2022-08-18 15:03:47 +00:00
|
|
|
package ingress
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
2022-09-02 16:29:50 +00:00
|
|
|
"net"
|
2022-08-18 15:03:47 +00:00
|
|
|
"net/netip"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/google/gopacket/layers"
|
|
|
|
"github.com/rs/zerolog"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"golang.org/x/net/icmp"
|
|
|
|
"golang.org/x/net/ipv4"
|
|
|
|
|
|
|
|
"github.com/cloudflare/cloudflared/packet"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
noopLogger = zerolog.Nop()
|
|
|
|
localhostIP = netip.MustParseAddr("127.0.0.1")
|
|
|
|
)
|
|
|
|
|
|
|
|
// TestICMPProxyEcho makes sure we can send ICMP echo via the Request method and receives response via the
|
|
|
|
// ListenResponse method
|
2022-09-06 12:20:50 +00:00
|
|
|
//
|
|
|
|
// Note: if this test fails on your device under Linux, then most likely you need to make sure that your user
|
|
|
|
// is allowed in ping_group_range. See the following gist for how to do that:
|
|
|
|
// https://github.com/ValentinBELYN/icmplib/blob/main/docs/6-use-icmplib-without-privileges.md
|
2022-08-18 15:03:47 +00:00
|
|
|
func TestICMPProxyEcho(t *testing.T) {
|
|
|
|
const (
|
|
|
|
echoID = 36571
|
|
|
|
endSeq = 100
|
|
|
|
)
|
2022-08-22 16:41:51 +00:00
|
|
|
|
2022-08-25 11:34:19 +00:00
|
|
|
proxy, err := NewICMPProxy(localhostIP, &noopLogger)
|
2022-08-18 15:03:47 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
proxyDone := make(chan struct{})
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
|
|
go func() {
|
2022-08-25 11:34:19 +00:00
|
|
|
proxy.Serve(ctx)
|
2022-08-18 15:03:47 +00:00
|
|
|
close(proxyDone)
|
|
|
|
}()
|
|
|
|
|
|
|
|
responder := echoFlowResponder{
|
|
|
|
decoder: packet.NewICMPDecoder(),
|
2022-08-29 17:49:07 +00:00
|
|
|
respChan: make(chan []byte, 1),
|
2022-08-18 15:03:47 +00:00
|
|
|
}
|
|
|
|
|
2022-09-02 16:29:50 +00:00
|
|
|
ips := []packet.IP{
|
|
|
|
{
|
|
|
|
Src: localhostIP,
|
|
|
|
Dst: localhostIP,
|
|
|
|
Protocol: layers.IPProtocolICMPv4,
|
|
|
|
},
|
2022-08-18 15:03:47 +00:00
|
|
|
}
|
2022-09-02 16:29:50 +00:00
|
|
|
|
|
|
|
addrs, err := net.InterfaceAddrs()
|
|
|
|
require.NoError(t, err)
|
|
|
|
for _, addr := range addrs {
|
|
|
|
if ipnet, ok := addr.(*net.IPNet); ok {
|
|
|
|
ip := ipnet.IP
|
|
|
|
if !ipnet.IP.IsLoopback() && ip.IsPrivate() && ip.To4() != nil {
|
|
|
|
localIP := netip.MustParseAddr(ipnet.IP.String())
|
|
|
|
ips = append(ips, packet.IP{
|
|
|
|
Src: localIP,
|
|
|
|
Dst: localIP,
|
|
|
|
Protocol: layers.IPProtocolICMPv4,
|
|
|
|
})
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for seq := 0; seq < endSeq; seq++ {
|
|
|
|
for i, ip := range ips {
|
|
|
|
pk := packet.ICMP{
|
|
|
|
IP: &ip,
|
|
|
|
Message: &icmp.Message{
|
|
|
|
Type: ipv4.ICMPTypeEcho,
|
|
|
|
Code: 0,
|
|
|
|
Body: &icmp.Echo{
|
|
|
|
ID: echoID + i,
|
|
|
|
Seq: seq,
|
|
|
|
Data: []byte(fmt.Sprintf("icmp echo seq %d", seq)),
