Commit 30276ef1 authored by Kristof Provost's avatar Kristof Provost
Browse files

pf tests: test NAT-ed ICMP errors

Ensure that the ICMP error is returned with the correct
source and destination addresses.

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32572
parent ab238f14
......@@ -16,10 +16,12 @@ ATF_TESTS_SH+= \
${PACKAGE}FILES+= \
utils.subr \
runner.subr \
pft_icmp_check.py \
pft_ping.py \
pft_synflood.py \
sniffer.py
${PACKAGE}FILESMODE_pft_icmp_check.py= 0555
${PACKAGE}FILESMODE_pft_ping.py= 0555
${PACKAGE}FILESMODE_pft_synflood.py= 0555
......
#!/usr/bin/env python3
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
import argparse
import logging
logging.getLogger("scapy").setLevel(logging.CRITICAL)
import random
import scapy.all as sp
import socket
import sys
from sniffer import Sniffer
PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
def ping(send_if, dst_ip, args):
ether = sp.Ether()
ip = sp.IP(dst=dst_ip, src=args.fromaddr[0])
icmp = sp.ICMP(type='echo-request')
raw = sp.raw(PAYLOAD_MAGIC * 250) # We want 1000 bytes payload, -ish
ip.flags = 2 # Don't fragment
icmp.seq = random.randint(0, 65535)
args.icmp_seq = icmp.seq
req = ether / ip / icmp / raw
sp.sendp(req, iface=send_if, verbose=False)
def check_icmp_too_big(args, packet):
"""
Verify that this is an ICMP packet too big error, and that the IP addresses
in the payload packet match expectations.
"""
icmp = packet.getlayer(sp.ICMP)
if not icmp:
return False
if not icmp.type == 3:
return False
ip = packet.getlayer(sp.IPerror)
if not ip:
return False
if ip.src != args.fromaddr[0]:
print("Incorrect src addr %s" % ip.src)
return False
if ip.dst != args.to[0]:
print("Incorrect dst addr %s" % ip.dst)
return False
icmp2 = packet.getlayer(sp.ICMPerror)
if not icmp2:
print("IPerror doesn't contain ICMP")
return False
if icmp2.seq != args.icmp_seq:
print("Incorrect icmp seq %d != %d" % (icmp2.seq, args.icmp_seq))
return False
return True
def main():
parser = argparse.ArgumentParser("pft_icmp_check.py",
description="ICMP error validation tool")
parser.add_argument('--to', nargs=1, required=True,
help='The destination IP address')
parser.add_argument('--fromaddr', nargs=1, required=True,
help='The source IP address')
parser.add_argument('--sendif', nargs=1, required=True,
help='The interface through which the packet(s) will be sent')
parser.add_argument('--recvif', nargs=1,
help='The interface on which to expect the ICMP error')
args = parser.parse_args()
sniffer = None
if not args.recvif is None:
sniffer = Sniffer(args, check_icmp_too_big)
ping(args.sendif[0], args.to[0], args)
if sniffer:
sniffer.join()
if sniffer.foundCorrectPacket:
sys.exit(0)
else:
sys.exit(1)
if __name__ == '__main__':
main()
......@@ -27,6 +27,8 @@
. $(atf_get_srcdir)/utils.subr
common_dir=$(atf_get_srcdir)/../common
atf_test_case "v4" "cleanup"
v4_head()
{
......@@ -250,10 +252,67 @@ multiwanlocal_cleanup()
pft_cleanup
}
atf_test_case "icmp_nat" "cleanup"
icmp_nat_head()
{
atf_set descr 'Test that ICMP packets are correct for route-to + NAT'
atf_set require.user root
}
icmp_nat_body()
{
pft_init
epair_one=$(vnet_mkepair)
epair_two=$(vnet_mkepair)
epair_three=$(vnet_mkepair)
vnet_mkjail gw ${epair_one}b ${epair_two}a ${epair_three}a
vnet_mkjail srv ${epair_two}b
vnet_mkjail srv2 ${epair_three}b
ifconfig ${epair_one}a 192.0.2.2/24 up
route add -net 198.51.100.0/24 192.0.2.1
jexec gw sysctl net.inet.ip.forwarding=1
jexec gw ifconfig ${epair_one}b 192.0.2.1/24 up
jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up
jexec gw ifconfig ${epair_three}a 203.0.113.1/24 up mtu 500
jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
jexec srv route add default 198.51.100.1
jexec srv2 ifconfig ${epair_three}b 203.0.113.2/24 up mtu 500
jexec srv2 route add default 203.0.113.1
# Sanity check
atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
jexec gw pfctl -e
pft_set_rules gw \
"nat on ${epair_two}a inet from 192.0.2.0/24 to any -> (${epair_two}a)" \
"nat on ${epair_three}a inet from 192.0.2.0/24 to any -> (${epair_three}a)" \
"pass out route-to (${epair_three}a 203.0.113.2) proto icmp icmp-type echoreq"
# Now ensure that we get an ICMP error with the correct IP addresses in it.
atf_check -s exit:0 ${common_dir}/pft_icmp_check.py \
--to 198.51.100.2 \
--fromaddr 192.0.2.2 \
--recvif ${epair_one}a \
--sendif ${epair_one}a
# ping reports the ICMP error, so check of that too.
atf_check -s exit:2 -o match:'frag needed and DF set' \
ping -D -c 1 -s 1000 198.51.100.2
}
icmp_nat_cleanup()
{
pft_cleanup
}
atf_init_test_cases()
{
atf_add_test_case "v4"
atf_add_test_case "v6"
atf_add_test_case "multiwan"
atf_add_test_case "multiwanlocal"
atf_add_test_case "icmp_nat"
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment