195363473SKristof Provost# 295363473SKristof Provost# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 395363473SKristof Provost# 495363473SKristof Provost# Copyright © 2023 Orange Business Services 595363473SKristof Provost# 695363473SKristof Provost# Redistribution and use in source and binary forms, with or without 795363473SKristof Provost# modification, are permitted provided that the following conditions 895363473SKristof Provost# are met: 995363473SKristof Provost# 1. Redistributions of source code must retain the above copyright 1095363473SKristof Provost# notice, this list of conditions and the following disclaimer. 1195363473SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 1295363473SKristof Provost# notice, this list of conditions and the following disclaimer in the 1395363473SKristof Provost# documentation and/or other materials provided with the distribution. 1495363473SKristof Provost# 1595363473SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 1695363473SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1795363473SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1895363473SKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 1995363473SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2095363473SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2195363473SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2295363473SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2395363473SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2495363473SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 2595363473SKristof Provost# SUCH DAMAGE. 
# Shared pf test helpers (pft_init, pft_set_rules, pft_cleanup, vnet_mkepair,
# vnet_mkjail, vnet_mkbridge, pfsynct_init, ...). These are not defined in this
# file; they are presumably provided by utils.subr.
. $(atf_get_srcdir)/utils.subr

# Common setup for every SCTP test case: initialise pf and skip the test when
# the sctp kernel module is not loaded (kldstat -q -m returns non-zero).
sctp_init()
{
	pft_init
	if ! kldstat -q -m sctp; then
		atf_skip "This test requires SCTP"
	fi
}

atf_test_case "basic_v4" "cleanup"
basic_v4_head()
{
	atf_set descr 'Basic SCTP connection over IPv4 passthrough'
	atf_set require.user root
}

# Two jails on an epair. Jail a runs pf and the SCTP listener, jail b connects.
# Checks, in order: an allowed port passes, it still passes with scrub
# (normalisation) enabled, a non-allowed port is blocked, and a non-allowed
# port is still blocked when the client picks the allowed port as its *source*
# port (the pass rule keys on the destination port only).
basic_v4_body()
{
	sctp_init

	j="sctp:basic_v4"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up
	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block" \
		"pass in proto sctp to port 1234"

	# Listener: -N shuts the socket down once stdin ("foo") hits EOF.
	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	# -w 3 bounds the connect attempt so a blocked port cannot hang the test.
	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now with scrub rules present, so normalization is done
	pft_set_rules ${j}a \
		"scrub on ${j}a" \
		"block" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now fail with a blocked port
	echo "foo" | jexec ${j}a nc --sctp -N -l 1235 &
	sleep 1

	# '==' is a test(1) extension accepted by FreeBSD's sh; '=' is the
	# portable spelling.
	out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1235)
	if [ "$out" == "foo" ]; then
		atf_fail "SCTP port block failed"
	fi

	# Now fail with a blocked port but passing source port
	# (-p 1234 makes the client's source port equal the allowed port; the
	# pass rule must not match on that.)
	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1235)
	if [ "$out" == "foo" ]; then
		atf_fail "SCTP port block failed"
	fi
}

basic_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "basic_v6" "cleanup"
basic_v6_head()
{
	atf_set descr 'Basic SCTP connection over IPv6'
	atf_set require.user root
}

# IPv6 counterpart of basic_v4_body. Note the block rule here is
# "block proto sctp" rather than a bare "block".
basic_v6_body()
{
	sctp_init

	j="sctp:basic_v6"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	# no_dad: skip duplicate address detection so the addresses are usable
	# immediately.
	jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 up no_dad
	jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -6 -c 1 2001:db8::b

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block proto sctp" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now with scrub rules present, so normalization is done
	pft_set_rules ${j}a \
		"scrub on ${j}a" \
		"block proto sctp" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now fail with a blocked port
	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1235 &
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1235)
	if [ "$out" == "foo" ]; then
		atf_fail "SCTP port block failed"
	fi

