npf_nat_test.c revision 1.10
1 1.10 christos /* $NetBSD: npf_nat_test.c,v 1.10 2016/12/26 23:05:05 christos Exp $ */ 2 1.1 rmind 3 1.1 rmind /* 4 1.1 rmind * NPF NAT test. 5 1.1 rmind * 6 1.1 rmind * Public Domain. 7 1.1 rmind */ 8 1.1 rmind 9 1.10 christos #ifdef _KERNEL 10 1.1 rmind #include <sys/types.h> 11 1.10 christos #endif 12 1.1 rmind 13 1.1 rmind #include "npf_impl.h" 14 1.1 rmind #include "npf_test.h" 15 1.1 rmind 16 1.1 rmind #define RESULT_PASS 0 17 1.1 rmind #define RESULT_BLOCK ENETUNREACH 18 1.1 rmind 19 1.1 rmind #define NPF_BINAT (NPF_NATIN | NPF_NATOUT) 20 1.1 rmind 21 1.6 rmind #define RANDOM_PORT 53472 22 1.5 rmind 23 1.1 rmind static const struct test_case { 24 1.1 rmind const char * src; 25 1.1 rmind in_port_t sport; 26 1.1 rmind const char * dst; 27 1.1 rmind in_port_t dport; 28 1.1 rmind int ttype; 29 1.1 rmind const char * ifname; 30 1.1 rmind int di; 31 1.1 rmind int ret; 32 1.8 rmind int af; 33 1.1 rmind const char * taddr; 34 1.1 rmind in_port_t tport; 35 1.1 rmind } test_cases[] = { 36 1.1 rmind 37 1.1 rmind /* 38 1.1 rmind * Traditional NAPT (outbound NAT): 39 1.1 rmind * map $ext_if dynamic $local_net -> $pub_ip1 40 1.1 rmind */ 41 1.1 rmind { 42 1.1 rmind LOCAL_IP1, 15000, REMOTE_IP1, 7000, 43 1.1 rmind NPF_NATOUT, IFNAME_EXT, PFIL_OUT, 44 1.8 rmind RESULT_PASS, AF_INET, PUB_IP1, RANDOM_PORT 45 1.1 rmind }, 46 1.1 rmind { 47 1.1 rmind LOCAL_IP1, 15000, REMOTE_IP1, 7000, 48 1.1 rmind NPF_NATOUT, IFNAME_EXT, PFIL_OUT, 49 1.8 rmind RESULT_PASS, AF_INET, PUB_IP1, RANDOM_PORT 50 1.1 rmind }, 51 1.1 rmind { 52 1.1 rmind LOCAL_IP1, 15000, REMOTE_IP1, 7000, 53 1.1 rmind NPF_NATOUT, IFNAME_EXT, PFIL_IN, 54 1.8 rmind RESULT_BLOCK, AF_INET, NULL, 0 55 1.1 rmind }, 56 1.1 rmind { 57 1.1 rmind REMOTE_IP1, 7000, LOCAL_IP1, 15000, 58 1.1 rmind NPF_NATOUT, IFNAME_EXT, PFIL_IN, 59 1.8 rmind RESULT_BLOCK, AF_INET, NULL, 0 60 1.1 rmind }, 61 1.1 rmind { 62 1.5 rmind REMOTE_IP1, 7000, PUB_IP1, RANDOM_PORT, 63 1.1 rmind NPF_NATOUT, IFNAME_INT, PFIL_IN, 64 1.8 rmind RESULT_BLOCK, AF_INET, NULL, 0 65 1.1 rmind }, 66 1.1 rmind { 67 1.5 rmind REMOTE_IP1, 7000, PUB_IP1, RANDOM_PORT, 68 1.1 rmind NPF_NATOUT, IFNAME_EXT, PFIL_IN, 69 1.8 rmind RESULT_PASS, AF_INET, LOCAL_IP1, 15000 70 1.1 rmind }, 71 1.1 rmind 72 1.1 rmind /* 73 1.1 rmind * NAT redirect (inbound NAT): 74 1.7 rmind * map $ext_if dynamic $local_ip1 port 6000 <- $pub_ip1 port 8000 75 1.1 rmind */ 76 1.1 rmind { 77 1.1 rmind REMOTE_IP2, 16000, PUB_IP1, 8000, 78 1.1 rmind NPF_NATIN, IFNAME_EXT, PFIL_IN, 79 1.8 rmind RESULT_PASS, AF_INET, LOCAL_IP1, 6000 80 1.1 rmind }, 81 1.1 rmind { 82 1.1 rmind LOCAL_IP1, 6000, REMOTE_IP2, 16000, 83 1.1 rmind NPF_NATIN, IFNAME_EXT, PFIL_OUT, 84 1.8 rmind RESULT_PASS, AF_INET, PUB_IP1, 8000 85 1.1 rmind }, 86 1.1 rmind 87 1.1 rmind /* 88 1.1 rmind * Bi-directional NAT (inbound + outbound NAT): 89 1.1 rmind * map $ext_if dynamic $local_ip2 <-> $pub_ip2 90 1.1 rmind */ 91 1.1 rmind { 92 1.1 rmind REMOTE_IP2, 17000, PUB_IP2, 9000, 93 1.1 rmind NPF_BINAT, IFNAME_EXT, PFIL_IN, 94 1.8 rmind