/* $NetBSD: npf_nat_test.c,v 1.1 2012/08/12 03:35:14 rmind Exp $ */
2 1.1 rmind
/*
 * NPF NAT test.
 *
 * Public Domain.
 */
8 1.1 rmind
9 1.1 rmind #include <sys/types.h>
10 1.1 rmind
11 1.1 rmind #include "npf_impl.h"
12 1.1 rmind #include "npf_test.h"
13 1.1 rmind
/* Interfaces the test packets are injected on (looked up via ifunit()). */
#define IFNAME_EXT "npftest0"	/* "$ext_if" in the rule comments below */
#define IFNAME_INT "npftest1"	/* the inside interface */

/* Hosts behind the NAT (RFC 1918 private space). */
#define LOCAL_IP1 "10.1.1.1"
#define LOCAL_IP2 "10.1.1.2"

/* Note: RFC 5737 compliant addresses. */
#define PUB_IP1 "192.0.2.1"	/* public addresses the local hosts map to */
#define PUB_IP2 "192.0.2.2"
#define REMOTE_IP1 "192.0.2.3"	/* remote peers on the external side */
#define REMOTE_IP2 "192.0.2.4"

/* Expected npf_packet_handler() return values: 0 = passed, else the error. */
#define RESULT_PASS 0
#define RESULT_BLOCK ENETUNREACH

/* Rule type for cases exercising translation in both directions. */
#define NPF_BINAT (NPF_NATIN | NPF_NATOUT)
30 1.1 rmind
/*
 * Table-driven NAT test vectors.
 *
 * Each entry is one packet to inject: src/sport -> dst/dport, pushed through
 * interface `ifname' in pfil direction `di'.  `ret' is the verdict expected
 * back from npf_packet_handler().  For a passed packet the translated side is
 * compared against taddr/tport: checkresult() expects the *source* to become
 * taddr:tport for PFIL_OUT cases and the *destination* to become taddr:tport
 * for PFIL_IN cases, with the other side left untouched.  `ttype' records the
 * rule type a case exercises; nothing on this page reads it.
 */
static const struct test_case {
	const char *	src;	/* IPv4 source of the injected packet */
	in_port_t	sport;	/* UDP source port (host order) */
	const char *	dst;	/* IPv4 destination of the injected packet */
	in_port_t	dport;	/* UDP destination port (host order) */
	int		ttype;	/* NPF_NATOUT / NPF_NATIN / NPF_BINAT */
	const char *	ifname;	/* interface the packet is seen on */
	int		di;	/* PFIL_IN or PFIL_OUT */
	int		ret;	/* expected handler return (RESULT_*) */
	const char *	taddr;	/* expected translated address, NULL if blocked */
	in_port_t	tport;	/* expected translated port, 0 if blocked */
} test_cases[] = {

	/*
	 * Traditional NAPT (outbound NAT):
	 * map $ext_if dynamic $local_net -> $pub_ip1
	 *
	 * NOTE(review): 53472 is the port the harness' NAT allocator is
	 * expected to hand out for the first mapping; the test relies on that
	 * choice being deterministic across runs -- confirm against npftest.
	 */
	{
		.src = LOCAL_IP1, .sport = 15000,
		.dst = REMOTE_IP1, .dport = 7000,
		.ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
		.ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 53472,
	},
	/* Same flow again: must reuse the existing mapping. */
	{
		.src = LOCAL_IP1, .sport = 15000,
		.dst = REMOTE_IP1, .dport = 7000,
		.ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
		.ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 53472,
	},
	/* Same packet arriving inbound on the external side: blocked. */
	{
		.src = LOCAL_IP1, .sport = 15000,
		.dst = REMOTE_IP1, .dport = 7000,
		.ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_BLOCK, .taddr = NULL, .tport = 0,
	},
	/* Reply addressed straight to the private address: blocked. */
	{
		.src = REMOTE_IP1, .sport = 7000,
		.dst = LOCAL_IP1, .dport = 15000,
		.ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_BLOCK, .taddr = NULL, .tport = 0,
	},
	/* Reply to the mapped port, but on the wrong interface: blocked. */
	{
		.src = REMOTE_IP1, .sport = 7000,
		.dst = PUB_IP1, .dport = 53472,
		.ttype = NPF_NATOUT, .ifname = IFNAME_INT, .di = PFIL_IN,
		.ret = RESULT_BLOCK, .taddr = NULL, .tport = 0,
	},
	/* Reply to the mapped port on $ext_if: translated back to the host. */
	{
		.src = REMOTE_IP1, .sport = 7000,
		.dst = PUB_IP1, .dport = 53472,
		.ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_PASS, .taddr = LOCAL_IP1, .tport = 15000,
	},

	/*
	 * NAT redirect (inbound NAT):
	 * map $ext_if dynamic $local_ip1 port 8000 <- $pub_ip1 port 8000
	 *
	 * NOTE(review): the expected inbound destination below is port 6000,
	 * not 8000 as the rule comment says -- confirm which of the two
	 * matches the configuration the harness loads.
	 */
	{
		.src = REMOTE_IP2, .sport = 16000,
		.dst = PUB_IP1, .dport = 8000,
		.ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_PASS, .taddr = LOCAL_IP1, .tport = 6000,
	},
	{
		.src = LOCAL_IP1, .sport = 6000,
		.dst = REMOTE_IP2, .dport = 16000,
		.ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_OUT,
		.ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 8000,
	},

	/*
	 * Bi-directional NAT (inbound + outbound NAT):
	 * map $ext_if dynamic $local_ip2 <-> $pub_ip2
	 */
	{
		.src = REMOTE_IP2, .sport = 17000,
		.dst = PUB_IP2, .dport = 9000,
		.ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_PASS, .taddr = LOCAL_IP2, .tport = 9000,
	},
	{
		.src = LOCAL_IP2, .sport = 9000,
		.dst = REMOTE_IP2, .dport = 17000,
		.ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
		.ret = RESULT_PASS, .taddr = PUB_IP2, .tport = 9000,
	},
	{
		.src = LOCAL_IP2, .sport = 18000,
		.dst = REMOTE_IP2, .dport = 9000,
		.ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
		.ret = RESULT_PASS, .taddr = PUB_IP2, .tport = 18000,
	},
	{
		.src = REMOTE_IP2, .sport = 9000,
		.dst = PUB_IP2, .dport = 18000,
		.ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
		.ret = RESULT_PASS, .taddr = LOCAL_IP2, .tport = 18000,
	},

};
120 1.1 rmind
/*
 * Return true when the dotted-quad string saddr does NOT denote the same
 * IPv4 address as addr2 ("nmatch" = no match).  Both values are compared
 * as raw network-order in_addr_t words.  inet_addr() yields INADDR_NONE
 * for an unparsable string, which then simply fails to match (unless the
 * packet address happens to be 255.255.255.255).
 */
static bool
nmatch_addr(const char *saddr, const struct in_addr *addr2)
{
	const in_addr_t expected = inet_addr(saddr);
	const in_addr_t actual = addr2->s_addr;

	return expected != actual;
}
127 1.1 rmind
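/*
 * Verify the outcome of pushing test case i through npf_packet_handler().
 *
 * verbose	print the verdict and the post-translation 4-tuple
 * i		index into test_cases[]
 * m		the packet handed back by the handler; must be a valid mbuf
 *		whenever error == 0 (npf_nat_test() relies on the same)
 * error	return value of npf_packet_handler()
 *
 * Returns true if the verdict equals t->ret and, for a passed packet, the
 * translated side carries t->taddr:t->tport while the other side is
 * unchanged.  A blocked (error != 0) packet is judged on the verdict only.
 */
static bool
checkresult(bool verbose, unsigned i, struct mbuf *m, int error)
{
	const struct test_case *t = &test_cases[i];
	npf_cache_t npc = { .npc_info = 0 };

	if (verbose) {
		/* i is unsigned: %u rather than %d. */
		printf("packet %u (expected %d ret %d)\n", i + 1, t->ret, error);
	}
	if (error) {
		/* No packet to inspect; only the verdict can be compared. */
		return error == t->ret;
	}
	if (!npf_cache_all(&npc, m)) {
		printf("error: could not fetch the packet data\n");
		return false;
	}

	/* fill_packet() always builds UDP, so npc_l4.udp is the right view. */
	const struct ip *ip = &npc.npc_ip.v4;
	const struct udphdr *uh = &npc.npc_l4.udp;

	if (verbose) {
		/* inet_ntoa() returns a static buffer: one call per printf. */
		printf("\tpost-translation: src %s (%d)",
		    inet_ntoa(ip->ip_src), ntohs(uh->uh_sport));
		printf(" dst %s (%d)\n",
		    inet_ntoa(ip->ip_dst), ntohs(uh->uh_dport));
	}

	/*
	 * Outbound (PFIL_OUT) cases translate the source; inbound (PFIL_IN)
	 * cases translate the destination.  The other side must be untouched.
	 */
	const bool forw = t->di == PFIL_OUT;
	const char *saddr = forw ? t->taddr : t->src;
	const char *daddr = forw ? t->dst : t->taddr;
	/* Ports are in_port_t, matching the table and ntohs(); not in_addr_t. */
	const in_port_t sport = forw ? t->tport : t->sport;
	const in_port_t dport = forw ? t->dport : t->tport;

	bool defect = false;
	defect |= nmatch_addr(saddr, &ip->ip_src);
	defect |= sport != ntohs(uh->uh_sport);
	defect |= nmatch_addr(daddr, &ip->ip_dst);
	defect |= dport != ntohs(uh->uh_dport);

	/* error is 0 here, so this also fails a case that expected a block. */
	return !defect && error == t->ret;
}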
169 1.1 rmind
/*
 * Build the UDP packet for test case t.  The IPv4 source/destination and
 * the UDP ports come from the table; everything else is whatever
 * mbuf_construct() provides.  Ownership of the returned mbuf passes to the
 * caller (npf_nat_test() m_freem()s it).
 *
 * NOTE(review): neither mbuf_construct() nor mbuf_return_hdrs() is checked
 * for NULL here -- presumably the test harness aborts on allocation
 * failure; confirm before reusing this helper elsewhere.
 */
static struct mbuf *
fill_packet(const struct test_case *t)
{
	struct ip *iph;
	struct mbuf *pkt = mbuf_construct(IPPROTO_UDP);
	struct udphdr *udp = mbuf_return_hdrs(pkt, false, &iph);

	iph->ip_src.s_addr = inet_addr(t->src);
	iph->ip_dst.s_addr = inet_addr(t->dst);
	udp->uh_sport = htons(t->sport);
	udp->uh_dport = htons(t->dport);

	return pkt;
}
185 1.1 rmind
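/*
 * Run every entry of test_cases[] through npf_packet_handler() on its
 * interface and direction, checking each result with checkresult().
 *
 * verbose	forwarded to checkresult() for per-packet output
 *
 * Returns true only if all cases pass.  Stops at the first failing case or
 * at the first interface that is not configured.
 */
bool
npf_nat_test(bool verbose)
{
	for (unsigned i = 0; i < __arraycount(test_cases); i++) {
		const struct test_case *t = &test_cases[i];
		ifnet_t *ifp = ifunit(t->ifname);

		if (ifp == NULL) {
			printf("Interface %s is not configured.\n", t->ifname);
			return false;
		}

		/*
		 * Build the packet only after the interface lookup succeeded:
		 * constructing it first leaked the mbuf on the early return.
		 */
		struct mbuf *m = fill_packet(t);
		int error = npf_packet_handler(NULL, &m, ifp, t->di);
		bool ret = checkresult(verbose, i, m, error);

		/* m is passed by reference above; the guard suggests the
		 * handler may consume it and leave NULL behind. */
		if (m) {
			m_freem(m);
		}
		if (!ret) {
			return false;
		}
	}
	return true;
}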