author | Doug Rabson <dfr@FreeBSD.org> | 2023-05-24 13:11:37 +0000 |
---|---|---|
committer | Doug Rabson <dfr@FreeBSD.org> | 2023-05-31 10:11:05 +0000 |
commit | 5ab151574c8a1824c6cd8eded28506cb983284bc (patch) | |
tree | 222ab0c9eb502a801ea49a18d66f1f5175fbf7ac /tests/sys | |
parent | dc103686348d3205733a2c77e7d2ccbff6691022 (diff) | |
download | src-5ab151574c8a1824c6cd8eded28506cb983284bc.tar.gz src-5ab151574c8a1824c6cd8eded28506cb983284bc.zip |
Diffstat (limited to 'tests/sys')
-rw-r--r-- | tests/sys/netpfil/common/Makefile | 1 | ||||
-rw-r--r-- | tests/sys/netpfil/common/rdr.sh (renamed from tests/sys/netpfil/pf/rdr.sh) | 84 | ||||
-rw-r--r-- | tests/sys/netpfil/common/utils.subr | 4 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/Makefile | 1 |
4 files changed, 79 insertions, 11 deletions
diff --git a/tests/sys/netpfil/common/Makefile b/tests/sys/netpfil/common/Makefile
index 5ea3e7d9b687..99c81de3462e 100644
--- a/tests/sys/netpfil/common/Makefile
+++ b/tests/sys/netpfil/common/Makefile
@@ -9,6 +9,7 @@ ATF_TESTS_SH+= \
 dummynet \
 pass_block \
 nat \
+ rdr \
 tos \
 fragments \
 forward
diff --git a/tests/sys/netpfil/pf/rdr.sh b/tests/sys/netpfil/common/rdr.sh
index a41b7cf57209..c66a3a012098 100644
--- a/tests/sys/netpfil/pf/rdr.sh
+++ b/tests/sys/netpfil/common/rdr.sh
@@ -26,17 +26,19 @@
 # SUCH DAMAGE.
 
 . $(atf_get_srcdir)/utils.subr
+. $(atf_get_srcdir)/runner.subr
 
-atf_test_case "basic" "cleanup"
 basic_head()
 {
- atf_set descr 'Basic rdr test'
+ atf_set descr 'Basic IPv4 NAT test'
 atf_set require.user root
 }
 
 basic_body()
 {
- pft_init
+ firewall=$1
+ firewall_init $firewall
+ nat_init $firewall
 
 epair=$(vnet_mkepair)
 
@@ -48,10 +50,13 @@ basic_body()
 jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
 jexec alcatraz sysctl net.inet.ip.forwarding=1
 
- # Enable pf!
- jexec alcatraz pfctl -e
- pft_set_rules alcatraz \
- "rdr pass on ${epair}b proto tcp from any to 198.51.100.0/24 port 1234 -> 192.0.2.1 port 4321"
+ # Enable redirect filter rule
+ firewall_config alcatraz ${firewall} \
+ "pf" \
+ "rdr pass on ${epair}b proto tcp from any to 198.51.100.0/24 port 1234 -> 192.0.2.1 port 4321" \
+ "ipfnat" \
+ "rdr ${epair}b from any to 198.51.100.0/24 port = 1234 -> 192.0.2.1 port 4321 tcp"
+
 echo "foo" | jexec alcatraz nc -N -l 4321 &
 sleep 1
 
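Review bot: `atf_set descr 'Basic IPv4 NAT test'` in basic_head no longer says what the case exercises: both rule variants it installs are port redirects (rdr), and the file now also carries local_redirect, so `atf_set descr 'Basic IPv4 rdr test'` would keep the two descriptions distinct and accurate. In basic_body the new `firewall=$1` is taken unchecked and passed unquoted to firewall_init and nat_init, so an empty argument becomes a missing positional parameter inside those helpers instead of a clear failure at the call site; `[ -n "$firewall" ] || atf_fail "firewall argument missing"` directly after the assignment would make the contract with the runner explicit. How setup_tests supplies that argument lives in runner.subr, which is not part of this diff, and basic_body continues past the end of the hunk.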
@@ -64,10 +69,69 @@ basic_body()
 basic_cleanup()
 {
- pft_cleanup
+ firewall=$1
+ firewall_cleanup $firewall
 }
 
-atf_init_test_cases()
+local_redirect_head()
 {
- atf_add_test_case "basic"
+ atf_set descr 'Redirect local traffic test'
+ atf_set require.user root
 }
+
+local_redirect_body()
+{
+ firewall=$1
+ firewall_init $firewall
+ nat_init $firewall
+
+ bridge=$(vnet_mkbridge)
+ ifconfig ${bridge} 192.0.2.1/24 up
+
+ epair1=$(vnet_mkepair)
+ epair2=$(vnet_mkepair)
+
+ vnet_mkjail first ${epair1}b
+ ifconfig ${epair1}a up
+ ifconfig ${bridge} addm ${epair1}a
+ jexec first ifconfig ${epair1}b 192.0.2.2/24 up
+ jexec first ifconfig lo0 127.0.0.1/8 up
+
+ vnet_mkjail second ${epair2}b
+ ifconfig ${epair2}a up
+ ifconfig ${bridge} addm ${epair2}a
+ jexec second ifconfig ${epair2}b 192.0.2.3/24 up
+ jexec second ifconfig lo0 127.0.0.1/8 up
+ jexec second sysctl net.inet.ip.forwarding=1
+
+ # Enable redirect filter rule
+ firewall_config second ${firewall} \
+ "pf" \
+ "rdr pass proto tcp from any to 192.0.2.3/24 port 1234 -> 192.0.2.2 port 4321" \
+ "ipfnat" \
+ "rdr '*' from any to 192.0.2.3/24 port = 1234 -> 192.0.2.2 port 4321 tcp"
+
+ echo "foo" | jexec first nc -N -l 4321 &
+ sleep 1
+
+ # Verify that second can use its rule to redirect local connections to first
+ result=$(jexec second nc -N -w 3 192.0.2.3 1234)
+ if [ "$result" != "foo" ]; then
+ atf_fail "Redirect failed"
+ fi
+}
+
+local_redirect_cleanup()
+{
+ firewall=$1
+ firewall_cleanup $firewall
+}
+
+setup_tests \
+ basic \
+ pf \
+ ipfnat \
+ local_redirect \
+ pf \
+ ipfnat
+
 
diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr
index 3475dc23bf65..f4eec24618a7 100644
--- a/tests/sys/netpfil/common/utils.subr
+++ b/tests/sys/netpfil/common/utils.subr
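Review bot: The redirect rules installed in local_redirect_body match `to 192.0.2.3/24`, which both pf and ipnat read as the whole 192.0.2.0/24 network rather than second's own address, so the case would still pass if connections to any other host on the bridge were redirected as well. Since the description is 'Redirect local traffic test', narrowing both rule strings to `192.0.2.3` (or `192.0.2.3/32`) pins the assertion to the behaviour the case claims to check. The check `if [ "$result" != "foo" ]` folds a connect timeout and wrong data into the same 'Redirect failed' message; capturing the nc exit status separately, or saying `atf_fail "Redirect failed: got '$result'"`, would make a failing run easier to read.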
@@ -58,12 +58,16 @@ firewall_config()
 jexec ${jname} pfctl -e
 jexec ${jname} pfctl -F all
 jexec ${jname} pfctl -f $cwd/pf.rule
+ jexec ${jname} pfilctl link -o pf:default-out inet-local
+ jexec ${jname} pfilctl link -o pf:default-out6 inet6-local
 elif [ ${fw} == "ipf" ]; then
 jexec ${jname} ipf -E
 jexec ${jname} ipf -Fa -f $cwd/ipf.rule
 elif [ ${fw} == "ipfnat" ]; then
 jexec ${jname} service ipfilter start
 jexec ${jname} ipnat -CF -f $cwd/ipfnat.rule
+ jexec ${jname} pfilctl link -o ipfilter:default-ip4 inet-local
+ jexec ${jname} pfilctl link -o ipfilter:default-ip6 inet6-local
 else
 atf_fail "$fw is not a valid firewall to configure"
 fi
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 1117f0dcc239..8e923b6971b8 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -25,7 +25,6 @@ ATF_TESTS_SH+= altq \
 pfsync \
 prio \
 proxy \
- rdr \
 ridentifier \
 route_to \
 rtable \
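Review bot: The four added `pfilctl link -o … inet-local` / `inet6-local` lines change firewall_config for every caller, not only the new local_redirect case: firewall_config is the shared setup helper, so after this hunk pf and ipfilter presumably also see locally originated traffic in the other common cases listed in the Makefile, and nothing in the hunk records that this widening is intended. A comment above the first pair such as `# Also hook the local pfil heads so rules apply to connections originated inside the jail itself` would make the intent visible to the next editor. Like the surrounding jexec lines, the links are not checked for failure, so a rejected link leaves the case running without local filtering and failing later with a less specific message; `|| atf_fail "pfilctl link failed"` on each line would surface the problem where it occurs. Whether firewall_cleanup unlinks these hooks is outside this hunk.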