1# 2# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3# 4# Copyright © 2023 Orange Business Services 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25# SUCH DAMAGE. 26 27. $(atf_get_srcdir)/utils.subr 28 29sctp_init() 30{ 31 pft_init 32 if ! kldstat -q -m sctp; then 33 atf_skip "This test requires SCTP" 34 fi 35} 36 37atf_test_case "basic_v4" "cleanup" 38basic_v4_head() 39{ 40 atf_set descr 'Basic SCTP connection over IPv4 passthrough' 41 atf_set require.user root 42} 43 44basic_v4_body() 45{ 46 sctp_init 47 48 j="sctp:basic_v4" 49 epair=$(vnet_mkepair) 50 51 vnet_mkjail ${j}a ${epair}a 52 vnet_mkjail ${j}b ${epair}b 53 54 jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up 55 jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up 56 # Sanity check 57 atf_check -s exit:0 -o ignore \ 58 jexec ${j}a ping -c 1 192.0.2.2 59 60 jexec ${j}a pfctl -e 61 pft_set_rules ${j}a \ 62 "block" \ 63 "pass in proto sctp to port 1234" 64 65 echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & 66 67 # Wait for the server to start 68 sleep 1 69 70 out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234) 71 if [ "$out" != "foo" ]; then 72 atf_fail "SCTP connection failed" 73 fi 74 75 # Now with scrub rules present, so normalization is done 76 pft_set_rules ${j}a \ 77 "scrub on ${j}a" \ 78 "block" \ 79 "pass in proto sctp to port 1234" 80 81 echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & 82 sleep 1 83 84 out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1234) 85 if [ "$out" != "foo" ]; then 86 atf_fail "SCTP connection failed" 87 fi 88 89 # Now fail with a blocked port 90 echo "foo" | jexec ${j}a nc --sctp -N -l 1235 & 91 sleep 1 92 93 out=$(jexec ${j}b nc --sctp -N -w 3 192.0.2.1 1235) 94 if [ "$out" == "foo" ]; then 95 atf_fail "SCTP port block failed" 96 fi 97 98 # Now fail with a blocked port but passing source port 99 out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1235) 100 if [ "$out" == "foo" ]; then 101 atf_fail "SCTP port block failed" 102 fi 103} 104 105basic_v4_cleanup() 106{ 107 pft_cleanup 108} 109 110atf_test_case "basic_v6" "cleanup" 111basic_v6_head() 112{ 113 atf_set descr 'Basic SCTP connection over IPv6' 114 atf_set require.user root 115} 116 117basic_v6_body() 118{ 119 sctp_init 120 121 j="sctp:basic_v6" 122 epair=$(vnet_mkepair) 123 124 vnet_mkjail ${j}a ${epair}a 125 vnet_mkjail ${j}b ${epair}b 126 127 jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 up no_dad 128 jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 up no_dad 129 130 # Sanity check 131 atf_check -s exit:0 -o ignore \ 132 jexec ${j}a ping -6 -c 1 2001:db8::b 133 134 jexec ${j}a pfctl -e 135 pft_set_rules ${j}a \ 136 "block proto sctp" \ 137 "pass in proto sctp to port 1234" 138 139 echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 & 140 141 # Wait for the server to start 142 sleep 1 143 144 out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234) 145 if [ "$out" != "foo" ]; then 146 atf_fail "SCTP connection failed" 147 fi 148 149 # Now with scrub rules present, so normalization is done 150 pft_set_rules ${j}a \ 151 "scrub on ${j}a" \ 152 "block proto sctp" \ 153 "pass in proto sctp to port 1234" 154 155 echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 & 156 sleep 1 157 158 out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1234) 159 if [ "$out" != "foo" ]; then 160 atf_fail "SCTP connection failed" 161 fi 162 163 # Now fail with a blocked port 164 echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1235 & 165 sleep 1 166 167 