Date: Wed, 5 Mar 2025 09:38:12 GMT
Message-Id: <202503050938.5259cCKd053584@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 2f77491169ca - main - pf tests: test ICMP error translation with nat64
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 2f77491169cacafd269fb653bec11087d85af035
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f77491169cacafd269fb653bec11087d85af035

commit 2f77491169cacafd269fb653bec11087d85af035
Author: Kristof Provost
AuthorDate: 2025-02-25 13:20:18 +0000
Commit: Kristof Provost
CommitDate: 2025-03-05 09:37:57 +0000

pf tests: test ICMP error translation with nat64

Ensure that when we translate an ICMPv4 to ICMPv6 message we set the correct source IP address.

PR: 284944
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49144

--- tests/sys/netpfil/pf/nat64.py | 94 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 92 insertions(+), 2 deletions(-) diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py index 070b7a82e6d9..42ab29a5aa0a 100644 --- a/tests/sys/netpfil/pf/nat64.py +++ b/tests/sys/netpfil/pf/nat64.py 
@@ -28,19 +28,38 @@ import pytest import selectors import socket import sys +import threading +import time from atf_python.sys.net.tools import ToolsHelper from atf_python.sys.net.vnet import VnetTestTemplate +class DelayedSend(threading.Thread): + def __init__(self, packet): + threading.Thread.__init__(self) + self._packet = packet + + self.start() + + def run(self): + import scapy.all as sp + time.sleep(1) + sp.send(self._packet) + class TestNAT64(VnetTestTemplate): REQUIRED_MODULES = [ "pf" ] TOPOLOGY = { "vnet1": {"ifaces": ["if1"]}, "vnet2": {"ifaces": ["if1", "if2"]}, - "vnet3": {"ifaces": ["if2"]}, + "vnet3": {"ifaces": ["if2", "if3"]}, + "vnet4": {"ifaces": ["if3"]}, "if1": {"prefixes6": [("2001:db8::2/64", "2001:db8::1/64")]}, "if2": {"prefixes4": [("192.0.2.1/24", "192.0.2.2/24")]}, + "if3": {"prefixes4": [("198.51.100.1/24", "198.51.100.2/24")]} } + def vnet4_handler(self, vnet): + ToolsHelper.print_output("/sbin/route add default 198.51.100.1") + def vnet3_handler(self, vnet): ToolsHelper.print_output("/sbin/sysctl net.inet.ip.forwarding=1") ToolsHelper.print_output("/sbin/sysctl net.inet.ip.ttl=62") @@ -155,7 +174,7 @@ class TestNAT64(VnetTestTemplate): import scapy.all as sp - packet = sp.IPv6(dst="64:ff9b::198.51.100.3") \ + packet = sp.IPv6(dst="64:ff9b::203.0.113.2") \ / sp.UDP(dport=1222) / sp.Raw("bar") reply = sp.sr1(packet, timeout=3) print(reply.show()) 
@@ -193,3 +212,74 @@ class TestNAT64(VnetTestTemplate): udp = reply.getlayer(sp.UDP) assert udp assert udp.chksum != 0 + + def common_test_source_addr(self, packet): + vnet = self.vnet_map["vnet1"] + sendif = vnet.iface_alias_map["if1"].name + + import scapy.all as sp + + print("Outbound:\n") + packet.show() + + s = DelayedSend(packet) + + # We expect an ICMPv6 error here, where we'll verify the source address of + # the outer packet + packets = sp.sniff(iface=sendif, timeout=5) + + for reply in packets: + print("Reply:\n") + reply.show() + icmp = reply.getlayer(sp.ICMPv6TimeExceeded) + if not icmp: + continue + + ip = reply.getlayer(sp.IPv6) + assert icmp + assert ip.src == "64:ff9b::c000:202" + return + + # If we don't find the packet we expect to see + assert False + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_source_addr_tcp(self): + ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1") + import scapy.all as sp + + packet = sp.IPv6(dst="64:ff9b::198.51.100.2", hlim=1) \ + / sp.TCP(sport=1111, dport=2222, flags="S") + self.common_test_source_addr(packet) + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_source_addr_udp(self): + ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1") + import scapy.all as sp + + packet = sp.IPv6(dst="64:ff9b::198.51.100.2", hlim=1) \ + / sp.UDP(sport=1111, dport=2222) / sp.Raw("foo") + self.common_test_source_addr(packet) + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_source_addr_sctp(self): + ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1") + import scapy.all as sp + + packet = sp.IPv6(dst="64:ff9b::198.51.100.2", hlim=1) \ + / sp.SCTP(sport=1111, dport=2222) \ + / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500) + self.common_test_source_addr(packet) + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def 
test_source_addr_icmp(self): + ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1") + import scapy.all as sp + + packet = sp.IPv6(dst="64:ff9b::198.51.100.2", hlim=1) \ + / sp.ICMPv6EchoRequest() / sp.Raw("foo") + self.common_test_source_addr(packet)
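
Review bot: The DelayedSend class in the first hunk (@@ -28,19 +28,38 @@) starts itself from __init__ and uses a fixed time.sleep(1) to let the caller's sp.sniff() begin capturing, so on a slow or loaded test host the packet can be sent before the capture is listening and the test fails for reasons unrelated to pf. Consider triggering the send from the capture side instead (scapy's sniff() accepts a started_callback argument), or at least have the caller start the thread and join() it once sniff() returns so it cannot outlive the test. A short docstring saying why the send must be delayed would also help, and the new "if3" topology entry is the only one in the dict without a trailing comma.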
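
Review bot: The destination change in the second hunk (@@ -155,7 +174,7 @@), from 64:ff9b::198.51.100.3 to 64:ff9b::203.0.113.2, carries no comment, and the reason is only apparent from the first hunk, which assigns 198.51.100.0/24 to the new if3. If the intent is that this test targets an address outside every configured prefix, a one-line comment above the sp.IPv6(dst=...) line saying so would keep a later topology change from silently altering what the test exercises.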
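
Review bot: In common_test_source_addr in the third hunk (@@ -193,3 +212,74 @@), the expected source "64:ff9b::c000:202" is an unexplained constant: it is 192.0.2.2 (the second address of the if2 pair) embedded in 64:ff9b::/96, and a comment or a value derived from the topology would make that checkable by the reader. The loop also accepts the first ICMPv6TimeExceeded it sees on the interface without confirming that the quoted inner packet is the one just sent, so checking the embedded destination or ports would tighten the assertion. Two smaller points: "assert icmp" is dead code after the "if not icmp: continue" guard, and the trailing "assert False" fails with no diagnostic; pytest.fail() with a message such as "no ICMPv6 Time Exceeded seen" would be clearer, and the four test_source_addr_* methods repeat the same route setup and could share it.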