|
|
|
|
},
|
2022-08-18 15:03:47 +00:00
|
|
|
},
|
2022-09-02 16:29:50 +00:00
|
|
|
}
|
|
|
|
require.NoError(t, proxy.Request(&pk, &responder))
|
|
|
|
responder.validate(t, &pk)
|
2022-08-18 15:03:47 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
cancel()
|
|
|
|
<-proxyDone
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestICMPProxyRejectNotEcho makes sure it rejects messages other than echo
|
|
|
|
func TestICMPProxyRejectNotEcho(t *testing.T) {
|
|
|
|
msgs := []icmp.Message{
|
|
|
|
{
|
|
|
|
Type: ipv4.ICMPTypeDestinationUnreachable,
|
|
|
|
Code: 1,
|
|
|
|
Body: &icmp.DstUnreach{
|
|
|
|
Data: []byte("original packet"),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: ipv4.ICMPTypeTimeExceeded,
|
|
|
|
Code: 1,
|
|
|
|
Body: &icmp.TimeExceeded{
|
|
|
|
Data: []byte("original packet"),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: ipv4.ICMPType(2),
|
|
|
|
Code: 0,
|
|
|
|
Body: &icmp.PacketTooBig{
|
|
|
|
MTU: 1280,
|
|
|
|
Data: []byte("original packet"),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
2022-08-25 11:34:19 +00:00
|
|
|
proxy, err := NewICMPProxy(localhostIP, &noopLogger)
|
2022-08-18 15:03:47 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
responder := echoFlowResponder{
|
|
|
|
decoder: packet.NewICMPDecoder(),
|
|
|
|
respChan: make(chan []byte),
|
|
|
|
}
|
|
|
|
for _, m := range msgs {
|
|
|
|
pk := packet.ICMP{
|
|
|
|
IP: &packet.IP{
|
|
|
|
Src: localhostIP,
|
|
|
|
Dst: localhostIP,
|
|
|
|
Protocol: layers.IPProtocolICMPv4,
|
|
|
|
},
|
|
|
|
Message: &m,
|
|
|
|
}
|
|
|
|
require.Error(t, proxy.Request(&pk, &responder))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
type echoFlowResponder struct {
|
|
|
|
decoder *packet.ICMPDecoder
|
|
|
|
respChan chan []byte
|
|
|
|
}
|
|
|
|
|
2022-09-02 16:29:50 +00:00
|
|
|
func (efr *echoFlowResponder) SendPacket(dst netip.Addr, pk packet.RawPacket) error {
|
2022-08-18 15:03:47 +00:00
|
|
|
copiedPacket := make([]byte, len(pk.Data))
|
|
|
|
copy(copiedPacket, pk.Data)
|
|
|
|
efr.respChan <- copiedPacket
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-09-02 16:29:50 +00:00
|
|
|
func (efr *echoFlowResponder) Close() error {
|
|
|
|
close(efr.respChan)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-08-18 15:03:47 +00:00
|
|
|
func (efr *echoFlowResponder) validate(t *testing.T, echoReq *packet.ICMP) {
|
|
|
|
pk := <-efr.respChan
|
|
|
|
decoded, err := efr.decoder.Decode(packet.RawPacket{Data: pk})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, decoded.Src, echoReq.Dst)
|
|
|
|
require.Equal(t, decoded.Dst, echoReq.Src)
|
|
|
|
require.Equal(t, echoReq.Protocol, decoded.Protocol)
|
|
|
|
|
|
|
|
require.Equal(t, ipv4.ICMPTypeEchoReply, decoded.Type)
|
|
|
|
require.Equal(t, 0, decoded.Code)
|
|
|
|
require.NotZero(t, decoded.Checksum)
|
2022-08-22 16:41:51 +00:00
|
|
|
require.Equal(t, echoReq.Body, decoded.Body)
|
2022-08-18 15:03:47 +00:00
|
|
|
}
|