/*	$NetBSD: npf_nat_test.c,v 1.5 2014/02/05 03:30:13 rmind Exp $	*/

/*
 * NPF NAT test.
 *
 * Public Domain.
 */
8
9 #include <sys/types.h>
10
11 #include "npf_impl.h"
12 #include "npf_test.h"
13
/* Expected return value of npf_packet_handler() for a test packet. */
#define RESULT_PASS 0
#define RESULT_BLOCK ENETUNREACH

/* Bi-directional NAT: the inbound and outbound translation types combined. */
#define NPF_BINAT (NPF_NATIN | NPF_NATOUT)

/*
 * Port the table expects dynamic NAPT to pick for the translated source.
 * NOTE(review): assumes the test harness allocates ports deterministically —
 * confirm against npf_test.h / the port allocator used by the tests.
 */
#define RANDOM_PORT 45600
20
/*
 * One NAT test packet and its expected outcome.
 *
 * The packet is built from src:sport -> dst:dport (UDP), injected on
 * interface ifname in direction di, and must produce return value ret.
 * For a passed packet, taddr/tport is the translated endpoint: the source
 * for PFIL_OUT, the destination for PFIL_IN (see checkresult()).
 */
static const struct test_case {
	const char *	src;
	in_port_t	sport;
	const char *	dst;
	in_port_t	dport;
	int		ttype;
	const char *	ifname;
	int		di;
	int		ret;
	const char *	taddr;
	in_port_t	tport;
} test_cases[] = {

	/*
	 * Traditional NAPT (outbound NAT):
	 *	map $ext_if dynamic $local_net -> $pub_ip1
	 */
	{
		.src = LOCAL_IP1,	.sport = 15000,
		.dst = REMOTE_IP1,	.dport = 7000,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_EXT,	.di = PFIL_OUT,
		.ret = RESULT_PASS,	.taddr = PUB_IP1,	.tport = RANDOM_PORT
	},
	/* Same packet again (presumably hits the existing NAT entry). */
	{
		.src = LOCAL_IP1,	.sport = 15000,
		.dst = REMOTE_IP1,	.dport = 7000,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_EXT,	.di = PFIL_OUT,
		.ret = RESULT_PASS,	.taddr = PUB_IP1,	.tport = RANDOM_PORT
	},
	/* Outbound rule must not apply to the inbound direction. */
	{
		.src = LOCAL_IP1,	.sport = 15000,
		.dst = REMOTE_IP1,	.dport = 7000,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_BLOCK,	.taddr = NULL,		.tport = 0
	},
	{
		.src = REMOTE_IP1,	.sport = 7000,
		.dst = LOCAL_IP1,	.dport = 15000,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_BLOCK,	.taddr = NULL,		.tport = 0
	},
	/* Reply arriving on the wrong (internal) interface is blocked. */
	{
		.src = REMOTE_IP1,	.sport = 7000,
		.dst = PUB_IP1,		.dport = RANDOM_PORT,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_INT,	.di = PFIL_IN,
		.ret = RESULT_BLOCK,	.taddr = NULL,		.tport = 0
	},
	/* Reply on the external interface is translated back. */
	{
		.src = REMOTE_IP1,	.sport = 7000,
		.dst = PUB_IP1,		.dport = RANDOM_PORT,
		.ttype = NPF_NATOUT,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_PASS,	.taddr = LOCAL_IP1,	.tport = 15000
	},

	/*
	 * NAT redirect (inbound NAT):
	 *	map $ext_if dynamic $local_ip1 port 8000 <- $pub_ip1 port 8000
	 * NOTE(review): the expected translated port below is 6000 while the
	 * rule comment says 8000 — confirm against the test configuration.
	 */
	{
		.src = REMOTE_IP2,	.sport = 16000,
		.dst = PUB_IP1,		.dport = 8000,
		.ttype = NPF_NATIN,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_PASS,	.taddr = LOCAL_IP1,	.tport = 6000
	},
	{
		.src = LOCAL_IP1,	.sport = 6000,
		.dst = REMOTE_IP2,	.dport = 16000,
		.ttype = NPF_NATIN,	.ifname = IFNAME_EXT,	.di = PFIL_OUT,
		.ret = RESULT_PASS,	.taddr = PUB_IP1,	.tport = 8000
	},

	/*
	 * Bi-directional NAT (inbound + outbound NAT):
	 *	map $ext_if dynamic $local_ip2 <-> $pub_ip2
	 */
	{
		.src = REMOTE_IP2,	.sport = 17000,
		.dst = PUB_IP2,		.dport = 9000,
		.ttype = NPF_BINAT,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_PASS,	.taddr = LOCAL_IP2,	.tport = 9000
	},
	{
		.src = LOCAL_IP2,	.sport = 9000,
		.dst = REMOTE_IP2,	.dport = 17000,
		.ttype = NPF_BINAT,	.ifname = IFNAME_EXT,	.di = PFIL_OUT,
		.ret = RESULT_PASS,	.taddr = PUB_IP2,	.tport = 9000
	},
	{
		.src = LOCAL_IP2,	.sport = 18000,
		.dst = REMOTE_IP2,	.dport = 9000,
		.ttype = NPF_BINAT,	.ifname = IFNAME_EXT,	.di = PFIL_OUT,
		.ret = RESULT_PASS,	.taddr = PUB_IP2,	.tport = 18000
	},
	{
		.src = REMOTE_IP2,	.sport = 9000,
		.dst = PUB_IP2,		.dport = 18000,
		.ttype = NPF_BINAT,	.ifname = IFNAME_EXT,	.di = PFIL_IN,
		.ret = RESULT_PASS,	.taddr = LOCAL_IP2,	.tport = 18000
	},

};
110
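/*
 * nmatch_addr: return true when the dotted-quad string saddr does NOT
 * denote the IPv4 address addr2 ("no match").
 *
 * A NULL saddr (a table entry without a translation address) is reported
 * as a mismatch instead of being handed to inet_addr(), which requires a
 * valid string.  An unparsable string yields INADDR_NONE from inet_addr()
 * and therefore only matches the all-ones address.
 */
static bool
nmatch_addr(const char *saddr, const struct in_addr *addr2)
{
	if (saddr == NULL) {
		return true;
	}
	/* Both values are in_addr_t in network byte order: compare directly. */
	const in_addr_t addr1 = inet_addr(saddr);
	return addr1 != addr2->s_addr;
}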
117
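/*
 * checkresult: verify the outcome of test packet i.
 *
 * error is the value returned by npf_packet_handler() for the packet m
 * on interface ifp.  For a blocked packet only the error code can be
 * checked; for a passed packet the IPv4 addresses and UDP ports are read
 * back from the mbuf and compared against the table's expectation.
 * Returns true if the packet behaved as expected.
 */
static bool
checkresult(bool verbose, unsigned i, struct mbuf *m, ifnet_t *ifp, int error)
{
	const struct test_case *t = &test_cases[i];
	npf_cache_t npc = { .npc_info = 0 };
	nbuf_t nbuf;

	if (verbose) {
		/* i is unsigned: %u keeps the format matched to its argument. */
		printf("packet %u (expected %d ret %d)\n", i + 1, t->ret, error);
	}
	if (error) {
		/* Blocked: there is no translated packet to inspect. */
		return error == t->ret;
	}

	nbuf_init(&nbuf, m, ifp);
	if (!npf_cache_all(&npc, &nbuf)) {
		printf("error: could not fetch the packet data\n");
		return false;
	}

	const struct ip *ip = npc.npc_ip.v4;
	const struct udphdr *uh = npc.npc_l4.udp;

	if (verbose) {
		/* inet_ntoa() returns a static buffer: one address per call. */
		printf("\tpost-translation: src %s (%d)",
		    inet_ntoa(ip->ip_src), ntohs(uh->uh_sport));
		printf(" dst %s (%d)\n",
		    inet_ntoa(ip->ip_dst), ntohs(uh->uh_dport));
	}
	if (error != t->ret) {
		/* error is 0 here: the packet passed but a block was expected. */
		return false;
	}

	/*
	 * Outbound (PFIL_OUT): the source endpoint is translated and the
	 * destination stays as sent.  Inbound (PFIL_IN): the destination is
	 * translated and the source stays as sent.
	 */
	const bool forw = t->di == PFIL_OUT;
	const char *saddr = forw ? t->taddr : t->src;
	const char *daddr = forw ? t->dst : t->taddr;
	/* Ports are 16-bit: in_port_t, not in_addr_t. */
	const in_port_t sport = forw ? t->tport : t->sport;
	const in_port_t dport = forw ? t->dport : t->tport;

	bool defect = false;
	defect |= nmatch_addr(saddr, &ip->ip_src);
	defect |= sport != ntohs(uh->uh_sport);
	defect |= nmatch_addr(daddr, &ip->ip_dst);
	defect |= dport != ntohs(uh->uh_dport);
	return !defect;
}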
164
/*
 * fill_packet: build a UDP test packet for table entry t.
 *
 * The mbuf comes from mbuf_construct(); its IPv4 source/destination and
 * UDP ports are set from t (ports converted to network byte order).
 * The caller owns the returned mbuf and releases it with m_freem().
 */
static struct mbuf *
fill_packet(const struct test_case *t)
{
	struct ip *ip;
	struct mbuf *m = mbuf_construct(IPPROTO_UDP);
	struct udphdr *uh = mbuf_return_hdrs(m, false, &ip);

	ip->ip_src.s_addr = inet_addr(t->src);
	ip->ip_dst.s_addr = inet_addr(t->dst);
	uh->uh_sport = htons(t->sport);
	uh->uh_dport = htons(t->dport);

	return m;
}
180
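/*
 * npf_nat_test: run every entry of test_cases through the packet handler.
 *
 * Each packet is built with fill_packet(), pushed through
 * npf_packet_handler() on the entry's interface and direction, and
 * checked with checkresult().  Stops at the first failure.
 * Returns true if all test cases behaved as expected.
 */
bool
npf_nat_test(bool verbose)
{
	for (unsigned i = 0; i < __arraycount(test_cases); i++) {
		const struct test_case *t = &test_cases[i];
		ifnet_t *ifp = ifunit(t->ifname);
		struct mbuf *m;
		int error;
		bool ret;

		/*
		 * Resolve the interface before building the packet, so the
		 * early return does not leak an mbuf.
		 */
		if (ifp == NULL) {
			printf("Interface %s is not configured.\n", t->ifname);
			return false;
		}
		m = fill_packet(t);
		error = npf_packet_handler(NULL, &m, ifp, t->di);
		ret = checkresult(verbose, i, m, ifp, error);
		/* The handler takes &m and may have released it (m == NULL). */
		if (m) {
			m_freem(m);
		}
		if (!ret) {
			return false;
		}
	}
	return true;
}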
206