pf tests: test SCTP 'return'

Ensure that we send a correct abort message for 'block return' rules. Test this by validating that nc doesn't sit around waiting for a connection. It should give up immediately when it receives the abort. MFC after: 3 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D40865
2023-05-31 21:45:29 +02:00 · 2023-05-31 21:45:29 +02:00 · 2d42aa9d7b
commit 2d42aa9d7b
parent d1bc1e9e1a
1 changed files with 117 additions and 0 deletions
--- a/tests/sys/netpfil/pf/sctp.sh
+++ b/tests/sys/netpfil/pf/sctp.sh
@ -182,9 +182,126 @@ basic_v6_cleanup()
 	pft_cleanup
 }

+atf_test_case "abort_v4" "cleanup"
+abort_v4_head()
+{
+	atf_set descr 'Test sending ABORT messages'
+	atf_set require.user root
+}
+
+abort_v4_body()
+{
+	sctp_init
+
+	j="sctp:abort_v4"
+	epair=$(vnet_mkepair)
+
+	vnet_mkjail ${j}a ${epair}a
+	vnet_mkjail ${j}b ${epair}b
+
+	jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up
+	jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore \
+	    jexec ${j}a ping -c 1 192.0.2.2
+
+	jexec ${j}a pfctl -e
+	pft_set_rules ${j}a \
+		"block return in proto sctp to port 1234"
+
+	echo "foo" | jexec ${j}a nc --sctp -N -l 1234 &
+
+	# Wait for the server to start
+	sleep 1
+
+	# If we get the abort we'll exit immediately, if we don't timeout will
+	# stop nc.
+	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
+	if [ $? -eq 124 ]; then
+		atf_fail 'Abort not received'
+	fi
+	if [ "$out" == "foo" ]; then
+		atf_fail "block failed entirely"
+	fi
+
+	# Without 'return' we will time out.
+	pft_set_rules ${j}a \
+		"block in proto sctp to port 1234"
+
+	out=$(jexec ${j}b timeout 3 nc --sctp -N 192.0.2.1 1234)
+	if [ $? -ne 124 ]; then
+		atf_fail 'Abort sent anyway?'
+	fi
+}
+
+abort_v4_cleanup()
+{
+	pft_cleanup
+}
+
+atf_test_case "abort_v6" "cleanup"
+abort_v4_head()
+{
+	atf_set descr 'Test sending ABORT messages over IPv6'
+	atf_set require.user root
+}
+
+abort_v6_body()
+{
+	sctp_init
+
+	j="sctp:abort_v6"
+	epair=$(vnet_mkepair)
+
+	vnet_mkjail ${j}a ${epair}a
+	vnet_mkjail ${j}b ${epair}b
+
+	jexec ${j}a ifconfig ${epair}a inet6 2001:db8::a/64 no_dad
+	jexec ${j}b ifconfig ${epair}b inet6 2001:db8::b/64 no_dad
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore \
+	    jexec ${j}a ping -6 -c 1 2001:db8::b
+
+	jexec ${j}a pfctl -e
+	pft_set_rules ${j}a \
+		"block return in proto sctp to port 1234"
+
+	echo "foo" | jexec ${j}a nc -6 --sctp -N -l 1234 &
+
+	# Wait for the server to start
+	sleep 1
+
+	# If we get the abort we'll exit immediately, if we don't timeout will
+	# stop nc.
+	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
+	if [ $? -eq 124 ]; then
+		atf_fail 'Abort not received'
+	fi
+	if [ "$out" == "foo" ]; then
+		atf_fail "block failed entirely"
+	fi
+
+	# Without 'return' we will time out.
+	pft_set_rules ${j}a \
+		"block in proto sctp to port 1234"
+
+	out=$(jexec ${j}b timeout 3 nc --sctp -N 2001:db8::a 1234)
+	if [ $? -ne 124 ]; then
+		atf_fail 'Abort sent anyway?'
+	fi
+}
+
+abort_v4_cleanup()
+{
+	pft_cleanup
+}

 atf_init_test_cases()
 {
 	atf_add_test_case "basic_v4"
 	atf_add_test_case "basic_v6"
+	atf_add_test_case "abort_v4"
+	atf_add_test_case "abort_v6"
 }