xref: /openbsd/regress/sys/net/pf_opts/Makefile (revision 4be5cdd0)

# $OpenBSD: Makefile,v 1.7 2023/10/11 18:07:56 anton Exp $

# Copyright (c) 2022 Alexander Bluhm <bluhm@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# Set up two loopback interfaces in different routing domains.
# One loopback interface has a allow-opts pf rule, the other has
# default pass policy.  Send packets with IP options and IPv6
# option header and check wheter tcpdump finds them on lo or pflog.

# The following ports must be installed:
#
# scapy			powerful interactive packet manipulation in python

.if ! exists(/usr/local/bin/scapy)
regress:
	@echo Install scapy package to run this regress.
	@echo SKIPPED
.endif

# This test uses routing domain and interface number 11 and 12.
# Adjust it here, if you want to use something else.
N1 =		11
N2 =		12
NUMS =		${N1} ${N2}

.include <bsd.own.mk>

.if ! (make(clean) || make(cleandir) || make(obj))

PF_STATUS !=	${SUDO} /sbin/pfctl -si | sed -n 's/^Status: \([^ ]*\) .*/\1/p'
.if empty(PF_STATUS:MEnabled)
regress:
	@echo pf status: "${PF_STATUS}"
	@echo Enable pf to run this regress.
	@echo SKIPPED
.endif

PF_SKIP !=	${SUDO} /sbin/pfctl -sI -v | sed -n 's/ (skip)//p' | \
		grep -w -e lo${N1} -e lo${N2} || :
.if ! empty(PF_SKIP)
regress:
	@echo pf skip: "${PF_SKIP}"
	@echo Do not set skip on interface lo, lo${N1}, or lo${N2}.
	@echo SKIPPED
.endif

PF_ANCHOR !=	${SUDO} /sbin/pfctl -sr |\
		    sed -n 's/^anchor "\([^"]*\)" all$$/\1/p'
.if empty(PF_ANCHOR:Mregress)
regress:
	@echo pf anchor: "${PF_ANCHOR}"
	@echo Need anchor '"regress"' in pf.conf to load additional rules.
	@echo SKIPPED
.endif

.endif

.PHONY: busy-rdomains ifconfig unconfig pfctl

REGRESS_SETUP_ONCE +=	busy-rdomains
busy-rdomains:
	# Check if rdomains are busy.
.for n in ${NUMS}
	@if /sbin/ifconfig | grep -v '^lo$n:' | grep ' rdomain $n '; then\
	    echo routing domain $n is already used >&2; exit 1; fi
.endfor

REGRESS_SETUP_ONCE +=	ifconfig
ifconfig: unconfig
	# Create and configure loopback interfaces.
.for n in ${NUMS}
	${SUDO} /sbin/ifconfig lo$n rdomain $n
	${SUDO} /sbin/ifconfig lo$n inet 127.0.0.1/8
	${SUDO} /sbin/ifconfig lo$n inet 127.0.0.$n alias
	${SUDO} /sbin/ifconfig lo$n inet6 ::1/128
	${SUDO} /sbin/ifconfig lo$n inet6 fe80::$n/64
	${SUDO} /sbin/route -n -T $n add -inet 224.0.0.0/4 127.0.0.1
.endfor
	# Wait until IPv6 addresses are no longer tentative.
	for i in `jot 50`; do\
	    if ! { /sbin/ifconfig lo${N1}; /sbin/ifconfig lo${N2}; }\
		| fgrep -q tentative; then\
		    break;\
	    fi;\
	    sleep .1;\
	done
	! { /sbin/ifconfig lo${N1}; /sbin/ifconfig lo${N2}; }\
	    | fgrep tentative

REGRESS_CLEANUP +=	unconfig
unconfig: stamp-stop
	# Destroy interfaces.
.for n in ${NUMS}
	-${SUDO} /sbin/ifconfig lo$n rdomain $n
	-${SUDO} /sbin/ifconfig lo$n inet 127.0.0.1 delete
	-${SUDO} /sbin/ifconfig lo$n inet 127.0.0.$n delete
	-${SUDO} /sbin/ifconfig lo$n inet6 ::1 delete
	-${SUDO} /sbin/ifconfig lo$n inet6 fe80::$n/64 delete
.endfor
	rm -f stamp-ifconfig

addr.py: Makefile
	# Create python include file containing the addresses.
	rm -f $@ $@.tmp
.for var in N1 N2
	echo '${var}="${${var}}"' >>$@.tmp
	echo 'IF_${var}="lo${${var}}"' >>$@.tmp
	echo 'ADDR_${var}="127.0.0.${${var}}"' >>$@.tmp
	echo 'ADDR6_${var}="fe80::${${var}}"' >>$@.tmp
.endfor
	mv $@.tmp $@