out=$(jexec ${j}b nc --sctp -N -w 3 2001:db8::a 1235) 168 if [ "$out" == "foo" ]; then 169 atf_fail "SCTP port block failed" 170 fi 171 172 # Now fail with a blocked port but passing source port 173 out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 2001:db8::a 1235) 174 if [ "$out" == "foo" ]; then 175 atf_fail "SCTP port block failed" 176 fi 177} 178 179basic_v6_cleanup() 180{ 181 pft_cleanup 182} 183 184atf_test_case "reuse" "cleanup" 185reuse_head() 186{ 187 atf_set descr 'Test handling dumb clients that reuse source ports' 188 atf_set require.user root 189} 190 191reuse_body() 192{ 193 sctp_init 194 195 j="sctp:reuse" 196 epair=$(vnet_mkepair) 197 198 vnet_mkjail ${j}a ${epair}a 199 vnet_mkjail ${j}b ${epair}b 200 201 jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up 202 jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up 203 # Sanity check 204 atf_check -s exit:0 -o ignore \ 205 jexec ${j}a ping -c 1 192.0.2.2 206 207 jexec ${j}a pfctl -e 208 pft_set_rules ${j}a \ 209 "block" \ 210 "pass in proto sctp to port 1234" 211 212 echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & 213 214 # Wait for the server to start 215 sleep 1 216 217 out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) 218 if [ "$out" != "foo" ]; then 219 atf_fail "SCTP connection failed" 220 fi 221 222 # Now do the same thing again, with the same port numbers 223 jexec ${j}a pfctl -ss -v 224 225 echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & 226 227 # Wait for the server to start 228 sleep 1 229 230 out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) 231 if [ "$out" != "foo" ]; then 232 atf_fail "SCTP connection failed" 233 fi 234 jexec ${j}a pfctl -ss -v 235} 236 237reuse_cleanup() 238{ 239 pft_cleanup 240} 241 242atf_test_case "abort_v4" "cleanup" 243abort_v4_head() 244{ 245 atf_set descr 'Test sending ABORT messages' 246 atf_set require.user root 247} 248 249abort_v4_body() 250{ 251 sctp_init 252 253 j="sctp:abort_v4" 254 epair=$(vnet_mkepair) 255 256 vnet_mkjail ${j}a ${epair}a 257 vnet_mkjail ${j}b ${epair}b 258 259 jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up 260 jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up 261 262 # Sanity check 263 atf_check -s exit:0 -o ignore \ 264 jexec ${j}a ping -c 1 192.0.2.2 265 266 jexec ${j}a pfctl -e 267 pft_set_rules ${j}a \ 268 "block return in proto sctp to port 1234" 269 270 echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & 271 272 # Wait for the server to start 273 sleep 1 274 275 # If we get the abort we'll exit immediately, if we don't timeout will 276 # stop nc. 277 out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234) 278 if [ $? -eq 124 ]; then 279 atf_fail 'Abort not received' 280 fi 281 if [ "$out" == "foo" ]; then 282 atf_fail "block failed entirely" 283 fi 284 285 # Without 'return' we will time out. 286 pft_set_rules ${j}a \ 287 "block in proto sctp to port 1234" 288 289 out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234) 290 if [ $? -ne 124 ]; then 291 atf_fail 'Abort sent anyway?' 