testing

in this testing, a socket is crafted in kernel to listen on any address( all interfaces) and port 65000 which is ideal for testing

to test,
run : npfctl debug -c $dir_to_npftest.conf -o ./npf.plist
npftest -c ./npf.plist -T guid -v

Author: Emmankoko

sys/net/npf/npf_handler.c

@@ -251,7 +251,8 @@ npfk_packet_handler(npf_t *npf, struct mbuf **mp, ifnet_t *ifp, int di)
 		error = npf_rule_reverse(&npc, &mi, error);
 	}
 
-	if (error) {
+	/* reject packets whose addr-port pair matches no sockets  */
+	if (id_match == ENOTCONN || error) {
 		npf_stats_inc(npf, NPF_STAT_BLOCK_RULESET);
 		goto block;
 	}

sys/net/npf/npf_ruleset.c

@@ -1013,7 +1013,7 @@ int
 npf_rule_match_rid(npf_rule_t *rl, npf_cache_t *npc, int dir)
 {
 	uint32_t sock_gid, sock_uid;
-	int matched = 0;
+	bool uid_matched = false, gid_matched = false;
 
 	if (rl->gid.op == NPF_OP_NONE && rl->uid.op == NPF_OP_NONE)
 		return -1; /* quickly return if packet has nothing to do with rids */
@@ -1025,16 +1025,20 @@ npf_rule_match_rid(npf_rule_t *rl, npf_cache_t *npc, int dir)
 		if (npf_socket_lookup_rid(npc, kauth_cred_getegid, &sock_gid, dir) == -1)
 			return ENOTCONN;
 
-		matched |= npf_match_rid(&rl->gid, sock_gid);
+		gid_matched = npf_match_rid(&rl->gid, sock_gid);
 	}
 	if (rl->uid.op != NPF_OP_NONE) {
 		if (npf_socket_lookup_rid(npc, kauth_cred_geteuid, &sock_uid, dir) == -1)
 			return ENOTCONN;
 
-		matched |= npf_match_rid(&rl->uid, sock_uid);
+		uid_matched = npf_match_rid(&rl->uid, sock_uid);
 	}
 
-	return matched;
+	/* if both uid and gid are set on rule, both must be matching to agree */
+	if (rl->gid.op && rl->uid.op)
+		return gid_matched && uid_matched;
+	else
+		return gid_matched || uid_matched;
 }
 
 /*

usr.sbin/npf/npftest/Makefile

@@ -18,7 +18,7 @@ DPADD+=		${LIBNPFTEST}/libnpftest.a
 LDADD+=		-L${LIBNPFTEST} -lnpftest
 
 LDADD+=		-lrump -lrumpvfs_nofifofs -lrumpvfs -lrumpuser
-LDADD+=		-lrumpnet -lrumpnet_net	-lrumpdev_bpf
+LDADD+=		-lrumpnet -lrumpnet_net	-lrumpdev_bpf -lrumpnet_netinet
 
 .if ${RUMP_SANITIZE:Uno} != "no"
 LDADD+=	-fsanitize=${RUMP_SANITIZE}

usr.sbin/npf/npftest/libnpftest/Makefile

@@ -18,6 +18,7 @@ SRCS+=		npf_gc_test.c
 SRCS+=		npf_state_test.c
 SRCS+=		npf_rule_test.c
 SRCS+=		npf_nat_test.c
+SRCS+=		npf_rid_test.c
 
