From owner-dev-commits-src-branches@freebsd.org Tue Sep 14 20:01:38 2021
Return-Path:
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 52CCF66FDEF; Tue, 14 Sep 2021 20:01:38 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4H8Dkn3SBDz4pwQ; Tue, 14 Sep 2021 20:01:37 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4F34C20A36; Tue, 14 Sep 2021 20:01:36 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 18EK1ad2089638; Tue, 14 Sep 2021 20:01:36 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 18EK1aYg089637; Tue, 14 Sep 2021 20:01:36 GMT (envelope-from git)
Date: Tue, 14 Sep 2021 20:01:36 GMT
Message-Id: <202109142001.18EK1aYg089637@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost Subject: git: b10cd461a58b - stable/12 - Add basic NAT test for pf, ipf and ipfw MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: b10cd461a58bb3b8b80ae1405d9c88d2af74d547 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2021 20:01:38 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b10cd461a58bb3b8b80ae1405d9c88d2af74d547 commit b10cd461a58bb3b8b80ae1405d9c88d2af74d547 Author: Tom Jones AuthorDate: 2019-08-17 06:44:11 +0000 Commit: Kristof Provost CommitDate: 2021-09-14 08:27:23 +0000 Add basic NAT test for pf, ipf and ipfw Add common firewall NAT tests for pf, ipf and ipfw (using both in-kernel and userspace NAT). Submitted by: Ahsan Barkati Sponsored by: Google, Inc. (GSoC 2019) Reviewed by: kp Approved by: bz (mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D21199 (cherry picked from commit 0d9da68f01510ae4c5bb33b744f1e0b3711c7fb9) --- tests/sys/netpfil/common/Makefile | 4 +- tests/sys/netpfil/common/nat.sh | 156 ++++++++++++++++++++++++++++++++++++ tests/sys/netpfil/common/utils.subr | 18 ++++- 3 files changed, 173 insertions(+), 5 deletions(-) diff --git a/tests/sys/netpfil/common/Makefile b/tests/sys/netpfil/common/Makefile index a4c135dbce08..9e1efc924c6e 100644 --- a/tests/sys/netpfil/common/Makefile +++ b/tests/sys/netpfil/common/Makefile @@ -4,7 +4,9 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/netpfil/common -ATF_TESTS_SH+= pass_block +ATF_TESTS_SH+= \ + nat \ + pass_block ${PACKAGE}FILES+= \ pft_ping.py \ 
diff --git a/tests/sys/netpfil/common/nat.sh b/tests/sys/netpfil/common/nat.sh new file mode 100644 index 000000000000..f74467dce062 --- /dev/null +++ b/tests/sys/netpfil/common/nat.sh 
@@ -0,0 +1,156 @@ +#- +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Ahsan Barkati +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +. $(atf_get_srcdir)/utils.subr +. 
$(atf_get_srcdir)/runner.subr + +basic_head() +{ + atf_set descr 'Basic IPv4 NAT test' + atf_set require.user root +} + +basic_body() +{ + firewall=$1 + firewall_init $firewall + nat_init $firewall + + epair_host_nat=$(vnet_mkepair) + epair_client1_nat=$(vnet_mkepair) + epair_client2_nat=$(vnet_mkepair) + + vnet_mkjail nat ${epair_host_nat}b ${epair_client1_nat}a ${epair_client2_nat}a + vnet_mkjail client1 ${epair_client1_nat}b + vnet_mkjail client2 ${epair_client2_nat}b + + ifconfig ${epair_host_nat}a 198.51.100.2/24 up + jexec nat ifconfig ${epair_host_nat}b 198.51.100.1/24 up + + jexec nat ifconfig ${epair_client1_nat}a 192.0.2.1/24 up + jexec client1 ifconfig ${epair_client1_nat}b 192.0.2.2/24 up + + jexec nat ifconfig ${epair_client2_nat}a 192.0.3.1/24 up + jexec client2 ifconfig ${epair_client2_nat}b 192.0.3.2/24 up + + jexec nat sysctl net.inet.ip.forwarding=1 + + jexec client1 route add -net 198.51.100.0/24 192.0.2.1 + jexec client2 route add -net 198.51.100.0/24 192.0.3.1 + + # ping fails without NAT configuration + atf_check -s exit:2 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:2 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 + + firewall_config nat ${firewall} \ + "pf" \ + "nat pass on ${epair_host_nat}b inet from any to any -> (${epair_host_nat}b)" \ + "ipfw" \ + "ipfw -q nat 123 config if ${epair_host_nat}b" \ + "ipfw -q add 1000 nat 123 all from any to any" \ + "ipfnat" \ + "map ${epair_host_nat}b 192.0.3.0/24 -> 0/32" \ + "map ${epair_host_nat}b 192.0.2.0/24 -> 0/32" \ + + + # ping is successful now + atf_check -s exit:0 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 + +} + +basic_cleanup() +{ + firewall=$1 + firewall_cleanup $firewall +} + +userspace_nat_head() +{ + atf_set descr 'Nat test for ipfw using userspace natd' + atf_set require.user root +} +userspace_nat_body() +{ + firewall=$1 + firewall_init $firewall + + if ! 
kldstat -q -m ipdivert; then + atf_skip "This test requires ipdivert module loaded" + fi + + epair_host_nat=$(vnet_mkepair) + epair_client1_nat=$(vnet_mkepair) + epair_client2_nat=$(vnet_mkepair) + + vnet_mkjail nat ${epair_host_nat}b ${epair_client1_nat}a ${epair_client2_nat}a + vnet_mkjail client1 ${epair_client1_nat}b + vnet_mkjail client2 ${epair_client2_nat}b + + ifconfig ${epair_host_nat}a 198.51.100.2/24 up + jexec nat ifconfig ${epair_host_nat}b 198.51.100.1/24 up + + jexec nat ifconfig ${epair_client1_nat}a 192.0.2.1/24 up + jexec client1 ifconfig ${epair_client1_nat}b 192.0.2.2/24 up + + jexec nat ifconfig ${epair_client2_nat}a 192.0.3.1/24 up + jexec client2 ifconfig ${epair_client2_nat}b 192.0.3.2/24 up + + jexec nat sysctl net.inet.ip.forwarding=1 + + jexec client1 route add -net 198.51.100.0/24 192.0.2.1 + jexec client2 route add -net 198.51.100.0/24 192.0.3.1 + # Test the userspace NAT of ipfw + # ping fails without NAT configuration + atf_check -s exit:2 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:2 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 + + firewall_config nat ${firewall} \ + "ipfw" \ + "natd -interface ${epair_host_nat}b" \ + "ipfw -q add divert natd all from any to any via ${epair_host_nat}b" \ + + # ping is successful now + atf_check -s exit:0 -o ignore jexec client1 ping -t 1 -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore jexec client2 ping -t 1 -c 1 198.51.100.2 +} + +userspace_nat_cleanup() +{ + firewall=$1 + firewall_cleanup $firewall +} + +setup_tests \ + basic \ + pf \ + ipfw \ + ipfnat \ + userspace_nat \ + ipfw \ No newline at end of file diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr index d871962f5341..3f9d6b40183a 100644 --- a/tests/sys/netpfil/common/utils.subr +++ b/tests/sys/netpfil/common/utils.subr 
@@ -37,7 +37,7 @@ firewall_config() shift while [ $# -gt 0 ]; do - if [ $(is_firewall $fw) -eq 1 ]; then + if [ $(is_firewall "$1") -eq 1 ]; then current_fw="$1" shift filename=${current_fw}.rule @@ -94,8 +94,8 @@ firewall_init() atf_skip "This test requires ipf" fi elif [ ${firewall} == "ipfnat" ]; then - if ! kldstat -q -m ipfw_nat; then - atf_skip "This test requires ipfw_nat" + if ! kldstat -q -m ipfilter; then + atf_skip "This test requires ipf" fi else atf_fail "$fw is not a valid firewall to initialize" @@ -103,6 +103,16 @@ firewall_init() } +nat_init() +{ + firewall=$1 + if [ ${firewall} == "ipfw" ]; then + if ! kldstat -q -m ipfw_nat; then + atf_skip "This test requires ipfw_nat" + fi + fi +} + is_firewall() { if [ "$1" = "pf" -o "$1" = "ipfw" -o "$1" = "ipf" -o "$1" = "ipfnat" ]; then @@ -110,4 +120,4 @@ is_firewall() else echo 0 fi -} \ No newline at end of file +}
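Review bot: in tests/sys/netpfil/common/nat.sh, both firewall_config calls end with a trailing backslash on their last rule argument (`"map ${epair_host_nat}b 192.0.2.0/24 -> 0/32" \` in basic_body and `"ipfw -q add divert natd all from any to any via ${epair_host_nat}b" \` in userspace_nat_body) followed by an empty line. The blank line is the only thing terminating the command; if someone removes it, the `# ping is successful now` comment is swallowed by the continuation and the following `atf_check` becomes another argument to firewall_config, so the NAT rule is silently never installed and the test fails confusingly. Drop the trailing `\` on the last argument. Two smaller points on the same file: the three-jail topology (epairs, vnet_mkjail, addresses, forwarding sysctl, routes) is copied verbatim between basic_body and userspace_nat_body and would be better as a helper in utils.subr next to nat_init; and the file is added without a trailing newline (`ipfw \ No newline at end of file`), which the utils.subr hunk in this same change fixes for the other file. The ICMP check itself is sound as written: the host side only has 198.51.100.2/24 and no route back to 192.0.2.0/24 or 192.0.3.0/24, so the post-configuration ping can only succeed if the source address was actually rewritten. A TCP or UDP probe in a follow-up would additionally cover port translation, which ICMP echo does not exercise.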
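Review bot: in the firewall_init hunk of tests/sys/netpfil/common/utils.subr, the unchanged `else` branch still reads `atf_fail "$fw is not a valid firewall to initialize"`; `$fw` is the same never-assigned variable the first hunk in this file replaces with `"$1"` in firewall_config, and in this function the parameter is `${firewall}`, so the failure message will print an empty name. Suggest `atf_fail "${firewall} is not a valid firewall to initialize"`. The new ipfnat branch correctly gates on ipfilter.ko rather than ipfw_nat, but it reuses the ipf branch's skip text "This test requires ipf"; a distinct message such as "This test requires ipfilter (ipfnat)" makes it possible to tell from a Kyua log which variant was skipped.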
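Review bot: in the new nat_init() in tests/sys/netpfil/common/utils.subr, `if [ ${firewall} == "ipfw" ]; then` leaves the expansion unquoted, so calling nat_init with no argument yields `[ == "ipfw" ]`, a test(1) syntax error rather than a false result; and `==` is not the POSIX comparison operator (FreeBSD's test accepts it, but the surrounding is_firewall() in this same file already uses `=`). Suggest `if [ "${firewall}" = "ipfw" ]; then`, and the same treatment for the pre-existing `[ ${firewall} == "ipfnat" ]` two hunks up. Since nat.sh's userspace_nat_body performs its own inline `kldstat -q -m ipdivert` skip, consider giving nat_init a second argument (or a sibling helper) so the divert-socket requirement lives beside the ipfw_nat one instead of in the test body.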