3 # Copyright (c) 2010, "Bjoern A. Zeeb" <bz@FreeBSD.org>
4 # Copyright (c) 2011, Sandvine Incorporated ULC.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
10 # 1. Redistributions of source code must retain the above copyright
11 # notice, this list of conditions and the following disclaimer.
12 # 2. Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # Test ipfw fwd for IPv4 and IPv6 using VIMAGE, testing that as well.
33 # No test may change the packet header contents; the original destination
34 # must always be kept.
# Fallback arm of the privilege check (the case selector and the accepting arm
# are not shown in this listing). Superuser is needed because the script loads
# the ipfw kernel module, creates vnet jails and creates/destroys epair
# interfaces. The error goes to stderr.
39 *) echo "ERROR: Must be run as superuser." >&2
# Create a new epair(4) pair and print its base name. ifconfig prints the name
# of the interface it created; the expr pattern captures everything except the
# final character, so callers can append "a" or "b" to address either end
# (as done with ${lmep}a / ${lmep}b further down).
# NOTE(review): the enclosing function header is not shown in this listing.
47 ep=`ifconfig epair create`
48 expr ${ep} : '\(.*\).'
# Debug dump (the enclosing function header is not shown in this listing).
# "ipfw show" lists each jail's rules together with their packet/byte counters,
# so the output for the middle jail tells whether rule 100 matched anything.
59 echo " ~~ start of debug ~~"
61 jexec ${ljid} /sbin/ipfw show
63 jexec ${mjid} /sbin/ipfw show
65 jexec ${rjid} /sbin/ipfw show
# The statements that print the result file itself are not visible here.
66 echo " ~~ result file:"
70 echo " ~~ end of debug ~~"
# Check the listener's capture file and report the test outcome.
# ${_p} is the temp-file path the caller passes in ("${OUT}"); the capture is
# expected in ${_p}.1, and its content is expected to equal ${_p} itself
# because the sender transmits that path as the payload.
# NOTE(review): the assignment of _p, the read into ${l} and the removal of the
# files are not visible in this listing.
75 check_cleanup_result_file()
# -s is true only for an existing, non-empty file: an empty or missing capture
# means nothing reached the listener.
80 if test ! -s ${_p}.1; then
81 echo "FAIL (output file empty)."
85 # Netcat adds 'X's in udp mode.
# Exact string comparison between the received line and the expected payload.
87 if test "${l}" = "${_p}"; then
90 echo "FAIL (expected: '${_p}' got '${l}')."
99 # Transparent proxy scenario (local address).
# Body of the transparent-proxy test helper. Its header line is not shown in
# this listing; the call sites invoke run_test_tp with a description, three
# addresses, a ",port" suffix (or ""), a destination port, a protocol and an nc
# address-family flag -- presumably mapped onto the locals below, TODO confirm.
103 local _sip _dip _fip _fport _dport _p
# Listener port: the destination port when no forward port is given, otherwise
# the forward port with its leading comma stripped.
117 "") _lport="${_dport}" ;;
118 *) _lport="${_fport#,}" ;;
# mktemp creates ${OUT} itself safely, but the capture file ${OUT}.1 used below
# is a derived name that a root shell opens by plain redirection.
# NOTE(review): the header comments say results live in the shared /tmp; a
# per-run "mktemp -d" directory would keep another local user from
# pre-creating or symlinking the .1 name.
125 OUT=`mktemp -t "ipfwfwd$$-XXXXXX"`
126 echo -n "${descr} (${OUT}).."
# Start every test from an empty rule set with zeroed counters in all jails.
128 jexec ${ljid} /sbin/ipfw -f flush
129 jexec ${ljid} /sbin/ipfw -f zero
130 jexec ${mjid} /sbin/ipfw -f flush
131 jexec ${mjid} /sbin/ipfw -f zero
132 jexec ${rjid} /sbin/ipfw -f flush
133 jexec ${rjid} /sbin/ipfw -f zero
# Rule under test, installed in the middle jail: forward matching packets to
# ${_fip}, with the optional ",port" suffix appended directly to the address.
134 jexec ${mjid} /sbin/ipfw add 100 fwd ${_fip}${_fport} ${_p} from ${_sip} to ${_dip}