REGRESS_SETUP_ONCE +=	pfctl
pfctl: addr.py pf.conf
	# Load the pf rules into the kernel.
	cat addr.py ${.CURDIR}/pf.conf | /sbin/pfctl -n -f -
	cat addr.py ${.CURDIR}/pf.conf | ${SUDO} /sbin/pfctl -a regress -f -

# run tcpdump on lo and pflog device
DUMPCMD =	/usr/sbin/tcpdump -l -e -vvv -s 2048 -ni

stamp-bpf: stamp-bpf-lo${N1} stamp-bpf-lo${N2} stamp-bpf-pflog0
	sleep 2  # XXX
	@date >$@

.for i in lo${N1} lo${N2} pflog0

stamp-bpf-$i: stamp-ifconfig
	rm -f $i.tcpdump
	${SUDO} pkill -f '^${DUMPCMD} $i' || true
	${SUDO} ${DUMPCMD} $i >$i.tcpdump &
	rm -f stamp-stop
	@date >$@

.endfor

stamp-stop:
	sleep 2  # XXX
	-${SUDO} pkill -f '^${DUMPCMD}'
	rm -f stamp-bpf*
	@date >$@

# Set variables so that make runs with and without obj directory.
# Only do that if necessary to keep visible output short.
.if ${.CURDIR} == ${.OBJDIR}
PYTHON =	python3 -u ./
.else
PYTHON =	env PYTHONPATH=${.OBJDIR} python3 -u ${.CURDIR}/
.endif

# ping

REGRESS_TARGETS +=	run-ping
run-ping: stamp-bpf
	# Ping localhost on loopback
	/sbin/ping -n -w 1 -c 1 -V ${N1} 127.0.0.${N1}
	/sbin/ping -n -w 1 -c 1 -V ${N2} 127.0.0.${N2}

REGRESS_TARGETS +=	run-ping6
run-ping6: stamp-bpf
	# Ping localhost on loopback
	/sbin/ping6 -n -w 1 -c 1 -V ${N1} fe80::${N1}%lo${N1}
	/sbin/ping6 -n -w 1 -c 1 -V ${N2} fe80::${N2}%lo${N2}

REGRESS_TARGETS +=	run-bpf-ping
run-bpf-ping: stamp-stop
	# Check that ping packet went through loopback.
	grep ' 127.0.0.${N1}: icmp: echo request' lo${N1}.tcpdump
	grep ' 127.0.0.${N2}: icmp: echo request' lo${N2}.tcpdump
	grep ' fe80:.*::${N1}: icmp6: echo request' lo${N1}.tcpdump
	grep ' fe80:.*::${N2}: icmp6: echo request' lo${N2}.tcpdump
	! grep ': icmp: echo request' pflog0.tcpdump
	! grep ': icmp6: echo request' pflog0.tcpdump

# ping with RR option

REGRESS_TARGETS +=	run-ping-record
run-ping-record: stamp-bpf
	# Ping localhost with record route option
	/sbin/ping -n -w 1 -c 1 -V ${N1} -R 127.0.0.${N1}
	! /sbin/ping -n -w 1 -c 1 -V ${N2} -R 127.0.0.${N2}

REGRESS_TARGETS +=	run-bpf-ping-record
run-bpf-ping-record: stamp-stop
	# Check that ping packet with options is in pflog0.
	grep ' 127.0.0.${N1}: icmp: echo request .*\
	    optlen=40 RR' lo${N1}.tcpdump
	grep ' 127.0.0.${N2}: icmp: echo request .*\
	    optlen=40 RR' pflog0.tcpdump

# icmp

REGRESS_TARGETS +=	run-icmp
run-icmp: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp.py N2

REGRESS_TARGETS +=	run-icmp6
run-icmp6: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6.py N2

REGRESS_TARGETS +=	run-bpf-icmp
run-bpf-icmp: stamp-stop
	# Check that icmp packet went through loopback.
	grep ' 127.0.0.${N1}: icmp: type-#6' lo${N1}.tcpdump
	grep ' 127.0.0.${N2}: icmp: type-#6' lo${N2}.tcpdump
	grep ' fe80::${N1}: icmp6: type-#6' lo${N1}.tcpdump
	grep ' fe80::${N2}: icmp6: type-#6' lo${N2}.tcpdump
	! grep ': icmp: type-#6' pflog0.tcpdump
	! grep ': icmp6: type-#6' pflog0.tcpdump

# option extension header

REGRESS_TARGETS +=	run-icmp6-hop
run-icmp6-hop: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop.py N2

REGRESS_TARGETS +=	run-icmp6-dst
run-icmp6-dst: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_dst.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_dst.py N2

REGRESS_TARGETS +=	run-bpf-ext
run-bpf-ext: stamp-stop
	# Check that icmp6 packet with extension headers were blocked
	fgrep ' fe80::${N2}: HBH icmp6:' pflog0.tcpdump
	fgrep ' fe80::${N2}: DSTOPT icmp6:' pflog0.tcpdump
	! grep fe80::${N1} pflog0.tcpdump

