Add tests for incoming route-to and outgoing reply-to rules. Disable

the cases that currently fail.

diff --git a/regress/sys/net/pf_forward/Makefile b/regress/sys/net/pf_forward/Makefile
index 6de8687..55b2ba0 100644 (file)
--- a/regress/sys/net/pf_forward/Makefile
+++ b/regress/sys/net/pf_forward/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.24 2017/07/07 23:15:27 bluhm Exp $
+#      $OpenBSD: Makefile,v 1.25 2018/01/11 03:23:16 bluhm Exp $
 
 # The following ports must be installed:
 #
@@ -69,7 +69,9 @@ RDR_IN ?=     10.188.214.188
 RDR_OUT ?=     10.188.215.188
 AF_IN ?=       10.188.216.82           # /24 must be dec(ECO_IN6/120)
 RTT_IN ?=      10.188.217.52
-RPT_OUT ?=     10.188.218.10
+RTT_OUT ?=     10.188.218.52
+RPT_IN ?=      10.188.220.10
+RPT_OUT ?=     10.188.221.10
 
 SRC_OUT6 ?=    fdd7:e83e:66bc:210:fce1:baff:fed1:561f
 PF_IN6 ?=      fdd7:e83e:66bc:210:5054:ff:fe12:3450
@@ -82,7 +84,9 @@ RDR_IN6 ?=    fdd7:e83e:66bc:214::188
 RDR_OUT6 ?=    fdd7:e83e:66bc:215::188
 AF_IN6 ?=      fdd7:e83e:66bc:216::34  # /120 must be hex(ECO_IN/24)
 RTT_IN6 ?=     fdd7:e83e:66bc:217:5054:ff:fe12:3452
-RPT_OUT6 ?=    fdd7:e83e:66bc:1218:fce1:baff:fed1:561f
+RTT_OUT6 ?=    fdd7:e83e:66bc:218:5054:ff:fe12:3452
+RPT_IN6 ?=     fdd7:e83e:66bc:1220:fce1:baff:fed1:561f
+RPT_OUT6 ?=    fdd7:e83e:66bc:1221:fce1:baff:fed1:561f
 
 .if empty (PF_SSH) || empty (RT_SSH) || empty (ECO_SSH)
 regress:
@@ -114,7 +118,7 @@ addr.py: Makefile
        echo 'PF_IFOUT="${PF_IFOUT}"' >>$@.tmp
        echo 'PF_MAC="${PF_MAC}"' >>$@.tmp
 .for var in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT\
-    AF_IN RTT_IN RPT_OUT
+    AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
        echo '${var}="${${var}}"' >>$@.tmp
        echo '${var}6="${${var}6}"' >>$@.tmp
 .endfor
@@ -139,18 +143,47 @@ PYTHON =  PYTHONPATH=${.OBJDIR} python2.7 ${.CURDIR}/
 
 .for inet in inet inet6
 
+run-regress-ping-mtu-1400-${inet}-RPT_OUT:
+       @echo '\n======== $@ ========'
+       # RPT_OUT with locally generated ICMP time exceeded cannot work.
+       # The generated packet will not match the out rule with reply-to
+       # so it will be rejected by the route.
+       @echo DISABLED
+
+.for proto in icmp udp
+run-regress-traceroute-${proto}-${inet}-RPT_OUT:
+       @echo '\n======== $@ ========'
+       # RPT_OUT traceroute cannot work.  The ICMP time exceeded packet
+       # generated by IP forward will not match the out rule with reply-to
+       # so it will be rejected by the route.
+       @echo DISABLED
+
+run-regress-traceroute-${proto}-${inet}-RPT_IN:
+       @echo '\n======== $@ ========'
+       # RPT_IN traceroute is broken with PF ttl.  The ICMP packet has
+        # localhost as source address.  It is selected by reject route.
+       @echo DISABLED
+
+run-regress-traceroute-${proto}-${inet}-RTT_IN:
+       @echo '\n======== $@ ========'
+       # RTT_IN traceroute is broken with PF ttl.  The incoming rule has
+       # route-to and the packet never goes through IP forward.  So the TTL
+       # is not decremented.
+       @echo DISABLED
+.endfor # proto
+
 # Ping all addresses.  This ensures that the IP addresses are configured
 # and all routing table are set up to allow bidirectional packet flow.
 # Note that RDR does not exist physically.  So this traffic is rewritten
 # by PF and handled by ECO.
 
