author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-01-14 21:53:43 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-01-14 21:53:43 +0000 |
commit | 8a0bf882b48c67d9df12b49912564ecb061da33d (patch) | |
tree | 38e0dc76c58eb63f5bdf6f9ceb21212586b3fa93 /regress/sys/net/pflog | |
parent | cf4b7e41cb7dde672cbb87738ba6b31777a8ffee (diff) |
IPv4 loopback addresses do not work with af-to as in_canforward()
prevents forwarding such packets. Switch regress to IPv4 link-local
addresses. Add tests for pflog(4) on af-to rules.
Diffstat (limited to 'regress/sys/net/pflog')
-rw-r--r-- | regress/sys/net/pflog/Makefile | 123 | ||||
-rw-r--r-- | regress/sys/net/pflog/pf.conf | 24 |
2 files changed, 92 insertions, 55 deletions
diff --git a/regress/sys/net/pflog/Makefile b/regress/sys/net/pflog/Makefile
index 2e5785aec96..a9208b6fb22 100644
--- a/regress/sys/net/pflog/Makefile
+++ b/regress/sys/net/pflog/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2021/01/14 13:41:28 bluhm Exp $
+# $OpenBSD: Makefile,v 1.5 2021/01/14 21:53:42 bluhm Exp $
 
 # Copyright (c) 2021 Alexander Bluhm <bluhm@openbsd.org>
 #
@@ -25,7 +25,7 @@ N2 = 12
 N3 = 13
 N = ${N1}
 NUMS = ${N1} ${N2} ${N3}
-IPS = 1 2 3 4 5 6 11 12
+IPS = 1 2 3 4 5 6 11 12 14
 
 UID !!= id -u
 
@@ -76,19 +76,19 @@ ifconfig: unconfig
 	${SUDO} ifconfig lo$N rdomain $N
 	${SUDO} ifconfig lo$N inet 127.0.0.1/8
 	${SUDO} ifconfig lo$N inet6 ::1/128
-	${SUDO} ifconfig lo$N inet6 fc00::1/128
-.for i in ${IPS:N1} 21 22
-	${SUDO} ifconfig lo$N inet 127.0.0.$i/32 alias
+.for i in ${IPS} 21 22 23 24
+	${SUDO} ifconfig lo$N inet 169.254.0.$i/32 alias
 	${SUDO} ifconfig lo$N inet6 fc00::$i/128
 .endfor
 
 REGRESS_CLEANUP += unconfig
 unconfig: stamp-stop
 	# Destroy interfaces.
-.for i in ${IPS} 21 22
-	-${SUDO} ifconfig lo$N inet 127.0.0.$i delete
+.for i in ${IPS} 21 22 23 24
+	-${SUDO} ifconfig lo$N inet 169.254.0.$i delete
 	-${SUDO} ifconfig lo$N inet6 fc00::$i delete
 .endfor
+	-${SUDO} ifconfig lo$N inet 127.0.0.1 delete
 	-${SUDO} ifconfig lo$N inet6 ::1 delete
 .for n in ${NUMS}
 	-${SUDO} ifconfig pflog$n destroy
@@ -139,7 +139,7 @@ stamp-stop:
 .for i in ${IPS}
 REGRESS_TARGETS += run-ping-$i
 run-ping-$i: stamp-bpf
-	ping -n -w 1 -c 1 -V $N 127.0.0.$i
+	ping -n -w 1 -c 1 -V $N 169.254.0.$i
 
 REGRESS_TARGETS += run-ping6-$i
 run-ping6-$i: stamp-bpf
@@ -148,7 +148,7 @@ run-ping6-$i: stamp-bpf
 REGRESS_TARGETS += run-udp-$i
 run-udp-$i: stamp-bpf
 	# ignore errors, just send packet fast
-	echo foo | nc -u -w 1 -V $N 127.0.0.$i discard &
+	echo foo | nc -u -w 1 -V $N 169.254.0.$i discard &
 
 REGRESS_TARGETS += run-udp6-$i
 run-udp6-$i: stamp-bpf
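Review bot: The ifconfig hunk replaces every 127.0.0.$i alias with 169.254.0.$i while keeping 127.0.0.1/8 as the primary lo$N address, but nothing in the Makefile says why the test addresses moved off loopback; that reason lives only in the commit message. A comment above `.for i in ${IPS} 21 22 23 24` would keep it with the code, e.g. `# in_canforward() refuses to forward 127/8, so af-to needs non-loopback IPv4: alias link-local addresses`. The run-ping and run-udp targets further down ping the same 169.254.0.$i addresses, so one comment at the alias loop covers those too.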
@@ -180,7 +180,7 @@ REGRESS_TARGETS += run-bpf-everything
 run-bpf-everything: stamp-stop
 	# rule with pflog${N2} matches on every packet
 .for i in ${IPS}
-	grep 'regress\.1/.* > 127.0.0.$i:' pflog${N2}.tcpdump
+	grep 'regress\.1/.* > 169.254.0.$i:' pflog${N2}.tcpdump
 .endfor
 
 REGRESS_TARGETS += run-bpf-everything6
@@ -193,58 +193,74 @@ run-bpf-everything6: stamp-stop
 REGRESS_TARGETS += run-bpf-all
 run-bpf-all: stamp-stop
 	# reply without keep state
-	grep 'regress\.3/.* > 127.0.0.1: icmp: echo request' pflog${N1}.tcpdump
-	grep 'regress\.3/.* 127.0.0.1 .*: icmp: echo reply' pflog${N1}.tcpdump
+	grep 'regress\.3/.* 169.254.0.1 > 169.254.0.1:\
+	    icmp: echo request' pflog${N1}.tcpdump
+	grep 'regress\.3/.* 169.254.0.1 > 169.254.0.1:\
+	    icmp: echo reply' pflog${N1}.tcpdump
 	# no reply with keep state and without all
-	grep 'regress\.4/.* > 127.0.0.2: icmp: echo request' pflog${N1}.tcpdump
-	! grep 'regress\.4/.* 127.0.0.2 .*: icmp: echo reply' pflog${N1}.tcpdump
+	grep 'regress\.4/.* 169.254.0.2 > 169.254.0.2:\
+	    icmp: echo request' pflog${N1}.tcpdump
+	! grep 'regress\.4/.* 169.254.0.2 >169.254.0.2:\
+	    icmp: echo reply' pflog${N1}.tcpdump
 	# reply with keep state and with all
-	grep 'regress\.5/.* > 127.0.0.3: icmp: echo request' pflog${N1}.tcpdump
+	grep 'regress\.5/.* 169.254.0.3 > 169.254.0.3:\
+	    icmp: echo request' pflog${N1}.tcpdump
 	# XXX anchor name missing
-	grep '/.* 127.0.0.3 .*: icmp: echo reply' pflog${N1}.tcpdump
+	grep '/.* 169.254.0.3 > 169.254.0.3:\
+	    icmp: echo reply' pflog${N1}.tcpdump
 
 REGRESS_TARGETS += run-bpf-all6
 run-bpf-all6: stamp-stop
 	# reply without keep state
-	grep 'regress\.11/.* > fc00::1: icmp6: echo request' pflog${N1}.tcpdump
-	grep 'regress\.11/.* fc00::1 .*: icmp6: echo reply' pflog${N1}.tcpdump
+	grep 'regress\.11/.* fc00::1 > fc00::1:\
+	    icmp6: echo request' pflog${N1}.tcpdump
+	grep 'regress\.11/.* fc00::1 > fc00::1:\
+	    icmp6: echo reply' pflog${N1}.tcpdump
 	# no reply with keep state and without all
-	grep 'regress\.12/.* > fc00::2: icmp6: echo request' pflog${N1}.tcpdump
-	! grep 'regress\.12/.* fc00::2 .*: icmp6: echo reply' pflog${N1}.tcpdump
+	grep 'regress\.12/.* fc00::2 > fc00::2:\
+	    icmp6: echo request' pflog${N1}.tcpdump
+	! grep 'regress\.12/.* fc00::2 > fc00::2:\
+	    icmp6: echo reply' pflog${N1}.tcpdump
 	# reply with keep state and with all
-	grep 'regress\.13/.* > fc00::3: icmp6: echo request' pflog${N1}.tcpdump
+	grep 'regress\.13/.* fc00::3 > fc00::3:\
+	    icmp6: echo request' pflog${N1}.tcpdump
 	# XXX anchor name missing
-	grep '/.* fc00::3 .*: icmp6: echo reply' pflog${N1}.tcpdump
+	grep '/.* fc00::3 > fc00::3:\
+	    icmp6: echo reply' pflog${N1}.tcpdump
 
 REGRESS_TARGETS += run-bpf-user
 run-bpf-user: stamp-stop
 	# out rule creates log entry with uid
 	grep 'regress\.6/.* pass out on lo$N: \[uid ${UID}, pid [0-9]*\]\
-	    127.* > 127.0.0.4.9:.* udp' pflog${N1}.tcpdump
+	    169.254.0.4\.[0-9]* > 169.254.0.4\.9:\
+	    .* udp [0-9]' pflog${N1}.tcpdump
 	# in rule has no uid at log entry
 	grep 'regress\.6/.* pass in on lo$N:\
-	    127.* > 127.0.0.4.9:.* udp' pflog${N1}.tcpdump
+	    169.254.0.4\.[0-9]* > 169.254.0.4\.9:\
+	    .* udp [0-9]' pflog${N1}.tcpdump
 	# icmp has no uid at log entry
 	grep 'regress\.6/.* pass out on lo$N:\
-	    127.* > 127.0.0.4: icmp: echo request' pflog${N1}.tcpdump
+	    169.254.0.4 > 169.254.0\.4:\
+	    icmp: echo request' pflog${N1}.tcpdump
 	# rule without user has no uid in log entry
 	grep 'regress\.3/.* pass out on lo$N:\
-	    127.* > 127.0.0.1.9:.* udp' pflog${N1}.tcpdump
+	    169.254.0.1\.[0-9]* > 169.254.0.1\.9:\
+	    .* udp [0-9]' pflog${N1}.tcpdump
 
 REGRESS_TARGETS += run-bpf-user6
 run-bpf-user6: stamp-stop
 	# out rule creates log entry with uid
 	grep 'regress\.14/.* pass out on lo$N: \[uid ${UID}, pid [0-9]*\]\
-	    fc00.* > fc00::4.9:.* udp' pflog${N1}.tcpdump
+	    fc00::4\.[0-9]* > fc00::4\.9:.* udp [0-9]' pflog${N1}.tcpdump
 	# in rule has no uid at log entry
 	grep 'regress\.14/.* pass in on lo$N:\
-	    fc00.* > fc00::4.9:.* udp' pflog${N1}.tcpdump
+	    fc00::4\.[0-9]* > fc00::4\.9:.* udp [0-9]' pflog${N1}.tcpdump
 	# icmp has no uid at log entry
 	grep 'regress\.14/.* pass out on lo$N:\
-	    fc00.* > fc00::4: icmp6: echo request' pflog${N1}.tcpdump
+	    fc00::4 > fc00::4: icmp6: echo request' pflog${N1}.tcpdump
 	# rule without user has no uid in log entry
 	grep 'regress\.11/.* pass out on lo$N:\
-	    fc00.* > fc00::1.9:.* udp' pflog${N1}.tcpdump
+	    fc00::1\.[0-9]* > fc00::1\.9:.* udp [0-9]' pflog${N1}.tcpdump
 
 run-bpf-matches run-bpf-matches6:
 	# XXX The log matches keyword seems to be totally broken.
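Review bot: The negative check for rule 4 in run-bpf-all can no longer fail: the new pattern `169.254.0.2 >169.254.0.2:` has no space after `>`, whereas tcpdump prints `src > dst:`, so `! grep` succeeds whether or not an echo reply was logged and the "no reply with keep state and without all" case is not actually exercised (the IPv6 twin for rule 12 keeps the space and is fine). Restore it: `! grep 'regress\.4/.* 169.254.0.2 > 169.254.0.2:\`. As a point of style, the hunk is also inconsistent about escaping dots in addresses, e.g. `169.254.0.4 > 169.254.0\.4:` beside the unescaped `169.254.0.4\.[0-9]*`; an unescaped `.` matches itself so the tests still pass, but one convention would make the intent clearer.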
@@ -253,46 +269,61 @@ run-bpf-matches run-bpf-matches6:
 
 REGRESS_TARGETS += run-bpf-matches
 run-bpf-matches: stamp-stop
-	grep 'regress\.9/.* > 127.0.0.6: icmp: echo request' pflog${N1}.tcpdump
+	grep 'regress\.9/.* .*: 169.254.0.6 > 169.254.0.6:\
+	    icmp: echo request' pflog${N1}.tcpdump
 	! grep 'regress\.8/.* icmp: echo request' pflog${N1}.tcpdump
 	! grep 'regress\.7/.* icmp: echo request' pflog${N1}.tcpdump
 
 REGRESS_TARGETS += run-bpf-rdr
 run-bpf-rdr: stamp-stop
 	# loopback input logs redirected packet
-	grep 'regress\.2/.* pass in .* > 127.0.0.21:\
+	grep 'regress\.2/.* pass in .*: 169.254.0.11 > 169.254.0.21:\
 	    icmp: echo request' pflog${N1}.tcpdump
 	# loopback output redirects and logs original packet
-	grep 'regress\.18/.* pass out .* > 127.0.0.11:\
-	    icmp: echo request' pflog${N1}.tcpdump
-
-REGRESS_TARGETS += run-bpf-nat
-run-bpf-nat: stamp-stop
-	# loopback input logs redirected packet
-	grep 'regress\.2/.* pass in .* 127.0.0.22 > 127.0.0.12:\
-	    icmp: echo request' pflog${N1}.tcpdump
-	# loopback output redirects and logs original packet
-	grep 'regress\.19/.* pass out .* 127.0.0.12 > 127.0.0.12:\
+	grep 'regress\.18/.* pass out .*: 169.254.0.11 > 169.254.0.11:\
 	    icmp: echo request' pflog${N1}.tcpdump
 
 REGRESS_TARGETS += run-bpf-rdr6
 run-bpf-rdr6: stamp-stop
 	# loopback input logs redirected packet
-	grep 'regress\.10/.* pass in .* > fc00::21:\
+	grep 'regress\.10/.* pass in .*: fc00::11 > fc00::21:\
 	    icmp6: echo request' pflog${N1}.tcpdump
 	# loopback output redirects and logs original packet
-	grep 'regress\.20/.* pass out .* > fc00::11:\
+	grep 'regress\.20/.* pass out .*: fc00::11 > fc00::11:\
 	    icmp6: echo request' pflog${N1}.tcpdump
 
+REGRESS_TARGETS += run-bpf-nat
+run-bpf-nat: stamp-stop
+	# loopback input logs redirected packet
+	grep 'regress\.2/.* pass in .*: 169.254.0.22 > 169.254.0.12:\
+	    icmp: echo request' pflog${N1}.tcpdump
+	# loopback output redirects and logs original packet
+	grep 'regress\.19/.* pass out .*: 169.254.0.12 > 169.254.0.12:\
+	    icmp: echo request' pflog${N1}.tcpdump
+
 REGRESS_TARGETS += run-bpf-nat6
 run-bpf-nat6: stamp-stop
 	# loopback input logs redirected packet
-	grep 'regress\.10/.* pass in .* fc00::22 > fc00::12:\
+	grep 'regress\.10/.* pass in .*: fc00::22 > fc00::12:\
 	    icmp6: echo request' pflog${N1}.tcpdump
 	# loopback output redirects and logs original packet
-	grep 'regress\.21/.* pass out .* fc00::12 > fc00::12:\
+	grep 'regress\.21/.* pass out .*: fc00::12 > fc00::12:\
 	    icmp6: echo request' pflog${N1}.tcpdump
 
+REGRESS_TARGETS += run-bpf-af
+run-bpf-af: stamp-stop
+	# pf in rule logs original IPv4 packet
+	# XXX address family in bpf is wrong
+	grep 'regress\.22/.* pass in .*:\
+	    bad-ip6-version 4' pflog${N1}.tcpdump
+
+REGRESS_TARGETS += run-bpf-af6
+run-bpf-af6: stamp-stop
+	# pf in rule logs original IPv6 packet
+	# XXX address family in bpf is wrong
+	grep 'regress\.23/.* pass in .*:\
+	    bad-ip-version 6' pflog${N1}.tcpdump
+
 CLEANFILES += addr.py *.pyc *.tcpdump *.log stamp-*
 
 .include <bsd.regress.mk>
diff --git a/regress/sys/net/pflog/pf.conf b/regress/sys/net/pflog/pf.conf
index 35c7538d8fc..cc0d2f25d51 100644
--- a/regress/sys/net/pflog/pf.conf
+++ b/regress/sys/net/pflog/pf.conf
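Review bot: run-bpf-af and run-bpf-af6 assert tcpdump's `bad-ip6-version 4` and `bad-ip-version 6` output, i.e. they pin exactly the behaviour the adjacent `# XXX address family in bpf is wrong` comment calls a bug, so the day pflog records the packet's real address family these two targets go from green to red instead of the other way round. Either register them as expected failures (bsd.regress.mk's REGRESS_EXPECTED_FAILURES looks like the right hook) or assert the correctly decoded `icmp: echo request` / `icmp6: echo request` and let them fail for now with the XXX comment explaining why. At minimum the comment should tell the maintainer what to do when the kernel is fixed, e.g. `# XXX pflog header carries the post-af-to AF; once fixed, expect 'icmp: echo request' here`. Moving run-bpf-nat below run-bpf-rdr6 in the same hunk is pure reordering and needs no change.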
@@ -10,13 +10,13 @@ match log (to $PFLOG_N2) on $LO no state
 
 # specific test to pflog N1
 pass log (to $PFLOG_N1) on $LO inet
-pass log (to $PFLOG_N1) on $LO to 127.0.0.1 no state
-pass log (to $PFLOG_N1) on $LO to 127.0.0.2 keep state
-pass log (all to $PFLOG_N1) on $LO to 127.0.0.3 keep state
-pass log (user to $PFLOG_N1) on $LO to 127.0.0.4
-pass on $LO to 127.0.0.5
-pass log (matches to $PFLOG_N1) on $LO to 127.0.0.6
-pass on $LO to 127.0.0.6
+pass log (to $PFLOG_N1) on $LO to 169.254.0.1 no state
+pass log (to $PFLOG_N1) on $LO to 169.254.0.2 keep state
+pass log (all to $PFLOG_N1) on $LO to 169.254.0.3 keep state
+pass log (user to $PFLOG_N1) on $LO to 169.254.0.4
+pass on $LO to 169.254.0.5
+pass log (matches to $PFLOG_N1) on $LO to 169.254.0.6
+pass on $LO to 169.254.0.6
 
 # use unique local adresses, link local scope id is broken in pf
 pass log (to $PFLOG_N1) on $LO inet6
@@ -29,7 +29,13 @@ pass log (matches to $PFLOG_N1) on $LO to fc00::6
 pass on $LO to fc00::6
 
 # we nat on lo-out, log the original packet, generic lo-in logs natted packet
-pass out log (to $PFLOG_N1) on $LO to 127.0.0.11 rdr-to 127.0.0.21
-pass out log (to $PFLOG_N1) on $LO to 127.0.0.12 nat-to 127.0.0.22
+pass out log (to $PFLOG_N1) on $LO to 169.254.0.11 rdr-to 169.254.0.21
+pass out log (to $PFLOG_N1) on $LO to 169.254.0.12 nat-to 169.254.0.22
 pass out log (to $PFLOG_N1) on $LO to fc00::11 rdr-to fc00::21
 pass out log (to $PFLOG_N1) on $LO to fc00::12 nat-to fc00::22
+
+# af-to is for in rule only, IPv4 loopback does not work, use link-local
+pass in log (to $PFLOG_N1) on $LO to 169.254.0.14 af-to \
+    inet6 from fc00::23 to fc00::24
+pass in log (to $PFLOG_N1) on $LO to fc00::14 af-to \
+    inet from 169.254.0.23 to 169.254.0.24
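Review bot: The comment introducing the af-to rules, `# af-to is for in rule only, IPv4 loopback does not work, use link-local`, folds a pf.conf syntax constraint and a kernel forwarding restriction into one clause and never says what "does not work" means, so a reader of pf.conf alone cannot tell whether the loopback limitation is pf's or the kernel's; the commit message attributes it to in_canforward(). Suggest: `# af-to is only accepted on pass in rules, and in_canforward() refuses to forward 127/8, so translate between link-local IPv4 and fc00::/7 instead`. It is also worth stating that fc00::23/24 and 169.254.0.23/24 exist only because the Makefile's ifconfig loop aliases them, since the rules silently depend on that.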