# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# Shared pf test helpers. pft_init, pft_set_rules, pft_cleanup, vnet_mkepair
# and vnet_mkjail are not defined in this file; presumably they come from
# utils.subr.
. $(atf_get_srcdir)/utils.subr
# Register test case "v4"; the "cleanup" argument declares that it has a
# cleanup routine (v4_cleanup below) that atf must run after the body.
atf_test_case "v4" "cleanup"
v4_head()
{
	# Test metadata: one-line description, and root is required because
	# the body creates jails and epairs and drives pf.
	atf_set "descr" "Basic route-to test"
	atf_set "require.user" "root"
}
# IPv4 route-to regression test. There is no explicit assertion: the body
# passes as long as the kernel copes with the stateless route-to lookup
# (see PR 228782 below); the connection attempt itself is expected to fail.
v4_body()
{
	pft_init

	# Host side: the "send" epair carries traffic from the jail, the
	# "route" epair is the interface pf will be told to route-to.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up
	epair_route=$(vnet_mkepair)
	ifconfig ${epair_route}a 203.0.113.1/24 up

	# The jail owns the b ends of both epairs. Its routing table sends
	# 198.51.100.0/24 via the host on the send epair; the route-to rule
	# below overrides that decision.
	vnet_mkjail alcatraz ${epair_send}b ${epair_route}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_route}b 203.0.113.2/24 up
	jexec alcatraz route add -net 198.51.100.0/24 192.0.2.1
	jexec alcatraz pfctl -e

	# Attempt to provoke PR 228782
	# Default deny, a "pass user 2" rule (user matching makes pf look up
	# the socket owner), and a stateless route-to rule for the connection
	# attempted below.
	pft_set_rules alcatraz "block all" "pass user 2" \
		"pass out route-to (${epair_route}b 203.0.113.1) from 192.0.2.2 to 198.51.100.1 no state"
	# Nothing in this topology holds 198.51.100.1, so this connect only
	# exercises the outbound rule evaluation and times out after 3s.
	jexec alcatraz nc -w 3 -s 192.0.2.2 198.51.100.1 22

	# atf wants us to not return an error, but our netcat will fail
	true
}
v4_cleanup()
{
	# Shared teardown from utils.subr (presumably removes the jail and
	# epairs created by v4_body).
	pft_cleanup
}
# Register test case "v6"; "cleanup" declares that v6_cleanup below must run
# after the body.
atf_test_case "v6" "cleanup"
v6_head()
{
	# Test metadata: one-line description, and root is required because
	# the body creates jails and epairs and drives pf.
	atf_set "descr" "Basic route-to test (IPv6)"
	atf_set "require.user" "root"
}
# IPv6 variant of v4_body. As there, nothing is asserted explicitly: the
# test passes as long as the kernel survives the stateless route-to lookup
# while the connection attempt itself is expected to fail.
v6_body()
{
	pft_init

	# Host side. no_dad skips duplicate address detection so the addresses
	# are usable immediately; -ifdisabled is only needed on the host ends.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
	epair_route=$(vnet_mkepair)
	ifconfig ${epair_route}a inet6 2001:db8:43::1/64 up no_dad -ifdisabled

	# Jail side.
	vnet_mkjail alcatraz ${epair_send}b ${epair_route}b
	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig ${epair_route}b inet6 2001:db8:43::2/64 up no_dad
	# NOTE(review): the gateway here is the jail's own address on
	# ${epair_send}b, whereas v4_body routes via the host side
	# (192.0.2.1). route-to overrides the routing decision anyway, but
	# confirm this asymmetry is intended.
	jexec alcatraz route add -6 2001:db8:666::/64 2001:db8:42::2
	jexec alcatraz pfctl -e

	# Attempt to provoke PR 228782
	# Default deny, a "pass user 2" rule (user matching makes pf look up
	# the socket owner), and a stateless route-to rule for the connection
	# attempted below.
	pft_set_rules alcatraz "block all" "pass user 2" \
		"pass out route-to (${epair_route}b 2001:db8:43::1) from 2001:db8:42::2 to 2001:db8:666::1 no state"
	# Nothing in this topology holds 2001:db8:666::1; the connect only
	# exercises outbound rule evaluation and times out after 3s.
	jexec alcatraz nc -6 -w 3 -s 2001:db8:42::2 2001:db8:666::1 22

	# atf wants us to not return an error, but our netcat will fail
	true
}
v6_cleanup()
{
	# Shared teardown from utils.subr (presumably removes the jail and
	# epairs created by v6_body).
	pft_cleanup
}
# Register test case "multiwan"; "cleanup" declares that multiwan_cleanup
# below must run after the body.
atf_test_case "multiwan" "cleanup"
multiwan_head()
{
	# Test metadata: one-line description, and root is required because
	# the body creates jails and epairs and drives pf.
	atf_set "descr" "Multi-WAN redirection / reply-to test"
	atf_set "require.user" "root"
}
# reply-to test: a server reachable over two WANs must answer on the WAN a
# connection arrived on, even though its only default route points at one
# of them. Each check sends one line to the echo service and expects it back.
multiwan_body()
{
	pft_init