	# Now fail with a blocked port but passing source port
	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 2001:db8::a 1235)
	if [ "$out" == "foo" ]; then
		atf_fail "SCTP port block failed"
	fi
}

basic_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "reuse" "cleanup"
reuse_head()
{
	atf_set descr 'Test handling dumb clients that reuse source ports'
	atf_set require.user root
}

# Opens two consecutive associations with the same 4-tuple (client source
# port pinned to 1234 via -p) and expects both to succeed, i.e. the state
# left by the first association must not block the second.
reuse_body()
{
	sctp_init

	j="sctp:reuse"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up
	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block" \
		"pass in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Now do the same thing again, with the same port numbers
	# (state dump is diagnostic output only; nothing is asserted on it)
	jexec ${j}a pfctl -ss -v

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
	jexec ${j}a pfctl -ss -v
}

reuse_cleanup()
{
	pft_cleanup
}

atf_test_case "abort_v4" "cleanup"
abort_v4_head()
{
	atf_set descr 'Test sending ABORT messages'
	atf_set require.user root
}

# "block return" must make pf answer the INIT with an ABORT so the client
# fails fast; a plain "block" must drop silently so the client times out.
# timeout(1) exits with 124 when it had to kill the command, which is how the
# two cases are told apart.
abort_v4_body()
{
	sctp_init

	j="sctp:abort_v4"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -c 1 192.0.2.2

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block return in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	# If we get the abort we'll exit immediately, if we don't timeout will
	# stop nc.
	# $? after the assignment is the exit status of the command substitution.
	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
	if [ $? -eq 124 ]; then
		atf_fail 'Abort not received'
	fi
	if [ "$out" == "foo" ]; then
		atf_fail "block failed entirely"
	fi

	# Without 'return' we will time out.
	pft_set_rules ${j}a \
		"block in proto sctp to port 1234"

	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
	if [ $? -ne 124 ]; then
		atf_fail 'Abort sent anyway?'
	fi
}

abort_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "abort_v6" "cleanup"
abort_v6_head()
{
	atf_set descr 'Test sending ABORT messages over IPv6'
	atf_set require.user root
}

# IPv6 counterpart of abort_v4_body.
abort_v6_body()
{
	sctp_init

	j="sctp:abort_v6"
	epair=$(vnet_mkepair)

	vnet_mkjail ${j}a ${epair}a
	vnet_mkjail ${j}b ${epair}b

	# No explicit "up" here (unlike basic_v6_body); the ping sanity check
	# below catches it if the interface is not usable.
	jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 no_dad
	jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}a ping -6 -c 1 2001:db8::b

	jexec ${j}a pfctl -e
	pft_set_rules ${j}a \
		"block return in proto sctp to port 1234"

	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	# If we get the abort we'll exit immediately, if we don't timeout will
	# stop nc.
	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
	if [ $? -eq 124 ]; then
		atf_fail 'Abort not received'
	fi
	if [ "$out" == "foo" ]; then
		atf_fail "block failed entirely"
	fi

	# Without 'return' we will time out.
	pft_set_rules ${j}a \
		"block in proto sctp to port 1234"

	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
	if [ $? -ne 124 ]; then
		atf_fail 'Abort sent anyway?'
	fi
}

abort_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "nat_v4" "cleanup"
nat_v4_head()
{
	atf_set descr 'Test NAT-ing SCTP over IPv4'
	atf_set require.user root
}

# Three jails: client (c) -> gateway (gw, runs pf + NAT) -> server (srv).
# srv has no route back to the client network, so the association can only
# succeed if gw actually translated the client's source address.
nat_v4_body()
{
	sctp_init

	j="sctp:nat_v4"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up
	jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up
	jexec ${j}gw sysctl net.inet.ip.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"nat on ${epair_srv}b from 192.0.2.0/24 -> (${epair_srv}b)" \
		"pass"

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	echo "foo" | jexec ${j}srv nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}c nc --sctp -N -w 3 198.51.100.1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
}

nat_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "nat_v6" "cleanup"
nat_v6_head()
{
	atf_set descr 'Test NAT-ing SCTP over IPv6'
	atf_set require.user root
}

