xref: /freebsd/tests/sys/netpfil/pf/rdr.sh (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1#
2#
3# SPDX-License-Identifier: BSD-2-Clause
4#
5# Copyright © 2023 Tom Jones <thj@freebsd.org>
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
30atf_test_case "tcp_v6" "cleanup"
31tcp_v6_head()
32{
33	atf_set descr 'TCP rdr with IPv6'
34	atf_set require.user root
35	atf_set require.progs scapy python3
36}
37
38#
39# Test that rdr works for TCP with IPv6.
40#
41#	a <-----> b <-----> c
42#
43# Test configures three jails (a, b and c) and connects them together with b as
44# a router between a and c.
45#
46# TCP traffic to b on port 80 is redirected to c on port 8000
47#
48# Test for incorrect checksums after the rewrite by looking at a packet capture (see bug 210860)
49#
50tcp_v6_body()
51{
52	pft_init
53
54	j="rdr:tcp_v6"
55	epair_one=$(vnet_mkepair)
56	epair_two=$(vnet_mkepair)
57
58	echo $epair_one
59	echo $epair_two
60
61	vnet_mkjail ${j}a ${epair_one}b
62	vnet_mkjail ${j}b ${epair_one}a ${epair_two}a
63	vnet_mkjail ${j}c ${epair_two}b
64
65	# configure addresses for b
66	jexec ${j}b ifconfig lo0 up
67	jexec ${j}b ifconfig ${epair_one}a inet6 2001:db8:a::1/64 up no_dad
68	jexec ${j}b ifconfig ${epair_two}a inet6 2001:db8:b::1/64 up no_dad
69
70	# configure addresses for a
71	jexec ${j}a ifconfig lo0 up
72	jexec ${j}a ifconfig ${epair_one}b inet6 2001:db8:a::2/64 up no_dad
73
74	# configure addresses for c
75	jexec ${j}c ifconfig lo0 up
76	jexec ${j}c ifconfig ${epair_two}b inet6 2001:db8:b::2/64 up no_dad
77
78	# enable forwarding in the b jail
79	jexec ${j}b sysctl net.inet6.ip6.forwarding=1
80
81	# add routes so a and c can find each other
82	jexec ${j}a route add -inet6 2001:db8:b::0/64 2001:db8:a::1
83	jexec ${j}c route add -inet6 2001:db8:a::0/64 2001:db8:b::1
84
85	jexec ${j}b pfctl -e
86
87	pft_set_rules ${j}b \
88		"rdr on ${epair_one}a proto tcp from any to any port 80 -> 2001:db8:b::2 port 8000"
89
90	# Check that a can reach c over the router
91	atf_check -s exit:0 -o ignore \
92	    jexec ${j}a ping -6 -c 1 2001:db8:b::2
93
94	# capture packets on c so we can look for incorrect checksums
95	jexec ${j}c tcpdump --immediate-mode -w ${j}.pcap tcp and port 8000 &
96	tcpdumppid=$!
97
98	# start a web server and give it a second to start
99	jexec ${j}c python3 -m http.server &
100	sleep 1
101
102	# http directly from a to c -> a ---> b
103	atf_check -s exit:0 -o ignore \
104		jexec ${j}a fetch -T 1 -o /dev/null -q "http://[2001:db8:b::2]:8000"
105
106	# http from a to b with a redirect  -> a ---> b
107	atf_check -s exit:0 -o ignore \
108		jexec ${j}a fetch -T 1 -o /dev/null -q "http://[2001:db8:a::1]:80"
109
110	# ask tcpdump to stop so we can check the packet capture
111	jexec ${j}c kill -s SIGINT $tcpdumppid
112
113	# Check for 'incorrect' in packet capture, this should tell us if
114	# checksums are bad with rdr rules
115	count=$(jexec ${j}c tcpdump -vvvv -r ${j}.pcap | grep incorrect | wc -l)
116	atf_check_equal "       0" "$count"
117}
118
119tcp_v6_cleanup()
120{
121	pft_cleanup
122}
123
124atf_init_test_cases()
125{
126	atf_add_test_case "tcp_v6"
127}
128