1# 2# SPDX-License-Identifier: BSD-2-Clause 3# 4# Copyright (c) 2024 Igor Ostapenko <pm@igoro.pro> 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26 27. $(atf_get_srcdir)/utils.subr 28 29# 30# The following network is used as a base for testing. 31# 32# 33# ${awan}b |----------| ${bwan}b 34# 2.0.0.1 | host wan | 3.0.0.1 35# .---->| Internet |<----. 36# A WAN | |----------| | B WAN 37# | | 38# Office A side | | Office B side 39# | ${awan}a ${bwan}a | 40# v 2.0.0.22 3.0.0.33 v 41# ${alan}b |----------| |----------| ${blan}b 42# 1.0.0.1 | host agw | | host bgw | 4.0.0.1 43# .----------->| gateway | < IPsec > | gateway |<-----------. 44# | A LAN |----------| tunnel |----------| B LAN | 45# | | 46# | | 47# | ${alan}a ${blan}a | 48# v 1.0.0.11 4.0.0.44 v 49# |----------| |----------| 50# | host a | | host b | 51# | client | | client | 52# |----------| |----------| 53# 54# 55# There is routing between office A clients and office B ones. The traffic is 56# encrypted, i.e. host wan should see IPsec flow (ESP packets). 57# 58 59ipsec_init() 60{ 61 if ! sysctl -q kern.features.ipsec >/dev/null ; then 62 atf_skip "This test requires ipsec" 63 fi 64} 65 66if_enc_init() 67{ 68 ipsec_init 69 if ! kldstat -q -m if_enc; then 70 atf_skip "This test requires if_enc" 71 fi 72} 73 74ipfw_init() 75{ 76 if ! kldstat -q -m ipfw; then 77 atf_skip "This test requires ipfw" 78 fi 79} 80 81assert_ipfw_is_off() 82{ 83 if kldstat -q -m ipfw; then 84 atf_skip "This test is for the case when ipfw is not loaded" 85 fi 86} 87 88build_test_network() 89{ 90 local ipfwon=$1 91 92 alan=$(vnet_mkepair) 93 awan=$(vnet_mkepair) 94 bwan=$(vnet_mkepair) 95 blan=$(vnet_mkepair) 96 97 # host a 98 vnet_mkjail a ${alan}a 99 jexec a ifconfig ${alan}a 1.0.0.11/24 up 100 jexec a route add default 1.0.0.1 101 test $ipfwon && jexec a ipfw add 65534 allow all from any to any 102 103 # host agw 104 vnet_mkjail agw ${alan}b ${awan}a 105 jexec agw ifconfig ${alan}b 1.0.0.1/24 up 106 jexec agw ifconfig ${awan}a 2.0.0.22/24 up 107 jexec agw route add default 2.0.0.1 108 jexec agw sysctl net.inet.ip.forwarding=1 109 test $ipfwon && jexec agw ipfw add 65534 allow all from any to any 110 111 # host wan 112 vnet_mkjail wan ${awan}b ${bwan}b 113 jexec wan ifconfig ${awan}b 2.0.0.1/24 up 114 jexec wan ifconfig ${bwan}b 3.0.0.1/24 up 115 jexec wan sysctl net.inet.ip.forwarding=1 116 test $ipfwon && jexec wan ipfw add 65534 allow all from any to any 117 118 # host bgw 119 vnet_mkjail bgw ${bwan}a ${blan}b 120 jexec bgw ifconfig ${bwan}a 3.0.0.33/24 up 121 jexec bgw ifconfig ${blan}b 4.0.0.1/24 up 122 jexec bgw route add default 3.0.0.1 123 jexec bgw sysctl net.inet.ip.forwarding=1 124 test $ipfwon && jexec bgw ipfw add 65534 allow all from any to any 125 126 # host b 127 vnet_mkjail b ${blan}a 128 jexec b ifconfig ${blan}a 4.0.0.44/24 up 129 jexec b route add default 4.0.0.1 130 test $ipfwon && jexec b ipfw add 65534 allow all from any to any 131 132 # Office A VPN setup 