# IPv6 counterpart of nat_v4_body.
nat_v6_body()
{
	sctp_init

	j="sctp:nat_v6"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a inet6 2001:db8::1/64 up no_dad
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b inet6 2001:db8::2/64 up no_dad
	jexec ${j}gw ifconfig ${epair_c}a inet6 2001:db8:1::1/64 up no_dad
	jexec ${j}gw sysctl net.inet6.ip6.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b inet6 2001:db8:1::2/64 up no_dad
	jexec ${j}c route add -6 default 2001:db8:1::1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"nat on ${epair_srv}b from 2001:db8:1::/64 -> (${epair_srv}b)" \
		"pass"

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -6 -c 1 2001:db8::1

	echo "foo" | jexec ${j}srv nc -6 --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}c nc --sctp -N -w 3 2001:db8::1 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi
}

nat_v6_cleanup()
{
	pft_cleanup
}

atf_test_case "rdr_v4" "cleanup"
rdr_v4_head()
{
	atf_set descr 'Test rdr SCTP over IPv4'
	atf_set require.user root
}

# Same topology as nat_v4_body, but the listener is in the client jail and
# srv connects to the gateway address, which is rdr'd to the client.
# The second half pins down a limitation: an rdr rule that also changes the
# *port* does not take effect for SCTP, the association is still redirected
# to the original port. Operators should not rely on port translation for
# SCTP rdr rules.
rdr_v4_body()
{
	sctp_init

	j="sctp:rdr_v4"
	epair_c=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	vnet_mkjail ${j}srv ${epair_srv}a
	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
	vnet_mkjail ${j}c ${epair_c}b

	jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up
	# No default route in srv jail, to ensure we're NAT-ing
	jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up
	jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up
	jexec ${j}gw sysctl net.inet.ip.forwarding=1
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	jexec ${j}gw pfctl -e
	pft_set_rules ${j}gw \
		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 1234" \
		"pass"

	echo "foo" | jexec ${j}c nc --sctp -N -l 1234 &

	# Wait for the server to start
	sleep 1

	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
	if [ "$out" != "foo" ]; then
		atf_fail "SCTP connection failed"
	fi

	# Despite configuring port changes pf will not do so.
	echo "bar" | jexec ${j}c nc --sctp -N -l 1234 &

	pft_set_rules ${j}gw \
		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 4321" \
		"pass"

	# This will fail
	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 4321)
	if [ "$out" == "bar" ]; then
		atf_fail "Port was unexpectedly changed."
	fi

	# This succeeds
	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
	if [ "$out" != "bar" ]; then
		atf_fail "Port was unexpectedly changed."
	fi
}

rdr_v4_cleanup()
{
	pft_cleanup
}

atf_test_case "pfsync" "cleanup"
pfsync_head()
{
	atf_set descr 'Test pfsync-ing SCTP connections'
	atf_set require.user root
}

# Two carp/pfsync routers (one, two) between a client and a server. Router
# one is master initially (two is demoted); after the association is up and
# its state has been synced to two, one is demoted further and the test
# checks that traffic on the existing association still flows.
pfsync_body()
{
	# + Builds the topology below and initiates an SCTP connection
	#   from client to server.
	# + Tests that the connection remains open when we fail over from
	#   router one to router two.
	#
	#                   ┌──────┐
	#                   │client│
	#                   └───┬──┘
	#                       │
	#                   ┌───┴───┐
	#                   │bridge0│
	#                   └┬─────┬┘
	#                    │     │
	#   ┌────────────────┴─┐ ┌─┴────────────────┐
	#   │        one       ├─┤        two       │
	#   └────────────────┬─┘ └─┬────────────────┘
	#                    │     │
	#                   ┌┴─────┴┐
	#                   │bridge1│
	#                   └───┬───┘
	#                       │
	#                   ┌───┴──┐
	#                   │server│
	#                   └──────┘

	sctp_init
	pfsynct_init
	vnet_init_bridge
	if ! kldstat -q -m carp
	then
		atf_skip "This test requires carp"
	fi

	j="sctp:pfsync"

