1239e24ebSIgor Ostapenko#
2239e24ebSIgor Ostapenko# SPDX-License-Identifier: BSD-2-Clause
3239e24ebSIgor Ostapenko#
4239e24ebSIgor Ostapenko# Copyright (c) 2024 Igor Ostapenko <pm@igoro.pro>
5239e24ebSIgor Ostapenko#
6239e24ebSIgor Ostapenko# Redistribution and use in source and binary forms, with or without
7239e24ebSIgor Ostapenko# modification, are permitted provided that the following conditions
8239e24ebSIgor Ostapenko# are met:
9239e24ebSIgor Ostapenko# 1. Redistributions of source code must retain the above copyright
10239e24ebSIgor Ostapenko#    notice, this list of conditions and the following disclaimer.
11239e24ebSIgor Ostapenko# 2. Redistributions in binary form must reproduce the above copyright
12239e24ebSIgor Ostapenko#    notice, this list of conditions and the following disclaimer in the
13239e24ebSIgor Ostapenko#    documentation and/or other materials provided with the distribution.
14239e24ebSIgor Ostapenko#
15239e24ebSIgor Ostapenko# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16239e24ebSIgor Ostapenko# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17239e24ebSIgor Ostapenko# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18239e24ebSIgor Ostapenko# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19239e24ebSIgor Ostapenko# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20239e24ebSIgor Ostapenko# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21239e24ebSIgor Ostapenko# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22239e24ebSIgor Ostapenko# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23239e24ebSIgor Ostapenko# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24239e24ebSIgor Ostapenko# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25239e24ebSIgor Ostapenko# SUCH DAMAGE.
26239e24ebSIgor Ostapenko
27239e24ebSIgor Ostapenko. $(atf_get_srcdir)/utils.subr
28239e24ebSIgor Ostapenko
29239e24ebSIgor Ostapenko#
30239e24ebSIgor Ostapenko# The following network is used as a base for testing.
31239e24ebSIgor Ostapenko#
32239e24ebSIgor Ostapenko#
33239e24ebSIgor Ostapenko#                      ${awan}b |----------| ${bwan}b
34239e24ebSIgor Ostapenko#                       2.0.0.1 | host wan | 3.0.0.1
35239e24ebSIgor Ostapenko#                         .---->| Internet |<----.
36239e24ebSIgor Ostapenko#                   A WAN |     |----------|     | B WAN
37239e24ebSIgor Ostapenko#                         |                      |
38239e24ebSIgor Ostapenko#  Office A side          |                      |            Office B side
39239e24ebSIgor Ostapenko#                         | ${awan}a    ${bwan}a |
40239e24ebSIgor Ostapenko#                         v 2.0.0.22    3.0.0.33 v
41239e24ebSIgor Ostapenko#           ${alan}b |----------|           |----------| ${blan}b
42239e24ebSIgor Ostapenko#            1.0.0.1 | host agw |           | host bgw | 4.0.0.1
43239e24ebSIgor Ostapenko#       .----------->| gateway  | < IPsec > | gateway  |<-----------.
44239e24ebSIgor Ostapenko#       | A LAN      |----------|   tunnel  |----------|      B LAN |
45239e24ebSIgor Ostapenko#       |                                                           |
46239e24ebSIgor Ostapenko#       |                                                           |
47239e24ebSIgor Ostapenko#       | ${alan}a                                         ${blan}a |
48239e24ebSIgor Ostapenko#       v 1.0.0.11                                         4.0.0.44 v
49239e24ebSIgor Ostapenko#  |----------|                                                |----------|
50239e24ebSIgor Ostapenko#  |  host a  |                                                |  host b  |
51239e24ebSIgor Ostapenko#  |  client  |                                                |  client  |
52239e24ebSIgor Ostapenko#  |----------|                                                |----------|
53239e24ebSIgor Ostapenko#
54239e24ebSIgor Ostapenko#
# Office A clients and office B clients reach each other through the two
# gateways, whose SPD entries "require" tunnel-mode ESP for that traffic: host
# wan should therefore see the A<->B LAN traffic only as IPsec (ESP) packets.
57239e24ebSIgor Ostapenko#
58239e24ebSIgor Ostapenko
ipsec_init()
{
	# Skip the test case unless the running kernel advertises IPsec support
	# through the kern.features.ipsec sysctl (-q keeps the probe quiet).
	sysctl -q kern.features.ipsec >/dev/null || atf_skip "This test requires ipsec"
}
65239e24ebSIgor Ostapenko
if_enc_init()
{
	# if_enc(4) is only meaningful with IPsec, so that prerequisite is
	# checked first.
	ipsec_init
	# Then require the if_enc module to be present in the kernel.
	kldstat -q -m if_enc || atf_skip "This test requires if_enc"
}
73239e24ebSIgor Ostapenko
build_test_network_vpn()
{
	# Install the IPsec policy and keys on gateway jail $1.
	#   $2: local LAN prefix    $3: remote LAN prefix
	#   $4: local WAN address   $5: remote WAN address
	# Both gateways get the same pair of SAs (one per direction, SPIs 0x203
	# and 0x302); only the SPD direction is swapped. "require" means matching
	# traffic is never passed in the clear.
	# Security note: a fixed, publicly visible key and static SPIs are fine
	# for this isolated vnet topology but must never be copied into a real
	# deployment; production tunnels get fresh keys from IKE. The 36-byte
	# value is, per setkey(8), a 256-bit AES key followed by the 4-byte
	# GCM salt.
	local gw lan_local lan_remote wan_local wan_remote key
	gw=$1
	lan_local=$2
	lan_remote=$3
	wan_local=$4
	wan_remote=$5
	key="123456789012345678901234567890123456"

	jexec ${gw} setkey -c <<-EOF
		spdadd ${lan_local} ${lan_remote} any -P out ipsec esp/tunnel/${wan_local}-${wan_remote}/require;
		spdadd ${lan_remote} ${lan_local} any -P in  ipsec esp/tunnel/${wan_remote}-${wan_local}/require;
		add 2.0.0.22 3.0.0.33 esp 0x203 -E aes-gcm-16 "${key}";
		add 3.0.0.33 2.0.0.22 esp 0x302 -E aes-gcm-16 "${key}";
	EOF
}

build_test_network()
{
	# Create the four links of the diagram above; the epair names stay in
	# the globals alan/awan/bwan/blan for anything that runs after us.
	alan=$(vnet_mkepair)
	awan=$(vnet_mkepair)
	bwan=$(vnet_mkepair)
	blan=$(vnet_mkepair)

	# Office A client: one LAN interface, default route via agw.
	vnet_mkjail a ${alan}a
	jexec a ifconfig ${alan}a 1.0.0.11/24 up
	jexec a route add default 1.0.0.1

	# Office A gateway: LAN side plus WAN side, default route via host wan.
	vnet_mkjail agw ${alan}b ${awan}a
	jexec agw ifconfig ${alan}b 1.0.0.1/24 up
	jexec agw ifconfig ${awan}a 2.0.0.22/24 up
	jexec agw route add default 2.0.0.1

	# "Internet": the router between the two WAN links. It should see the
	# A<->B LAN traffic only as ESP.
	vnet_mkjail wan ${awan}b ${bwan}b
	jexec wan ifconfig ${awan}b 2.0.0.1/24 up
	jexec wan ifconfig ${bwan}b 3.0.0.1/24 up

	# Office B gateway, mirror image of agw.
	vnet_mkjail bgw ${bwan}a ${blan}b
	jexec bgw ifconfig ${bwan}a 3.0.0.33/24 up
	jexec bgw ifconfig ${blan}b 4.0.0.1/24 up
	jexec bgw route add default 3.0.0.1

	# Office B client, mirror image of host a.
	vnet_mkjail b ${blan}a
	jexec b ifconfig ${blan}a 4.0.0.44/24 up
	jexec b route add default 4.0.0.1

	# Every host in the middle forwards IPv4 between its interfaces.
	for fwd in agw wan bgw; do
		jexec ${fwd} sysctl net.inet.ip.forwarding=1
	done

	# Manually keyed tunnel-mode ESP between the two gateways.
	build_test_network_vpn agw 1.0.0.0/24 4.0.0.0/24 2.0.0.22 3.0.0.33
	build_test_network_vpn bgw 4.0.0.0/24 1.0.0.0/24 3.0.0.33 2.0.0.22
}
127239e24ebSIgor Ostapenko
atf_test_case "ip4_pfil_in_after_stripping" "cleanup"
ip4_pfil_in_after_stripping_head()
{
	# Jails, vnet, pf and setkey all need root; nc(1) is the TCP probe.
	atf_set require.user root
	atf_set require.progs nc
	atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header'
}
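ip4_pfil_in_after_stripping_body()
{
	pft_init
	if_enc_init

	build_test_network

	# Sanity check: the tunnel must carry LAN-to-LAN traffic before pf gets
	# involved, otherwise a later failure would say nothing about pf.
	atf_check -s exit:0 -o ignore jexec a ping -c3 4.0.0.44

	# Configure port forwarding on host bgw. With filtertunnel off, pf sees
	# the decrypted traffic on enc0: the inbound hook is placed after the
	# outer IP/ESP header has been stripped (mask 2) and the outbound hook
	# before the outer header is added (mask 1). Per the test description,
	# the inbound spot is where the mbuf with m_len==0 shows up. TCP port
	# 666 on the gateway's own LAN address is redirected to host b; "pass"
	# keeps the ruleset otherwise permissive so only the rdr path is under
	# test.
	jexec bgw ifconfig enc0 up
	jexec bgw sysctl net.inet.ipsec.filtertunnel=0
	jexec bgw sysctl net.enc.in.ipsec_filter_mask=2		# after stripping
	jexec bgw sysctl net.enc.out.ipsec_filter_mask=1	# before outer header
	jexec bgw pfctl -e
	pft_set_rules bgw \
		"rdr on enc0 proto tcp to 4.0.0.1 port 666 -> 4.0.0.44" \
		"pass"

	# Prepare the catcher on host b: an IPv4-only listener with no DNS
	# lookups (-n4l) that shuts the socket down on EOF (-N) and writes what
	# it receives to ./receiver. Note that the redirect truncates ./receiver
	# as soon as nc starts, so a failed run is compared against an empty
	# file rather than the "unexpected" sentinel; either way it mismatches.
	echo "unexpected" > ./receiver
	jexec b nc -n4l -N 666 > ./receiver &
	nc_pid=$!
	sleep 1

	# Poke bgw's LAN address from host a: the payload crosses the tunnel,
	# is decrypted on bgw and is expected to be redirected to host b by pf.
	# $spell is quoted so it reaches nc exactly as written (no word
	# splitting or globbing on its way through echo).
	spell="Ak Ohum Oktay Weez Barsoom."
	echo "$spell" | jexec a nc -w3 4.0.0.1 666

	# Expect it to hit host b instead
	sleep 1				# let the catcher finish
	jexec b kill -KILL $nc_pid	# in a fail case the catcher may listen forever
	atf_check_equal "$spell" "$(cat ./receiver)"
}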
ip4_pfil_in_after_stripping_cleanup()
{
	# Tear down the jails, epairs and pf state the body created; pft_cleanup
	# presumably comes from the sourced utils.subr.
	pft_cleanup
}
174239e24ebSIgor Ostapenko
atf_init_test_cases()
{
	# Register the single test case defined in this file.
	atf_add_test_case "ip4_pfil_in_after_stripping"
}
179