:db8:3::2
	atf_check -s exit:0 -o ignore \
	    jexec cl ping -c 1 2001:db8:2::1
	atf_check -s exit:0 -o ignore \
	    jexec cl ping -c 1 2001:db8:2::2
	atf_check -s exit:0 -o ignore \
	    jexec cl ping -c 1 2001:db8:1::1

	# The traceroute6 output must list the intermediate router
	# (2001:db8:2::2), whose time exceeded error has to be translated
	# back through the NAT rule to reach the client.
	echo "UDP"
	atf_check -s exit:0 -e ignore -o match:".*2001:db8:2::2.*" \
	    jexec cl traceroute6 2001:db8:1::1
	# Flush states before the ICMP variant
	jexec nat pfctl -Fs

	echo "ICMP"
	atf_check -s exit:0 -e ignore -o match:".*2001:db8:2::2.*" \
	    jexec cl traceroute6 -I 2001:db8:1::1
}

ttl_exceeded_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "zero_id"
	atf_add_test_case "ttl_exceeded"
}