From b7dc679724c8d297e83905debc203ecca1875ab0 Mon Sep 17 00:00:00 2001 From: bluhm Date: Sat, 12 Jul 2014 22:43:31 +0000 Subject: [PATCH] Automatically load the required pf rules into the kernel of the remote test machine. --- regress/sys/net/pf_forward/Makefile | 51 +++++++++---------- regress/sys/net/pf_forward/pf.conf | 16 ++++++ regress/sys/net/pf_fragment/Makefile | 74 +++++++++++++++------------- regress/sys/net/pf_fragment/pf.conf | 11 +++++ 4 files changed, 93 insertions(+), 59 deletions(-) create mode 100644 regress/sys/net/pf_forward/pf.conf create mode 100644 regress/sys/net/pf_fragment/pf.conf diff --git a/regress/sys/net/pf_forward/Makefile b/regress/sys/net/pf_forward/Makefile index 6bbc790a9ea..341ffecd02c 100644 --- a/regress/sys/net/pf_forward/Makefile +++ b/regress/sys/net/pf_forward/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.5 2014/07/12 21:41:49 bluhm Exp $ +# $OpenBSD: Makefile,v 1.6 2014/07/12 22:43:31 bluhm Exp $ # The following ports must be installed: # @@ -72,22 +72,17 @@ regress: @echo check wether your test machines are set up properly .endif -# pf rules on PF must look like this: -# -# pass to { $PF_IN/24 $PF_IN6/64 } -# pass to { $RT_IN/24 $RT_IN6/64 } -# pass to { $ECO_IN/24 $DST_IN6/64 } -# pass to { $RDR_IN/24 $RDR_IN6/64 } -# -# pass in to $RDR_IN/24 rdr-to $ECO_IN tag rdr -# pass out nat-to $PF_OUT tagged rdr -# pass in to $RDR_IN6/64 rdr-to $ECO_IN6 tag rdr -# pass out nat-to $PF_OUT6 tagged rdr +.MAIN: all -# pass in to $AF_IN/24 af-to inet6 from $PF_OUT6 to $ECO_IN6/120 tag af -# pass out inet6 tagged af -# pass in to $AF_IN6/64 af-to inet from $PF_OUT to $ECO_IN/24 tag af -# pass out inet tagged af +.if ! empty (PF_SSH) +.if make (regress) || make (all) +.BEGIN: pf.conf addr.py + @echo + ${SUDO} true + ssh -t ${PF_SSH} ${SUDO} true + rm -f stamp-pfctl +.endif +.endif # Currently these test fail as pf does not fix the checksum of # NATed packets inside of icmp packets. 
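Review bot: Invoking a single target such as `make run-regress-ping` skips the new `.BEGIN` block, because it is guarded by `make (regress) || make (all)`, so an existing stamp-pfctl is trusted even if the `regress` anchor on the PF machine has been reloaded since. Both pf_forward and pf_fragment load different rule sets into the same anchor (`pfctl -a regress`), so a leftover stamp in one obj directory can let tests run against the other directory's rules and give misleading results. Either document the limitation, e.g. `# single run-regress-* targets reuse stamp-pfctl; remove it by hand after running another pf test directory`, or remove the stamp whenever PF_SSH is set rather than only for `regress`/`all`. The same block is added to pf_fragment/Makefile in the hunk at -68,17.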
@@ -107,6 +102,12 @@ addr.py: Makefile .endfor mv $@.tmp $@ +# load the pf rules into the kernel of the PF machine +stamp-pfctl: addr.py + cat addr.py ${.CURDIR}/pf.conf | \ + ssh ${PF_SSH} ${SUDO} pfctl -a regress -f - + @date >$@ + # Set variables so that make runs with and without obj directory. # Only do that if necessary to keep visible output short. .if ${.CURDIR} == ${.OBJDIR} @@ -121,14 +122,14 @@ PYTHON = PYTHONPATH=${.OBJDIR} python2.7 ${.CURDIR}/ # by PF and handled by ECO. TARGETS += ping ping6 -run-regress-ping: +run-regress-ping: stamp-pfctl @echo '\n======== $@ ========' .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN AF_IN @echo Check ping ${ip}: ping -n -c 1 ${${ip}} .endfor -run-regress-ping6: +run-regress-ping6: stamp-pfctl @echo '\n======== $@ ========' .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN AF_IN @echo Check ping ${ip}6: @@ -143,7 +144,7 @@ run-regress-ping6: # quoted packet are the same. TARGETS += ping-mtu ping6-mtu -run-regress-ping-mtu: addr.py +run-regress-ping-mtu: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check path MTU to ${ip} is 1300 @@ -152,7 +153,7 @@ run-regress-ping-mtu: addr.py @echo Check path MTU to AF_IN is 1280 ${SUDO} ${PYTHON}ping_mtu.py ${AF_IN} 1280 -run-regress-ping6-mtu: addr.py +run-regress-ping6-mtu: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check path MTU to ${ip}6 is 1300 @@ -165,14 +166,14 @@ run-regress-ping6-mtu: addr.py # The response must arrive in 1 second. TARGETS += udp udp6 -run-regress-udp: +run-regress-udp: stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN AF_IN @echo Check udp ${ip}: ( echo $$$$ | nc -u ${${ip}} 7 & sleep 1; kill $$! ) | grep $$$$ .endfor -run-regress-udp6: +run-regress-udp6: stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN AF_IN @echo Check udp ${ip}6: 
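Review bot: The `stamp-pfctl` rule lists only addr.py as a prerequisite although its recipe also feeds `${.CURDIR}/pf.conf` to pfctl, so an edited pf.conf is not reloaded outside the `regress`/`all` path; `stamp-pfctl: addr.py pf.conf` would cover it. The rules are loaded with root privilege on the PF machine, and nothing in the visible hunks flushes the anchor afterwards, so the pass, nat-to and rdr-to rules stay active once the tests finish. A cleanup step such as `ssh ${PF_SSH} ${SUDO} pfctl -a regress -F rules` is worth considering if the machine is used for anything else. The identical rule is added to pf_fragment/Makefile in the hunk at -102,6.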
@@ -184,14 +185,14 @@ run-regress-udp6: # Count the reflected bytes and compare with the transmitted ones. TARGETS += tcp tcp6 -run-regress-tcp: +run-regress-tcp: stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN AF_IN @echo Check tcp ${ip}: openssl rand 200000 | nc ${${ip}} 7 | wc -c | grep '200000$$' .endfor -run-regress-tcp6: +run-regress-tcp6: stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN AF_IN @echo Check tcp ${ip}6: @@ -200,7 +201,7 @@ run-regress-tcp6: REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/} -CLEANFILES += addr.py *.pyc *.log +CLEANFILES += addr.py *.pyc *.log stamp-* .PHONY: check-setup diff --git a/regress/sys/net/pf_forward/pf.conf b/regress/sys/net/pf_forward/pf.conf new file mode 100644 index 00000000000..8546c60bf4c --- /dev/null +++ b/regress/sys/net/pf_forward/pf.conf @@ -0,0 +1,16 @@ +# pf on PF must have these rules in the regress anchor + +pass to { $PF_IN/24 $PF_IN6/64 } +pass to { $RT_IN/24 $RT_IN6/64 } +pass to { $ECO_IN/24 $ECO_IN6/64 } +pass to { $RDR_IN/24 $RDR_IN6/64 } + +pass in to $RDR_IN/24 rdr-to $ECO_IN tag rdr +pass out nat-to $PF_OUT tagged rdr +pass in to $RDR_IN6/64 rdr-to $ECO_IN6 tag rdr +pass out nat-to $PF_OUT6 tagged rdr + +pass in to $AF_IN/24 af-to inet6 from $PF_OUT6 to $ECO_IN6/120 tag af +pass out inet6 tagged af +pass in to $AF_IN6/64 af-to inet from $PF_OUT to $ECO_IN/24 tag af +pass out inet tagged af diff --git a/regress/sys/net/pf_fragment/Makefile b/regress/sys/net/pf_fragment/Makefile index 0d6f3f12f1a..936ce8e2657 100644 --- a/regress/sys/net/pf_fragment/Makefile +++ b/regress/sys/net/pf_fragment/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.8 2014/07/12 21:41:49 bluhm Exp $ +# $OpenBSD: Makefile,v 1.9 2014/07/12 22:43:31 bluhm Exp $ # The following ports must be installed: # 
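Review bot: The header comment of the new pf_forward/pf.conf does not say that the file cannot be parsed on its own: its macros (`$PF_IN`, `$ECO_IN6`, `$PF_OUT6`, ...) are defined only because the Makefile prepends addr.py when piping to `pfctl -a regress -f -`. I would extend the comment, e.g. `# macros are defined in addr.py, which the Makefile prepends; load with "make stamp-pfctl", not "pfctl -f pf.conf"`. It should also state that the main ruleset on PF has to reference the `regress` anchor for these rules to be evaluated at all; that requirement is not visible in the hunks shown. The same applies to pf_fragment/pf.conf.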
@@ -68,17 +68,17 @@ regress: @echo check wether your test machines are set up properly .endif -# pf rules on PF must look like this: -# -# pass to { $PF_IN/24 $PF_IN6/64 } -# pass to { $RT_IN/24 $RT_IN6/64 } -# pass to { $ECO_IN/24 $DST_IN6/64 } -# pass to { $RDR_IN/24 $RDR_IN6/64 } -# -# pass in to $RDR_IN/24 rdr-to $ECO_IN allow-opts tag rdr -# pass out nat-to $PF_OUT allow-opts tagged rdr -# pass in to $RDR_IN6/64 rdr-to $ECO_IN6 allow-opts tag rdr -# pass out nat-to $PF_OUT6 allow-opts tagged rdr +.MAIN: all + +.if ! empty (PF_SSH) +.if make (regress) || make (all) +.BEGIN: pf.conf addr.py + @echo + ${SUDO} true + ssh -t ${PF_SSH} ${SUDO} true + rm -f stamp-pfctl +.endif +.endif # Currently these test fail as pf does not fix the checksum of # NATed packets inside of icmp packets. @@ -102,6 +102,12 @@ addr.py: Makefile .endfor mv $@.tmp $@ +# load the pf rules into the kernel of the PF machine +stamp-pfctl: addr.py + cat addr.py ${.CURDIR}/pf.conf | \ + ssh ${PF_SSH} ${SUDO} pfctl -a regress -f - + @date >$@ + # Set variables so that make runs with and without obj directory. # Only do that if necessary to keep visible output short. .if ${.CURDIR} == ${.OBJDIR} @@ -116,14 +122,14 @@ PYTHON = PYTHONPATH=${.OBJDIR} python2.7 ${.CURDIR}/ # by PF and handled by ECO. TARGETS += ping ping6 -run-regress-ping: +run-regress-ping: stamp-pfctl @echo '\n======== $@ ========' .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN @echo Check ping ${ip}: ping -n -c 1 ${${ip}} .endfor -run-regress-ping6: +run-regress-ping6: stamp-pfctl @echo '\n======== $@ ========' .for ip in SRC_OUT PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN @echo Check ping ${ip}6: @@ -135,7 +141,7 @@ run-regress-ping6: # Send 1 packet in advance for Path-MTU discovery. TARGETS += fragping fragping6 -run-regress-fragping: +run-regress-fragping: stamp-pfctl @echo '\n======== $@ ========' .for ip in PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN @echo Check ping ${ip}: 
@@ -143,7 +149,7 @@ run-regress-fragping: ping -n -c 1 -s 5000 ${${ip}} .endfor -run-regress-fragping6: +run-regress-fragping6: stamp-pfctl @echo '\n======== $@ ========' .for ip in PF_IN PF_OUT RT_IN RT_OUT ECO_IN RDR_IN @echo Check ping ${ip}6: @@ -157,14 +163,14 @@ run-regress-fragping6: # the router RT before. TARGETS += ping-mtu ping6-mtu -run-regress-ping-mtu: addr.py +run-regress-ping-mtu: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check path MTU to ${ip} ${SUDO} ${PYTHON}ping_mtu_1300.py ${${ip}} .endfor -run-regress-ping6-mtu: addr.py +run-regress-ping6-mtu: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check path MTU to ${ip}6 @@ -175,28 +181,28 @@ run-regress-ping6-mtu: addr.py # Check that checksum of the quoted original packet in icmp is correct. TARGETS += ping-cksum ping6-cksum udp-cksum udp6-cksum -run-regress-ping-cksum: addr.py +run-regress-ping-cksum: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check icmp chksum in fragmentation needed to ${ip} ${SUDO} ${PYTHON}ping_cksum.py ${${ip}} .endfor -run-regress-ping6-cksum: addr.py +run-regress-ping6-cksum: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check icmp6 chksum in packet too big to ${ip}6 ${SUDO} ${PYTHON}ping6_cksum.py ${${ip}6} .endfor -run-regress-udp-cksum: addr.py +run-regress-udp-cksum: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check udp chksum in packet too big to ${ip} ${SUDO} ${PYTHON}udp_cksum.py ${${ip}} .endfor -run-regress-udp6-cksum: addr.py +run-regress-udp6-cksum: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check udp6 chksum in packet too big to ${ip}6 
@@ -206,14 +212,14 @@ run-regress-udp6-cksum: addr.py # Send handcrafted fragmented packets with overlaps TARGETS += frag frag6 -run-regress-frag: addr.py +run-regress-frag: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping reassembly ${ip} ${SUDO} ${PYTHON}frag.py ${${ip}} .endfor -run-regress-frag6: addr.py +run-regress-frag6: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 reassembly ${ip}6 @@ -222,7 +228,7 @@ run-regress-frag6: addr.py TARGETS += frag6-ext -run-regress-frag6-ext: addr.py +run-regress-frag6-ext: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 extension header reassembly ${ip}6 @@ -231,14 +237,14 @@ run-regress-frag6-ext: addr.py TARGETS += frag-cutnew frag6-cutnew -run-regress-frag-cutnew: addr.py +run-regress-frag-cutnew: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping head overlap reassembly ${ip} ${SUDO} ${PYTHON}frag_cutnew.py ${${ip}} .endfor -run-regress-frag6-cutnew: addr.py +run-regress-frag6-cutnew: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 head overlap reassembly ${ip}6 @@ -247,14 +253,14 @@ run-regress-frag6-cutnew: addr.py TARGETS += frag-cutold frag6-cutold -run-regress-frag-cutold: addr.py +run-regress-frag-cutold: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping tail overlap reassembly ${ip} ${SUDO} ${PYTHON}frag_cutold.py ${${ip}} .endfor -run-regress-frag6-cutold: addr.py +run-regress-frag6-cutold: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 tail overlap reassembly ${ip}6 
@@ -263,14 +269,14 @@ run-regress-frag6-cutold: addr.py TARGETS += frag-dropold frag6-dropold -run-regress-frag-dropold: addr.py +run-regress-frag-dropold: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping total overlapping reassembly ${ip} ${SUDO} ${PYTHON}frag_dropold.py ${${ip}} .endfor -run-regress-frag6-dropold: addr.py +run-regress-frag6-dropold: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 total overlapping reassembly ${ip}6 @@ -279,14 +285,14 @@ run-regress-frag6-dropold: addr.py TARGETS += frag-dropnew frag6-dropnew -run-regress-frag-dropnew: addr.py +run-regress-frag-dropnew: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping total overlaped reassembly ${ip} ${SUDO} ${PYTHON}frag_dropnew.py ${${ip}} .endfor -run-regress-frag6-dropnew: addr.py +run-regress-frag6-dropnew: addr.py stamp-pfctl @echo '\n======== $@ ========' .for ip in ECO_IN RDR_IN @echo Check ping6 total overlaped reassembly ${ip}6 @@ -295,7 +301,7 @@ run-regress-frag6-dropnew: addr.py REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/} -CLEANFILES += addr.py *.pyc *.log +CLEANFILES += addr.py *.pyc *.log stamp-* .PHONY: check-setup diff --git a/regress/sys/net/pf_fragment/pf.conf b/regress/sys/net/pf_fragment/pf.conf new file mode 100644 index 00000000000..e6755bdfb8a --- /dev/null +++ b/regress/sys/net/pf_fragment/pf.conf @@ -0,0 +1,11 @@ +# pf on PF must have these rules in the regress anchor + +pass to { $PF_IN/24 $PF_IN6/64 } +pass to { $RT_IN/24 $RT_IN6/64 } +pass to { $ECO_IN/24 $ECO_IN6/64 } +pass to { $RDR_IN/24 $RDR_IN6/64 } + +pass in to $RDR_IN/24 rdr-to $ECO_IN allow-opts tag rdr +pass out nat-to $PF_OUT allow-opts tagged rdr +pass in to $RDR_IN6/64 rdr-to $ECO_IN6 allow-opts tag rdr +pass out nat-to $PF_OUT6 allow-opts tagged rdr -- 2.20.1
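Review bot: The four translation rules in pf_fragment/pf.conf carry `allow-opts`, which lets packets with IPv4 options or IPv6 option headers pass where pf would drop them by default, and the file gives no reason for it. Since the Makefile now loads these rules into a live kernel automatically, a short comment above the rdr-to/nat-to block would help, e.g. `# allow-opts: translated test traffic may carry IP options or IPv6 extension headers`. Presumably this is needed for the extension-header fragment tests; the author should confirm that and name the test in the comment.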