git: 30276ef12cbb - main - pf tests: test NAT-ed ICMP errors

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 22 Oct 2021 08:56:53 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=30276ef12cbb47cdd302741096262041be30ec11

commit 30276ef12cbb47cdd302741096262041be30ec11
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-10-19 11:52:21 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-10-22 07:52:17 +0000

    pf tests: test NAT-ed ICMP errors
    
    Ensure that the ICMP error is returned with the correct
    source and destination addresses.
    
    MFC after:      3 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D32572
---
 tests/sys/netpfil/common/Makefile          |   2 +
 tests/sys/netpfil/common/pft_icmp_check.py | 112 +++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/route_to.sh           |  59 +++++++++++++++
 3 files changed, 173 insertions(+)

diff --git a/tests/sys/netpfil/common/Makefile b/tests/sys/netpfil/common/Makefile
index 749e0dd99469..189b8b44cfce 100644
--- a/tests/sys/netpfil/common/Makefile
+++ b/tests/sys/netpfil/common/Makefile
@@ -16,10 +16,12 @@ ATF_TESTS_SH+=	\
 ${PACKAGE}FILES+=	\
 		utils.subr \
 		runner.subr \
+		pft_icmp_check.py \
 		pft_ping.py \
 		pft_synflood.py \
 		sniffer.py
 
+${PACKAGE}FILESMODE_pft_icmp_check.py=	0555
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
 ${PACKAGE}FILESMODE_pft_synflood.py=	0555
 
diff --git a/tests/sys/netpfil/common/pft_icmp_check.py b/tests/sys/netpfil/common/pft_icmp_check.py
new file mode 100644
index 000000000000..e3c5b927aa63
--- /dev/null
+++ b/tests/sys/netpfil/common/pft_icmp_check.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+import argparse
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import random
+import scapy.all as sp
+import socket
+import sys
+from sniffer import Sniffer
+
+PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
+
+def ping(send_if, dst_ip, args):
+	ether = sp.Ether()
+	ip = sp.IP(dst=dst_ip, src=args.fromaddr[0])
+	icmp = sp.ICMP(type='echo-request')
+	raw = sp.raw(PAYLOAD_MAGIC * 250) # We want 1000 bytes payload, -ish
+
+	ip.flags = 2 # Don't fragment
+	icmp.seq = random.randint(0, 65535)
+	args.icmp_seq = icmp.seq
+
+	req = ether / ip / icmp / raw
+	sp.sendp(req, iface=send_if, verbose=False)
+
+def check_icmp_too_big(args, packet):
+	"""
+	Verify that this is an ICMP packet too big error, and that the IP addresses
+	in the payload packet match expectations.
+	"""
+	icmp = packet.getlayer(sp.ICMP)
+	if not icmp:
+		return False
+
+	if not icmp.type == 3:
+		return False
+	ip = packet.getlayer(sp.IPerror)
+	if not ip:
+		return False
+
+	if ip.src != args.fromaddr[0]:
+		print("Incorrect src addr %s" % ip.src)
+		return False
+	if ip.dst != args.to[0]:
+		print("Incorrect dst addr %s" % ip.dst)
+		return False
+
+	icmp2 = packet.getlayer(sp.ICMPerror)
+	if not icmp2:
+		print("IPerror doesn't contain ICMP")
+		return False
+	if icmp2.seq != args.icmp_seq:
+		print("Incorrect icmp seq %d != %d" % (icmp2.seq, args.icmp_seq))
+		return False
+	return True
+
+def main():
+	parser = argparse.ArgumentParser("pft_icmp_check.py",
+	    description="ICMP error validation tool")
+	parser.add_argument('--to', nargs=1, required=True,
+	    help='The destination IP address')
+	parser.add_argument('--fromaddr', nargs=1, required=True,
+	    help='The source IP address')
+	parser.add_argument('--sendif', nargs=1, required=True,
+	    help='The interface through which the packet(s) will be sent')
+	parser.add_argument('--recvif', nargs=1,
+	    help='The interface on which to expect the ICMP error')
+
+	args = parser.parse_args()
+	sniffer = None
+	if not args.recvif is None:
+		sniffer = Sniffer(args, check_icmp_too_big)
+
+	ping(args.sendif[0], args.to[0], args)
+
+	if sniffer:
+		sniffer.join()
+
+		if sniffer.foundCorrectPacket:
+			sys.exit(0)
+		else:
+			sys.exit(1)
+
+if __name__ == '__main__':
+	main()
diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh
index 957317eb462e..e7646a5fb7f7 100644
--- a/tests/sys/netpfil/pf/route_to.sh
+++ b/tests/sys/netpfil/pf/route_to.sh
@@ -27,6 +27,8 @@
 
 . $(atf_get_srcdir)/utils.subr
 
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "v4" "cleanup"
 v4_head()
 {
@@ -250,10 +252,67 @@ multiwanlocal_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "icmp_nat" "cleanup"
+icmp_nat_head()
+{
+	atf_set descr 'Test that ICMP packets are correct for route-to + NAT'
+	atf_set require.user root
+}
+
+icmp_nat_body()
+{
+	pft_init
+
+	epair_one=$(vnet_mkepair)
+	epair_two=$(vnet_mkepair)
+	epair_three=$(vnet_mkepair)
+
+	vnet_mkjail gw ${epair_one}b ${epair_two}a ${epair_three}a
+	vnet_mkjail srv ${epair_two}b
+	vnet_mkjail srv2 ${epair_three}b
+
+	ifconfig ${epair_one}a 192.0.2.2/24 up
+	route add -net 198.51.100.0/24 192.0.2.1
+	jexec gw sysctl net.inet.ip.forwarding=1
+	jexec gw ifconfig ${epair_one}b 192.0.2.1/24 up
+	jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up
+	jexec gw ifconfig ${epair_three}a 203.0.113.1/24 up mtu 500
+	jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
+	jexec srv route add default 198.51.100.1
+	jexec srv2 ifconfig ${epair_three}b 203.0.113.2/24 up mtu 500
+	jexec srv2 route add default 203.0.113.1
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
+
+	jexec gw pfctl -e
+	pft_set_rules gw \
+		"nat on ${epair_two}a inet from 192.0.2.0/24 to any -> (${epair_two}a)" \
+		"nat on ${epair_three}a inet from 192.0.2.0/24 to any -> (${epair_three}a)" \
+		"pass out route-to (${epair_three}a 203.0.113.2) proto icmp icmp-type echoreq"
+
+	# Now ensure that we get an ICMP error with the correct IP addresses in it.
+	atf_check -s exit:0 ${common_dir}/pft_icmp_check.py \
+		--to 198.51.100.2 \
+		--fromaddr 192.0.2.2 \
+		--recvif ${epair_one}a \
+		--sendif ${epair_one}a
+
+	# ping reports the ICMP error, so check of that too.
+	atf_check -s exit:2 -o match:'frag needed and DF set' \
+		ping -D -c 1 -s 1000 198.51.100.2
+}
+
+icmp_nat_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "v4"
 	atf_add_test_case "v6"
 	atf_add_test_case "multiwan"
 	atf_add_test_case "multiwanlocal"
+	atf_add_test_case "icmp_nat"
 }