# Listener runs in the middle jail, bound to the forward address, in the
# background; whatever it receives lands in ${OUT}.1.
# NOTE(review): the values are interpolated into an sh -c string; they are
# script-supplied constants here, so keep it that way.
136 jexec ${mjid} /bin/sh -c "nc -w 10 ${_nc_af} -n ${_nc_p} -l ${_fip} ${_lport} > ${OUT}.1 &"
# Sender runs in the right jail and addresses the ORIGINAL destination; the
# payload is the temp-file path, which the checker compares against.
137 jexec ${rjid} /bin/sh -c "echo '${OUT}' | nc -w 1 -v ${_nc_af} -n ${_nc_p} ${_dip} ${_dport}"
139 check_cleanup_result_file "${OUT}"
142 # Transparent redirect scenario (non-local address).
# Body of the next-hop redirect test helper. Its header line is not shown in
# this listing; the call sites invoke run_test_nh with the same argument layout
# as run_test_tp -- presumably mapped onto the locals below, TODO confirm.
146 local _sip _dip _fip _fport _dport _p
# Listener port is derived exactly as in the transparent-proxy helper.
# NOTE(review): the rule below does not use ${_fport}, and every visible call
# passes "" for it, so only the first arm is exercised.
160 "") _lport="${_dport}" ;;
161 *) _lport="${_fport#,}" ;;
# mktemp creates ${OUT} itself safely, but the capture file ${OUT}.1 used below
# is a derived name that a root shell opens by plain redirection.
# NOTE(review): a per-run "mktemp -d" directory would keep another local user
# from pre-creating or symlinking the .1 name in a shared temp directory.
168 OUT=`mktemp -t "ipfwfwd$$-XXXXXX"`
169 echo -n "${descr} (${OUT}).."
# Start every test from an empty rule set with zeroed counters in all jails.
171 jexec ${ljid} /sbin/ipfw -f flush
172 jexec ${ljid} /sbin/ipfw -f zero
173 jexec ${mjid} /sbin/ipfw -f flush
174 jexec ${mjid} /sbin/ipfw -f zero
175 jexec ${rjid} /sbin/ipfw -f flush
176 jexec ${rjid} /sbin/ipfw -f zero
# Rule under test, installed in the middle jail: forward matching packets to
# the next hop ${_fip}; no port is given on the fwd target.
177 jexec ${mjid} /sbin/ipfw add 100 fwd ${_fip} ${_p} from ${_sip} to ${_dip}
# Unlike the transparent-proxy case, the listener runs in the LEFT jail and
# binds to the original destination address ${_dip}, so a received payload
# shows the packet arrived there with its destination intact.
179 jexec ${ljid} /bin/sh -c "nc -w 10 ${_nc_af} -n ${_nc_p} -l ${_dip} ${_lport} > ${OUT}.1 &"
# Sender runs in the right jail; the payload is the temp-file path, which the
# checker compares against.
180 jexec ${rjid} /bin/sh -c "echo '${OUT}' | nc -w 1 -v ${_nc_af} -n ${_nc_p} ${_dip} ${_dport}"
182 check_cleanup_result_file "${OUT}"
# Build the three-jail test network. All addresses come from the documentation
# ranges 192.0.2.0/24 and 2001:db8::/32, so nothing routable is configured.
185 echo "==> Setting up test network"
# Load ipfw quietly; output is discarded and the exit status is not checked,
# so an already-loaded module does not abort the run.
186 kldload -q ipfw > /dev/null 2>&1
# Each jail gets its own network stack (vnet), survives without processes
# (persist) and carries the script's PID in its name to keep runs apart;
# "jail -i" prints the new jail id, which is captured for later jexec calls.
188 # Start left (sender) jail.
189 ljid=`jail -i -c -n lef$$ host.hostname=left.example.net vnet persist`
191 # Start middle (ipfw) jail.
192 mjid=`jail -i -c -n mid$$ host.hostname=center.example.net vnet persist`
194 # Start right (non-local ip redirects go to here) jail.