 SRCS+=		npf_perf_test.c
 

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c

@@ -0,0 +1,271 @@
+/*
+* NPF ruleset tests.
+*
+* Public Domain.
+*/
+
+#ifdef _KERNEL
+#include <sys/types.h>
+#endif
+
+#include "npf_impl.h"
+#include "npf_test.h"
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/kauth.h>
+#include <sys/socketvar.h>
+#include <sys/lwp.h>
+#include <sys/cpu.h>
+
+#define	RESULT_PASS	0
+#define	RESULT_BLOCK	ENETUNREACH
+
+/* this port number suitable for testing */
+#define REMOTE_PORT	65500
+#define LOCAL_PORT	65000
+#define LOCAL_IP	"127.0.0.1"
+#define REMOTE_IP	LOCAL_IP
+
+static const struct test_case {
+	int		af;
+	const char *	src;
+	uint16_t	sport;
+	const char *	dst;
+	uint16_t	dport;
+	uint32_t	uid;
+	uint32_t	gid;
+	const char *	ifname;
+	int		di;
+	int 	ret;
+	int 	stateful_ret;
+} test_cases[] = {
+	{
+		/* pass in final from $local_ip4 user $Kojo = 1001 group $wheel = 20 */
+		.af = AF_INET,
+		.src = "10.1.1.4",			.sport = 9000,
+		.dst = LOCAL_IP,			.dport = LOCAL_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_IN,
+		.uid = 1001,				.gid = 20, /* matches so pass it */
+		.ret = RESULT_PASS,			.stateful_ret = RESULT_PASS
+	},
+	{
+		/* connect on different UID and block */
+		.af = AF_INET,
+		.src = "10.1.1.4",			.sport = 9000,
+		.dst = LOCAL_IP,			.dport = LOCAL_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_IN,
+		.uid = 1001,				.gid = 10, /* mismatch gid so block it */
+		.ret = RESULT_BLOCK,			.stateful_ret = RESULT_BLOCK
+	},
+	{
+		.af = AF_INET,
+		.src = "10.1.1.4",			.sport = 9000,
+		.dst = LOCAL_IP,			.dport = LOCAL_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_IN,
+		.uid = 100,				.gid = 20, /* mismatch uid so block it */
+		.ret = RESULT_BLOCK,			.stateful_ret = RESULT_BLOCK
+	},
+
+
+	/* block out final to 127.0.0.1 user > $Kojo( > 1001) group 1 >< $wheel( IRG 1 >< 20) */
+	{
+		.af = AF_INET,
+		.src = LOCAL_IP,			.sport = LOCAL_PORT,
+		.dst = REMOTE_IP,			.dport = REMOTE_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_OUT,
+		.uid = 1005,				.gid = 14, /* matches so blocks it */
+		.ret = RESULT_BLOCK,			.stateful_ret = RESULT_BLOCK
+	},
+	{
+		.af = AF_INET,
+		.src = LOCAL_IP,			.sport = LOCAL_PORT,
+		.dst = REMOTE_IP,			.dport = REMOTE_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_OUT,
+		.uid = 1005,				.gid = 30, /* mismatch gid so pass it */
+		.ret = RESULT_PASS,			.stateful_ret = RESULT_PASS
+	},
+	{
+		.af = AF_INET,
+		.src = LOCAL_IP,			.sport = LOCAL_PORT,
+		.dst = REMOTE_IP,			.dport = REMOTE_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_OUT,
+		.uid = 100,				.gid = 15, /* mismatch uid so pass it */
+		.ret = RESULT_PASS,			.stateful_ret = RESULT_PASS
+	},
+	{
+		.af = AF_INET,
+		.src = LOCAL_IP,			.sport = LOCAL_PORT,
+		.dst = REMOTE_IP,			.dport = REMOTE_PORT,
+		.ifname = IFNAME_EXT,			.di = PFIL_OUT,
+		.uid = 1010,				.gid = 11, /* matches so blocks it */
+		.ret = RESULT_BLOCK,			.stateful_ret = RESULT_BLOCK
+	},
+};
+
+static int
+run_raw_testcase(unsigned i, bool verbose)
+{
+	const struct test_case *t = &test_cases[i];
+	npf_t *npf = npf_getkernctx();
+	npf_cache_t *npc;
+	struct mbuf *m;
+	npf_rule_t *rl;
+	int slock, error;
+
+	m = mbuf_get_pkt(t->af, IPPROTO_UDP, t->src, t->dst, t->sport, t->dport);
+	npc = get_cached_pkt(m, t->ifname);
+
+	slock = npf_config_read_enter(npf);
+	rl = npf_ruleset_inspect(npc, npf_config_ruleset(npf), t->di, NPF_LAYER_3);
+	if (rl) {
+		npf_match_info_t mi;
+		int id_match;
+
+		id_match = npf_rule_match_rid(rl, npc, t->di);
+		error = npf_rule_conclude(rl, &mi);
+		if (verbose)
+			printf("id match is ...%d\n", id_match);
+		if (id_match != -1 && !id_match) {
+			error = npf_rule_reverse(npc, &mi, error);
+		}
+
+	} else {
+		error = ENOENT;
+	}
+	npf_config_read_exit(npf, slock);
+
+	put_cached_pkt(npc);
+	return error;
+}
+
+static int
+run_handler_testcase(unsigned i)
+{
+	const struct test_case *t = &test_cases[i];
+	ifnet_t *ifp = npf_test_getif(t->ifname);
+	npf_t *npf = npf_getkernctx();
+	struct mbuf *m;
+	int error;
+
+	m = mbuf_get_pkt(t->af, IPPROTO_UDP, t->src, t->dst, t->sport, t->dport);
+	error = npfk_packet_handler(npf, &m, ifp, t->di);
+	if (m) {
+		m_freem(m);
+	}
+	return error;
+}
+
+/*
+ * we create our specific server socket here which listens on
+ * loopback address and port 65000. easier to test pcb lookup here since
+ * it will be loaded into the protocol table.
+ */
+static struct socket *
+test_socket(int dir, uid_t uid, gid_t gid)
+{
+	struct sockaddr_in server;
+	struct lwp *cur = curlwp;
+	void *p, *rp;
+
+	memset(&Server, 0, sizeof(server));
+
+	server.sin_len = sizeof(server);
+	server.sin_family = AF_INET;
+	p = &server.sin_addr.s_addr;
+	npf_inet_pton(AF_INET, LOCAL_IP, p); /* we bind to 127.0.0.1 */
+	server.sin_port = htons(LOCAL_PORT);
+
+	struct socket *so;
+	int error = socreate(AF_INET, &so, SOCK_DGRAM, 0, cur, NULL);
+	if (error) {
+		printf("socket creation failed: error is %d\n", error);
+		return NULL;
+	}
+
+	solock(so);
+
+	kauth_cred_t cred = kauth_cred_alloc();
+	kauth_cred_seteuid(cred, uid);
+	kauth_cred_setegid(cred, gid);
+
+	kauth_cred_t old = so->so_cred;
+	so->so_cred = kauth_cred_dup(cred);
+	kauth_cred_free(old);
+
+	sounlock(so);
+
+	if ((error = sobind(so, (struct sockaddr *)&server, cur)) != 0) {
+		printf("bind failed %d\n", error);
+		return NULL;
+	}
+
+	if (dir == PFIL_OUT) {
+		/* connect to an additional remote address to set the 4 tuple addr-port state */
+		struct sockaddr_in remote;
+		memset(&Remote, 0, sizeof(remote));
+
+		remote.sin_len = sizeof(remote);
+		remote.sin_family = AF_INET;
+		rp = &remote.sin_addr.s_addr;
+		npf_inet_pton(AF_INET, REMOTE_IP, rp); /* we connect to 127.0.0.1 */
+		remote.sin_port = htons(REMOTE_PORT);
+
+		solock(so);
+		if ((error = soconnect(so, (struct sockaddr *)&remote, cur)) != 0) {
+			printf("connect failed :%d\n", error);
+			return NULL;
+		}
+		sounlock(so);
+	}
+
+	return so;
+}
+
+static bool
+test_static(bool verbose)
+{
+	for (size_t i = 0; i < __arraycount(test_cases); i++) {
+		const struct test_case *t = &test_cases[i];
+		int error, serror;
+		struct socket *so;
+
+		so = test_socket(t->di, t->uid, t->gid);
+		if (so == NULL) {
+			printf("socket:\n");
+			return false;
+		}
+
+		if (npf_test_getif(t->ifname) == NULL) {
+			printf("Interface %s is not configured.\n", t->ifname);
+			return false;
+		}
+
+		error = run_raw_testcase(i, verbose);
+		serror = run_handler_testcase(i);
+
+		if (verbose) {
+			printf("rule test %d:\texpected %d (stateful) and %d\n"
+			    "\t\t-> returned %d and %d\n",
+			    i + 1, t->stateful_ret, t->ret, serror, error);
+		}
+		CHECK_TRUE(error == t->ret);
+		CHECK_TRUE(serror == t->stateful_ret)
+
+		soclose(so);
+	}
+	return true;
+}
+
+bool
+npf_guid_test(bool verbose)
+{
+	soinit1();
+
+	bool ok;
+
+	ok = test_static(verbose);
+	CHECK_TRUE(ok);
+
+	return true;
+}