133 echo ' 134 spdadd 1.0.0.0/24 4.0.0.0/24 any -P out ipsec esp/tunnel/2.0.0.22-3.0.0.33/require; 135 spdadd 4.0.0.0/24 1.0.0.0/24 any -P in ipsec esp/tunnel/3.0.0.33-2.0.0.22/require; 136 add 2.0.0.22 3.0.0.33 esp 0x203 -E aes-gcm-16 "123456789012345678901234567890123456"; 137 add 3.0.0.33 2.0.0.22 esp 0x302 -E aes-gcm-16 "123456789012345678901234567890123456"; 138 ' | jexec agw setkey -c 139 140 # Office B VPN setup 141 echo ' 142 spdadd 4.0.0.0/24 1.0.0.0/24 any -P out ipsec esp/tunnel/3.0.0.33-2.0.0.22/require; 143 spdadd 1.0.0.0/24 4.0.0.0/24 any -P in ipsec esp/tunnel/2.0.0.22-3.0.0.33/require; 144 add 2.0.0.22 3.0.0.33 esp 0x203 -E aes-gcm-16 "123456789012345678901234567890123456"; 145 add 3.0.0.33 2.0.0.22 esp 0x302 -E aes-gcm-16 "123456789012345678901234567890123456"; 146 ' | jexec bgw setkey -c 147} 148 149atf_test_case "ipfwoff_ip4_pfil_in_after_stripping" "cleanup" 150ipfwoff_ip4_pfil_in_after_stripping_head() 151{ 152 atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header, with ipfw disabled' 153 atf_set require.user root 154 atf_set require.progs nc 155} 156ipfwoff_ip4_pfil_in_after_stripping_body() 157{ 158 local ipfwon 159 160 pft_init 161 if_enc_init 162 test "$1" == "ipfwon" && ipfwon="yes" 163 test $ipfwon && ipfw_init || assert_ipfw_is_off 164 165 build_test_network $ipfwon 166 167 # Sanity check 168 atf_check -s exit:0 -o ignore jexec a ping -c3 4.0.0.44 169 170 # Configure port forwarding on host bgw 171 jexec bgw ifconfig enc0 up 172 jexec bgw sysctl net.inet.ipsec.filtertunnel=0 173 jexec bgw sysctl net.enc.in.ipsec_filter_mask=2 # after stripping 174 jexec bgw sysctl net.enc.out.ipsec_filter_mask=1 # before outer header 175 jexec bgw pfctl -e 176 pft_set_rules bgw \ 177 "rdr on enc0 proto tcp to 4.0.0.1 port 666 -> 4.0.0.44" \ 178 "pass" 179 180 # Prepare the catcher on host b 181 echo "unexpected" > ./receiver 182 jexec b nc -n4l -N 666 > ./receiver & 183 nc_pid=$! 184 sleep 1 185 186 # Poke it from host a to host bgw 187 spell="Ak Ohum Oktay Weez Barsoom." 188 echo $spell | jexec a nc -w3 4.0.0.1 666 189 190 # Expect it to hit host b instead 191 sleep 1 # let the catcher finish 192 jexec b kill -KILL $nc_pid # in a fail case the catcher may listen forever 193 atf_check_equal "$spell" "$(cat ./receiver)" 194} 195ipfwoff_ip4_pfil_in_after_stripping_cleanup() 196{ 197 pft_cleanup 198} 199 200atf_test_case "ipfwon_ip4_pfil_in_after_stripping" "cleanup" 201ipfwon_ip4_pfil_in_after_stripping_head() 202{ 203 atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header, with ipfw enabled' 204 atf_set require.user root 205 atf_set require.progs nc 206} 207ipfwon_ip4_pfil_in_after_stripping_body() 208{ 209 ipfwoff_ip4_pfil_in_after_stripping_body "ipfwon" 210} 211ipfwon_ip4_pfil_in_after_stripping_cleanup() 212{ 213 pft_cleanup 214} 215 216atf_init_test_cases() 217{ 218 atf_add_test_case "ipfwoff_ip4_pfil_in_after_stripping" 219 atf_add_test_case "ipfwon_ip4_pfil_in_after_stripping" 220} 221