npf_rule_test.c revision 1.14.10.2 1 1.14.10.2 pgoyette /* $NetBSD: npf_rule_test.c,v 1.14.10.2 2019/01/26 22:00:39 pgoyette Exp $ */
2 1.1 rmind
3 1.1 rmind /*
4 1.14.10.2 pgoyette * NPF ruleset tests.
5 1.1 rmind *
6 1.1 rmind * Public Domain.
7 1.1 rmind */
8 1.1 rmind
9 1.13 christos #ifdef _KERNEL
10 1.1 rmind #include <sys/types.h>
11 1.13 christos #endif
12 1.1 rmind
13 1.1 rmind #include "npf_impl.h"
14 1.1 rmind #include "npf_test.h"
15 1.1 rmind
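/*
 * CHECK_TRUE(x): report a failed expectation and bail out of the enclosing
 * test function with a false/zero result.
 *
 * Wrapped in do { } while (0) so that it behaves as a single statement: the
 * original bare `if (!(x)) { ... }` form captured a following `else` belonging
 * to an outer `if` (dangling-else), silently inverting the caller's logic.
 *
 * Because the macro returns directly, it must not be used at a point where
 * the caller still holds a lock or owns an unreleased resource; release first,
 * then check.
 */
#define CHECK_TRUE(x) \
	do { \
		if (!(x)) { \
			printf("FAIL: %s line %d\n", __func__, __LINE__); \
			return 0; \
		} \
	} while (0)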
18 1.14.10.2 pgoyette
/*
 * Verdicts the test compares against.  RESULT_PASS is the zero "no error"
 * value; RESULT_BLOCK is the errno a blocked packet is reported with by the
 * code under test.  Expressed as an enum so the constants are visible to a
 * debugger and obey scoping; the values are unchanged.
 */
enum {
	RESULT_PASS = 0,
	RESULT_BLOCK = ENETUNREACH
};
21 1.1 rmind
/*
 * One row per packet sent through the ruleset.
 *
 * src/dst are dotted-quad IPv4 literals, ifname selects the interface the
 * packet is attributed to and di is the pfil direction.  Two verdicts are
 * recorded for each row: stateful_ret is what the full packet handler
 * (state table + ruleset) is expected to return, ret is what a raw ruleset
 * lookup with no state is expected to return.
 *
 * NOTE(review): rows are evaluated in order and the second row of the
 * "stateful pass" pair presumably relies on state created by the first,
 * so the table is order-sensitive — confirm before reordering.
 * The expected verdicts depend on the ruleset loaded by the test harness,
 * which is not visible in this file.
 */
static const struct test_case {
	const char *	src;
	const char *	dst;
	const char *	ifname;
	int		di;
	int		stateful_ret;
	int		ret;
} test_cases[] = {

	/*
	 * Stateful pass: forward direction creates state, the reply is
	 * admitted by that state even though the ruleset alone blocks it.
	 */
	{ .src = "10.1.1.1", .dst = "10.1.1.2", .ifname = IFNAME_INT,
	  .di = PFIL_OUT, .stateful_ret = RESULT_PASS, .ret = RESULT_PASS },
	{ .src = "10.1.1.2", .dst = "10.1.1.1", .ifname = IFNAME_INT,
	  .di = PFIL_IN,  .stateful_ret = RESULT_PASS, .ret = RESULT_BLOCK },

	/* Forward stream passes only; the reverse direction is blocked. */
	{ .src = "10.1.1.1", .dst = "10.1.1.3", .ifname = IFNAME_INT,
	  .di = PFIL_OUT, .stateful_ret = RESULT_PASS, .ret = RESULT_PASS },
	{ .src = "10.1.1.3", .dst = "10.1.1.1", .ifname = IFNAME_INT,
	  .di = PFIL_IN,  .stateful_ret = RESULT_BLOCK, .ret = RESULT_BLOCK },

	/* Blocked in both evaluation paths. */
	{ .src = "10.1.1.1", .dst = "10.1.1.4", .ifname = IFNAME_INT,
	  .di = PFIL_OUT, .stateful_ret = RESULT_BLOCK, .ret = RESULT_BLOCK },

};
62 1.1 rmind
/*
 * Build a minimal IPv4/UDP packet (port 9000 -> 9000) whose addresses come
 * from the given test row.  Ownership of the returned mbuf passes to the
 * caller, which releases it with m_freem().
 *
 * NOTE(review): the addresses are trusted table literals, so inet_addr()'s
 * INADDR_NONE failure value is not checked; the results of the mbuf helper
 * calls are not checked either — confirm they cannot return NULL here.
 */
static struct mbuf *
fill_packet(const struct test_case *t)
{
	struct ip *ip;
	struct mbuf *pkt = mbuf_construct(IPPROTO_UDP);
	struct udphdr *udp = mbuf_return_hdrs(pkt, false, &ip);

	ip->ip_src.s_addr = inet_addr(t->src);
	ip->ip_dst.s_addr = inet_addr(t->dst);
	udp->uh_sport = udp->uh_dport = htons(9000);
	return pkt;
}
78 1.1 rmind
/*
 * Run a packet through the ruleset alone (no state table) and return the
 * verdict: the rule's conclusion when a rule matches, ENOENT when no rule
 * matches at all.  ENOENT is neither RESULT_PASS nor RESULT_BLOCK, so a
 * ruleset with no default rule shows up as a test failure rather than as a
 * pass.
 *
 * The ruleset is inspected under the config read lock; the lock is released
 * on every path before returning.
 */
static int
npf_rule_raw_test(struct mbuf *m, ifnet_t *ifp, int di)
{
	npf_t *npf = npf_getkernctx();
	npf_cache_t npc = { .npc_info = 0, .npc_ctx = npf };
	npf_match_info_t mi;
	npf_rule_t *rl;
	nbuf_t nbuf;
	int slock, verdict;

	nbuf_init(npf, &nbuf, m, ifp);
	npc.npc_nbuf = &nbuf;
	npf_cache_all(&npc);

	slock = npf_config_read_enter();
	rl = npf_ruleset_inspect(&npc, npf_config_ruleset(npf),
	    di, NPF_LAYER_3);
	verdict = (rl != NULL) ? npf_rule_conclude(rl, &mi) : ENOENT;
	npf_config_read_exit(slock);

	return verdict;
}
104 1.1 rmind
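/*
 * Evaluate test row i through the raw ruleset path and return its verdict.
 *
 * An index outside the table is rejected with EINVAL instead of reading past
 * the end of test_cases; EINVAL is neither RESULT_PASS nor RESULT_BLOCK, so
 * a caller comparing the verdict fails cleanly.  Callers are expected to
 * have verified that the row's interface exists (the main loop does so
 * before this is reached).
 */
static int
npf_test_case(unsigned i)
{
	if (i >= __arraycount(test_cases)) {
		return EINVAL;
	}

	const struct test_case *t = &test_cases[i];
	ifnet_t *ifp = npf_test_getif(t->ifname);
	struct mbuf *m = fill_packet(t);
	int error = npf_rule_raw_test(m, ifp, t->di);

	m_freem(m);
	return error;
}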
117 1.4 rmind
/*
 * Allocate a dynamic rule with no filter attached, applying to both
 * directions.  With no match code it applies to every packet; the caller
 * relies on it producing a block verdict once inserted.
 *
 * NOTE(review): nvlist_create() and npf_rule_alloc() results are not
 * checked, and it is not visible here whether npf_rule_alloc() takes
 * ownership of the nvlist — confirm against the implementation.
 */
static npf_rule_t *
npf_blockall_rule(void)
{
	const uint64_t attr = NPF_RULE_IN | NPF_RULE_OUT | NPF_RULE_DYNAMIC;
	nvlist_t *desc = nvlist_create(0);

	nvlist_add_number(desc, "attr", attr);
	return npf_rule_alloc(npf_getkernctx(), desc);
}
128 1.4 rmind
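/*
 * Ruleset test entry point.
 *
 * Part one sends every row of test_cases through both the full packet
 * handler (stateful verdict) and the raw ruleset lookup, comparing each
 * against the table.  Part two inserts a dynamic block-all rule, checks that
 * it now blocks a row that previously passed, removes it and checks the
 * original verdict is restored.
 *
 * Returns true when every check passes; prints a diagnostic and returns
 * false otherwise.  With verbose set, every row's expected and actual
 * verdicts are printed.
 *
 * The dynamic-rule section holds the exclusive config lock.  All checks on
 * that section are performed after npf_config_exit(): the previous code
 * returned through CHECK_TRUE while the lock was still held, leaving the
 * configuration locked for the rest of the test run.
 */
bool
npf_rule_test(bool verbose)
{
	npf_t *npf = npf_getkernctx();
	npf_ruleset_t *rlset;
	npf_rule_t *rl;
	uint64_t id;
	int error;
	int dyn_error = -1;	/* verdict while the block rule is installed */
	int rm_error = -1;	/* result of removing the block rule */

	/*
	 * Static ruleset: rows are evaluated in table order because the
	 * stateful path may create state that later rows depend on.
	 */
	for (unsigned i = 0; i < __arraycount(test_cases); i++) {
		const struct test_case *t = &test_cases[i];
		ifnet_t *ifp = npf_test_getif(t->ifname);
		int serror;

		if (ifp == NULL) {
			printf("Interface %s is not configured.\n", t->ifname);
			return false;
		}

		struct mbuf *m = fill_packet(t);
		error = npf_rule_raw_test(m, ifp, t->di);
		serror = npf_packet_handler(npf, &m, ifp, t->di);

		/* The handler may consume the mbuf and clear the pointer. */
		if (m) {
			m_freem(m);
		}

		if (verbose) {
			printf("rule test %u:\texpected %d (stateful) and %d\n"
			    "\t\t-> returned %d and %d\n",
			    i + 1, t->stateful_ret, t->ret, serror, error);
		}
		CHECK_TRUE(serror == t->stateful_ret && error == t->ret);
	}

	/*
	 * Dynamic NPF rules: row 0 passes, must be blocked while the
	 * block-all rule is present, and must pass again once removed.
	 */
	error = npf_test_case(0);
	CHECK_TRUE(error == RESULT_PASS);

	npf_config_enter(npf);
	rlset = npf_config_ruleset(npf);

	rl = npf_blockall_rule();
	error = npf_ruleset_add(rlset, "test-rules", rl);
	if (error == 0) {
		dyn_error = npf_test_case(0);
		id = npf_rule_getid(rl);
		rm_error = npf_ruleset_remove(rlset, "test-rules", id);
	}
	/* Release the lock before any check can return early. */
	npf_config_exit(npf);

	/*
	 * NOTE(review): if npf_ruleset_add() fails, rl is not released here
	 * (as before) — confirm whether the ruleset takes ownership only on
	 * success and whether a free routine should be called.
	 */
	CHECK_TRUE(error == 0);
	CHECK_TRUE(dyn_error == RESULT_BLOCK);
	CHECK_TRUE(rm_error == 0);

	error = npf_test_case(0);
	CHECK_TRUE(error == RESULT_PASS);

	return true;
}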