195 rjid=`jail -i -c -n right$$ host.hostname=right.example.net vnet persist`
197 echo "left ${ljid} middle ${mjid} right ${rjid}"
201 # jail: left middle right
202 # ifaces: lmep:a ---- lmep:b mrep:a ---- mrep:b
# Only the middle jail routes: enable IPv4/IPv6 forwarding there and refuse
# router advertisements so its IPv6 configuration stays static.
205 jexec ${mjid} sysctl net.inet.ip.forwarding=1
206 jexec ${mjid} sysctl net.inet6.ip6.forwarding=1
207 jexec ${mjid} sysctl net.inet6.ip6.accept_rtadv=0
# Left <-> middle link: move one end of the pair into each jail.
# NOTE(review): the assignment of ${lmep} is not visible in this listing.
210 ifconfig ${lmep}a vnet ${ljid}
211 ifconfig ${lmep}b vnet ${mjid}
213 jexec ${ljid} ifconfig lo0 inet 127.0.0.1/8
214 jexec ${ljid} ifconfig lo0 inet 192.0.2.5/32 alias # Test 9-10
215 jexec ${ljid} ifconfig lo0 inet6 2001:db8:1::1/128 alias # Test 11-12
216 jexec ${ljid} ifconfig ${lmep}a inet 192.0.2.1/30 up
217 jexec ${ljid} ifconfig ${lmep}a inet6 2001:db8::1/64 alias
219 jexec ${ljid} route add default 192.0.2.2
220 jexec ${ljid} route add -inet6 default 2001:db8::2
# Middle jail: the lo0 aliases are the forward targets of the
# transparent-proxy tests.
222 jexec ${mjid} ifconfig lo0 inet 127.0.0.1/8
223 jexec ${mjid} ifconfig lo0 inet 192.0.2.255/32 alias # Test 1-4
224 jexec ${mjid} ifconfig lo0 inet6 2001:db8:ffff::1/128 alias # Test 5-8
225 jexec ${mjid} ifconfig ${lmep}b inet 192.0.2.2/30 up
226 jexec ${mjid} ifconfig ${lmep}b inet6 2001:db8::2/64 alias
227 jexec ${mjid} route add default 192.0.2.1
# Middle <-> right link.
# NOTE(review): the assignment of ${mrep} is not visible in this listing.
230 ifconfig ${mrep}a vnet ${mjid}
231 ifconfig ${mrep}b vnet ${rjid}
233 jexec ${mjid} ifconfig ${mrep}a inet 192.0.2.5/30 up
234 jexec ${mjid} ifconfig ${mrep}a inet6 2001:db8:1::1/64 alias
236 jexec ${rjid} ifconfig lo0 inet 127.0.0.1/8
237 jexec ${rjid} ifconfig ${mrep}b inet 192.0.2.6/30 up
238 jexec ${rjid} ifconfig ${mrep}b inet6 2001:db8:1::2/64 alias
240 jexec ${rjid} route add default 192.0.2.5
241 jexec ${rjid} route add -inet6 default 2001:db8:1::1
243 # ------------------------------------------------------------------------------
246 # The jails are not chrooted, so they all share the same base filesystem.
247 # This means we can put results into /tmp and just collect them from here.
# Test matrix. Every call passes, in order: description, an address on the
# right jail (the sender), the address the sender targets, the fwd address,
# an optional ",port" suffix for the fwd target, the target port, the protocol
# and the nc address-family flag.
# NOTE(review): the statements that set and advance ${i} between the calls are
# not visible in this listing.
249 echo "==> Running tests"
251 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# IPv4 "local" cases target 192.0.2.5, an address of the middle jail itself.
253 run_test_tp "TEST ${i} IPv4 UDP redirect local to other local address, same port" \
254 192.0.2.6 192.0.2.5 192.0.2.255 "" 12345 udp "-4"
257 run_test_tp "TEST ${i} IPv4 UDP redirect local to other local address, different port" \
258 192.0.2.6 192.0.2.5 192.0.2.255 ",65534" 12345 udp "-4"
260 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
262 run_test_tp "TEST ${i} IPv4 TCP redirect local to other local address, same port" \
263 192.0.2.6 192.0.2.5 192.0.2.255 "" 12345 tcp "-4"
266 run_test_tp "TEST ${i} IPv4 TCP redirect local to other local address, different port" \
267 192.0.2.6 192.0.2.5 192.0.2.255 ",65534" 12345 tcp "-4"
269 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# IPv4 "foreign" cases target 192.0.2.1, the left jail's interface address.