 .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT\
-    AF_IN RTT_IN RPT_OUT
+    AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 TARGETS +=     ping-${inet}-${ip}
 run-regress-ping-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check ping ${ip}${inet:S/inet//}:
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
        ping${inet:S/inet//} -n -c 1 -I ${${ip}${inet:S/inet//}}\
            ${ECO_IN${inet:S/inet//}}
 .else
@@ -158,7 +191,7 @@ run-regress-ping-${inet}-${ip}: stamp-pfctl
 .endif
 .endfor # ip
 
-.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RPT_OUT
+.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 
 # Send a large IPv4/ICMP-Echo-Request packet with enabled DF bit and
 # parse response packet to determine MTU of the packet filter.  The
@@ -170,7 +203,7 @@ TARGETS +=  ping-mtu-1400-${inet}-${ip}
 run-regress-ping-mtu-1400-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check path MTU to ${ip}${inet:S/inet//} is 1400
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
        ${SUDO} ${PYTHON}ping${inet:S/inet//}_mtu.py ${${ip}${inet:S/inet//}}\
            ${ECO_IN${inet:S/inet//}} 1500 1400
 .elif "AF_IN" == ${ip}
@@ -195,7 +228,7 @@ TARGETS +=  ping-mtu-1300-${inet}-${ip}
 run-regress-ping-mtu-1300-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check path MTU from ${ip}${inet:S/inet//} is 1300
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
        ${SUDO} ${PYTHON}ping${inet:S/inet//}_mtu.py ${${ip}${inet:S/inet//}}\
            ${ECO_IN${inet:S/inet//}} 1400 1300
 .elif "AF_IN" == ${ip}
@@ -216,7 +249,7 @@ TARGETS +=  udp-${inet}-${ip}
 run-regress-udp-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check UDP ${ip${inet:S/inet//}}:
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
        echo $$$$ | nc -n -u -W 1 -w 3 -s ${${ip}${inet:S/inet//}}\
            ${ECO_IN${inet:S/inet//}} 7 | grep $$$$
 .else
@@ -233,7 +266,7 @@ run-regress-tcp-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check tcp ${ip}${inet:S/inet//}:
        ${SUDO} route -n delete -host -inet ${${ip}${inet:S/inet//}} || true
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
        openssl rand 200000 | nc -n -N -w 10 -s ${${ip}${inet:S/inet//}}\
            ${ECO_IN${inet:S/inet//}} 7 | wc -c | grep '200000$$'
 .else
@@ -254,19 +287,14 @@ TRACEROUTE_CHECK =        awk \
     END{ if (n!=3) { print "hopcount is not 3: "n; exit 1 } } \
     END{ if (x!=0) { print "unanswered probes: "x; exit 1 } }'
 
-.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RPT_OUT
+.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 .for proto in icmp udp
-run-regress-traceroute-${proto}-${inet}-RPT_OUT:
-       @echo '\n======== $@ ========'
-       @echo 'RPT_OUT is broken with PF ttl.'
-       @echo DISABLED
-
 TARGETS +=     traceroute-${proto}-${inet}-${ip}
 run-regress-traceroute-${proto}-${inet}-${ip}: stamp-pfctl
        @echo '\n======== $@ ========'
        @echo Check traceroute ${proto} ${ip${inet:S/inet//}}:
-.if "RPT_OUT" == ${ip}
-       traceroute${inet:S/inet//} ${proto:S/icmp/-I/:S/udp//}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
+       traceroute${inet:S/inet//} ${proto:S/icmp/-I/:S/udp//}\
            -s ${${ip}${inet:S/inet//}} ${ECO_IN${inet:S/inet//}} |\
            ${TRACEROUTE_CHECK}
 .else
@@ -289,25 +317,27 @@ check-setup: check-setup-src check-setup-pf check-setup-rt check-setup-eco
 
