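#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# pf NAT tests: pool exhaustion and nested nat anchors.
# Shared jail/epair/pf helpers (pft_init, pft_set_rules, pft_cleanup,
# vnet_mkepair, vnet_mkjail) come from utils.subr.
. $(atf_get_srcdir)/utils.subr

atf_test_case "exhaust" "cleanup"
exhaust_head()
{
	atf_set descr 'Test exhausting the NAT pool'
	atf_set require.user root
}

# Topology:
#   host (192.0.2.2) --epair_nat-- [nat jail: 192.0.2.1 / 198.51.100.1]
#                                       --epair_echo-- [echo jail: 198.51.100.2]
# The nat jail forwards and NATs host traffic onto a two-port pool
# (30000:30001, sticky-address). Two connections use up the pool; a third
# must be refused rather than leave the kernel looping in pf_get_sport().
# The test's real assertion is that pfctl still responds afterwards.
exhaust_body()
{
	pft_init

	epair_nat=$(vnet_mkepair)
	epair_echo=$(vnet_mkepair)

	vnet_mkjail nat ${epair_nat}b ${epair_echo}a
	vnet_mkjail echo ${epair_echo}b

	ifconfig ${epair_nat}a 192.0.2.2/24 up
	route add -net 198.51.100.0/24 192.0.2.1

	jexec nat ifconfig ${epair_nat}b 192.0.2.1/24 up
	jexec nat ifconfig ${epair_echo}a 198.51.100.1/24 up
	jexec nat sysctl net.inet.ip.forwarding=1

	jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up
	# inetd's echo service (port 7) from echo_inetd.conf is the NAT target.
	jexec echo /usr/sbin/inetd -p inetd-echo.pid $(atf_get_srcdir)/echo_inetd.conf

	# Enable pf!
	jexec nat pfctl -e
	pft_set_rules nat \
		"nat pass on ${epair_echo}a inet from 192.0.2.0/24 to any -> (${epair_echo}a) port 30000:30001 sticky-address"

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 3 198.51.100.2

	# Fill the two-port pool with two echo round trips through the NAT.
	# The whole pipeline runs under atf_check (-x) so the exit status and
	# the "foo" match are checked against nc's output, i.e. the reply that
	# actually traversed the NAT. Writing `atf_check ... echo foo | nc ...`
	# would only assert on echo(1) and silently ignore nc's result.
	atf_check -s exit:0 -o match:foo -x 'echo foo | nc -N 198.51.100.2 7'
	atf_check -s exit:0 -o match:foo -x 'echo foo | nc -N 198.51.100.2 7'

	# This one will fail, but that's expected: both pool ports are in use.
	# It is backgrounded and deliberately not asserted on; pft_cleanup
	# tears down the path it is using.
	echo "foo" | nc -N 198.51.100.2 7 &

	sleep 1

	# If the kernel is stuck in pf_get_sport() this will not succeed either.
	# timeout(1) exits 124 when the command exceeded the limit; any other
	# pfctl failure is not what this test is about and is left alone.
	timeout 2 jexec nat pfctl -sa
	rc=$?
	if [ ${rc} -eq 124 ]; then
		# Timed out
		atf_fail "pfctl timeout"
	fi
}

exhaust_cleanup()
{
	# inetd itself dies with the echo jail in pft_cleanup; only its pid
	# file is left in the test's working directory.
	rm -f inetd-echo.pid
	pft_cleanup
}

atf_test_case "nested_anchor" "cleanup"
nested_anchor_head()
{
	atf_set descr 'Test setting and retrieving nested nat anchors'
	atf_set require.user root
}

# Load a nat rule into anchor "foo/bar" (two levels deep) and verify that
# `pfctl -sn -a "*"` prints the full nested tree back.
nested_anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)

	vnet_mkjail nat ${epair}a

	pft_set_rules nat \
		"nat-anchor \"foo\""

	# Create the inner anchor inside "foo", then put a rule in "foo/bar".
	echo "nat-anchor \"bar\"" | jexec nat pfctl -g -a foo -f -
	echo "nat on ${epair}a from any to any -> (${epair}a)" | jexec nat pfctl -g -a "foo/bar" -f -

	# The expected text must match pfctl's anchor printing byte for byte:
	# two spaces of indentation per nesting level, and "from any to any"
	# is rendered as "all" with the default "round-robin" pool option.
	atf_check -s exit:0 -o inline:"nat-anchor \"foo\" all {
  nat-anchor \"bar\" all {
    nat on ${epair}a all -> (${epair}a) round-robin
  }
}
" jexec nat pfctl -sn -a "*"

}

nested_anchor_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "exhaust"
	atf_add_test_case "nested_anchor"
}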