	# Scratch directory for the input/output files used below.
	tmp=`pwd`

	bridge0=$(vnet_mkbridge)
	bridge1=$(vnet_mkbridge)

	epair_c=$(vnet_mkepair)
	epair_one0=$(vnet_mkepair)
	epair_two0=$(vnet_mkepair)
	epair_sync=$(vnet_mkepair)
	epair_one1=$(vnet_mkepair)
	epair_two1=$(vnet_mkepair)
	epair_srv=$(vnet_mkepair)

	# bridge0: client side; bridge1: server side. The 'a' ends stay on the
	# host as bridge members, the 'b' ends go into the jails.
	ifconfig ${bridge0} addm ${epair_c}a addm ${epair_one0}a addm ${epair_two0}a
	ifconfig ${epair_one0}a up
	ifconfig ${epair_two0}a up
	ifconfig ${epair_c}a up
	ifconfig ${bridge0} up

	ifconfig ${bridge1} addm ${epair_srv}a addm ${epair_one1}a addm ${epair_two1}a
	ifconfig ${epair_one1}a up
	ifconfig ${epair_two1}a up
	ifconfig ${epair_srv}a up
	ifconfig ${bridge1} up

	vnet_mkjail ${j}c ${epair_c}b
	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
	jexec ${j}c route add default 192.0.2.1

	# Router one: carp VIPs 192.0.2.1 (vhid 1) and 198.51.100.2 (vhid 2),
	# pfsync over epair_sync. The carp 'pass' values are test-only.
	vnet_mkjail ${j}one ${epair_one0}b ${epair_one1}b ${epair_sync}a
	jexec ${j}one ifconfig ${epair_one0}b 192.0.2.3/24 up
	jexec ${j}one ifconfig ${epair_one0}b \
	    alias 192.0.2.1/32 vhid 1 pass 1234
	jexec ${j}one ifconfig ${epair_one1}b 198.51.100.3/24 up
	jexec ${j}one ifconfig ${epair_one1}b \
	    alias 198.51.100.2/32 vhid 2 pass 4321
	jexec ${j}one ifconfig ${epair_sync}a 203.0.113.1/24 up
	jexec ${j}one ifconfig pfsync0 \
	    syncdev ${epair_sync}a \
	    maxupd 1 \
	    up
	jexec ${j}one sysctl net.inet.ip.forwarding=1

	# Router two: same VIPs, other end of the sync link.
	vnet_mkjail ${j}two ${epair_two0}b ${epair_two1}b ${epair_sync}b
	jexec ${j}two ifconfig ${epair_two0}b 192.0.2.4/24 up
	jexec ${j}two ifconfig ${epair_two0}b \
	    alias 192.0.2.1/32 vhid 1 pass 1234
	jexec ${j}two ifconfig ${epair_two1}b 198.51.100.4/24 up
	jexec ${j}two ifconfig ${epair_two1}b \
	    alias 198.51.100.2/32 vhid 2 pass 4321
	jexec ${j}two ifconfig ${epair_sync}b 203.0.113.2/24 up
	jexec ${j}two ifconfig pfsync0 \
	    syncdev ${epair_sync}b \
	    maxupd 1 \
	    up
	jexec ${j}two sysctl net.inet.ip.forwarding=1

	vnet_mkjail ${j}srv ${epair_srv}b
	jexec ${j}srv ifconfig ${epair_srv}b 198.51.100.1/24 up
	jexec ${j}srv route add default 198.51.100.2

	# Demote two, to avoid dealing with asymmetric routing
	jexec ${j}two sysctl net.inet.carp.demotion=50

	jexec ${j}one pfctl -e
	pft_set_rules ${j}one \
		"block all" \
		"pass proto { icmp, pfsync, carp }" \
		"pass proto sctp to port 1234" \
		"pass proto tcp to port 1234"

	jexec ${j}two pfctl -e
	pft_set_rules ${j}two \
		"block all" \
		"pass proto { icmp, pfsync, carp }" \
		"pass proto sctp to port 1234" \
		"pass proto tcp to port 1234"

