git: 4369a57514f2 - main - pf tests: test 'rdr' for SCTP

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 21 Jul 2023 10:32:44 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4369a57514f227c989d4de87d1ce54470279ba41

commit 4369a57514f227c989d4de87d1ce54470279ba41
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-06-01 16:03:07 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-07-21 10:32:19 +0000

    pf tests: test 'rdr' for SCTP
    
    Explicitly test that we cannot change the port number with rdr.
    That's not a desireable feature on SCTP, because it could break
    multihomed connections.
    
    MFC after:      3 weeks
    Sponsored by:   Orange Business Services
    Differential Revision:  https://reviews.freebsd.org/D40868
---
 tests/sys/netpfil/pf/sctp.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/tests/sys/netpfil/pf/sctp.sh b/tests/sys/netpfil/pf/sctp.sh
index 659c11c62113..2c736017f9fa 100644
--- a/tests/sys/netpfil/pf/sctp.sh
+++ b/tests/sys/netpfil/pf/sctp.sh
@@ -402,6 +402,73 @@ nat_v6_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "rdr_v4" "cleanup"
+rdr_v4_head()
+{
+	atf_set descr 'Test rdr SCTP over IPv4'
+	atf_set require.user root
+}
+
+rdr_v4_body()
+{
+	sctp_init
+
+	j="sctp:rdr_v4"
+	epair_c=$(vnet_mkepair)
+	epair_srv=$(vnet_mkepair)
+
+	vnet_mkjail ${j}srv ${epair_srv}a
+	vnet_mkjail ${j}gw ${epair_srv}b ${epair_c}a
+	vnet_mkjail ${j}c ${epair_c}b
+
+	jexec ${j}srv ifconfig ${epair_srv}a 198.51.100.1/24 up
+	# No default route in srv jail, to ensure we're NAT-ing
+	jexec ${j}gw ifconfig ${epair_srv}b 198.51.100.2/24 up
+	jexec ${j}gw ifconfig ${epair_c}a 192.0.2.1/24 up
+	jexec ${j}gw sysctl net.inet.ip.forwarding=1
+	jexec ${j}c ifconfig ${epair_c}b 192.0.2.2/24 up
+	jexec ${j}c route add default 192.0.2.1
+
+	jexec ${j}gw pfctl -e
+	pft_set_rules ${j}gw \
+		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 1234" \
+		"pass"
+
+	echo "foo" | jexec ${j}c nc --sctp -N -l 1234 &
+
+	# Wait for the server to start
+	sleep 1
+
+	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
+	if [ "$out" != "foo" ]; then
+		atf_fail "SCTP connection failed"
+	fi
+
+	# Despite configuring port changes pf will not do so.
+	echo "bar" | jexec ${j}c nc --sctp -N -l 1234 &
+
+	pft_set_rules ${j}gw \
+		"rdr pass on ${epair_srv}b proto sctp from 198.51.100.0/24 to any port 1234 -> 192.0.2.2 port 4321" \
+		"pass"
+
+	# This will fail
+	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 4321)
+	if [ "$out" == "bar" ]; then
+		atf_fail "Port was unexpectedly changed."
+	fi
+
+	# This succeeds
+	out=$(jexec ${j}srv nc --sctp -N -w 3 198.51.100.2 1234)
+	if [ "$out" != "bar" ]; then
+		atf_fail "Port was unexpectedly changed."
+	fi
+}
+
+rdr_v4_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "basic_v4"
@@ -410,4 +477,5 @@ atf_init_test_cases()
 	atf_add_test_case "abort_v6"
 	atf_add_test_case "nat_v4"
 	atf_add_test_case "nat_v6"
+	atf_add_test_case "rdr_v4"
 }