271 run_test_tp "TEST ${i} IPv4 UDP redirect foreign to local address, same port" \
272 192.0.2.6 192.0.2.1 192.0.2.255 "" 12345 udp "-4"
275 run_test_tp "TEST ${i} IPv4 UDP redirect foreign to local address, different port" \
276 192.0.2.6 192.0.2.1 192.0.2.255 ",65534" 12345 udp "-4"
278 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
280 run_test_tp "TEST ${i} IPv4 TCP redirect foreign to local address, same port" \
281 192.0.2.6 192.0.2.1 192.0.2.255 "" 12345 tcp "-4"
284 run_test_tp "TEST ${i} IPv4 TCP redirect foreign to local address, different port" \
285 192.0.2.6 192.0.2.1 192.0.2.255 ",65534" 12345 tcp "-4"
287 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# NOTE(review): the IPv6 "local to other local" cases below use destination
# 2001:db8::1, which the setup assigns to the left jail -- the same arguments
# as the IPv6 "foreign to local" cases further down. The IPv4 counterparts
# target an address on the middle jail instead; confirm whether these were
# meant to use one of the middle jail's IPv6 addresses, since as written the
# local-destination path appears not to be covered for IPv6.
289 run_test_tp "TEST ${i} IPv6 UDP redirect local to other local address, same port" \
290 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 "" 12345 udp "-6"
293 run_test_tp "TEST ${i} IPv6 UDP redirect local to other local address, different port" \
294 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 ",65534" 12345 udp "-6"
296 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
298 run_test_tp "TEST ${i} IPv6 TCP redirect local to other local address, same port" \
299 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 "" 12345 tcp "-6"
302 run_test_tp "TEST ${i} IPv6 TCP redirect local to other local address, different port" \
303 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 ",65534" 12345 tcp "-6"
305 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
307 run_test_tp "TEST ${i} IPv6 UDP redirect foreign to local address, same port" \
308 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 "" 12345 udp "-6"
311 run_test_tp "TEST ${i} IPv6 UDP redirect foreign to local address, different port" \
312 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 ",65534" 12345 udp "-6"
314 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
316 run_test_tp "TEST ${i} IPv6 TCP redirect foreign to local address, same port" \
317 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 "" 12345 tcp "-6"
320 run_test_tp "TEST ${i} IPv6 TCP redirect foreign to local address, different port" \
321 2001:db8:1::2 2001:db8::1 2001:db8:ffff::1 ",65534" 12345 tcp "-6"
323 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Next-hop cases: the target address is one the setup also places on the left
# jail's lo0, and the fwd address is the left jail's interface address.
325 run_test_nh "TEST ${i} IPv4 UDP redirect to foreign address" \
326 192.0.2.6 192.0.2.5 192.0.2.1 "" 12345 udp "-4"
329 run_test_nh "TEST ${i} IPv4 TCP redirect to foreign address" \
330 192.0.2.6 192.0.2.5 192.0.2.1 "" 12345 tcp "-4"
332 #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
334 run_test_nh "TEST ${i} IPv6 UDP redirect to foreign address" \
335 2001:db8:1::2 2001:db8:1::1 2001:db8::1 "" 12345 udp "-6"
338 run_test_nh "TEST ${i} IPv6 TCP redirect to foreign address" \
339 2001:db8:1::2 2001:db8:1::1 2001:db8::1 "" 12345 tcp "-6"
341 ################################################################################
# Teardown: remove the jails, then the epair interfaces created for the run.
# NOTE(review): the delay, the jail removal command and the loop/case framing
# are not visible in this listing.
345 echo "==> Cleaning up in 3 seconds"
346 # Let VIMAGE network stacks settle to avoid panics while still "experimental".
# Jails are visited in the order right, middle, left.
353 for jid in ${rjid} ${mjid} ${ljid}; do
# Query the jail by id; jls errors are discarded, so a jail that is already
# gone simply yields empty output.
355 x=`jls -as -j ${jid} jid 2>/dev/null`
# Output still of the form "jid=..." means the jail has not gone away yet.
357 jid=*) echo "Waiting for jail ${jid} to stop." >&2
# Only the "a" end of each pair is destroyed explicitly; destroying one end of
# an epair removes its peer as well.
366 ifconfig ${lmep}a destroy
367 ifconfig ${mrep}a destroy