From 9c227fce5b32acb0306e478582e204965cf4855f Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 11 Jan 2018 03:23:16 +0000
Subject: [PATCH] Add tests for incoming route-to and outgoing reply-to rules. Disable the cases that currently fail.
---
 regress/sys/net/pf_forward/Makefile | 98 +++++++++++++++++++----------
 regress/sys/net/pf_forward/pf.conf | 26 +++++---
 2 files changed, 82 insertions(+), 42 deletions(-)
diff --git a/regress/sys/net/pf_forward/Makefile b/regress/sys/net/pf_forward/Makefile
index 6de86873c6e..55b2ba08f52 100644
--- a/regress/sys/net/pf_forward/Makefile
+++ b/regress/sys/net/pf_forward/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.24 2017/07/07 23:15:27 bluhm Exp $
+# $OpenBSD: Makefile,v 1.25 2018/01/11 03:23:16 bluhm Exp $
 # The following ports must be installed:
 #
@@ -69,7 +69,9 @@ RDR_IN ?= 10.188.214.188
 RDR_OUT ?= 10.188.215.188
 AF_IN ?= 10.188.216.82 # /24 must be dec(ECO_IN6/120)
 RTT_IN ?= 10.188.217.52
-RPT_OUT ?= 10.188.218.10
+RTT_OUT ?= 10.188.218.52
+RPT_IN ?= 10.188.220.10
+RPT_OUT ?= 10.188.221.10
 SRC_OUT6 ?= fdd7:e83e:66bc:210:fce1:baff:fed1:561f
 PF_IN6 ?= fdd7:e83e:66bc:210:5054:ff:fe12:3450
@@ -82,7 +84,9 @@ RDR_IN6 ?= fdd7:e83e:66bc:214::188
 RDR_OUT6 ?= fdd7:e83e:66bc:215::188
 AF_IN6 ?= fdd7:e83e:66bc:216::34 # /120 must be hex(ECO_IN/24)
 RTT_IN6 ?= fdd7:e83e:66bc:217:5054:ff:fe12:3452
-RPT_OUT6 ?= fdd7:e83e:66bc:1218:fce1:baff:fed1:561f
+RTT_OUT6 ?= fdd7:e83e:66bc:218:5054:ff:fe12:3452
+RPT_IN6 ?= fdd7:e83e:66bc:1220:fce1:baff:fed1:561f
+RPT_OUT6 ?= fdd7:e83e:66bc:1221:fce1:baff:fed1:561f
 .if empty (PF_SSH) || empty (RT_SSH) || empty (ECO_SSH)
 regress:
@@ -114,7 +118,7 @@ addr.py: Makefile
 echo 'PF_IFOUT="${PF_IFOUT}"' >>$@.tmp
 echo 'PF_MAC="${PF_MAC}"' >>$@.tmp
 .for var in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT\
- AF_IN RTT_IN RPT_OUT
+ AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 echo '${var}="${${var}}"' >>$@.tmp
 echo '${var}6="${${var}6}"' >>$@.tmp
 .endfor
@@ -139,18 +143,47 @@ PYTHON = PYTHONPATH=${.OBJDIR} python2.7 ${.CURDIR}/
 .for inet in inet inet6
+run-regress-ping-mtu-1400-${inet}-RPT_OUT:
+ @echo '\n======== $@ ========'
+ # RPT_OUT with locally generated ICMP time exceeded cannot work.
+ # The generated packet will not match the out rule with reply-to
+ # so it will be rejected by the route.
+ @echo DISABLED
+
+.for proto in icmp udp
+run-regress-traceroute-${proto}-${inet}-RPT_OUT:
+ @echo '\n======== $@ ========'
+ # RPT_OUT traceroute cannot work. The ICMP time exceeded packet
+ # generated by IP forward will not match the out rule with reply-to
+ # so it will be rejected by the route.
+ @echo DISABLED
+
+run-regress-traceroute-${proto}-${inet}-RPT_IN:
+ @echo '\n======== $@ ========'
+ # RPT_IN traceroute is broken with PF ttl. The ICMP packet has
+ # localhost as source address. It is selected by reject route.
+ @echo DISABLED
+
+run-regress-traceroute-${proto}-${inet}-RTT_IN:
+ @echo '\n======== $@ ========'
+ # RTT_IN traceroute is broken with PF ttl. The incoming rule has
+ # route-to and the packet never goes through IP forward. So the TTL
+ # is not decremented.
+ @echo DISABLED
+.endfor # proto
+
 # Ping all addresses. This ensures that the IP addresses are configured
 # and all routing table are set up to allow bidirectional packet flow.
 # Note that RDR does not exist physically. So this traffic is rewritten
 # by PF and handled by ECO.
 .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT\
- AF_IN RTT_IN RPT_OUT
+ AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 TARGETS += ping-${inet}-${ip}
 run-regress-ping-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check ping ${ip}${inet:S/inet//}:
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
 ping${inet:S/inet//} -n -c 1 -I ${${ip}${inet:S/inet//}}\
 ${ECO_IN${inet:S/inet//}}
 .else
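Review bot: The DISABLED targets for `run-regress-traceroute-${proto}-${inet}-RPT_OUT`, `-RPT_IN` and `-RTT_IN` reuse the names that the generic `run-regress-traceroute-${proto}-${inet}-${ip}: stamp-pfctl` rule defines further down, so which recipe wins depends on make keeping the first script it reads for a target (BSD make's behaviour, as far as I can tell) and on these rules staying above the `.for ip` loop; a comment stating that requirement would protect the override, e.g. `# Must precede the generic run-regress-traceroute rules below: make keeps the first script for a target.` These targets exit 0 after printing DISABLED, so unless the regress harness keys on that string they are indistinguishable from a pass — worth confirming. The `.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}` test introduced here is repeated in the ping-mtu-1400, ping-mtu-1300, udp, tcp and traceroute hunks; a single `RPT_IPS = RPT_IN RPT_OUT` with `.if !empty(RPT_IPS:M${ip})` would keep the six copies from drifting apart. The `.for inet` loop this hunk opens ends outside the hunk.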
@@ -158,7 +191,7 @@ run-regress-ping-${inet}-${ip}: stamp-pfctl
 .endif
 .endfor # ip
-.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RPT_OUT
+.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 # Send a large IPv4/ICMP-Echo-Request packet with enabled DF bit and
 # parse response packet to determine MTU of the packet filter. The
@@ -170,7 +203,7 @@ TARGETS += ping-mtu-1400-${inet}-${ip}
 run-regress-ping-mtu-1400-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check path MTU to ${ip}${inet:S/inet//} is 1400
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
 ${SUDO} ${PYTHON}ping${inet:S/inet//}_mtu.py ${${ip}${inet:S/inet//}}\
 ${ECO_IN${inet:S/inet//}} 1500 1400
 .elif "AF_IN" == ${ip}
@@ -195,7 +228,7 @@ TARGETS += ping-mtu-1300-${inet}-${ip}
 run-regress-ping-mtu-1300-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check path MTU from ${ip}${inet:S/inet//} is 1300
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
 ${SUDO} ${PYTHON}ping${inet:S/inet//}_mtu.py ${${ip}${inet:S/inet//}}\
 ${ECO_IN${inet:S/inet//}} 1400 1300
 .elif "AF_IN" == ${ip}
@@ -216,7 +249,7 @@ TARGETS += udp-${inet}-${ip}
 run-regress-udp-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check UDP ${ip${inet:S/inet//}}:
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
 echo $$$$ | nc -n -u -W 1 -w 3 -s ${${ip}${inet:S/inet//}}\
 ${ECO_IN${inet:S/inet//}} 7 | grep $$$$
 .else
@@ -233,7 +266,7 @@ run-regress-tcp-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check tcp ${ip}${inet:S/inet//}:
 ${SUDO} route -n delete -host -inet ${${ip}${inet:S/inet//}} || true
-.if "RPT_OUT" == ${ip}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
 openssl rand 200000 | nc -n -N -w 10 -s ${${ip}${inet:S/inet//}}\
 ${ECO_IN${inet:S/inet//}} 7 | wc -c | grep '200000$$'
 .else
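Review bot: `@echo Check UDP ${ip${inet:S/inet//}}:` in the udp hunk nests the loop variable inside the expansion, so on the inet6 iteration it reads `${ip6}`, an undefined variable, and the banner prints no address name; the ping and tcp rules use `${ip}${inet:S/inet//}`, which is what was meant here too, `@echo Check UDP ${ip}${inet:S/inet//}:`. The traceroute hunk's `@echo Check traceroute ${proto} ${ip${inet:S/inet//}}:` has the same slip. Both lines predate this commit but sit in the rules it touches and now also run for RPT_IN and RTT_OUT. Separately, the tcp hunk's `${SUDO} route -n delete -host -inet ...` passes `-inet` on the inet6 iteration as well; if route(8) honours the family flag, the IPv6 delete fails silently behind `|| true`, and `-${inet}` would cover both families. Each of these recipes belongs to a rule whose `.endif` lies outside its hunk.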
@@ -254,19 +287,14 @@ TRACEROUTE_CHECK = awk \
 END{ if (n!=3) { print "hopcount is not 3: "n; exit 1 } } \
 END{ if (x!=0) { print "unanswered probes: "x; exit 1 } }'
-.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RPT_OUT
+.for ip in ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN RTT_OUT RPT_IN RPT_OUT
 .for proto in icmp udp
-run-regress-traceroute-${proto}-${inet}-RPT_OUT:
- @echo '\n======== $@ ========'
- @echo 'RPT_OUT is broken with PF ttl.'
- @echo DISABLED
-
 TARGETS += traceroute-${proto}-${inet}-${ip}
 run-regress-traceroute-${proto}-${inet}-${ip}: stamp-pfctl
 @echo '\n======== $@ ========'
 @echo Check traceroute ${proto} ${ip${inet:S/inet//}}:
-.if "RPT_OUT" == ${ip}
- traceroute${inet:S/inet//} ${proto:S/icmp/-I/:S/udp//}
+.if "RPT_IN" == ${ip} || "RPT_OUT" == ${ip}
+ traceroute${inet:S/inet//} ${proto:S/icmp/-I/:S/udp//}\
 -s ${${ip}${inet:S/inet//}} ${ECO_IN${inet:S/inet//}} |\
 ${TRACEROUTE_CHECK}
 .else
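Review bot: The loop still appends `traceroute-${proto}-${inet}-${ip}` to TARGETS for RTT_IN, RPT_IN and RPT_OUT, and the `run-regress-traceroute-${proto}-${inet}-${ip}: stamp-pfctl` header gives the DISABLED stand-ins defined earlier a stamp-pfctl prerequisite even though they only echo; if make merges prerequisites across duplicate target definitions, invoking one of the disabled targets on its own still loads the pf ruleset. A comment at the loop head pointing readers to the stand-ins would make the split visible, e.g. `# RTT_IN, RPT_IN and RPT_OUT are overridden by the DISABLED rules above.` The `.for ip` loop opened here and the rule's `.else` branch continue outside the hunk.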
@@ -289,25 +317,27 @@ check-setup: check-setup-src check-setup-pf check-setup-rt check-setup-eco
 check-setup-src:
 @echo '\n======== $@ ========'
-.for ip in SRC_OUT RPT_OUT
+.for ip in SRC_OUT RPT_IN RPT_OUT
 ping -n -c 1 ${${ip}} # ${ip}
 route -n get -inet ${${ip}} | grep -q 'flags: .*LOCAL' # ${ip}
 .endfor
 ping -n -c 1 ${PF_IN} # PF_IN
 route -n get -inet ${PF_IN} | fgrep -q 'interface: ${SRC_IF}' \
 # PF_IN SRC_IF
-.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN
+.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN\
+ RTT_IN RTT_OUT
 route -n get -inet ${${ip}} | fgrep -q 'gateway: ${PF_IN}' \
 # ${ip} PF_IN
 .endfor
-.for ip in SRC_OUT RPT_OUT
+.for ip in SRC_OUT RPT_IN RPT_OUT
 ping6 -n -c 1 ${${ip}6} # ${ip}6
 route -n get -inet6 ${${ip}6} | grep -q 'flags: .*LOCAL' # ${ip}6
 .endfor
 ping6 -n -c 1 ${PF_IN6} # PF_IN6
 route -n get -inet6 ${PF_IN6} | fgrep -q 'interface: ${SRC_IF}' \
 # PF_IN6 SRC_IF
-.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN RTT_IN
+.for ip in PF_OUT RT_IN RT_OUT ECO_IN ECO_OUT RDR_IN RDR_OUT AF_IN\
+ RTT_IN RTT_OUT
 route -n get -inet6 ${${ip}6} | fgrep -q 'gateway: ${PF_IN6}' \
 # ${ip}6 PF_IN6
 .endfor
@@ -326,7 +356,7 @@ check-setup-pf:
 ssh ${PF_SSH} route -n get -inet ${${ip}} |\
 fgrep -q 'gateway: ${RT_IN}' # ${ip} RT_IN
 .endfor
-.for ip in RTT_IN RPT_OUT
+.for ip in RTT_IN RTT_OUT RPT_IN RPT_OUT
 ssh ${PF_SSH} route -n get -inet ${${ip}} | grep -q 'flags: .*REJECT' \
 # ${ip} reject
 .endfor
@@ -342,7 +372,7 @@ check-setup-pf:
 ssh ${PF_SSH} route -n get -inet6 ${${ip}6} |\
 fgrep -q 'gateway: ${RT_IN6}' # ${ip}6 RT_IN6
 .endfor
-.for ip in RTT_IN RPT_OUT
+.for ip in RTT_IN RTT_OUT RPT_IN RPT_OUT
 ssh ${PF_SSH} route -n get -inet6 ${${ip}6} |\
 grep -q 'flags: .*REJECT' # ${ip}6 reject
 .endfor
@@ -358,7 +388,7 @@ check-setup-rt:
 ssh ${RT_SSH} route -n get -inet ${RT_IN} | grep -q 'flags: .*LOCAL' \
 # RT_IN
 ssh ${RT_SSH} ping -n -c 1 ${PF_OUT} # PF_OUT
-.for ip in PF_IN SRC_OUT RPT_OUT
+.for ip in PF_IN SRC_OUT RPT_IN RPT_OUT
 ssh ${RT_SSH} route -n get -inet ${${ip}} |\
 fgrep -q 'gateway: ${PF_OUT}' # ${ip} PF_OUT
 .endfor
@@ -366,7 +396,7 @@ check-setup-rt:
 ssh ${RT_SSH} route -n get -inet ${RT_OUT} | grep -q 'flags: .*LOCAL' \
 # RT_OUT
 ssh ${RT_SSH} ping -n -c 1 ${ECO_IN} # ECO_IN
-.for ip in ECO_OUT RTT_IN
+.for ip in ECO_OUT RTT_IN RTT_OUT
 ssh ${RT_SSH} route -n get -inet ${${ip}} |\
 fgrep -q 'gateway: ${ECO_IN}' # ${ip} ECO_IN
 .endfor
@@ -374,7 +404,7 @@ check-setup-rt:
 ssh ${RT_SSH} route -n get -inet6 ${RT_IN6} | grep -q 'flags: .*LOCAL' \
 # RT_IN6
 ssh ${RT_SSH} ping6 -n -c 1 ${PF_OUT6} # PF_OUT6
-.for ip in PF_IN SRC_OUT RPT_OUT
+.for ip in PF_IN SRC_OUT RPT_IN RPT_OUT
 ssh ${RT_SSH} route -n get -inet6 ${${ip}6} |\
 fgrep -q 'gateway: ${PF_OUT6}' # ${ip}6 PF_OUT6
 .endfor
@@ -382,7 +412,7 @@ check-setup-rt:
 ssh ${RT_SSH} route -n get -inet6 ${RT_OUT6} |\
 grep -q 'flags: .*LOCAL' # RT_OUT6
 ssh ${RT_SSH} ping6 -n -c 1 ${ECO_IN6} # ECO_IN6
-.for ip in ECO_OUT RTT_IN
+.for ip in ECO_OUT RTT_IN RTT_OUT
 ssh ${RT_SSH} route -n get -inet6 ${${ip}6} |\
 fgrep -q 'gateway: ${ECO_IN6}' # ${ip}6 ECO_IN6
 .endfor
@@ -392,23 +422,23 @@ check-setup-rt:
 check-setup-eco:
 @echo '\n======== $@ ========'
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
 ssh ${ECO_SSH} ping -n -c 1 ${${ip}} # ${ip}
 ssh ${ECO_SSH} route -n get -inet ${${ip}} | grep -q 'flags: .*LOCAL' \
 # ${ip}
 .endfor
 ssh ${ECO_SSH} ping -n -c 1 ${RT_OUT} # RT_OUT
-.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_OUT
+.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_IN RPT_OUT
 ssh ${ECO_SSH} route -n get -inet ${${ip}} |\
 fgrep -q 'gateway: ${RT_OUT}' # ${ip} RT_OUT
 .endfor
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
 ssh ${ECO_SSH} ping6 -n -c 1 ${${ip}6} # ${ip}6
 ssh ${ECO_SSH} route -n get -inet6 ${${ip}6} |\
 grep -q 'flags: .*LOCAL' # ${ip}6
 .endfor
 ssh ${ECO_SSH} ping6 -n -c 1 ${RT_OUT6} # RT_OUT6
-.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_OUT
+.for ip in RT_IN PF_OUT PF_IN SRC_OUT RPT_IN RPT_OUT
 ssh ${ECO_SSH} route -n get -inet6 ${${ip}6} |\
 fgrep -q 'gateway: ${RT_OUT6}' # ${ip}6 RT_OUT6
 .endfor
@@ -417,7 +447,7 @@ check-setup-eco:
 ssh ${ECO_SSH} netstat -na -f ${inet} -p ${proto} | fgrep ' *.7 '
 .endfor
 .endfor
-.for ip in ECO_IN ECO_OUT RTT_IN
+.for ip in ECO_IN ECO_OUT RTT_IN RTT_OUT
 ssh ${ECO_SSH} netstat -nav -f inet -p udp | fgrep ' ${${ip}}.7 '
 ssh ${ECO_SSH} netstat -nav -f inet6 -p udp | fgrep ' ${${ip}6}.7 '
 .endfor
diff --git a/regress/sys/net/pf_forward/pf.conf b/regress/sys/net/pf_forward/pf.conf
index cfbaca9a80e..2ad0e50bcbc 100644
--- a/regress/sys/net/pf_forward/pf.conf
+++ b/regress/sys/net/pf_forward/pf.conf
@@ -17,12 +17,22 @@ pass out inet6 tagged af
 pass in to $AF_IN6/64 af-to inet from $PF_OUT to $ECO_IN/24 tag af
 pass out inet tagged af
-pass in to $RTT_IN/24 tag rtt
-pass out route-to $RT_IN@$PF_IFOUT tagged rtt
-pass in to $RTT_IN6/64 tag rtt
-pass out route-to $RT_IN6@$PF_IFOUT tagged rtt
+pass in to $RTT_IN/24 route-to $RT_IN@$PF_IFOUT tag rttin
+pass out tagged rttin
+pass in to $RTT_IN6/64 route-to $RT_IN6@$PF_IFOUT tag rttin
+pass out tagged rttin
-pass in from $RPT_OUT/24 reply-to $SRC_OUT@$PF_IFIN tag rpt
-pass out tagged rpt
-pass in from $RPT_OUT6/64 reply-to $SRC_OUT6@$PF_IFIN tag rpt
-pass out tagged rpt
+pass in to $RTT_OUT/24 tag rttout
+pass out route-to $RT_IN@$PF_IFOUT tagged rttout
+pass in to $RTT_OUT6/64 tag rttout
+pass out route-to $RT_IN6@$PF_IFOUT tagged rttout
+
+pass in from $RPT_IN/24 reply-to $SRC_OUT@$PF_IFIN tag rptin
+pass out tagged rptin
+pass in from $RPT_IN6/64 reply-to $SRC_OUT6@$PF_IFIN tag rptin
+pass out tagged rptin
+
+pass in from $RPT_OUT/24 tag rptout
+pass out reply-to $SRC_OUT@$PF_IFIN tagged rptout
+pass in from $RPT_OUT6/64 tag rptout
+pass out reply-to $SRC_OUT6@$PF_IFIN tagged rptout
-- 2.20.1
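Review bot: `pass out tagged rttin` appears twice, once after each address-family `pass in` rule, but the line names no address family, so the second copy matches exactly what the first already matches and adds nothing; the two `pass out tagged rptin` lines are the same case. One `pass out tagged rttin` after both `pass in ... tag rttin` rules, and likewise one `pass out tagged rptin`, states the intent without suggesting the copies differ. Keeping both lines of the rttout and rptout pairs is warranted, since those `pass out` rules differ in `$RT_IN` versus `$RT_IN6` and `$SRC_OUT` versus `$SRC_OUT6`.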