 check-setup-src:
        @echo '\n======== $@ ========'
-.for ip in SRC_OUT RPT_OUT
+.for ip in SRC_OUT RPT_IN RPT_OUT
        ping -n -c 1 ${${ip}}  # ${ip}
        route -n get -inet ${${ip}} | grep -q 'flags: .*LOCAL'  # ${ip}
 .endfor
        ping -n -c 1 ${PF_IN}  # PF_IN
        route -n get -inet ${PF_IN} | fgrep -q 'interface: ${SRC_IF}' \
            # PF_IN SRC_IF
-.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN
+.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN\
+    RTT_IN RTT_OUT
        route -n get -inet ${${ip}} | fgrep -q 'gateway: ${PF_IN}' \
            # ${ip} PF_IN
 .endfor
-.for ip in SRC_OUT RPT_OUT
+.for ip in SRC_OUT RPT_IN RPT_OUT
        ping6 -n -c 1 ${${ip}6}  # ${ip}6
        route -n get -inet6 ${${ip}6} | grep -q 'flags: .*LOCAL'  # ${ip}6
 .endfor
        ping6 -n -c 1 ${PF_IN6}  # PF_IN6
        route -n get -inet6 ${PF_IN6} | fgrep -q 'interface: ${SRC_IF}' \
            # PF_IN6 SRC_IF
-.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN
+.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN\
+    RTT_IN RTT_OUT
        route -n get -inet6 ${${ip}6} | fgrep -q 'gateway: ${PF_IN6}' \
            # ${ip}6 PF_IN6
 .endfor
@@ -326,7 +356,7 @@ check-setup-pf:
        ssh ${PF_SSH} route -n get -inet ${${ip}} |\
            fgrep -q 'gateway: ${RT_IN}'  # ${ip} RT_IN
 .endfor
-.for ip in RTT_IN RPT_OUT
+.for ip in RTT_IN RTT_OUT RPT_IN RPT_OUT
        ssh ${PF_SSH} route -n get -inet ${${ip}} | grep -q 'flags: .*REJECT' \
            # ${ip} reject
 .endfor
@@ -342,7 +372,7 @@ check-setup-pf:
        ssh ${PF_SSH} route -n get -inet6 ${${ip}6} |\
            fgrep -q 'gateway: ${RT_IN6}'  # ${ip}6 RT_IN6
 .endfor
-.for ip in RTT_IN RPT_OUT
+.for ip in RTT_IN RTT_OUT RPT_IN RPT_OUT
        ssh ${PF_SSH} route -n get -inet6 ${${ip}6} |\
            grep -q 'flags: .*REJECT'  # ${ip}6 reject
 .endfor
@@ -358,7 +388,7 @@ check-setup-rt:
        ssh ${RT_SSH} route -n get -inet ${RT_IN} | grep -q 'flags: .*LOCAL' \
            # RT_IN
        ssh ${RT_SSH} ping -n -c 1 ${PF_OUT}  # PF_OUT
-.for ip in PF_IN SRC_OUT RPT_OUT
+.for ip in PF_IN SRC_OUT RPT_IN RPT_OUT
        ssh ${RT_SSH} route -n get -inet ${${ip}} |\
            fgrep -q 'gateway: ${PF_OUT}'  # ${ip} PF_OUT
 .endfor
@@ -366,7 +396,7 @@ check-setup-rt:
        ssh ${RT_SSH} route -n get -inet ${RT_OUT} | grep -q 'flags: .*LOCAL' \
            # RT_OUT
        ssh ${RT_SSH} ping -n -c 1 ${ECO_IN}  # ECO_IN
-.for ip in ECO_OUT RTT_IN
+.for ip in ECO_OUT RTT_IN RTT_OUT
        ssh ${RT_SSH} route -n get -inet ${${ip}} |\
            fgrep -q 'gateway: ${ECO_IN}'  # ${ip} ECO_IN
 .endfor
@@ -374,7 +404,7 @@ check-setup-rt:
        ssh ${RT_SSH} route -n get -inet6 ${RT_IN6} | grep -q 'flags: .*LOCAL' \
            # RT_IN6
        ssh ${RT_SSH} ping6 -n -c 1 ${PF_OUT6}  # PF_OUT6
-.for ip in PF_IN SRC_OUT RPT_OUT
+.for ip in PF_IN SRC_OUT RPT_IN RPT_OUT
        ssh ${RT_SSH} route -n get -inet6 ${${ip}6} |\
            fgrep -q 'gateway: ${PF_OUT6}'  # ${ip}6 PF_OUT6
 .endfor
@@ -382,7 +412,7 @@ check-setup-rt:
        ssh ${RT_SSH} route -n get -inet6 ${RT_OUT6} |\
            grep -q 'flags: .*LOCAL'  # RT_OUT6
        ssh ${RT_SSH} ping6 -n -c 1 ${ECO_IN6}  # ECO_IN6
-.for ip in ECO_OUT RTT_IN
+.for ip in ECO_OUT RTT_IN RTT_OUT
        ssh ${RT_SSH} route -n get -inet6 ${${ip}6} |\
            fgrep -q 'gateway: ${ECO_IN6}'  # ${ip}6 ECO_IN6
 .endfor
@@ -392,23 +422,23 @@ check-setup-rt:
 