	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)
	epair_cl_one=$(vnet_mkepair)
	epair_cl_two=$(vnet_mkepair)

	# Topology (two independent paths from client to srv):
	#   client -(epair_cl_one)- wan_one -(epair_one)- srv
	#   client -(epair_cl_two)- wan_two -(epair_two)- srv
	vnet_mkjail srv ${epair_one}b ${epair_two}b
	vnet_mkjail wan_one ${epair_one}a ${epair_cl_one}b
	vnet_mkjail wan_two ${epair_two}a ${epair_cl_two}b
	vnet_mkjail client ${epair_cl_one}a ${epair_cl_two}a

	# Path one: 203.0.113.0/25 client<->wan_one, 192.0.2.0/24 wan_one<->srv.
	# wan_one forwards between the two.
	jexec client ifconfig ${epair_cl_one}a 203.0.113.1/25
	jexec wan_one ifconfig ${epair_cl_one}b 203.0.113.2/25
	jexec wan_one ifconfig ${epair_one}a 192.0.2.1/24 up
	jexec wan_one sysctl net.inet.ip.forwarding=1
	jexec srv ifconfig ${epair_one}b 192.0.2.2/24 up
	jexec client route add 192.0.2.0/24 203.0.113.2

	# Path two: 203.0.113.128/25 client<->wan_two, 198.51.100.0/24
	# wan_two<->srv. wan_two forwards between the two.
	jexec client ifconfig ${epair_cl_two}a 203.0.113.128/25
	jexec wan_two ifconfig ${epair_cl_two}b 203.0.113.129/25
	jexec wan_two ifconfig ${epair_two}a 198.51.100.1/24 up
	jexec wan_two sysctl net.inet.ip.forwarding=1
	jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
	jexec client route add 198.51.100.0/24 203.0.113.129

	# srv's only default route points at wan_one. Without working reply-to,
	# answers to connections that arrived via wan_two would presumably
	# follow it out the wrong WAN; that is what the final check exercises.
	jexec srv ifconfig lo0 127.0.0.1/8 up
	jexec srv route add default 192.0.2.1
	jexec srv sysctl net.inet.ip.forwarding=1

	# Run echo server in srv jail
	# (the pid file lands in the test's cwd; multiwan_cleanup removes it)
	jexec srv /usr/sbin/inetd -p multiwan.pid $(atf_get_srcdir)/echo_inetd.conf

	jexec srv pfctl -e
	# Port 7 on either WAN address is redirected to the local echo service.
	# The nat rules give anything sourced from 127.0.0.0/8 the address of
	# the egress interface, and reply-to pins each connection's replies to
	# the interface and next hop it came in on.
	pft_set_rules srv \
		"nat on ${epair_one}b inet from 127.0.0.0/8 to any -> (${epair_one}b)" \
		"nat on ${epair_two}b inet from 127.0.0.0/8 to any -> (${epair_two}b)" \
		"rdr on ${epair_one}b inet proto tcp from any to 192.0.2.2 port 7 -> 127.0.0.1 port 7" \
		"rdr on ${epair_two}b inet proto tcp from any to 198.51.100.2 port 7 -> 127.0.0.1 port 7" \
		"block in"	\
		"block out"	\
		"pass in quick on ${epair_one}b reply-to (${epair_one}b 192.0.2.1) inet proto tcp from any to 127.0.0.1 port 7" \
		"pass in quick on ${epair_two}b reply-to (${epair_two}b 198.51.100.1) inet proto tcp from any to 127.0.0.1 port 7"

	# These will always succeed, because we don't change interface to route
	# correctly here.
	# (Both clients sit directly on srv's subnets, so the reply's route and
	# the ingress interface coincide.)
	result=$(echo "one" | jexec wan_one nc -N -w 3 192.0.2.2 7)
	if [ "${result}" != "one" ]; then
		atf_fail "Redirect on one failed"
	fi
	result=$(echo "two" | jexec wan_two nc -N -w 3 198.51.100.2 7)
	if [ "${result}" != "two" ]; then
		atf_fail "Redirect on two failed"
	fi

	# From the client via wan_one: the reply follows srv's default route,
	# which is also the ingress path.
	result=$(echo "one" | jexec client nc -N -w 3 192.0.2.2 7)
	if [ "${result}" != "one" ]; then
		atf_fail "Redirect from client on one failed"
	fi

