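#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2023 Kajetan Staszkiewicz <vegetga@tuxpowered.net>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF tests for the pf "rtable" rule option on a forwarding router.
#
# Both test cases follow the same plan: move the server-facing interface and
# the route to the server network into FIB 1, then check which pf rule sets
# let an echo request from the tester reach the server AND let the reply
# come back. The helpers used below (setup_router_server_ipv4/ipv6,
# ping_server_check_reply, pft_set_rules, pft_cleanup) and the variables
# epair_tester, epair_server, net_tester and net_server are not defined in
# this file; presumably they come from utils.subr.

. $(atf_get_srcdir)/utils.subr

atf_test_case "forward_v4" "cleanup"
forward_v4_head()
{
	atf_set descr 'Test IPv4 forwarding with rtable'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# IPv4: an inbound "rtable 1" rule alone forwards the request but leaves the
# reply without a usable route; either a stateful outbound rule that switches
# back to rtable 0 or an extra route in FIB 1 is needed.
forward_v4_body()
{
	setup_router_server_ipv4

	# Sanity check: with the initial setup the server is expected to reply.
	ping_server_check_reply exit:0

	# Give the router a second FIB and move the server-facing interface,
	# together with the route to the server network, into FIB 1.
	jexec router sysctl net.fibs=2
	jexec router ifconfig ${epair_server}a fib 1
	jexec router route del -net ${net_server}
	jexec router route add -fib 1 -net ${net_server} -iface ${epair_server}a

	# Sanity check: the server network is no longer routed in FIB 0,
	# so the check is expected to fail.
	ping_server_check_reply exit:1

	# This rule is not enough.
	# Echo requests will be properly forwarded but replies can't be routed back.
	pft_set_rules router \
		"pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
	ping_server_check_reply exit:1

	# Allow replies coming back to the tester properly via stateful filtering post-routing.
	pft_set_rules router \
		"pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" \
		"pass out on ${epair_server}a inet proto icmp all icmp-type echoreq rtable 0"
	ping_server_check_reply exit:0

	# Allow replies coming back to the tester properly via providing extra routes in rtable 1
	pft_set_rules router \
		"pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
	jexec router route add -fib 1 -net ${net_tester} -iface ${epair_tester}b
	ping_server_check_reply exit:0
}

forward_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "forward_v6" "cleanup"
forward_v6_head()
{
	atf_set descr 'Test IPv6 forwarding with rtable'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# IPv6 counterpart of forward_v4. Every rule set also passes neighbour
# solicitation/advertisement so that address resolution keeps working once
# pf rules are loaded.
forward_v6_body()
{
	setup_router_server_ipv6

	# Sanity check: with the initial setup the server is expected to reply.
	ping_server_check_reply exit:0

	# Give the router a second FIB and move the server-facing interface,
	# together with the route to the server network, into FIB 1.
	jexec router sysctl net.fibs=2
	jexec router ifconfig ${epair_server}a fib 1
	jexec router route del -6 ${net_server}
	jexec router route add -fib 1 -6 ${net_server} -iface ${epair_server}a

	# Sanity check: the server network is no longer routed in FIB 0,
	# so the check is expected to fail.
	ping_server_check_reply exit:1

	# This rule is not enough.
	# Echo requests will be properly forwarded but replies can't be routed back.
	# NOTE(review): "rtable 1" added to match the comment above and the
	# equivalent forward_v4 step. Without it the request is looked up in
	# FIB 0, which has no route to the server network, so this step would
	# only repeat the preceding sanity check instead of exercising the
	# missing return path.
	pft_set_rules router \
		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
		"pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1"
	ping_server_check_reply exit:1

	# Allow replies coming back to the tester properly via stateful filtering post-routing.
	pft_set_rules router \
		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
		"pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1" \
		"pass out on ${epair_server}a inet6 proto icmp6 icmp6-type echoreq rtable 0"
	ping_server_check_reply exit:0

	# Allow replies coming back to the tester properly via providing extra routes in rtable 1
	pft_set_rules router \
		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
		"pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1"
	jexec router route add -fib 1 -6 ${net_tester} -iface ${epair_tester}b
	ping_server_check_reply exit:0
}

forward_v6_cleanup()
{
	pft_cleanup
}

# Register both test cases with ATF.
atf_init_test_cases()
{
	atf_add_test_case "forward_v4"
	atf_add_test_case "forward_v6"
}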