292 fi 293} 294 295abort_v4_cleanup() 296{ 297 pft_cleanup 298} 299 300atf_test_case "abort_v6" "cleanup" 301abort_v6_head() 302{ 303 atf_set descr 'Test sending ABORT messages over IPv6' 304 atf_set require.user root 305} 306 307abort_v6_body() 308{ 309 sctp_init 310 311 j="sctp:abort_v6" 312 epair=$(vnet_mkepair) 313 314 vnet_mkjail ${j}a ${epair}a 315 vnet_mkjail ${j}b ${epair}b 316 317 jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 no_dad 318 jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 no_dad 319 320 # Sanity check 321 atf_check -s exit:0 -o ignore \ 322 jexec ${j}a ping -6 -c 1 2001:db8::b 323 324 jexec ${j}a pfctl -e 325 pft_set_rules ${j}a \ 326 "block return in proto sctp to port 1234" 327 328 echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 & 329 330 # Wait for the server to start 331 sleep 1 332 333 # If we get the abort we'll exit immediately, if we don't timeout will 334 # stop nc. 335 out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234) 336 if [ $? -eq 124 ]; then 337 atf_fail 'Abort not received' 338 fi 339 if [ "$out" == "foo" ]; then 340 atf_fail "block failed entirely" 341 fi 342 343 # Without 'return' we will time out. 344 pft_set_rules ${j}a \ 345 "block in proto sctp to port 1234" 346 347 out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234) 348 if [ $? -ne 124 ]; then 349 atf_fail 'Abort sent anyway?' 350 fi 351} 352 353abort_v6_cleanup() 354{ 355 pft_cleanup 356} 357 358atf_test_case "nat_v4" "cleanup" 359nat_v4_head() 360{ 361 atf_set descr 'Test NAT-ing SCTP over IPv4' 362 atf_set require.user root 363} 364 365nat_v4_body() 366{ 367 sctp_init 368 369 j="sctp:nat_v4" 370 epair_c=$(vnet_mkepair) 371 epair_srv=$(vnet_mkepair) 372 373 vnet_mkjail ${j}srv ${epair_srv}a 374 vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a 375 vnet_mkjail ${j}c ${epair_c}b 376 377 jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up 378 # No default route in srv jail, to ensure we're NAT-ing 379 jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up 380 jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up 381 jexec ${j}gw sysctl net.inet.ip.forwarding=1 382 jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up 383 jexec ${j}c route add default 192.0.2.1 384 385 jexec ${j}gw pfctl -e 386 pft_set_rules ${j}gw \ 387 "nat on ${epair_srv}b from 192.0.2.0/24 -> (${epair_srv}b)" \ 388 "pass" 389 390 # Sanity check 391 atf_check -s exit:0 -o ignore \ 392 jexec ${j}c ping -c 1 198.51.100.1 393 394 echo "foo" | jexec ${j}srv nc --sctp -N -l 1234 & 395 396 # Wait for the server to start 397 sleep 1 398 399 out=$(jexec ${j}c nc --sctp -N -w 3 198.51.100.1 1234) 400 if [ "$out" != "foo" ]; then 401 atf_fail "SCTP connection failed" 402 fi 403} 404 405nat_v4_cleanup() 406{ 407 pft_cleanup 408} 409 410atf_test_case "nat_v6" "cleanup" 411nat_v6_head() 412{ 413 atf_set descr 'Test NAT-ing SCTP over IPv6' 414 atf_set require.user root 415} 416 417nat_v6_body() 418{ 419 sctp_init 420 421 j="sctp:nat_v6" 422 epair_c=$(vnet_mkepair) 423 epair_srv=$(vnet_mkepair) 424 425 vnet_mkjail ${j}srv ${epair_srv}a 426 vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a 427 vnet_mkjail ${j}c ${epair_c}b 428 429 jexec ${j}srv ifconfig ${epair_srv}a inet6 2001:db8::1/64 up no_dad 430 # No default route in srv jail, to ensure we're NAT-ing 431 jexec ${j}gw ifconfig ${epair_srv}b inet6 2001:db8::2/64 up no_dad 432 jexec ${j}gw ifconfig ${epair_c}a inet6 2001:db8:1::1/64 up no_dad 433 jexec ${j}gw sysctl net.inet6.ip6.forwarding=1 434 jexec ${j}c ifconfig ${epair_c}b inet6 2001:db8:1::2/64 up no_dad 435 jexec ${j}c route add -6 default 2001:db8:1::1 436 437 jexec ${j}gw pfctl -e 438 pft_set_rules ${j}gw \ 439 "nat on ${epair_srv}b from 2001:db8:1::/64 -> (${epair_srv}b)" \ 440 "pass" 441 442 # Sanity check 443 atf_check -s exit:0 -o ignore \ 444 jexec ${j}c ping -6 -c 1 2001:db8::1 445 446 echo "foo" | jexec ${j}srv nc -6 --sctp -N -l 1234 & 447 448 # Wait for the server to start 449 sleep 1 450 451 out=$(jexec ${j}c nc --sctp -N -w 