	# This should trigger the issue fixed in 829a69db855b48ff7e8242b95e193a0783c489d9
	# From the client via wan_two: only reply-to can send the echo back
	# through wan_two, since srv's default route points at wan_one.
	result=$(echo "two" | jexec client nc -N -w 3 198.51.100.2 7)
	if [ "${result}" != "two" ]; then
		atf_fail "Redirect from client on two failed"
	fi
}
multiwan_cleanup()
{
	# inetd was started with "-p multiwan.pid" in the test's cwd; drop the
	# pid file before the shared teardown.
	rm -f multiwan.pid
	pft_cleanup
}
# Register test case "multiwanlocal"; "cleanup" declares that
# multiwanlocal_cleanup below must run after the body.
atf_test_case "multiwanlocal" "cleanup"
multiwanlocal_head()
{
	# Test metadata: one-line description, and root is required because
	# the body creates jails and epairs and drives pf.
	atf_set "descr" "Multi-WAN local origin source-based redirection / route-to test"
	atf_set "require.user" "root"
}
# route-to test for locally originated traffic: a client with two WAN
# uplinks must send connections bound to its second address out via the
# second WAN, against its default route. Success is measured by receiving
# the full 102400-byte payload each server emits.
multiwanlocal_body()
{
	pft_init

	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)
	epair_cl_one=$(vnet_mkepair)
	epair_cl_two=$(vnet_mkepair)

	# Topology (one server per WAN):
	#   client -(epair_cl_one)- wan_one -(epair_one)- srv1
	#   client -(epair_cl_two)- wan_two -(epair_two)- srv2
	vnet_mkjail srv1 ${epair_one}b
	vnet_mkjail srv2 ${epair_two}b
	vnet_mkjail wan_one ${epair_one}a ${epair_cl_one}b
	vnet_mkjail wan_two ${epair_two}a ${epair_cl_two}b
	vnet_mkjail client ${epair_cl_one}a ${epair_cl_two}a

	# Path one: 203.0.113.0/25 client<->wan_one, 192.0.2.0/24 wan_one<->srv1.
	jexec client ifconfig ${epair_cl_one}a 203.0.113.1/25
	jexec wan_one ifconfig ${epair_cl_one}b 203.0.113.2/25
	jexec wan_one ifconfig ${epair_one}a 192.0.2.1/24 up
	jexec wan_one sysctl net.inet.ip.forwarding=1
	jexec srv1 ifconfig ${epair_one}b 192.0.2.2/24 up

	# Path two: 203.0.113.128/25 client<->wan_two, 198.51.100.0/24
	# wan_two<->srv2.
	jexec client ifconfig ${epair_cl_two}a 203.0.113.128/25
	jexec wan_two ifconfig ${epair_cl_two}b 203.0.113.129/25
	jexec wan_two ifconfig ${epair_two}a 198.51.100.1/24 up
	jexec wan_two sysctl net.inet.ip.forwarding=1
	jexec srv2 ifconfig ${epair_two}b 198.51.100.2/24 up

	# The client's default route is wan_one only; the route-to rule below
	# is the sole way traffic reaches wan_two. Each server routes back via
	# its own WAN.
	jexec client route add default 203.0.113.2
	jexec srv1 route add default 192.0.2.1
	jexec srv2 route add default 198.51.100.1

	# Run data source in srv1 and srv2
	# Each listener serves 100 * 1024 = 102400 bytes to one connection.
	# NOTE(review): the listeners are backgrounded with no synchronisation
	# before the client connects below; a slow start would make the first
	# nc fail to connect and the test fail spuriously. Confirm this is not
	# a source of flakiness.
	jexec srv1 sh -c 'dd if=/dev/zero bs=1024 count=100 | nc -l 7 -w 2 -N &'
	jexec srv2 sh -c 'dd if=/dev/zero bs=1024 count=100 | nc -l 7 -w 2 -N &'

	jexec client pfctl -e
	# Default deny in both directions. Port-7 connections sourced from the
	# second client address are forced out via wan_two with route-to;
	# everything else to port 7 may leave via the first interface. Replies
	# are admitted by the states these pass rules create.
	pft_set_rules client \
		"block in"	\
		"block out"	\
		"pass out quick route-to (${epair_cl_two}a 203.0.113.129) inet proto tcp from 203.0.113.128 to any port 7" \
		"pass out on ${epair_cl_one}a inet proto tcp from any to any port 7"

	# This should work
	# Plain case: default route via wan_one, matched by the last rule.
	# wc -c of the received stream must equal the 102400 bytes served.
	result=$(jexec client nc -N -w 1 192.0.2.2 7 | wc -c)
	if [ ${result} -ne 102400 ]; then
		jexec client pfctl -ss
		atf_fail "Redirect from client on one failed: ${result}"
	fi

	# This should trigger the issue
	# Binding the source to 203.0.113.128 selects the route-to rule, so
	# the connection must leave via wan_two although the default route
	# points at wan_one. The state table is dumped unconditionally to aid
	# debugging.
	result=$(jexec client nc -N -w 1 -s 203.0.113.128 198.51.100.2 7 | wc -c)
	jexec client pfctl -ss
	if [ ${result} -ne 102400 ]; then
		atf_fail "Redirect from client on two failed: ${result}"
	fi
}
multiwanlocal_cleanup()
{
	# Shared teardown from utils.subr (presumably removes the jails and
	# epairs created by multiwanlocal_body).
	pft_cleanup
}
atf_init_test_cases()
{
	# Register every test case defined in this file, in definition order.
	local tc
	for tc in v4 v6 multiwan multiwanlocal; do
		atf_add_test_case "${tc}"
	done
}