xref: /freebsd/tests/sys/netpfil/pf/syncookie.sh (revision c1d255d3)
1# $FreeBSD$
2#
3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4#
5# Copyright (c) 2021 Modirum MDPay
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
# Shared helpers (e.g. the scapy SYN-flood script) live one level up.
common_dir="$(atf_get_srcdir)/../common"
31
# Register "forward" with a cleanup hook (forward_cleanup below).
atf_test_case forward cleanup
forward_head()
{
	# Needs root: creates jails, epairs and loads pf rules.
	atf_set require.user root
	atf_set descr 'Syncookies for forwarded hosts'
}
38
forward_body()
{
	pft_init

	epair_in=$(vnet_mkepair)
	epair_out=$(vnet_mkepair)

	# Topology: host (192.0.2.2) -> fwd jail (pf + IP forwarding)
	#           -> srv jail (198.51.100.2, inetd echo on port 7).
	vnet_mkjail fwd "${epair_in}b" "${epair_out}a"
	vnet_mkjail srv "${epair_out}b"

	# Client side stays on the host; reach the server net via fwd.
	ifconfig "${epair_in}a" 192.0.2.2/24 up
	route add -net 198.51.100.0/24 192.0.2.1

	# Router jail: both legs up, forwarding enabled.
	jexec fwd ifconfig "${epair_in}b" 192.0.2.1/24 up
	jexec fwd ifconfig "${epair_out}a" 198.51.100.1/24 up
	jexec fwd sysctl net.inet.ip.forwarding=1

	# Server jail: default route back through fwd, echo service from the
	# shared inetd config. The pid file name is what forward_cleanup
	# removes, so keep the two in sync.
	jexec srv ifconfig "${epair_out}b" 198.51.100.2/24 up
	jexec srv route add default 198.51.100.1
	jexec srv /usr/sbin/inetd -p inetd-alcatraz.pid \
	    "$(atf_get_srcdir)/echo_inetd.conf"

	# pf on the router replies to SYNs with syncookies ('always'), so a
	# TCP connection to the host behind it has to survive the cookie
	# handshake before any real state exists.
	jexec fwd pfctl -e
	pft_set_rules fwd \
		"set syncookies always" \
		"pass in" \
		"pass out"

	# Sanity check: plain ICMP must be forwarded before we try TCP.
	atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2

	# The echo daemon must hand back exactly what we sent.
	reply=$(echo foo | nc -N -w 5 198.51.100.2 7)
	[ "${reply}" = "foo" ] ||
		atf_fail "Failed to connect to syncookie protected echo daemon"
}
76
forward_cleanup()
{
	# Drop the pid file written by inetd in forward_body; everything
	# else (jails, epairs, pf) is left to pft_cleanup from utils.subr.
	rm -f -- inetd-alcatraz.pid
	pft_cleanup
}
82
# Register "nostate" with a cleanup hook (nostate_cleanup below).
atf_test_case nostate cleanup
nostate_head()
{
	# The SYN flood helper is a scapy script, hence the scapy
	# requirement; root is needed for jails, epairs and pf.
	atf_set require.user root
	atf_set require.progs scapy
	atf_set descr 'Ensure that we do not create until SYN|ACK'
}
90
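nostate_body()
{
	pft_init

	# Host side of the epair is the flood source, the jail side is the
	# pf-protected target.
	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.2/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.1/24 up

	# 'set syncookies always': pf answers every SYN with a cookie SYN|ACK
	# rather than allocating a state, which is the DoS-resistance
	# property this test checks.
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set syncookies always" \
		"pass in" \
		"pass out"

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	# Now syn flood. The flood must actually have been sent: if the scapy
	# helper fails (missing module, interface error) the "no states"
	# assertion below would pass vacuously, so its exit status is
	# checked instead of ignored. stderr is ignored because scapy is
	# chatty with warnings.
	# NOTE(review): --to is the host-side address (192.0.2.2), not the
	# jail's 192.0.2.1. The SYNs still enter pf on ${epair}b, but confirm
	# this is intended rather than a typo for the jail address.
	atf_check -s exit:0 -o ignore -e ignore \
		"${common_dir}/pft_synflood.py" \
		--sendif "${epair}a" \
		--to 192.0.2.2 \
		--count 20

	# Likewise, a failing pfctl must not be mistaken for "no states".
	states=$(jexec alcatraz pfctl -ss) || atf_fail "pfctl -ss failed"
	states=$(printf '%s\n' "${states}" | grep tcp)
	if [ -n "${states}" ];
	then
		echo "${states}"
		atf_fail "Found unexpected state"
	fi
}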
123
nostate_cleanup()
{
	# Nothing test-specific to remove; pft_cleanup tears the rest down.
	pft_cleanup
}
128
atf_init_test_cases()
{
	# Registration order is the listing order; keep forward first.
	for tc in forward nostate; do
		atf_add_test_case "${tc}"
	done
}
134