10656a680SKristof Provost# 20656a680SKristof Provost# SPDX-License-Identifier: BSD-2-Clause 30656a680SKristof Provost# 40656a680SKristof Provost# Copyright (c) 2024 Rubicon Communications, LLC (Netgate) 50656a680SKristof Provost# 60656a680SKristof Provost# Redistribution and use in source and binary forms, with or without 70656a680SKristof Provost# modification, are permitted provided that the following conditions 80656a680SKristof Provost# are met: 90656a680SKristof Provost# 1. Redistributions of source code must retain the above copyright 100656a680SKristof Provost# notice, this list of conditions and the following disclaimer. 110656a680SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 120656a680SKristof Provost# notice, this list of conditions and the following disclaimer in the 130656a680SKristof Provost# documentation and/or other materials provided with the distribution. 140656a680SKristof Provost# 150656a680SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 160656a680SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 170656a680SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 180656a680SKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 190656a680SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 200656a680SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 210656a680SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 220656a680SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 230656a680SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 240656a680SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 250656a680SKristof Provost# SUCH DAMAGE. 
. $(atf_get_srcdir)/utils.subr

# Build the topology shared by the NAT64 tests and enable pf on the router.
#
#   test environment (${epair}a, 2001:db8::2)
#     <-> jail "rtr" (${epair}b 2001:db8::1, ${epair_link}a 192.0.2.1)
#     <-> jail "dst" (${epair_link}b 192.0.2.2)
#
# The ifconfig and "route -6 add default" calls below carry no jexec prefix,
# so they change the interface and IPv6 default route of whatever environment
# runs the test, not of a jail.
# No ruleset is loaded here; callers install one with pft_set_rules.
nat64_setup_base()
{
	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad
	jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up
	jexec dst route add default 192.0.2.1

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.1

	jexec rtr pfctl -e
}

# NAT64 on the inbound interface: the af-to rule sits on ${epair}b, where the
# IPv6 packets arrive, and translates traffic for 64:ff9b::/96 to IPv4 using
# the address(es) of ${epair_link}a as the new source.
# This ruleset has no block rule, so it does not show what happens to traffic
# that the single pass rule does not match.
nat64_setup_in()
{
	nat64_setup_base
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)"
}

# NAT64 on the outbound interface: packets for 64:ff9b::/96 are passed
# untranslated on ${epair}b, routed as IPv6 towards ${epair_link}a, and
# translated by the af-to rule as they leave that interface.
# Unlike nat64_setup_in, this ruleset ends in "block": only neighbour
# discovery and traffic to the NAT64 prefix is passed explicitly.
nat64_setup_out()
{
	nat64_setup_base
	# The router has to forward IPv6 for the packet to reach the
	# outbound interface at all.
	jexec rtr sysctl net.inet6.ip6.forwarding=1
	# AF translation happens post-routing, traffic must be directed
	# towards the outbound interface using routes for the original AF.
	# jexec rtr ifconfig ${epair_link}a inet6 2001:db8:2::1/64 up no_dad
	jexec rtr route add -inet6 64:ff9b::/96 -iface ${epair_link}a;
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
	    "pass in quick on ${epair}b from any to 64:ff9b::/96" \
	    "pass out quick on ${epair_link}a from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" \
	    "block"
}

# The tests require root (require.user root); the setup they call creates
# jails and interfaces and enables pf.
atf_test_case "icmp_echo_in" "cleanup"
icmp_echo_in_head()
{
	atf_set descr 'Basic NAT64 ICMP echo test on inbound interface'
	atf_set require.user root
}

# Ping dst (192.0.2.2) through its NAT64-mapped address 64:ff9b::192.0.2.2.
icmp_echo_in_body()
{
	nat64_setup_in

	# One ping
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	# Make sure packets make it even when state is established
	atf_check -s exit:0 \
	    -o match:'5 packets transmitted, 5 packets received, 0.0% packet loss' \
	    ping6 -c 5 64:ff9b::192.0.2.2
}

icmp_echo_in_cleanup()
{
	pft_cleanup
}

atf_test_case "icmp_echo_out" "cleanup"
icmp_echo_out_head()
{
	atf_set descr 'Basic NAT64 ICMP echo test on outbound interface'
	atf_set require.user root
}

# Same checks as icmp_echo_in_body, with translation on the outbound
# interface and the default-block ruleset of nat64_setup_out.
icmp_echo_out_body()
{
	nat64_setup_out

	# One ping
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	# Make sure packets make it even when state is established
	atf_check -s exit:0 \
	    -o match:'5 packets transmitted, 5 packets received, 0.0% packet loss' \
	    ping6 -c 5 64:ff9b::192.0.2.2
}

icmp_echo_out_cleanup()
{
	pft_cleanup
}

atf_test_case "fragmentation_in" "cleanup"
fragmentation_in_head()
{
	atf_set descr 'Test fragmented packets on inbound interface'
	atf_set require.user root
}

# Send echo requests with 1280, 2000 and 10000 byte payloads through the
# translator and require every reply to arrive.
# NOTE(review): the interface MTU is not set in this file; the larger sizes
# presumably exceed it, which is what makes the packets fragment - confirm.
fragmentation_in_body()
{
	nat64_setup_in

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 -s 1280 64:ff9b::192.0.2.2

	atf_check -s exit:0 \
	    -o match:'3 packets transmitted, 3 packets received, 0.0% packet loss' \
	    ping6 -c 3 -s 2000 64:ff9b::192.0.2.2
	atf_check -s exit:0 \
	    -o match:'3 packets transmitted, 3 packets received, 0.0% packet loss' \
	    ping6 -c 3 -s 10000 -b 20000 64:ff9b::192.0.2.2
}

fragmentation_in_cleanup()
{
	pft_cleanup
}

atf_test_case "fragmentation_out" "cleanup"
fragmentation_out_head()
{
	atf_set descr 'Test fragmented packets on outbound interface'
	atf_set require.user root
}

# Same payload sizes as fragmentation_in_body, with translation on the
# outbound interface.
fragmentation_out_body()
{
	nat64_setup_out

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 -s 1280 64:ff9b::192.0.2.2

	atf_check -s exit:0 \
	    -o match:'3 packets transmitted, 3 packets received, 0.0% packet loss' \
	    ping6 -c 3 -s 2000 64:ff9b::192.0.2.2
	atf_check -s exit:0 \
	    -o match:'3 packets transmitted, 3 packets received, 0.0% packet loss' \
	    ping6 -c 3 -s 10000 -b 20000 64:ff9b::192.0.2.2
}

fragmentation_out_cleanup()
{
	pft_cleanup
}

atf_test_case "tcp_in" "cleanup"
tcp_in_head()
{
	atf_set descr 'TCP NAT64 test on inbound interface'
	atf_set require.user root
}

# Start a TCP listener in dst that answers "foo", connect to it through the
# translator and compare what comes back.
tcp_in_body()
{
	nat64_setup_in

	# The listener runs in the background inside the dst jail; this body
	# does not stop it explicitly.
	echo "foo" | jexec dst nc -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	# 64:ff9b::c000:202 is 64:ff9b::192.0.2.2 written in hex
	# (c0.00.02.02).
	rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to TCP server"
	fi
}

tcp_in_cleanup()
{
	pft_cleanup
}

atf_test_case "tcp_out" "cleanup"
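tcp_out_head()
{
	atf_set descr 'TCP NAT64 test on outbound interface'
	atf_set require.user root
}

# Start a TCP listener in dst that answers "foo", connect to it through the
# outbound-interface translator and compare what comes back.
tcp_out_body()
{
	nat64_setup_out

	# The listener runs in the background inside the dst jail; this body
	# does not stop it explicitly.
	echo "foo" | jexec dst nc -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	# 64:ff9b::c000:202 is 64:ff9b::192.0.2.2 written in hex
	# (c0.00.02.02).
	rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to TCP server"
	fi
}

tcp_out_cleanup()
{
	pft_cleanup
}

atf_test_case "udp_in" "cleanup"
udp_in_head()
{
	atf_set descr 'UDP NAT64 test on inbound interface'
	atf_set require.user root
}

# UDP variant of the TCP test: the client sends "bar" and expects the
# listener's "foo" back through the translator.
udp_in_body()
{
	nat64_setup_in

	echo "foo" | jexec dst nc -u -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	rcv=$(echo bar | nc -w 3 -6 -u 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to UDP server"
	fi
}

udp_in_cleanup()
{
	pft_cleanup
}

atf_test_case "udp_out" "cleanup"
udp_out_head()
{
	atf_set descr 'UDP NAT64 test on outbound interface'
	atf_set require.user root
}

# Same exchange as udp_in_body, with translation on the outbound interface.
udp_out_body()
{
	nat64_setup_out

	echo "foo" | jexec dst nc -u -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	rcv=$(echo bar | nc -w 3 -6 -u 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to UDP server"
	fi
}

udp_out_cleanup()
{
	pft_cleanup
}

atf_test_case "sctp_in" "cleanup"
sctp_in_head()
{
	atf_set descr 'SCTP NAT64 test on inbound interface'
	atf_set require.user root
}

# SCTP variant of the exchange; skipped when the sctp module is not loaded.
# The skip happens after nat64_setup_in, so the jails and interfaces already
# exist and are left to sctp_in_cleanup.
sctp_in_body()
{
	nat64_setup_in
	if ! kldstat -q -m sctp; then
		atf_skip "This test requires SCTP"
	fi

	echo "foo" | jexec dst nc --sctp -N -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	rcv=$(echo bar | nc --sctp -w 3 -6 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to SCTP server"
	fi
}

sctp_in_cleanup()
{
	pft_cleanup
}

atf_test_case "sctp_out" "cleanup"
sctp_out_head()
{
	atf_set descr 'SCTP NAT64 test on outbound interface'
	atf_set require.user root
}

# Same exchange as sctp_in_body, with translation on the outbound interface.
sctp_out_body()
{
	nat64_setup_out
	if ! kldstat -q -m sctp; then
		atf_skip "This test requires SCTP"
	fi

	echo "foo" | jexec dst nc --sctp -N -l 1234 &

	# Sanity check & delay for nc startup
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	rcv=$(echo bar | nc --sctp -w 3 -6 64:ff9b::c000:202 1234)
	if [ "${rcv}" != "foo" ];
	then
		echo "rcv=${rcv}"
		atf_fail "Failed to connect to SCTP server"
	fi
}

sctp_out_cleanup()
{
	pft_cleanup
}

atf_test_case "tos" "cleanup"
tos_head()
{
	atf_set descr 'ToS translation test'
	atf_set require.user root
}

# Check that the value given to ping6 -z arrives on the IPv4 side as the ToS:
# dst blocks inbound IPv4 with tos 8, so only the "-z 8" ping may fail.
# NOTE(review): -z presumably sets the IPv6 traffic class - confirm in
# ping6(8).
tos_body()
{
	nat64_setup_in

	# Ensure we can distinguish ToS on the destination
	jexec dst pfctl -e
	pft_set_rules dst \
	    "pass" \
	    "block in inet tos 8"

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 -z 4 64:ff9b::192.0.2.2
	atf_check -s exit:2 -o ignore \
	    ping6 -c 1 -z 8 64:ff9b::192.0.2.2
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 -z 16 64:ff9b::192.0.2.2

	# Rule counters, printed for the test log only; nothing checks them.
	jexec dst pfctl -sr -vv
}

tos_cleanup()
{
	pft_cleanup
}

atf_test_case "no_v4" "cleanup"
no_v4_head()
{
	atf_set descr 'Test error handling when there is no IPv4 address to translate to'
	atf_set require.user root
}

# Same topology as nat64_setup_base, except that rtr gets no IPv4 address on
# ${epair_link}a, so the af-to rule has no source address to translate to.
# The ping through the translator must fail (exit status 2).
no_v4_body()
{
	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up
	jexec dst route add default 192.0.2.1

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1

	jexec rtr pfctl -e
	pft_set_rules rtr \
	    "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)"

	atf_check -s exit:2 -o ignore \
	    ping6 -c 3 64:ff9b::192.0.2.2
}

no_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "range" "cleanup"
range_head()
{
	atf_set descr 'Test using an address range for the IPv4 side'
	atf_set require.user root
}

# Translate to the range 192.0.2.2/31 with round-robin and verify on dst that
# both 192.0.2.2 and 192.0.2.3 were used as the translated source address.
range_body()
{
	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad
	jexec rtr ifconfig ${epair_link}a 192.0.2.2/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.3/24 up

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.254/24 up
	jexec dst route add default 192.0.2.2

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    jexec rtr ping -c 1 192.0.2.254
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.2
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.3

	jexec rtr pfctl -e
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.2/31 round-robin"

	# Use pf to count sources
	jexec dst pfctl -e
	pft_set_rules dst \
	    "pass"

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.254
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.254

	# Verify on dst that we saw different source addresses
	# The address must be followed by a non-digit: an unanchored
	# "192.0.2.2" also matches dst's own 192.0.2.254, which appears in
	# every state, so that check could never fail.
	atf_check -s exit:0 -o match:'192\.0\.2\.2[^0-9]' \
	    jexec dst pfctl -ss
	atf_check -s exit:0 -o match:'192\.0\.2\.3[^0-9]' \
	    jexec dst pfctl -ss
}
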
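range_cleanup()
{
	pft_cleanup
}

atf_test_case "pool" "cleanup"
pool_head()
{
	atf_set descr 'Use a pool of IPv4 addresses'
	atf_set require.user root
}

# Translate to an explicit list of three addresses with round-robin and
# verify on dst that each of them was used as the translated source address.
pool_body()
{
	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad
	jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.3/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.4/24 up

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up
	jexec dst route add default 192.0.2.1

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.1

	jexec rtr pfctl -e
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from { 192.0.2.1, 192.0.2.3, 192.0.2.4 } round-robin"

	# Use pf to count sources
	jexec dst pfctl -e
	pft_set_rules dst \
	    "pass"

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.2

	# Verify on dst that we saw different source addresses
	# Dots are escaped and the address must be followed by a non-digit,
	# so each pattern matches exactly one address.
	atf_check -s exit:0 -o match:'192\.0\.2\.1[^0-9]' \
	    jexec dst pfctl -ss
	atf_check -s exit:0 -o match:'192\.0\.2\.3[^0-9]' \
	    jexec dst pfctl -ss
	atf_check -s exit:0 -o match:'192\.0\.2\.4[^0-9]' \
	    jexec dst pfctl -ss
}

pool_cleanup()
{
	pft_cleanup
}


# Declared with "cleanup" so that table_cleanup below is actually run;
# without it the cleanup function is defined but never invoked.
atf_test_case "table" "cleanup"
table_head()
{
	atf_set descr 'Check table restrictions'
	atf_set require.user root
}

# Check which pool types pfctl accepts when the af-to source is a table.
# NOTE(review): pfctl runs here without jexec, so each "pfctl -f -" loads the
# ruleset into the pf instance of the environment that runs the test, not
# into a jail - confirm that this is intended.
table_body()
{
	pft_init

	# Round-robin and random are allowed
	echo "pass in on epair inet6 from any to 64:ff9b::/96 af-to inet from <wanaddr> round-robin" | \
	    atf_check -s exit:0 \
	    pfctl -f -
	echo "pass in on epair inet6 from any to 64:ff9b::/96 af-to inet from <wanaddr> random" | \
	    atf_check -s exit:0 \
	    pfctl -f -

	# bitmask is not
	echo "pass in on epair inet6 from any to 64:ff9b::/96 af-to inet from <wanaddr> bitmask" | \
	    atf_check -s exit:1 \
	    -e match:"tables are not supported by pool type" \
	    pfctl -f -
}

table_cleanup()
{
	pft_cleanup
}

atf_test_case "table_range" "cleanup"
table_range_head()
{
	atf_set descr 'Test using an address range within a table for the IPv4 side'
	atf_set require.user root
}

# Translate to a table holding the range 192.0.2.2/31 with round-robin and
# verify on dst that both 192.0.2.2 and 192.0.2.3 were used as the translated
# source address.
table_range_body()
{
	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad
	jexec rtr ifconfig ${epair_link}a 192.0.2.2/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.3/24 up

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.254/24 up
	jexec dst route add default 192.0.2.2

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.2

	jexec rtr pfctl -e
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "table <wanaddrs> { 192.0.2.2/31 }" \
	    "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from <wanaddrs> round-robin"

	# Use pf to count sources
	jexec dst pfctl -e
	pft_set_rules dst \
	    "pass"

	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.254
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 64:ff9b::192.0.2.254

	# Verify on dst that we saw different source addresses
	# The address must be followed by a non-digit: an unanchored
	# "192.0.2.2" also matches dst's own 192.0.2.254, which appears in
	# every state, so that check could never fail.
	atf_check -s exit:0 -o match:'192\.0\.2\.2[^0-9]' \
	    jexec dst pfctl -ss
	atf_check -s exit:0 -o match:'192\.0\.2\.3[^0-9]' \
	    jexec dst pfctl -ss
}

table_range_cleanup()
{
	pft_cleanup
}

table_common_body()
{
	pool_type=$1

	pft_init

	epair_link=$(vnet_mkepair)
	epair=$(vnet_mkepair)

	ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad
	route -6 add default 2001:db8::1

	vnet_mkjail rtr ${epair}b ${epair_link}a
	jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad
	jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.3/24 up
	jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.4/24 up

	vnet_mkjail dst ${epair_link}b
	jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up
	jexec dst route add default 192.0.2.1

	# Sanity checks
	atf_check -s exit:0 -o ignore \
	    ping6 -c 1 2001:db8::1
	atf_check -s exit:0 -o ignore \
	    jexec dst ping -c 1 192.0.2.1

	jexec rtr pfctl -e
	pft_set_rules rtr \
	    "set reassemble yes" \
	    "set state-policy if-bound" \
	    "table <wanaddrs> { 192.0.2.1, 192.0.2.3, 192.0.2.4 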
}" \ 702c2346c3dSKristof Provost "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from <wanaddrs> ${pool_type}" 703b0e3fb7eSKristof Provost 704b0e3fb7eSKristof Provost # Use pf to count sources 705b0e3fb7eSKristof Provost jexec dst pfctl -e 706b0e3fb7eSKristof Provost pft_set_rules dst \ 707b0e3fb7eSKristof Provost "pass" 708b0e3fb7eSKristof Provost 709b0e3fb7eSKristof Provost atf_check -s exit:0 -o ignore \ 710b0e3fb7eSKristof Provost ping6 -c 1 64:ff9b::192.0.2.2 711b0e3fb7eSKristof Provost atf_check -s exit:0 -o ignore \ 712b0e3fb7eSKristof Provost ping6 -c 1 64:ff9b::192.0.2.2 713b0e3fb7eSKristof Provost atf_check -s exit:0 -o ignore \ 714b0e3fb7eSKristof Provost ping6 -c 1 64:ff9b::192.0.2.2 715b0e3fb7eSKristof Provost 716c2346c3dSKristof Provost # XXX We can't reasonably check pool type random because it's random. It may end 717c2346c3dSKristof Provost # up choosing the same source IP for all three connections. 718c2346c3dSKristof Provost if [ "${pool_type}" == "round-robin" ]; 719c2346c3dSKristof Provost then 720b0e3fb7eSKristof Provost # Verify on dst that we saw different source addresses 721b0e3fb7eSKristof Provost atf_check -s exit:0 -o match:".*192.0.2.1.*" \ 722b0e3fb7eSKristof Provost jexec dst pfctl -ss 723b0e3fb7eSKristof Provost atf_check -s exit:0 -o match:".*192.0.2.3.*" \ 724b0e3fb7eSKristof Provost jexec dst pfctl -ss 725b0e3fb7eSKristof Provost atf_check -s exit:0 -o match:".*192.0.2.4.*" \ 726b0e3fb7eSKristof Provost jexec dst pfctl -ss 727c2346c3dSKristof Provost fi 728c2346c3dSKristof Provost} 729c2346c3dSKristof Provost 730c2346c3dSKristof Provostatf_test_case "table_round_robin" "cleanup" 731c2346c3dSKristof Provosttable_round_robin_head() 732c2346c3dSKristof Provost{ 733c2346c3dSKristof Provost atf_set descr 'Use a table of IPv4 addresses in round-robin mode' 734c2346c3dSKristof Provost atf_set require.user root 735c2346c3dSKristof Provost} 736c2346c3dSKristof Provost 737c2346c3dSKristof Provosttable_round_robin_body() 
738c2346c3dSKristof Provost{ 739c2346c3dSKristof Provost table_common_body round-robin 740b0e3fb7eSKristof Provost} 741b0e3fb7eSKristof Provost 742b0e3fb7eSKristof Provosttable_round_robin_cleanup() 743b0e3fb7eSKristof Provost{ 744b0e3fb7eSKristof Provost pft_cleanup 745b0e3fb7eSKristof Provost} 746b0e3fb7eSKristof Provost 747c2346c3dSKristof Provostatf_test_case "table_random" "cleanup" 748c2346c3dSKristof Provosttable_random_head() 749c2346c3dSKristof Provost{ 750c2346c3dSKristof Provost atf_set descr 'Use a table of IPv4 addresses in random mode' 751c2346c3dSKristof Provost atf_set require.user root 752c2346c3dSKristof Provost} 753c2346c3dSKristof Provost 754c2346c3dSKristof Provosttable_random_body() 755c2346c3dSKristof Provost{ 756c2346c3dSKristof Provost table_common_body random 757c2346c3dSKristof Provost} 758c2346c3dSKristof Provost 759c2346c3dSKristof Provosttable_random_cleanup() 760c2346c3dSKristof Provost{ 761c2346c3dSKristof Provost pft_cleanup 762c2346c3dSKristof Provost} 763c2346c3dSKristof Provost 76432cac604SKristof Provostatf_test_case "dummynet" "cleanup" 76532cac604SKristof Provostdummynet_head() 76632cac604SKristof Provost{ 76732cac604SKristof Provost atf_set descr 'Test dummynet on af-to rules' 76832cac604SKristof Provost atf_set require.user root 76932cac604SKristof Provost} 77032cac604SKristof Provost 77132cac604SKristof Provostdummynet_body() 77232cac604SKristof Provost{ 77332cac604SKristof Provost pft_init 77432cac604SKristof Provost dummynet_init 77532cac604SKristof Provost 77632cac604SKristof Provost epair_link=$(vnet_mkepair) 77732cac604SKristof Provost epair=$(vnet_mkepair) 77832cac604SKristof Provost 77932cac604SKristof Provost ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad 78032cac604SKristof Provost route -6 add default 2001:db8::1 78132cac604SKristof Provost 78232cac604SKristof Provost vnet_mkjail rtr ${epair}b ${epair_link}a 78332cac604SKristof Provost jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad 
78432cac604SKristof Provost jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up 78532cac604SKristof Provost 78632cac604SKristof Provost vnet_mkjail dst ${epair_link}b 78732cac604SKristof Provost jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up 78832cac604SKristof Provost jexec dst route add default 192.0.2.1 78932cac604SKristof Provost 79032cac604SKristof Provost # Sanity checks 79132cac604SKristof Provost atf_check -s exit:0 -o ignore \ 79232cac604SKristof Provost ping6 -c 1 2001:db8::1 79332cac604SKristof Provost atf_check -s exit:0 -o ignore \ 79432cac604SKristof Provost jexec dst ping -c 1 192.0.2.1 79532cac604SKristof Provost 79632cac604SKristof Provost jexec rtr pfctl -e 79732cac604SKristof Provost jexec rtr dnctl pipe 1 config delay 600 79832cac604SKristof Provost pft_set_rules rtr \ 79932cac604SKristof Provost "set reassemble yes" \ 80032cac604SKristof Provost "set state-policy if-bound" \ 80132cac604SKristof Provost "pass in on ${epair}b inet6 from any to 64:ff9b::/96 dnpipe 1 af-to inet from (${epair_link}a)" 80232cac604SKristof Provost 80332cac604SKristof Provost # The ping request will pass, but take 1.2 seconds (.6 in, .6 out) 80432cac604SKristof Provost # So this works: 80532cac604SKristof Provost atf_check -s exit:0 -o ignore \ 80632cac604SKristof Provost ping6 -c 1 -t 2 64:ff9b::192.0.2.2 80732cac604SKristof Provost 80832cac604SKristof Provost # But this times out: 80932cac604SKristof Provost atf_check -s exit:2 -o ignore \ 81032cac604SKristof Provost ping6 -c 1 -t 1 64:ff9b::192.0.2.2 81132cac604SKristof Provost} 81232cac604SKristof Provost 81332cac604SKristof Provostdummynet_cleanup() 81432cac604SKristof Provost{ 81532cac604SKristof Provost pft_cleanup 81632cac604SKristof Provost} 81732cac604SKristof Provost 818697c1568SKristof Provostatf_test_case "gateway6" "cleanup" 819697c1568SKristof Provostgateway6_head() 820697c1568SKristof Provost{ 821697c1568SKristof Provost atf_set descr 'NAT64 with a routing hop on the v6 side' 822697c1568SKristof 
Provost atf_set require.user root 823697c1568SKristof Provost} 824697c1568SKristof Provost 825697c1568SKristof Provostgateway6_body() 826697c1568SKristof Provost{ 827697c1568SKristof Provost pft_init 828697c1568SKristof Provost 829697c1568SKristof Provost epair_lan_link=$(vnet_mkepair) 830697c1568SKristof Provost epair_link=$(vnet_mkepair) 831697c1568SKristof Provost epair=$(vnet_mkepair) 832697c1568SKristof Provost 833697c1568SKristof Provost ifconfig ${epair}a inet6 2001:db8:1::2/64 up no_dad 834697c1568SKristof Provost route -6 add default 2001:db8:1::1 835697c1568SKristof Provost 836697c1568SKristof Provost vnet_mkjail lan_rtr ${epair}b ${epair_lan_link}a 837697c1568SKristof Provost jexec lan_rtr ifconfig ${epair}b inet6 2001:db8:1::1/64 up no_dad 838697c1568SKristof Provost jexec lan_rtr ifconfig ${epair_lan_link}a inet6 2001:db8::2/64 up no_dad 839697c1568SKristof Provost jexec lan_rtr route -6 add default 2001:db8::1 840697c1568SKristof Provost jexec lan_rtr sysctl net.inet6.ip6.forwarding=1 841697c1568SKristof Provost 842697c1568SKristof Provost vnet_mkjail rtr ${epair_lan_link}b ${epair_link}a 843697c1568SKristof Provost jexec rtr ifconfig ${epair_lan_link}b inet6 2001:db8::1/64 up no_dad 844697c1568SKristof Provost jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up 845697c1568SKristof Provost jexec rtr route -6 add default 2001:db8::2 846697c1568SKristof Provost 847697c1568SKristof Provost vnet_mkjail dst ${epair_link}b 848697c1568SKristof Provost jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up 849697c1568SKristof Provost jexec dst route add default 192.0.2.1 850697c1568SKristof Provost 851697c1568SKristof Provost # Sanity checks 852697c1568SKristof Provost atf_check -s exit:0 -o ignore \ 853697c1568SKristof Provost ping6 -c 1 2001:db8:1::1 854697c1568SKristof Provost atf_check -s exit:0 -o ignore \ 855697c1568SKristof Provost ping6 -c 1 2001:db8::1 856697c1568SKristof Provost atf_check -s exit:0 -o ignore \ 857697c1568SKristof Provost jexec dst ping -c 
1 192.0.2.1 858697c1568SKristof Provost 859697c1568SKristof Provost jexec rtr pfctl -e 860697c1568SKristof Provost pft_set_rules rtr \ 861697c1568SKristof Provost "set reassemble yes" \ 862697c1568SKristof Provost "set state-policy if-bound" \ 863697c1568SKristof Provost "pass in on ${epair_lan_link}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" 864697c1568SKristof Provost 865697c1568SKristof Provost # One ping 866697c1568SKristof Provost atf_check -s exit:0 -o ignore \ 867697c1568SKristof Provost ping6 -c 1 64:ff9b::192.0.2.2 868697c1568SKristof Provost 869697c1568SKristof Provost # Make sure packets make it even when state is established 870697c1568SKristof Provost atf_check -s exit:0 \ 871697c1568SKristof Provost -o match:'5 packets transmitted, 5 packets received, 0.0% packet loss' \ 872697c1568SKristof Provost ping6 -c 5 64:ff9b::192.0.2.2 873697c1568SKristof Provost} 874697c1568SKristof Provost 875697c1568SKristof Provostgateway6_cleanup() 876697c1568SKristof Provost{ 877697c1568SKristof Provost pft_cleanup 878697c1568SKristof Provost} 879697c1568SKristof Provost 880ca0e6934SKristof Provostatf_test_case "route_to" "cleanup" 881ca0e6934SKristof Provostroute_to_head() 882ca0e6934SKristof Provost{ 883ca0e6934SKristof Provost atf_set descr 'Test route-to on af-to rules' 884ca0e6934SKristof Provost atf_set require.user root 885ca0e6934SKristof Provost} 886ca0e6934SKristof Provost 887ca0e6934SKristof Provostroute_to_body() 888ca0e6934SKristof Provost{ 889ca0e6934SKristof Provost pft_init 890ca0e6934SKristof Provost 891ca0e6934SKristof Provost epair_link=$(vnet_mkepair) 892ca0e6934SKristof Provost epair_null=$(vnet_mkepair) 893ca0e6934SKristof Provost epair=$(vnet_mkepair) 894ca0e6934SKristof Provost 895ca0e6934SKristof Provost ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad 896ca0e6934SKristof Provost route -6 add default 2001:db8::1 897ca0e6934SKristof Provost 898ca0e6934SKristof Provost vnet_mkjail rtr ${epair}b ${epair_link}a ${epair_null}a 
899ca0e6934SKristof Provost jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad 900ca0e6934SKristof Provost jexec rtr ifconfig ${epair_null}a 192.0.2.3/24 up 901ca0e6934SKristof Provost jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up 902ca0e6934SKristof Provost 903ca0e6934SKristof Provost vnet_mkjail dst ${epair_link}b 904ca0e6934SKristof Provost jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up 905ca0e6934SKristof Provost jexec dst route add default 192.0.2.1 906ca0e6934SKristof Provost 907ca0e6934SKristof Provost # Sanity checks 908ca0e6934SKristof Provost atf_check -s exit:0 -o ignore \ 909ca0e6934SKristof Provost ping6 -c 1 2001:db8::1 910ca0e6934SKristof Provost 911ca0e6934SKristof Provost jexec rtr pfctl -e 912ca0e6934SKristof Provost pft_set_rules rtr \ 913ca0e6934SKristof Provost "set reassemble yes" \ 914ca0e6934SKristof Provost "set state-policy if-bound" \ 915ca0e6934SKristof Provost "pass in on ${epair}b route-to (${epair_link}a 192.0.2.2) inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" 916ca0e6934SKristof Provost 917ca0e6934SKristof Provost atf_check -s exit:0 -o ignore \ 918ca0e6934SKristof Provost ping6 -c 3 64:ff9b::192.0.2.2 919ca0e6934SKristof Provost} 920ca0e6934SKristof Provost 921ca0e6934SKristof Provostroute_to_cleanup() 922ca0e6934SKristof Provost{ 923ca0e6934SKristof Provost pft_cleanup 924ca0e6934SKristof Provost} 925ca0e6934SKristof Provost 9267a372bdeSKristof Provostatf_test_case "reply_to" "cleanup" 9277a372bdeSKristof Provostreply_to_head() 9287a372bdeSKristof Provost{ 9297a372bdeSKristof Provost atf_set descr 'Test reply-to on af-to rules' 9307a372bdeSKristof Provost atf_set require.user root 9317a372bdeSKristof Provost} 9327a372bdeSKristof Provost 9337a372bdeSKristof Provostreply_to_body() 9347a372bdeSKristof Provost{ 9357a372bdeSKristof Provost pft_init 9367a372bdeSKristof Provost 9377a372bdeSKristof Provost epair_link=$(vnet_mkepair) 9387a372bdeSKristof Provost epair=$(vnet_mkepair) 9397a372bdeSKristof 
Provost 9407a372bdeSKristof Provost ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad 9417a372bdeSKristof Provost route -6 add default 2001:db8::1 9427a372bdeSKristof Provost 9437a372bdeSKristof Provost vnet_mkjail rtr ${epair}b ${epair_link}a 9447a372bdeSKristof Provost jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad 9457a372bdeSKristof Provost jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up 9467a372bdeSKristof Provost 9477a372bdeSKristof Provost vnet_mkjail dst ${epair_link}b 9487a372bdeSKristof Provost jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up 9497a372bdeSKristof Provost jexec dst route add default 192.0.2.1 9507a372bdeSKristof Provost 9517a372bdeSKristof Provost # Sanity checks 9527a372bdeSKristof Provost atf_check -s exit:0 -o ignore \ 9537a372bdeSKristof Provost ping6 -c 1 2001:db8::1 9547a372bdeSKristof Provost 9557a372bdeSKristof Provost jexec rtr pfctl -e 9567a372bdeSKristof Provost pft_set_rules rtr \ 9577a372bdeSKristof Provost "set reassemble yes" \ 9587a372bdeSKristof Provost "set state-policy if-bound" \ 9597a372bdeSKristof Provost "pass in on ${epair}b reply-to (${epair}b 2001:db8::2) inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.1" 9607a372bdeSKristof Provost 9617a372bdeSKristof Provost atf_check -s exit:0 -o ignore \ 9627a372bdeSKristof Provost ping6 -c 3 64:ff9b::192.0.2.2 9637a372bdeSKristof Provost} 9647a372bdeSKristof Provost 9657a372bdeSKristof Provostreply_to_cleanup() 9667a372bdeSKristof Provost{ 9677a372bdeSKristof Provost pft_cleanup 9687a372bdeSKristof Provost} 9697a372bdeSKristof Provost 97041265f65SKristof Provostatf_test_case "v6_gateway" "cleanup" 97141265f65SKristof Provostv6_gateway_head() 97241265f65SKristof Provost{ 97341265f65SKristof Provost atf_set descr 'nat64 when the IPv4 gateway is given by an IPv6 address' 97441265f65SKristof Provost atf_set require.user root 97541265f65SKristof Provost} 97641265f65SKristof Provost 97741265f65SKristof Provostv6_gateway_body() 97841265f65SKristof Provost{ 
97941265f65SKristof Provost pft_init 98041265f65SKristof Provost 98141265f65SKristof Provost epair_wan_two=$(vnet_mkepair) 98241265f65SKristof Provost epair_wan_one=$(vnet_mkepair) 98341265f65SKristof Provost epair_lan=$(vnet_mkepair) 98441265f65SKristof Provost 98541265f65SKristof Provost ifconfig ${epair_lan}a inet6 2001:db8::2/64 up no_dad 98641265f65SKristof Provost route -6 add default 2001:db8::1 98741265f65SKristof Provost 98841265f65SKristof Provost vnet_mkjail rtr ${epair_lan}b ${epair_wan_one}a 98941265f65SKristof Provost jexec rtr ifconfig ${epair_lan}b inet6 2001:db8::1/64 up no_dad 99041265f65SKristof Provost jexec rtr ifconfig ${epair_wan_one}a 192.0.2.1/24 up 99141265f65SKristof Provost jexec rtr ifconfig ${epair_wan_one}a inet6 -ifdisabled 99241265f65SKristof Provost jexec rtr route add default -inet6 fe80::1%${epair_wan_one}a 99341265f65SKristof Provost #jexec rtr route add default 192.0.2.2 99441265f65SKristof Provost 99541265f65SKristof Provost vnet_mkjail wan_one ${epair_wan_one}b ${epair_wan_two}a 99641265f65SKristof Provost jexec wan_one ifconfig ${epair_wan_one}b 192.0.2.2/24 up 99741265f65SKristof Provost jexec wan_one ifconfig ${epair_wan_one}b inet6 fe80::1/64 99841265f65SKristof Provost jexec wan_one ifconfig ${epair_wan_two}a 198.51.100.2/24 up 99941265f65SKristof Provost jexec wan_one route add default 192.0.2.1 100041265f65SKristof Provost jexec wan_one sysctl net.inet.ip.forwarding=1 100141265f65SKristof Provost 100241265f65SKristof Provost vnet_mkjail wan_two ${epair_wan_two}b 100341265f65SKristof Provost jexec wan_two ifconfig ${epair_wan_two}b 198.51.100.1/24 up 100441265f65SKristof Provost jexec wan_two route add default 198.51.100.2 100541265f65SKristof Provost 100641265f65SKristof Provost # Sanity checks 100741265f65SKristof Provost atf_check -s exit:0 -o ignore \ 100841265f65SKristof Provost ping6 -c 1 2001:db8::1 100941265f65SKristof Provost atf_check -s exit:0 -o ignore \ 101041265f65SKristof Provost jexec rtr ping -c 1 
192.0.2.2 101141265f65SKristof Provost atf_check -s exit:0 -o ignore \ 101241265f65SKristof Provost jexec rtr ping -c 1 198.51.100.1 101341265f65SKristof Provost 101441265f65SKristof Provost jexec rtr pfctl -e 101541265f65SKristof Provost pft_set_rules rtr \ 101641265f65SKristof Provost "set reassemble yes" \ 101741265f65SKristof Provost "set state-policy if-bound" \ 101841265f65SKristof Provost "pass in on ${epair_lan}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_wan_one}a)" 101941265f65SKristof Provost 102041265f65SKristof Provost atf_check -s exit:0 -o ignore \ 102141265f65SKristof Provost ping6 -c 3 64:ff9b::192.0.2.2 102241265f65SKristof Provost atf_check -s exit:0 -o ignore \ 102341265f65SKristof Provost ping6 -c 3 64:ff9b::198.51.100.1 102441265f65SKristof Provost} 102541265f65SKristof Provost 102641265f65SKristof Provostv6_gateway_cleanup() 102741265f65SKristof Provost{ 102841265f65SKristof Provost pft_cleanup 102941265f65SKristof Provost} 103041265f65SKristof Provost 10310656a680SKristof Provostatf_init_test_cases() 10320656a680SKristof Provost{ 1033*f6f116cdSKajetan Staszkiewicz atf_add_test_case "icmp_echo_in" 1034*f6f116cdSKajetan Staszkiewicz atf_add_test_case "icmp_echo_out" 1035*f6f116cdSKajetan Staszkiewicz atf_add_test_case "fragmentation_in" 1036*f6f116cdSKajetan Staszkiewicz atf_add_test_case "fragmentation_out" 1037*f6f116cdSKajetan Staszkiewicz atf_add_test_case "tcp_in" 1038*f6f116cdSKajetan Staszkiewicz atf_add_test_case "tcp_out" 1039*f6f116cdSKajetan Staszkiewicz atf_add_test_case "udp_in" 1040*f6f116cdSKajetan Staszkiewicz atf_add_test_case "udp_out" 1041*f6f116cdSKajetan Staszkiewicz atf_add_test_case "sctp_in" 1042*f6f116cdSKajetan Staszkiewicz atf_add_test_case "sctp_out" 104327fca150SKristof Provost atf_add_test_case "tos" 1044125e3952SKristof Provost atf_add_test_case "no_v4" 1045bdb583afSKristof Provost atf_add_test_case "range" 10469e039875SKristof Provost atf_add_test_case "pool" 1047e0dcc51dSKristof Provost 
atf_add_test_case "table" 10487f3d159bSKristof Provost atf_add_test_case "table_range" 1049b0e3fb7eSKristof Provost atf_add_test_case "table_round_robin" 1050c2346c3dSKristof Provost atf_add_test_case "table_random" 105132cac604SKristof Provost atf_add_test_case "dummynet" 1052697c1568SKristof Provost atf_add_test_case "gateway6" 1053ca0e6934SKristof Provost atf_add_test_case "route_to" 10547a372bdeSKristof Provost atf_add_test_case "reply_to" 105541265f65SKristof Provost atf_add_test_case "v6_gateway" 10560656a680SKristof Provost} 1057