# icmp with options

REGRESS_TARGETS +=	run-icmp-pad
run-icmp-pad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_pad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_pad.py N2

REGRESS_TARGETS +=	run-icmp-eol
run-icmp-eol: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_eol.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_eol.py N2

REGRESS_TARGETS +=	run-icmp6-pad
run-icmp6-pad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_pad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_pad.py N2

REGRESS_TARGETS +=	run-icmp-max
run-icmp-max: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_max.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_max.py N2

REGRESS_TARGETS +=	run-icmp6-max
run-icmp6-max: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_max.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_max.py N2

REGRESS_TARGETS +=	run-icmp-ra
run-icmp-ra: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_ra.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_ra.py N2

REGRESS_TARGETS +=	run-icmp6-ra
run-icmp6-ra: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_ra.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_ra.py N2

REGRESS_TARGETS +=	run-icmp-bad
run-icmp-bad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp_bad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp_bad.py N2

REGRESS_TARGETS +=	run-icmp6-bad
run-icmp6-bad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_hop_bad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_hop_bad.py N2

REGRESS_TARGETS +=	run-bpf-opts
run-bpf-opts: stamp-stop
	# Check that icmp packet with options were blocked
	grep ' 127.0.0.${N2}:.* optlen=4 NOP NOP NOP NOP)' pflog0.tcpdump
	grep ' 127.0.0.${N2}:.* optlen=4 NOP EOL-2)' pflog0.tcpdump
	grep ' 127.0.0.${N2}:.* optlen=40 NOP ' pflog0.tcpdump
	grep ' 127.0.0.${N2}:.* optlen=8 NOP IPOPT-148{4} NOP ' pflog0.tcpdump
	grep ' 127.0.0.${N2}:.* optlen=4 IPOPT-3{4})' pflog0.tcpdump
	grep ' fe80::${N2}: HBH icmp6:.* (len 28,' pflog0.tcpdump
	grep ' fe80::${N2}: HBH icmp6:.* (len 284,' pflog0.tcpdump
	grep ' fe80::${N2}: HBH (rtalert: 0x0000) icmp6:' pflog0.tcpdump
	grep ' fe80::${N2}: HBH (type 0x03: len=0) icmp6:' pflog0.tcpdump
	! grep '127.0.0.${N1}' pflog0.tcpdump
	! grep 'fe80::${N1}' pflog0.tcpdump

# multicast with router alert

REGRESS_TARGETS +=	run-igmp
run-igmp: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}igmp_ra.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}igmp_ra.py N2

REGRESS_TARGETS +=	run-icmp6-mld
run-icmp6-mld: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_mld_ra.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_mld_ra.py N2

REGRESS_TARGETS +=	run-bpf-mcast
run-bpf-mcast: stamp-stop
	# Check that multicast protocol packet with router alert passed
	grep '127.0.0.${N2} > 224.0.0.1:\
	    igmp query .* IPOPT-148{4}' lo${N2}.tcpdump
	grep 'fe80::${N2} > ff02::1:\
	    HBH (rtalert:.* icmp6: multicast ' lo${N2}.tcpdump
	! grep '127.0.0.${N1}' pflog0.tcpdump
	! grep 'fe80::${N1}' pflog0.tcpdump
	! grep '127.0.0.${N2}' pflog0.tcpdump
	! grep 'fe80::${N2}' pflog0.tcpdump
	! grep '224.0.0.1' pflog0.tcpdump
	! grep 'ff02::1' pflog0.tcpdump

REGRESS_TARGETS +=	run-igmp-bad
run-igmp-bad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}igmp_bad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}igmp_bad.py N2

REGRESS_TARGETS +=	run-icmp6-mld-bad
run-icmp6-mld-bad: stamp-bpf
	${SUDO} /sbin/route -T ${N1} exec ${PYTHON}icmp6_mld_bad.py N1
	${SUDO} /sbin/route -T ${N2} exec ${PYTHON}icmp6_mld_bad.py N2

REGRESS_TARGETS +=	run-bpf-mcast-bad
run-bpf-mcast-bad: stamp-stop
	# Check that multicast protocol packet with options were blocked
	grep '127.0.0.${N2} > 224.0.0.1:\
	    igmp query .* IPOPT-3{4}' pflog0.tcpdump
	grep 'fe80::${N2} > ff02::1:\
	    HBH (type 0x03:.* icmp6: multicast ' pflog0.tcpdump
	! grep '127.0.0.${N1}' pflog0.tcpdump
	! grep 'fe80::${N1}' pflog0.tcpdump

CLEANFILES +=	addr.py *.pyc *.tcpdump *.log stamp-*

.include <bsd.regress.mk>