/* $NetBSD: npf_nat_test.c,v 1.3 2013/09/19 01:04:46 rmind Exp $ */
2
3 /*
4 * NPF NAT test.
5 *
6 * Public Domain.
7 */
8
9 #include <sys/types.h>
10
11 #include "npf_impl.h"
12 #include "npf_test.h"
13
/*
 * Pseudo-interfaces the test harness is expected to have configured.
 * Every case expected to pass is injected on IFNAME_EXT; IFNAME_INT is
 * only used by a case expected to be blocked.
 */
#define IFNAME_EXT "npftest0"
#define IFNAME_INT "npftest1"

/* Hosts behind the NAT (RFC 1918 private space). */
#define LOCAL_IP1 "10.1.1.1"
#define LOCAL_IP2 "10.1.1.2"

/*
 * Note: RFC 5737 compliant addresses (TEST-NET-1, 192.0.2.0/24), so the
 * vectors never name a routable host.  PUB_IP* are the public addresses
 * the local hosts are translated to, REMOTE_IP* the far-end peers.
 */
#define PUB_IP1 "192.0.2.1"
#define PUB_IP2 "192.0.2.2"
#define REMOTE_IP1 "192.0.2.3"
#define REMOTE_IP2 "192.0.2.4"

/*
 * Expected npf_packet_handler() return values: 0 for a packet that was
 * passed (and possibly translated), ENETUNREACH for a blocked one.
 */
#define RESULT_PASS 0
#define RESULT_BLOCK ENETUNREACH

/* Both NAT directions at once: bi-directional NAT. */
#define NPF_BINAT (NPF_NATIN | NPF_NATOUT)
30
/*
 * A single NAT test vector.
 *
 * The packet is IPv4/UDP from src:sport to dst:dport and is injected on
 * interface 'ifname' in direction 'di' (PFIL_IN / PFIL_OUT).  'ttype' names
 * the kind of NAT the case exercises, 'ret' is the value expected back from
 * the packet handler and, for a case expected to pass, taddr/tport give the
 * address and port the translated side must carry afterwards: the source
 * for an outbound packet, the destination for an inbound one.  Cases that
 * are expected to be blocked carry no translation (NULL / 0).
 *
 * The table is run in order and reply packets are checked against the
 * mapping an earlier case is expected to have created, so the order of
 * the entries is significant.
 */
static const struct test_case {
	const char *	src;
	in_port_t	sport;
	const char *	dst;
	in_port_t	dport;
	int		ttype;
	const char *	ifname;
	int		di;
	int		ret;
	const char *	taddr;
	in_port_t	tport;
} test_cases[] = {

	/*
	 * Traditional NAPT (outbound NAT):
	 *	map $ext_if dynamic $local_net -> $pub_ip1
	 *
	 * The first outbound packet must get its source rewritten to PUB_IP1
	 * with a translated port.  The port value is whatever the NAT port
	 * allocator hands out in the test build; it is pinned here so that
	 * the identical second packet can be checked to reuse the very same
	 * mapping instead of being handed a fresh one.
	 */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 53472 },

	/* Same flow again: must translate to the same public port. */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 53472 },

	/* The same packet arriving *inbound* on $ext_if: blocked. */
	{ .src = LOCAL_IP1, .sport = 15000, .dst = REMOTE_IP1, .dport = 7000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .taddr = NULL, .tport = 0 },

	/* Reply addressed to the private address instead of the mapping: blocked. */
	{ .src = REMOTE_IP1, .sport = 7000, .dst = LOCAL_IP1, .dport = 15000,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .taddr = NULL, .tport = 0 },

	/* Reply to the mapping, but arriving on the internal interface: blocked. */
	{ .src = REMOTE_IP1, .sport = 7000, .dst = PUB_IP1, .dport = 53472,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_INT, .di = PFIL_IN,
	  .ret = RESULT_BLOCK, .taddr = NULL, .tport = 0 },

	/* Reply to the mapping on $ext_if: passes, destination un-translated. */
	{ .src = REMOTE_IP1, .sport = 7000, .dst = PUB_IP1, .dport = 53472,
	  .ttype = NPF_NATOUT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .taddr = LOCAL_IP1, .tport = 15000 },

	/*
	 * NAT redirect (inbound NAT):
	 *	map $ext_if dynamic $local_ip1 port 6000 <- $pub_ip1 port 8000
	 *
	 * The expected results (destination port 6000 after translation, and
	 * source port 6000 rewritten back to 8000 on the reply) only hold if
	 * the configured rule redirects to local port 6000, not 8000.
	 */
	{ .src = REMOTE_IP2, .sport = 16000, .dst = PUB_IP1, .dport = 8000,
	  .ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .taddr = LOCAL_IP1, .tport = 6000 },

	/* Reply from the redirected service: source mapped back to PUB_IP1:8000. */
	{ .src = LOCAL_IP1, .sport = 6000, .dst = REMOTE_IP2, .dport = 16000,
	  .ttype = NPF_NATIN, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .taddr = PUB_IP1, .tport = 8000 },

	/*
	 * Bi-directional NAT (inbound + outbound NAT):
	 *	map $ext_if dynamic $local_ip2 <-> $pub_ip2
	 *
	 * Only the address is rewritten; the port is expected to be preserved
	 * in both directions, including for an outbound packet whose port
	 * (18000) no earlier case has used.
	 */
	{ .src = REMOTE_IP2, .sport = 17000, .dst = PUB_IP2, .dport = 9000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .taddr = LOCAL_IP2, .tport = 9000 },

	{ .src = LOCAL_IP2, .sport = 9000, .dst = REMOTE_IP2, .dport = 17000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .taddr = PUB_IP2, .tport = 9000 },

	{ .src = LOCAL_IP2, .sport = 18000, .dst = REMOTE_IP2, .dport = 9000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_OUT,
	  .ret = RESULT_PASS, .taddr = PUB_IP2, .tport = 18000 },

	{ .src = REMOTE_IP2, .sport = 9000, .dst = PUB_IP2, .dport = 18000,
	  .ttype = NPF_BINAT, .ifname = IFNAME_EXT, .di = PFIL_IN,
	  .ret = RESULT_PASS, .taddr = LOCAL_IP2, .tport = 18000 },

};
120
/*
 * nmatch_addr: "no match" test for an IPv4 address.
 *
 * Returns true when the dotted-quad string 'saddr' does NOT denote the
 * address held in 'addr2'.  inet_addr(3) yields network byte order, as
 * does s_addr, so the two can be compared directly.  Note that an
 * unparsable string makes inet_addr(3) return INADDR_NONE, which would
 * read as a mismatch against anything but 255.255.255.255 -- fine for
 * the constant literals used by this test, but not a general validator.
 */
static bool
nmatch_addr(const char *saddr, const struct in_addr *addr2)
{
	const in_addr_t expected = inet_addr(saddr);

	return expected != addr2->s_addr;
}
127
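/*
 * checkresult: verify the outcome of injecting test case 'i'.
 *
 * 'error' is what npf_packet_handler() returned for the packet and 'm' is
 * the (possibly translated) packet it left behind on interface 'ifp'.
 * For a case that expects a block only the error code is compared.  For a
 * case that expects a pass the IPv4/UDP headers are re-parsed through the
 * NPF cache and the translated side is compared with the expected
 * address/port: outbound (PFIL_OUT) traffic has its *source* rewritten,
 * inbound (PFIL_IN) traffic has its *destination* rewritten; the untouched
 * side must still match the original vector.
 *
 * Returns true if the result matches the expectation.
 */
static bool
checkresult(bool verbose, unsigned i, struct mbuf *m, ifnet_t *ifp, int error)
{
	const struct test_case *t = &test_cases[i];
	npf_cache_t npc = { .npc_info = 0 };
	nbuf_t nbuf;

	if (verbose) {
		/* 'i' is unsigned, so print it as such. */
		printf("packet %u (expected %d ret %d)\n", i + 1, t->ret, error);
	}
	if (error) {
		/* Blocked (or failed) packet: only the error code is compared. */
		return error == t->ret;
	}

	/*
	 * The packet was passed.  Re-parse it; every vector in the table is
	 * IPv4/UDP (see fill_packet()), so the v4/udp cache views are the
	 * ones to look at.
	 */
	nbuf_init(&nbuf, m, ifp);
	if (!npf_cache_all(&npc, &nbuf)) {
		printf("error: could not fetch the packet data\n");
		return false;
	}

	const struct ip *ip = npc.npc_ip.v4;
	const struct udphdr *uh = npc.npc_l4.udp;

	if (verbose) {
		/* inet_ntoa(3) hands back a static buffer: one call per printf(). */
		printf("\tpost-translation: src %s (%d)",
		    inet_ntoa(ip->ip_src), ntohs(uh->uh_sport));
		printf(" dst %s (%d)\n",
		    inet_ntoa(ip->ip_dst), ntohs(uh->uh_dport));
	}
	if (error != t->ret) {
		/* error is 0 here: the packet passed although a block was expected. */
		if (verbose) {
			printf("\terror: packet passed, expected ret %d\n", t->ret);
		}
		return false;
	}
	if (t->taddr == NULL) {
		/* A vector that expects a pass must say what to compare against. */
		printf("error: test case %u expects a pass but has no taddr\n", i + 1);
		return false;
	}

	/*
	 * Outbound NAT rewrites the source, inbound NAT rewrites the
	 * destination: build the full expected 4-tuple accordingly.  Ports are
	 * in_port_t (the original used in_addr_t, which merely happened to be
	 * wide enough).
	 */
	const bool forw = t->di == PFIL_OUT;
	const char *saddr = forw ? t->taddr : t->src;
	const char *daddr = forw ? t->dst : t->taddr;
	const in_port_t sport = forw ? t->tport : t->sport;
	const in_port_t dport = forw ? t->dport : t->tport;

	bool defect = false;
	defect |= nmatch_addr(saddr, &ip->ip_src);
	defect |= sport != ntohs(uh->uh_sport);
	defect |= nmatch_addr(daddr, &ip->ip_dst);
	defect |= dport != ntohs(uh->uh_dport);
	if (defect && verbose) {
		printf("\terror: expected src %s (%u) dst %s (%u)\n",
		    saddr, (unsigned)sport, daddr, (unsigned)dport);
	}
	return !defect;
}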
174
/*
 * fill_packet: build the IPv4/UDP packet described by test case 't'.
 *
 * The mbuf and its header layout come from the test harness
 * (mbuf_construct() / mbuf_return_hdrs()); only the addresses and ports
 * are written here, everything else in the headers is whatever the harness
 * initialised.  Neither harness call is NULL-checked -- presumably they
 * cannot fail in the test build; TODO confirm.  The caller owns the
 * returned mbuf and releases it with m_freem().
 */
static struct mbuf *
fill_packet(const struct test_case *t)
{
	struct ip *iph;
	struct mbuf *pkt = mbuf_construct(IPPROTO_UDP);
	struct udphdr *udph = mbuf_return_hdrs(pkt, false, &iph);

	/* Addresses are dotted quads; inet_addr(3) yields network byte order. */
	iph->ip_src.s_addr = inet_addr(t->src);
	iph->ip_dst.s_addr = inet_addr(t->dst);
	udph->uh_sport = htons(t->sport);
	udph->uh_dport = htons(t->dport);

	return pkt;
}
190
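/*
 * npf_nat_test: run every vector in test_cases through the NPF packet
 * handler and check the outcome.
 *
 * Each packet is injected on the interface and in the direction the case
 * names.  The reply cases appear to rely on the mapping an earlier case
 * created, so the table is processed in order and the run stops at the
 * first failure.  With 'verbose' set, checkresult() prints what the
 * handler returned and how the packet was translated.
 *
 * Returns true if every case matched its expectation.
 */
bool
npf_nat_test(bool verbose)
{
	for (unsigned i = 0; i < __arraycount(test_cases); i++) {
		const struct test_case *t = &test_cases[i];
		ifnet_t *ifp = ifunit(t->ifname);
		struct mbuf *m;
		int error;
		bool ret;

		/*
		 * Resolve the interface before building the packet: the
		 * previous ordering allocated the mbuf first and leaked it
		 * on this early return.
		 */
		if (ifp == NULL) {
			printf("Interface %s is not configured.\n", t->ifname);
			return false;
		}

		m = fill_packet(t);
		error = npf_packet_handler(NULL, &m, ifp, t->di);
		ret = checkresult(verbose, i, m, ifp, error);
		/*
		 * The handler takes &m and may have consumed the packet and
		 * cleared the pointer; only free what is still ours.
		 */
		if (m) {
			m_freem(m);
		}
		if (!ret) {
			printf("NAT test case %u failed\n", i + 1);
			return false;
		}
	}
	return true;
}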
216