RESULT_PASS, AF_INET, LOCAL_IP2, 9000 95 1.1 rmind }, 96 1.1 rmind { 97 1.1 rmind LOCAL_IP2, 9000, REMOTE_IP2, 17000, 98 1.1 rmind NPF_BINAT, IFNAME_EXT, PFIL_OUT, 99 1.8 rmind RESULT_PASS, AF_INET, PUB_IP2, 9000 100 1.1 rmind }, 101 1.1 rmind { 102 1.1 rmind LOCAL_IP2, 18000, REMOTE_IP2, 9000, 103 1.1 rmind NPF_BINAT, IFNAME_EXT, PFIL_OUT, 104 1.8 rmind RESULT_PASS, AF_INET, PUB_IP2, 18000 105 1.1 rmind }, 106 1.1 rmind { 107 1.1 rmind REMOTE_IP2, 9000, PUB_IP2, 18000, 108 1.1 rmind NPF_BINAT, IFNAME_EXT, PFIL_IN, 109 1.8 rmind RESULT_PASS, AF_INET, LOCAL_IP2, 18000 110 1.1 rmind }, 111 1.1 rmind 112 1.7 rmind /* 113 1.7 rmind * Static NAT: plain translation both ways. 114 1.7 rmind * map $ext_if static $local_ip3 <-> $pub_ip3 115 1.7 rmind */ 116 1.7 rmind { 117 1.7 rmind LOCAL_IP3, 19000, REMOTE_IP3, 10000, 118 1.7 rmind NPF_BINAT, IFNAME_EXT, PFIL_OUT, 119 1.8 rmind RESULT_PASS, AF_INET, PUB_IP3, 19000 120 1.7 rmind }, 121 1.7 rmind { 122 1.7 rmind REMOTE_IP3, 10000, PUB_IP3, 19000, 123 1.7 rmind NPF_BINAT, IFNAME_EXT, PFIL_IN, 124 1.8 rmind RESULT_PASS, AF_INET, LOCAL_IP3, 19000 125 1.8 rmind }, 126 1.8 rmind 127 1.8 rmind /* 128 1.8 rmind * NPTv6 case: 129 1.8 rmind * map $ext_if static algo npt66 $net6_inner <-> $net6_outer 130 1.8 rmind */ 131 1.8 rmind { 132 1.8 rmind LOCAL_IP6, 1000, REMOTE_IP6, 1001, 133 1.8 rmind NPF_BINAT, IFNAME_EXT, PFIL_OUT, 134 1.8 rmind RESULT_PASS, AF_INET6, EXPECTED_IP6, 1000 135 1.8 rmind }, 136 1.8 rmind { 137 1.8 rmind REMOTE_IP6, 1001, EXPECTED_IP6, 1000, 138 1.8 rmind NPF_BINAT, IFNAME_EXT, PFIL_IN, 139 1.8 rmind RESULT_PASS, AF_INET6, LOCAL_IP6, 1000 140 1.7 rmind }, 141 1.7 rmind 142 1.1 rmind }; 143 1.1 rmind 144 1.1 rmind static bool 145 1.8 rmind nmatch_addr(int af, const char *saddr, const npf_addr_t *addr2) 146 1.1 rmind { 147 1.8 rmind npf_addr_t addr1; 148 1.8 rmind size_t len; 149 1.8 rmind 150 1.8 rmind npf_inet_pton(af, saddr, &addr1); 151 1.8 rmind len = af == AF_INET ? sizeof(struct in_addr) : sizeof(struct in6_addr); 152 1.8 rmind return memcmp(&addr1, addr2, len) != 0; 153 1.1 rmind } 154 1.1 rmind 155 1.1 rmind static bool 156 1.2 rmind checkresult(bool verbose, unsigned i, struct mbuf *m, ifnet_t *ifp, int error) 157 1.1 rmind { 158 1.1 rmind const struct test_case *t = &test_cases[i]; 159 1.10 christos npf_cache_t npc = { .npc_info = 0, .npc_ctx = npf_getkernctx() }; 160 1.8 rmind const int af = t->af; 161 1.2 rmind nbuf_t nbuf; 162 1.1 rmind 163 1.1 rmind if (verbose) { 164 1.1 rmind printf("packet %d (expected %d ret %d)\n", i+1, t->ret, error); 165 1.1 rmind } 166 1.1 rmind if (error) { 167 1.1 rmind return error == t->ret; 168 1.1 rmind } 169 1.2 rmind 170 1.10 christos nbuf_init(npf_getkernctx(), &nbuf, m, ifp); 171 1.9 rmind npc.npc_nbuf = &nbuf; 172 1.9 rmind if (!npf_cache_all(&npc)) { 173 1.1 rmind printf("error: could not fetch the packet data"); 174 1.1 rmind return false; 175 1.1 rmind } 176 1.1 rmind 177 1.2 rmind const struct udphdr *uh = npc.npc_l4.udp; 178 1.1 rmind 179 1.1 rmind if (verbose) { 180 1.8 rmind char sbuf[64], dbuf[64]; 181 