3 2001:db8::1 1234) 452 if [ "$out" != "foo" ]; then 453 atf_fail "SCTP connection failed" 454 fi 455} 456 457nat_v6_cleanup() 458{ 459 pft_cleanup 460} 461 462atf_test_case "rdr_v4" "cleanup" 463rdr_v4_head() 464{ 465 atf_set descr 'Test rdr SCTP over IPv4' 466 atf_set require.user root 467} 468 469rdr_v4_body() 470{ 471 sctp_init 472 473 j="sctp:rdr_v4" 474 epair_c=$(vnet_mkepair) 475 epair_srv=$(vnet_mkepair) 476 477 vnet_mkjail ${j}srv ${epair_srv}a 478 vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a 479 vnet_mkjail ${j}c ${epair_c}b 480 481 jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up 482 # No default route in srv jail, to ensure we're NAT-ing 483 jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up 484 jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up 485 jexec ${j}gw sysctl net.inet.ip.forwarding=1 486 jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up 487 jexec ${j}c route add default 192.0.2.1 488 489 jexec ${j}gw pfctl -e 490 pft_set_rules ${j}gw \ 491 "rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 1234" \ 492 "pass" 493 494 echo "foo" | jexec ${j}c nc --sctp -N -l 1234 & 495 496 # Wait for the server to start 497 sleep 1 498 499 out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234) 500 if [ "$out" != "foo" ]; then 501 atf_fail "SCTP connection failed" 502 fi 503 504 # Despite configuring port changes pf will not do so. 505 echo "bar" | jexec ${j}c nc --sctp -N -l 1234 & 506 507 pft_set_rules ${j}gw \ 508 "rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 4321" \ 509 "pass" 510 511 # This will fail 512 out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 4321) 513 if [ "$out" == "bar" ]; then 514 atf_fail "Port was unexpectedly changed." 515 fi 516 517 # This succeeds 518 out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234) 519 if [ "$out" != "bar" ]; then 520 atf_fail "Port was unexpectedly changed." 521 fi 522} 523 524rdr_v4_cleanup() 525{ 526 pft_cleanup 527} 528 529atf_test_case "pfsync" "cleanup" 530pfsync_head() 531{ 532 atf_set descr 'Test pfsync-ing SCTP connections' 533 atf_set require.user root 534} 535 536pfsync_body() 537{ 538 # + Builds bellow topology and initiate an SCTP connection 539 # from client to server. 540 # + Tests that the connection remains open when we fail over from 541 # router one to router two. 542 # 543 # ┌──────┐ 544 # │client│ 545 # └───┬──┘ 546 # │ 547 # ┌───┴───┐ 548 # │bridge0│ 549 # └┬─────┬┘ 550 # │ │ 551 # ┌────────────────┴─┐ ┌─┴────────────────┐ 552 # │ one ├─┤ two │ 553 # └────────────────┬─┘ └─┬────────────────┘ 554 # │ │ 555 # ┌┴─────┴┐ 556 # │bridge1│ 557 # └───┬───┘ 558 # │ 559 # ┌───┴──┐ 560 # │server│ 561 # └──────┘ 562 563 sctp_init 564 pfsynct_init 565 vnet_init_bridge 566 if ! kldstat -q -m carp 567 then 568 atf_skip "This test requires carp" 569 fi 570 571 j="sctp:pfsync" 572 573 tmp=`pwd` 574 575 bridge0=$(vnet_mkbridge) 576 bridge1=$(vnet_mkbridge) 577 578 epair_c=$(vnet_mkepair) 579 epair_one0=$(vnet_mkepair) 580 epair_two0=$(vnet_mkepair) 581 epair_sync=$(vnet_mkepair) 582 epair_one1=$(vnet_mkepair) 583 epair_two1=$(vnet_mkepair) 584 epair_srv=$(vnet_mkepair) 585 586 ifconfig ${bridge0} addm ${epair_c}a addm ${epair_one0}a addm ${epair_two0}a 587 ifconfig ${epair_one0}a up 588 ifconfig ${epair_two0}a up 589 ifconfig ${epair_c}a up 590 ifconfig ${bridge0} up 591 592 ifconfig ${bridge1} addm ${epair_srv}a addm ${epair_one1}a addm ${epair_two1}a 593 ifconfig ${epair_one1}a up 594 ifconfig ${epair_two1}a up 595 ifconfig ${epair_srv}a up 596 ifconfig ${bridge1} up 597 598 vnet_mkjail ${j}c ${epair_c}b 599 jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up 600 jexec ${j}c route add default 192.0.2.1 601 602 vnet_mkjail ${j}one ${epair_one0}b ${epair_one1}b ${epair_sync}a 603 jexec ${j}one ifconfig ${epair_one0}b 192.0.2.3/24 up 604 jexec ${j}one ifconfig ${epair_one0}b \ 605 alias 192.0.2.1/32 vhid 1 pass 1234 606 jexec ${j}one ifconfig ${epair_one1}b 198.51.100.3/24 up 607 jexec ${j}one ifconfig ${epair_one1}b \ 608 alias 198.51.100.2/32 vhid 2 pass 4321 609 jexec ${j}one ifconfig ${epair_sync}a 203.0.113.1/24 up 610 jexec ${j}one ifconfig pfsync0 \ 611 syncdev ${epair_sync}a \ 612 maxupd 1 \ 613 up 614 jexec ${j}one sysctl net.inet.ip.forwarding=1 615 616 vnet_mkjail ${j}two ${epair_two0}b ${epair_two1}b ${epair_sync}b 617 jexec ${j}two ifconfig ${epair_two0}b 192.0.2.4/24 up 618 jexec ${j}two ifconfig ${epair_two0}b \ 619 alias 192.0.2.1/32 vhid 1 pass 1234 620 jexec ${j}two ifconfig ${epair_two1}b 198.51.100.4/24 up 621 jexec ${j}two ifconfig ${epair_two1}b \ 622 alias 198.51.100.2/32 vhid 2 pass 4321 623 jexec ${j}two ifconfig ${epair_sync}b 203.0.113.2/24 up 624 jexec ${j}two ifconfig pfsync0 \ 625 syncdev ${epair_sync}b \ 626 maxupd 1 \ 627 up 628 jexec ${j}two sysctl net.inet.ip.forwarding=1 629 630 vnet_mkjail ${j}srv ${epair_srv}b 631 jexec ${j}srv ifconfig ${epair_srv}b 198.51.100.1/24 up 632 jexec ${j}srv route add default 198.51.100.2 633 634 # Demote two, to avoid dealing with asymmetric routing 635 jexec ${j}two sysctl net.inet.carp.demotion=50 636 637 jexec ${j}one pfctl -e 638 pft_set_rules ${j}one \ 639 "block all" \ 640 "pass proto { icmp, pfsync, carp }" \ 641 "pass proto sctp to port 1234" \ 642 "pass proto tcp to port 1234" 643 644 jexec ${j}two pfctl -e 645 pft_set_rules ${j}two \ 646 "block all" \ 647 "pass proto { icmp, pfsync, carp }" \ 648 "pass proto sctp to port 1234" \ 649 "pass proto tcp to port 1234" 650 651 # Give carp time to get set up 652 sleep 2 653 654 # Sanity check 655 atf_check -s exit:0 -o ignore \ 656 jexec ${j}c ping -c 1 198.51.100.1 657 658 # Now start up an SCTP connection 659 touch ${tmp}/input 660 tail -F ${tmp}/input | jexec ${j}srv nc --sctp -l 1234 & 661 sleep 1 662 663 jexec ${j}c nc --sctp 198.51.100.1 1234 > ${tmp}/output & 664 echo "1" >> ${tmp}/input 665 666 # Give time for the traffic to arrive 667 sleep 1 668 line=$(tail -n -1 ${tmp}/output) 669 if [ "${line}" != "1" ]; 670 then 671 echo "Found ${line}" 672 cat ${tmp}/output 673 atf_fail "Initial SCTP connection failed" 674 fi 675 676 # Verify that two has the connection too 677 state=$(jexec ${j}two pfctl -ss | grep sctp) 678 if [ -z "${state}" ]; 679 then 680 jexec ${j}two pfctl -ss 681 atf_fail "Failed to find SCTP state on secondary pfsync host" 682 fi 683 684 # Now fail over (both carp IPs should switch here) 685 jexec ${j}one sysctl net.inet.carp.demotion=100 686 687 while ! jexec ${j}one ifconfig ${epair_one0}b | grep MASTER; 688 do 689 sleep 1 690 done 691 while ! jexec ${j}one ifconfig ${epair_one1}b | grep MASTER; 692 do 693 sleep 1 694 done 695 696 # Sanity check 697 atf_check -s exit:0 -o ignore \ 698 jexec ${j}c ping -c 1 198.51.100.1 699 700 # And check that the connection is still live 701 echo "2" >> ${tmp}/input 702 sleep 1 703 line=$(tail -n -1 ${tmp}/output) 704 if [ "${line}" != "2" ]; 705 then 706 echo "Found ${line}" 707 cat ${tmp}/output 708 atf_fail "SCTP failover failed" 709 fi 710} 711 712pfsync_cleanup() 713{ 714 pfsynct_cleanup 715} 716 717atf_test_case "timeout" "cleanup" 718timeout_head() 719{ 720 atf_set descr 'Test setting and retrieving timeout values' 721 atf_set require.user root 722} 723 724timeout_body() 725{ 726 sctp_init 727 728 vnet_mkjail timeout 729 730 pft_set_rules timeout \ 731 "set timeout sctp.first 13" \ 732 "set timeout sctp.opening 14" 733 734 atf_check -s exit:0 -o match:"sctp.first.