 check-setup-eco:
        @echo '\n======== $@ ========'
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
        ssh ${ECO_SSH} ping -n -c 1 ${${ip}}  # ${ip}
        ssh ${ECO_SSH} route -n get -inet ${${ip}} | grep -q 'flags: .*LOCAL' \
            # ${ip}
 .endfor
        ssh ${ECO_SSH} ping -n -c 1 ${RT_OUT}  # RT_OUT
-.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_OUT
+.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_IN RPT_OUT
        ssh ${ECO_SSH} route -n get -inet ${${ip}} |\
            fgrep -q 'gateway: ${RT_OUT}'  # ${ip} RT_OUT
 .endfor
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
        ssh ${ECO_SSH} ping6 -n -c 1 ${${ip}6}  # ${ip}6
        ssh ${ECO_SSH} route -n get -inet6 ${${ip}6} |\
            grep -q 'flags: .*LOCAL'  # ${ip}6
 .endfor
        ssh ${ECO_SSH} ping6 -n -c 1 ${RT_OUT6}  # RT_OUT6
-.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_OUT
+.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_IN RPT_OUT
        ssh ${ECO_SSH} route -n get -inet6 ${${ip}6} |\
            fgrep -q 'gateway: ${RT_OUT6}'  # ${ip}6 RT_OUT6
 .endfor
@@ -417,7 +447,7 @@ check-setup-eco:
        ssh ${ECO_SSH} netstat -na -f ${inet} -p ${proto} | fgrep ' *.7 '
 .endfor
 .endfor
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
        ssh ${ECO_SSH} netstat -nav -f inet -p udp | fgrep ' ${${ip}}.7 '
        ssh ${ECO_SSH} netstat -nav -f inet6 -p udp | fgrep ' ${${ip}6}.7 '
 .endfor

diff --git a/regress/sys/net/pf_forward/pf.conf b/regress/sys/net/pf_forward/pf.conf
index cfbaca9..2ad0e50 100644 (file)
--- a/regress/sys/net/pf_forward/pf.conf
+++ b/regress/sys/net/pf_forward/pf.conf
@@ -17,12 +17,22 @@ pass out                     inet6                               tagged af
 pass in  to $AF_IN6/64 af-to inet  from $PF_OUT  to $ECO_IN/24   tag af
 pass out                     inet                                tagged af
 
-pass in  to $RTT_IN/24                             tag rtt
-pass out                route-to $RT_IN@$PF_IFOUT  tagged rtt
-pass in  to $RTT_IN6/64                            tag rtt
-pass out                route-to $RT_IN6@$PF_IFOUT tagged rtt
+pass in  to $RTT_IN/24  route-to $RT_IN@$PF_IFOUT  tag rttin
+pass out                                           tagged rttin
+pass in  to $RTT_IN6/64 route-to $RT_IN6@$PF_IFOUT tag rttin
+pass out                                           tagged rttin
 
-pass in  from $RPT_OUT/24  reply-to $SRC_OUT@$PF_IFIN  tag rpt
-pass out                                               tagged rpt
-pass in  from $RPT_OUT6/64 reply-to $SRC_OUT6@$PF_IFIN tag rpt
-pass out                                               tagged rpt
+pass in  to $RTT_OUT/24                             tag rttout
+pass out                 route-to $RT_IN@$PF_IFOUT  tagged rttout
+pass in  to $RTT_OUT6/64                            tag rttout
+pass out                 route-to $RT_IN6@$PF_IFOUT tagged rttout
+
+pass in  from $RPT_IN/24  reply-to $SRC_OUT@$PF_IFIN  tag rptin
+pass out                                              tagged rptin
+pass in  from $RPT_IN6/64 reply-to $SRC_OUT6@$PF_IFIN tag rptin
+pass out                                              tagged rptin
+
+pass in  from $RPT_OUT/24                              tag rptout
+pass out                   reply-to $SRC_OUT@$PF_IFIN  tagged rptout
+pass in  from $RPT_OUT6/64                             tag rptout
+pass out                   reply-to $SRC_OUT6@$PF_IFIN tagged rptout