From nobody Wed Mar 02 16:01:04 2022
Date: Wed, 2 Mar 2022 16:01:04 GMT
Message-Id: <202203021601.222G14hG091456@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 93b64cdc59d6 - main - pf tests: slightly more complect captive portal setup
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 93b64cdc59d66fa7cd5d7e2ba2de0a67bd717840
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=93b64cdc59d66fa7cd5d7e2ba2de0a67bd717840
commit 93b64cdc59d66fa7cd5d7e2ba2de0a67bd717840 Author: Kristof Provost AuthorDate: 2021-10-13 13:21:43 +0000 Commit: Kristof Provost CommitDate: 2022-03-02 16:00:07 +0000 pf tests: slightly more complect captive portal setup Combine anchor, dummynet and rdr to produce a more complex captive portal setup. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32484 --- tests/sys/netpfil/pf/Makefile | 1 + tests/sys/netpfil/pf/daytime_inetd.conf | 31 +++++++++++++ tests/sys/netpfil/pf/ether.sh | 81 +++++++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+) diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index f793746cdbf0..45eaec2f8ddc 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -38,6 +38,7 @@ ATF_TESTS_SH+= altq \ ${PACKAGE}FILES+= CVE-2019-5597.py \ CVE-2019-5598.py \ + daytime_inetd.conf \ echo_inetd.conf \ fragcommon.py \ frag-overindex.py \ diff --git a/tests/sys/netpfil/pf/daytime_inetd.conf b/tests/sys/netpfil/pf/daytime_inetd.conf new file mode 100644 index 000000000000..99cef08c3da0 --- /dev/null +++ b/tests/sys/netpfil/pf/daytime_inetd.conf 
@@ -0,0 +1,31 @@ +# $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2021 Rubicon Communications, LLC (Netgate) +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +daytime stream tcp nowait root internal +daytime stream tcp6 nowait root internal +daytime dgram udp wait root internal +daytime dgram udp6 wait root internal diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh index 998badad91f1..77245666a86e 100644 --- a/tests/sys/netpfil/pf/ether.sh +++ b/tests/sys/netpfil/pf/ether.sh 
@@ -295,6 +295,86 @@ captive_cleanup() pft_cleanup } +atf_test_case "captive_long" "cleanup" +captive_long_head() +{ + atf_set descr 'More complex captive portal setup' + atf_set require.user root +} + +captive_long_body() +{ + # Host is client, jail 'gw' is the captive portal gateway, jail 'srv' + # is a random (web)server. We use the echo protocol rather than http + # for the test, because that's easier. + pft_init + + if ! kldstat -q -m dummynet; then + atf_skip "This test requires dummynet" + fi + + epair_gw=$(vnet_mkepair) + epair_srv=$(vnet_mkepair) + epair_gw_a_mac=$(ifconfig ${epair_gw}a ether | awk '/ether/ { print $2; }') + + vnet_mkjail gw ${epair_gw}b ${epair_srv}a + vnet_mkjail srv ${epair_srv}b + + ifconfig ${epair_gw}a 192.0.2.2/24 up + route add -net 198.51.100.0/24 192.0.2.1 + jexec gw ifconfig ${epair_gw}b 192.0.2.1/24 up + jexec gw ifconfig lo0 127.0.0.1/8 up + jexec gw sysctl net.inet.ip.forwarding=1 + + jexec gw ifconfig ${epair_srv}a 198.51.100.1/24 up + jexec srv ifconfig ${epair_srv}b 198.51.100.2/24 up + jexec srv route add -net 192.0.2.0/24 198.51.100.1 + + jexec gw dnctl pipe 1 config bw 300KByte/s + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2 + + pft_set_rules gw \ + "ether anchor \"captiveportal\" on { ${epair_gw}b } {" \ + "ether pass quick proto { 0x0806, 0x8035, 0x888e, 0x88c7, 0x8863, 0x8864 }" \ + "ether pass tag \"captive\"" \ + "}" \ + "rdr on ${epair_gw}b proto tcp to port daytime tagged captive -> 127.0.0.1 port echo" + jexec gw pfctl -e + + # ICMP should still work, because we don't redirect it. 
+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2 + + jexec gw /usr/sbin/inetd -p gw.pid $(atf_get_srcdir)/echo_inetd.conf + jexec srv /usr/sbin/inetd -p srv.pid $(atf_get_srcdir)/daytime_inetd.conf + + echo foo | nc -N 198.51.100.2 13 + + # Confirm that we're getting redirected + atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 13" + + # Now update the rules to allow our client to pass without redirect + pft_set_rules gw \ + "ether anchor \"captiveportal\" on { ${epair_gw}b } {" \ + "ether pass quick proto { 0x0806, 0x8035, 0x888e, 0x88c7, 0x8863, 0x8864 }" \ + "ether pass quick from { ${epair_gw_a_mac} } dnpipe 1" \ + "ether pass tag \"captive\"" \ + "}" \ + "rdr on ${epair_gw}b proto tcp to port daytime tagged captive -> 127.0.0.1 port echo" + + # We're not being redirected and get datime information now + atf_check -s exit:0 -o match:"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)" -x "echo foo | nc -N 198.51.100.2 13" + + jexec gw killall inetd + jexec srv killall inetd +} + +captive_long_cleanup() +{ + pft_cleanup +} + atf_test_case "dummynet" "cleanup" dummynet_head() { @@ -404,6 +484,7 @@ atf_init_test_cases() atf_add_test_case "proto" atf_add_test_case "direction" atf_add_test_case "captive" + atf_add_test_case "captive_long" atf_add_test_case "dummynet" atf_add_test_case "anchor" }
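Review bot: the new daytime_inetd.conf starts four daytime listeners (tcp, tcp6, udp and udp6), but the captive_long test only ever talks to TCP port 13 (`nc -N 198.51.100.2 13`) and the rdr rule only matches `proto tcp to port daytime`, so the tcp6/udp/udp6 entries are never exercised. Consider trimming the fixture to `daytime stream tcp nowait root internal`, which keeps the listening surface inside the srv jail to what the test actually needs, or add a comment that the extra entries are kept deliberately for later IPv6/UDP coverage.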
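Review bot: in captive_long_body the bare `echo foo | nc -N 198.51.100.2 13` that precedes the first atf_check runs with its exit status and output discarded and carries no comment saying why it is there; either drop it or comment its purpose (warming up ARP or pf state before the checked run, presumably) so that a failure at that point is not silently masked. Two smaller points in the same hunk: the comment `# We're not being redirected and get datime information now` should read `daytime`; and `dnctl pipe 1 config bw 300KByte/s` is attached to the authorised MAC via `dnpipe 1`, yet nothing asserts that the rate limit is actually in effect, so the dummynet part of the combined setup is only verified not to break the daytime exchange. If that is the intended scope, saying so in the `descr` or a comment would stop a later reader from expecting a throughput check here.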