	# Give carp time to get set up
	sleep 2

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	# Now start up an SCTP connection
	# tail -F keeps the listener's stdin open, so the association stays up
	# and later appends to ${tmp}/input are delivered over it.
	# NOTE(review): the host-side tail -F and the two background nc
	# processes are not explicitly killed here; confirm pfsynct_cleanup
	# reaps them.
	touch ${tmp}/input
	tail -F ${tmp}/input | jexec ${j}srv nc --sctp -l 1234 &
	sleep 1

	jexec ${j}c nc --sctp 198.51.100.1 1234 > ${tmp}/output &
	echo "1" >> ${tmp}/input

	# Give time for the traffic to arrive
	sleep 1
	line=$(tail -n -1 ${tmp}/output)
	if [ "${line}" != "1" ];
	then
		echo "Found ${line}"
		cat ${tmp}/output
		atf_fail "Initial SCTP connection failed"
	fi

	# Verify that two has the connection too
	state=$(jexec ${j}two pfctl -ss | grep sctp)
	if [ -z "${state}" ];
	then
		jexec ${j}two pfctl -ss
		atf_fail "Failed to find SCTP state on secondary pfsync host"
	fi

	# Now fail over (both carp IPs should switch here)
	jexec ${j}one sysctl net.inet.carp.demotion=100

	# NOTE(review): after demoting 'one' these loops poll 'one' for MASTER,
	# not 'two'; confirm whether 'two' was intended, since the loops are
	# unbounded and exit only if the polled interface reports MASTER.
	while ! jexec ${j}one ifconfig ${epair_one0}b | grep MASTER;
	do
		sleep 1
	done
	while ! jexec ${j}one ifconfig ${epair_one1}b | grep MASTER;
	do
		sleep 1
	done

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec ${j}c ping -c 1 198.51.100.1

	# And check that the connection is still live
	echo "2" >> ${tmp}/input
	sleep 1
	line=$(tail -n -1 ${tmp}/output)
	if [ "${line}" != "2" ];
	then
		echo "Found ${line}"
		cat ${tmp}/output
		atf_fail "SCTP failover failed"
	fi
}

pfsync_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "timeout" "cleanup"
timeout_head()
{
	atf_set descr 'Test setting and retrieving timeout values'
	atf_set require.user root
}

# Set two SCTP state timeouts via pf.conf and read them back with
# `pfctl -st`; a third, unmodified timeout is checked to make sure only
# the configured values changed.
timeout_body()
{
	sctp_init

	vnet_mkjail timeout

	pft_set_rules timeout \
		"set timeout sctp.first 13" \
		"set timeout sctp.opening 14"

	# The first two patterns are the values set above; the last one is the
	# sctp.established default (86400 s), which must be left untouched.
	for expect in "sctp.first.*13" "sctp.opening.*14" \
	    "sctp.established.*86400"; do
		atf_check -s exit:0 -o match:"${expect}" \
		    jexec timeout pfctl -st
	done
}

timeout_cleanup()
{
	pft_cleanup
}

atf_test_case "related_icmp" "cleanup"
related_icmp_head()
{
	atf_set descr 'Verify that ICMP messages related to an SCTP connection are allowed'
	atf_set require.user root
}

# Topology (documentation address ranges):
#   host 192.0.2.1 -- rtr (192.0.2.2 / 198.51.100.1, pf enabled)
#                  -- rtr2 (198.51.100.2 / 203.0.113.1, mtu 1300 towards srv)
#                  -- srv 203.0.113.2 (mtu 1300)
# The client endpoint is the test host itself, not a jail: the host's default
# route is pointed at rtr and the ICMP statistics asserted below are the
# host's own counters.
# pf on rtr blocks all ICMP and passes SCTP; the test checks that the
# "need to frag" ICMP unreachable generated by rtr2 for an oversized SCTP
# packet still reaches the host, i.e. that pf treats it as related to the
# SCTP state rather than dropping it under the "block proto icmp" rule.
related_icmp_body()
{
	sctp_init

	client_epair=$(vnet_mkepair)
	router_epair=$(vnet_mkepair)
	server_epair=$(vnet_mkepair)

	# Client side lives on the host. NOTE(review): `route add default` is
	# not checked and no undo of it is visible here - confirm that
	# pft_cleanup restores the host's routing table.
	ifconfig ${client_epair}a 192.0.2.1/24 up
	route add default 192.0.2.2

	# First hop router; pf will be enabled on this one.
	vnet_mkjail rtr ${client_epair}b ${router_epair}a
	jexec rtr ifconfig ${client_epair}b 192.0.2.2/24 up
	jexec rtr ifconfig ${router_epair}a 198.51.100.1/24 up
	jexec rtr sysctl net.inet.ip.forwarding=1
	jexec rtr route add default 198.51.100.2

	# Second hop router; the reduced MTU on its server-facing link is what
	# forces fragmentation and the ICMP unreachable later on.
	vnet_mkjail rtr2 ${router_epair}b ${server_epair}a
	jexec rtr2 ifconfig ${router_epair}b 198.51.100.2/24 up
	jexec rtr2 ifconfig ${server_epair}a 203.0.113.1/24 up
	jexec rtr2 ifconfig ${server_epair}a mtu 1300
	jexec rtr2 sysctl net.inet.ip.forwarding=1
	jexec rtr2 route add default 198.51.100.1

	# Server, with the same reduced MTU as rtr2's facing interface.
	vnet_mkjail srv ${server_epair}b
	jexec srv ifconfig ${server_epair}b 203.0.113.2/24 up
	jexec srv ifconfig ${server_epair}b mtu 1300
	jexec srv route add default 203.0.113.1

	# Sanity checks: every hop must be reachable from the host before pf
	# is enabled, in path order.
	for hop in 192.0.2.2 198.51.100.1 198.51.100.2 203.0.113.1 \
	    203.0.113.2; do
		atf_check -s exit:0 -o ignore \
		    ping -c 1 ${hop}
	done

	jexec rtr pfctl -e
	pft_set_rules rtr \
		"block proto icmp" \
		"pass proto sctp"

	# Make sure SCTP traffic passes
	echo "foo" | jexec srv nc --sctp -N -l 1234 &
	sleep 1

	reply=$(nc --sctp -N -w 3 203.0.113.2 1234)
	case "${reply}" in
	foo)
		;;
	*)
		# Dump states and rules on the pf host to help diagnose.
		jexec rtr pfctl -ss -vv
		jexec rtr pfctl -sr -vv
		atf_fail "SCTP connection failed"
		;;
	esac

	# Do we see ICMP traffic if we send overly large traffic?
	# Start a fresh listener for the oversized transfer.
	echo "foo" | jexec srv nc --sctp -N -l 1234 >/dev/null &
	sleep 1

	# Baseline: the host must not have counted any "destination
	# unreachable" messages yet, otherwise the exact-count check below
	# is meaningless.
	atf_check -s exit:0 -o not-match:".*destination unreachable:.*" \
	    netstat -s -p icmp

	# Generate traffic that will be fragmented by rtr2, and will provoke an
	# ICMP unreachable - need to frag (mtu 1300) message
	dd if=/dev/random bs=1600 count=1 | nc --sctp -N -w 3 203.0.113.2 1234

	# We'd expect to see an ICMP message: exactly one "destination
	# unreachable" on the host, despite rtr's "block proto icmp".
	atf_check -s exit:0 -o match:".*destination unreachable: 1" \
	    netstat -s -p icmp
}

related_icmp_cleanup()
{
	pft_cleanup
}
# Register every test case in this file; the list is kept in the original
# registration order.
atf_init_test_cases()
{
	local tc

	for tc in basic_v4 basic_v6 reuse abort_v4 abort_v6 \
	    nat_v4 nat_v6 rdr_v4 pfsync timeout related_icmp; do
		atf_add_test_case "${tc}"
	done
}