*13" \ 735 jexec timeout pfctl -st 736 atf_check -s exit:0 -o match:"sctp.opening.*14" \ 737 jexec timeout pfctl -st 738 # We've not changed other timeouts 739 atf_check -s exit:0 -o match:"sctp.established.*86400" \ 740 jexec timeout pfctl -st 741} 742 743timeout_cleanup() 744{ 745 pft_cleanup 746} 747 748atf_test_case "related_icmp" "cleanup" 749related_icmp_head() 750{ 751 atf_set descr 'Verify that ICMP messages related to an SCTP connection are allowed' 752 atf_set require.user root 753} 754 755related_icmp_body() 756{ 757 sctp_init 758 759 epair_cl=$(vnet_mkepair) 760 epair_rtr=$(vnet_mkepair) 761 epair_srv=$(vnet_mkepair) 762 763 ifconfig ${epair_cl}a 192.0.2.1/24 up 764 route add default 192.0.2.2 765 766 vnet_mkjail rtr ${epair_cl}b ${epair_rtr}a 767 jexec rtr ifconfig ${epair_cl}b 192.0.2.2/24 up 768 jexec rtr ifconfig ${epair_rtr}a 198.51.100.1/24 up 769 jexec rtr sysctl net.inet.ip.forwarding=1 770 jexec rtr route add default 198.51.100.2 771 772 vnet_mkjail rtr2 ${epair_rtr}b ${epair_srv}a 773 jexec rtr2 ifconfig ${epair_rtr}b 198.51.100.2/24 up 774 jexec rtr2 ifconfig ${epair_srv}a 203.0.113.1/24 up 775 jexec rtr2 ifconfig ${epair_srv}a mtu 1300 776 jexec rtr2 sysctl net.inet.ip.forwarding=1 777 jexec rtr2 route add default 198.51.100.1 778 779 vnet_mkjail srv ${epair_srv}b 780 jexec srv ifconfig ${epair_srv}b 203.0.113.2/24 up 781 jexec srv ifconfig ${epair_srv}b mtu 1300 782 jexec srv route add default 203.0.113.1 783 784 # Sanity checks 785 atf_check -s exit:0 -o ignore \ 786 ping -c 1 192.0.2.2 787 atf_check -s exit:0 -o ignore \ 788 ping -c 1 198.51.100.1 789 atf_check -s exit:0 -o ignore \ 790 ping -c 1 198.51.100.2 791 atf_check -s exit:0 -o ignore \ 792 ping -c 1 203.0.113.1 793 atf_check -s exit:0 -o ignore \ 794 ping -c 1 203.0.113.2 795 796 jexec rtr pfctl -e 797 pft_set_rules rtr \ 798 "block proto icmp" \ 799 "pass proto sctp" 800 801 # Make sure SCTP traffic passes 802 echo "foo" | jexec srv nc --sctp -N -l 1234 & 803 sleep 1 804 805 out=$(nc --sctp -N -w 3 203.0.113.2 1234) 806 if [ "$out" != "foo" ]; then 807 jexec rtr pfctl -ss -vv 808 jexec rtr pfctl -sr -vv 809 atf_fail "SCTP connection failed" 810 fi 811 812 # Do we see ICMP traffic if we send overly large traffic? 813 echo "foo" | jexec srv nc --sctp -N -l 1234 >/dev/null & 814 sleep 1 815 816 atf_check -s exit:0 -o not-match:".*destination unreachable:.*" \ 817 netstat -s -p icmp 818 819 # Generate traffic that will be fragmented by rtr2, and will provoke an 820 # ICMP unreachable - need to frag (mtu 1300) message 821 dd if=/dev/random bs=1600 count=1 | nc --sctp -N -w 3 203.0.113.2 1234 822 823 # We'd expect to see an ICMP message 824 atf_check -s exit:0 -o match:".*destination unreachable: 1" \ 825 netstat -s -p icmp 826} 827 828related_icmp_cleanup() 829{ 830 pft_cleanup 831} 832 833atf_init_test_cases() 834{ 835 atf_add_test_case "basic_v4" 836 atf_add_test_case "basic_v6" 837 atf_add_test_case "reuse" 838 atf_add_test_case "abort_v4" 839 atf_add_test_case "abort_v6" 840 atf_add_test_case "nat_v4" 841 atf_add_test_case "nat_v6" 842 atf_add_test_case "rdr_v4" 843 atf_add_test_case "pfsync" 844 atf_add_test_case "timeout" 845 atf_add_test_case "related_icmp" 846} 847