/* $NetBSD: npf_nat_test.c,v 1.10.12.1 2019/01/26 22:00:39 pgoyette Exp $ */
2
3 /*
4 * NPF NAT tests.
5 *
6 * Public Domain.
7 */
8
9 #ifdef _KERNEL
10 #include <sys/types.h>
11 #endif
12
13 #include "npf_impl.h"
14 #include "npf_test.h"
15
/*
 * Results expected from npf_packet_handler(): the test treats 0 as "passed"
 * and ENETUNREACH as "blocked" (compared in checkresult() below).
 */
#define RESULT_PASS 0
#define RESULT_BLOCK ENETUNREACH

/* Translation type tag for the bi-directional (inbound + outbound) cases. */
#define NPF_BINAT (NPF_NATIN | NPF_NATOUT)

/*
 * Source port the outbound NAPT cases expect the translator to allocate.
 * NOTE(review): this presumes the test harness makes port selection
 * deterministic -- confirm against npf_test.h / the test subroutines.
 */
#define RANDOM_PORT 53472
22
/*
 * One NAT test packet.  A UDP datagram src:sport -> dst:dport (family af)
 * is injected on interface `ifname' in direction `di' (PFIL_IN/PFIL_OUT).
 * `ret' is the result expected from npf_packet_handler(); when the packet
 * passes, taddr/tport is what the translated side must carry: the source
 * for PFIL_OUT, the destination for PFIL_IN (see checkresult()).  `ttype'
 * labels the NAT kind being exercised; it is not consulted by the checks
 * in this file.
 */
static const struct test_case {
	const char *	src;
	in_port_t	sport;
	const char *	dst;
	in_port_t	dport;
	int		ttype;
	const char *	ifname;
	int		di;
	int		ret;
	int		af;
	const char *	taddr;
	in_port_t	tport;
} test_cases[] = {

	/*
	 * Traditional NAPT (outbound NAT):
	 * map $ext_if dynamic $local_net -> $pub_ip1
	 */
	/* Outbound: source rewritten to $pub_ip1 with the allocated port. */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP1, .tport = RANDOM_PORT },
	/*
	 * Same packet again: expected to get the same translation
	 * (presumably by hitting the session created above -- confirm).
	 */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP1, .tport = RANDOM_PORT },
	/* The private-sourced packet arriving inbound on $ext_if is blocked. */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .af = AF_INET, .taddr = NULL, .tport = 0 },
	/* A reply addressed straight to the private address is blocked. */
	{ .src = REMOTE_IP1, .sport = 7000, .dst = LOCAL_IP1, .dport = 15000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .af = AF_INET, .taddr = NULL, .tport = 0 },
	/*
	 * The reply to the translated flow is blocked on the internal
	 * interface and passes (next case) only on $ext_if: the reverse
	 * mapping must not be reachable from the wrong side.
	 */
	{ .src = REMOTE_IP1, .sport = 7000, .dst = PUB_IP1, .dport = RANDOM_PORT,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_INT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .af = AF_INET, .taddr = NULL, .tport = 0 },
	{ .src = REMOTE_IP1, .sport = 7000, .dst = PUB_IP1, .dport = RANDOM_PORT,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = LOCAL_IP1, .tport = 15000 },

	/*
	 * NAT redirect (inbound NAT):
	 * map $ext_if dynamic $local_ip1 port 6000 <- $pub_ip1 port 8000
	 */
	/* Inbound: destination $pub_ip1:8000 becomes $local_ip1:6000. */
	{ .src = REMOTE_IP2, .sport = 16000, .dst = PUB_IP1, .dport = 8000,
	  .ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = LOCAL_IP1, .tport = 6000 },
	/* The reply leaves with source restored to $pub_ip1:8000. */
	{ .src = LOCAL_IP1, .sport = 6000, .dst = REMOTE_IP2, .dport = 16000,
	  .ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP1, .tport = 8000 },

	/*
	 * Bi-directional NAT (inbound + outbound NAT):
	 * map $ext_if dynamic $local_ip2 <-> $pub_ip2
	 */
	/* Inbound-initiated flow and its reply: ports are preserved. */
	{ .src = REMOTE_IP2, .sport = 17000, .dst = PUB_IP2, .dport = 9000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = LOCAL_IP2, .tport = 9000 },
	{ .src = LOCAL_IP2, .sport = 9000, .dst = REMOTE_IP2, .dport = 17000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP2, .tport = 9000 },
	/* Outbound-initiated flow and its reply. */
	{ .src = LOCAL_IP2, .sport = 18000, .dst = REMOTE_IP2, .dport = 9000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP2, .tport = 18000 },
	{ .src = REMOTE_IP2, .sport = 9000, .dst = PUB_IP2, .dport = 18000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = LOCAL_IP2, .tport = 18000 },

	/*
	 * Static NAT: plain translation both ways.
	 * map $ext_if static $local_ip3 <-> $pub_ip3
	 */
	{ .src = LOCAL_IP3, .sport = 19000, .dst = REMOTE_IP3, .dport = 10000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = PUB_IP3, .tport = 19000 },
	{ .src = REMOTE_IP3, .sport = 10000, .dst = PUB_IP3, .dport = 19000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = LOCAL_IP3, .tport = 19000 },

	/*
	 * NETMAP case:
	 * map $ext_if static algo netmap $net_a <-> $net_b
	 */
	{ .src = NET_A_IP1, .sport = 12345, .dst = REMOTE_IP4, .dport = 12345,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET, .taddr = NET_B_IP1, .tport = 12345 },

	/*
	 * NPTv6 case:
	 * map $ext_if static algo npt66 $net6_inner <-> $net6_outer
	 */
	{ .src = LOCAL_IP6, .sport = 1000, .dst = REMOTE_IP6, .dport = 1001,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .af = AF_INET6, .taddr = EXPECTED_IP6, .tport = 1000 },
	{ .src = REMOTE_IP6, .sport = 1001, .dst = EXPECTED_IP6, .dport = 1000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .af = AF_INET6, .taddr = LOCAL_IP6, .tport = 1000 },

};
153
/*
 * Compare the textual address `saddr' (family af) with the binary address
 * `addr2'.  Returns true on MISMATCH (hence the name), false when equal.
 * Only the family's address length is compared: 4 bytes for AF_INET,
 * 16 bytes otherwise.
 *
 * NOTE(review): the npf_inet_pton() result is not checked; an unparsable
 * `saddr' would compare uninitialized bytes -- confirm its contract.
 */
static bool
nmatch_addr(int af, const char *saddr, const npf_addr_t *addr2)
{
	npf_addr_t expected;
	const size_t cmplen = (af == AF_INET) ?
	    sizeof(struct in_addr) : sizeof(struct in6_addr);

	npf_inet_pton(af, saddr, &expected);
	return memcmp(&expected, addr2, cmplen) != 0;
}
164
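/*
 * Verify the outcome of test case `i': `error' is what npf_packet_handler()
 * returned for mbuf `m' on interface `ifp'.
 *
 * Returns true when `error' equals the case's expected result and, for a
 * passed packet, the addresses and UDP ports now in the mbuf match the
 * case: for PFIL_OUT the source side must be the translated taddr/tport,
 * for PFIL_IN the destination side; the other side must be untouched.
 *
 * A non-zero `error' is compared against the expectation without touching
 * `m', since a blocked packet may no longer be available.
 */
static bool
checkresult(bool verbose, unsigned i, struct mbuf *m, ifnet_t *ifp, int error)
{
	const struct test_case *t = &test_cases[i];
	npf_cache_t npc = { .npc_info = 0, .npc_ctx = npf_getkernctx() };
	const int af = t->af;
	nbuf_t nbuf;

	if (verbose) {
		/* `i' is unsigned, so %u rather than %d. */
		printf("packet %u (expected %d ret %d)\n", i + 1, t->ret, error);
	}
	if (error) {
		return error == t->ret;
	}

	/* Passed: re-parse the mbuf to see what the translation produced. */
	nbuf_init(npf_getkernctx(), &nbuf, m, ifp);
	npc.npc_nbuf = &nbuf;
	if (!npf_cache_all(&npc)) {
		printf("error: could not fetch the packet data\n");
		return false;
	}

	const struct udphdr *uh = npc.npc_l4.udp;

	if (verbose) {
		char sbuf[64], dbuf[64];

		npf_inet_ntop(af, npc.npc_ips[NPF_SRC], sbuf, sizeof(sbuf));
		npf_inet_ntop(af, npc.npc_ips[NPF_DST], dbuf, sizeof(dbuf));

		printf("\tpost-translation:");
		printf("src %s (%d) ", sbuf, ntohs(uh->uh_sport));
		printf("dst %s (%d)\n", dbuf, ntohs(uh->uh_dport));
	}
	/* error is 0 here: fail if the case expected the packet to be blocked. */
	if (error != t->ret) {
		return false;
	}

	/*
	 * Outbound cases translate the source, inbound cases the destination.
	 * Ports are in_port_t to match the test_case fields.
	 */
	const bool forw = t->di == PFIL_OUT;
	const char *saddr = forw ? t->taddr : t->src;
	const char *daddr = forw ? t->dst : t->taddr;
	const in_port_t sport = forw ? t->tport : t->sport;
	const in_port_t dport = forw ? t->dport : t->tport;

	bool defect = false;
	defect |= nmatch_addr(af, saddr, npc.npc_ips[NPF_SRC]);
	defect |= sport != ntohs(uh->uh_sport);
	defect |= nmatch_addr(af, daddr, npc.npc_ips[NPF_DST]);
	defect |= dport != ntohs(uh->uh_dport);

	return !defect;
}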
217
/*
 * Build the UDP test packet for case `t': an IPv6 mbuf when t->af is
 * AF_INET6, otherwise an IPv4 one, with addresses and ports copied from
 * the case.  The caller owns (and frees) the returned mbuf.
 */
static struct mbuf *
fill_packet(const struct test_case *t)
{
	struct udphdr *udp;
	struct mbuf *pkt;
	void *srcp, *dstp;

	if (t->af != AF_INET6) {
		struct ip *ip4;

		pkt = mbuf_construct(IPPROTO_UDP);
		udp = mbuf_return_hdrs(pkt, false, &ip4);
		srcp = &ip4->ip_src.s_addr;
		dstp = &ip4->ip_dst.s_addr;
	} else {
		struct ip6_hdr *ip6;

		pkt = mbuf_construct6(IPPROTO_UDP);
		udp = mbuf_return_hdrs6(pkt, &ip6);
		srcp = &ip6->ip6_src;
		dstp = &ip6->ip6_dst;
	}

	/* Addresses are given as strings; ports as host-order numbers. */
	npf_inet_pton(t->af, t->src, srcp);
	npf_inet_pton(t->af, t->dst, dstp);
	udp->uh_sport = htons(t->sport);
	udp->uh_dport = htons(t->dport);

	return pkt;
}
245
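/*
 * Run every NAT test case: build the packet, push it through
 * npf_packet_handler() on the case's interface and direction, and verify
 * the result with checkresult().  Stops at the first failing case.
 *
 * Returns true if all cases pass; false on the first failure, or when an
 * interface named by a case is not configured.
 */
bool
npf_nat_test(bool verbose)
{
	npf_t *npf = npf_getkernctx();

	for (unsigned i = 0; i < __arraycount(test_cases); i++) {
		const struct test_case *t = &test_cases[i];
		ifnet_t *ifp = npf_test_getif(t->ifname);
		struct mbuf *m;
		int error;
		bool ret;

		/*
		 * Resolve the interface before building the packet, so that
		 * bailing out on a missing interface does not leak the mbuf.
		 */
		if (ifp == NULL) {
			printf("Interface %s is not configured.\n", t->ifname);
			return false;
		}
		m = fill_packet(t);
		error = npf_packet_handler(npf, &m, ifp, t->di);
		ret = checkresult(verbose, i, m, ifp, error);
		/* The handler may have consumed the mbuf (set it to NULL). */
		if (m != NULL) {
			m_freem(m);
		}
		if (!ret) {
			return false;
		}
	}
	return true;
}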
273