1.8 rmind 182 1.8 rmind npf_inet_ntop(af, npc.npc_ips[NPF_SRC], sbuf, sizeof(sbuf)); 183 1.8 rmind npf_inet_ntop(af, npc.npc_ips[NPF_DST], dbuf, sizeof(dbuf)); 184 1.8 rmind 185 1.8 rmind printf("\tpost-translation:"); 186 1.8 rmind printf("src %s (%d) ", sbuf, ntohs(uh->uh_sport)); 187 1.8 rmind printf("dst %s (%d)\n", dbuf, ntohs(uh->uh_dport)); 188 1.1 rmind } 189 1.3 rmind if (error != t->ret) { 190 1.3 rmind return false; 191 1.3 rmind } 192 1.1 rmind 193 1.1 rmind const bool forw = t->di == PFIL_OUT; 194 1.1 rmind const char *saddr = forw ? t->taddr : t->src; 195 1.1 rmind const char *daddr = forw ? t->dst : t->taddr; 196 1.1 rmind in_addr_t sport = forw ? t->tport : t->sport; 197 1.1 rmind in_addr_t dport = forw ? t->dport : t->tport; 198 1.1 rmind 199 1.1 rmind bool defect = false; 200 1.8 rmind defect |= nmatch_addr(af, saddr, npc.npc_ips[NPF_SRC]); 201 1.1 rmind defect |= sport != ntohs(uh->uh_sport); 202 1.8 rmind defect |= nmatch_addr(af, daddr, npc.npc_ips[NPF_DST]); 203 1.1 rmind defect |= dport != ntohs(uh->uh_dport); 204 1.8 rmind 205 1.3 rmind return !defect; 206 1.1 rmind } 207 1.1 rmind 208 1.1 rmind static struct mbuf * 209 1.1 rmind fill_packet(const struct test_case *t) 210 1.1 rmind { 211 1.1 rmind struct mbuf *m; 212 1.8 rmind void *ipsrc, *ipdst; 213 1.1 rmind struct udphdr *uh; 214 1.1 rmind 215 1.8 rmind if (t->af == AF_INET6) { 216 1.8 rmind struct ip6_hdr *ip6; 217 1.8 rmind 218 1.8 rmind m = mbuf_construct6(IPPROTO_UDP); 219 1.8 rmind uh = mbuf_return_hdrs6(m, &ip6); 220 1.8 rmind ipsrc = &ip6->ip6_src, ipdst = &ip6->ip6_dst; 221 1.8 rmind } else { 222 1.8 rmind struct ip *ip; 223 1.8 rmind 224 1.8 rmind m = mbuf_construct(IPPROTO_UDP); 225 1.8 rmind uh = mbuf_return_hdrs(m, false, &ip); 226 1.8 rmind ipsrc = &ip->ip_src.s_addr, ipdst = &ip->ip_dst.s_addr; 227 1.8 rmind } 228 1.8 rmind 229 1.8 rmind npf_inet_pton(t->af, t->src, ipsrc); 230 1.8 rmind npf_inet_pton(t->af, t->dst, ipdst); 231 1.1 rmind uh->uh_sport = htons(t->sport); 232 1.1 rmind uh->uh_dport = htons(t->dport); 233 1.1 rmind return m; 234 1.1 rmind } 235 1.1 rmind 236 1.1 rmind bool 237 1.1 rmind npf_nat_test(bool verbose) 238 1.1 rmind { 239 1.10 christos npf_t *npf = npf_getkernctx(); 240 1.10 christos 241 1.1 rmind for (unsigned i = 0; i < __arraycount(test_cases); i++) { 242 1.1 rmind const struct test_case *t = &test_cases[i]; 243 1.10 christos ifnet_t *ifp = npf_test_getif(t->ifname); 244 1.1 rmind struct mbuf *m = fill_packet(t); 245 1.1 rmind int error; 246 1.1 rmind bool ret; 247 1.1 rmind 248 1.1 rmind if (ifp == NULL) { 249 1.1 rmind printf("Interface %s is not configured.\n", t->ifname); 250 1.1 rmind return false; 251 1.1 rmind } 252 1.10 christos error = npf_packet_handler(npf, &m, ifp, t->di); 253 1.2 rmind ret = checkresult(verbose, i, m, ifp, error); 254 1.1 rmind if (m) { 255 1.1 rmind m_freem(m); 256 1.1 rmind } 257 1.1 rmind if (!ret) { 258 1.1 rmind return false; 259 1.1 rmind } 260 1.1 rmind } 261 1.1 rmind return true; 262 1.1 rmind } 263
Indexes created Thu Sep 25 16:09:42 GMT 2025