usr.sbin/npf/npftest/libnpftest/npf_rule_test.c

@@ -190,7 +190,6 @@ static const struct test_case {
 		.ifname = IFNAME_INT,		.di = PFIL_OUT,
 		.stateful_ret = RESULT_BLOCK,	.ret = RESULT_BLOCK
 	},
-
 };
 
 static int

usr.sbin/npf/npftest/libnpftest/npf_test.h

@@ -121,6 +121,7 @@ bool		npf_table_test(bool, void *, size_t);
 bool		npf_state_test(bool);
 
 bool		npf_rule_test(bool);
+bool 		npf_guid_test(bool);
 bool		npf_nat_test(bool);
 bool		npf_gc_test(bool);
 

usr.sbin/npf/npftest/npftest.c

@@ -66,7 +66,8 @@ describe_tests(void)
 		"state\tstate handling and processing\n"
 		"gc\tconnection G/C\n"
 		"rule\trule processing\n"
-		"nat\tNAT rule processing\n");
+		"nat\tNAT rule processing\n"
+		"guid\tUser/group filtering\n");
 	exit(EXIT_SUCCESS);
 }
 
@@ -323,6 +324,12 @@ main(int argc, char **argv)
 			tname_matched = true;
 		}
 
+		if (!testname || strcmp("guid", testname) == 0) {
+			ok = rumpns_npf_guid_test(verbose);
+			fail |= result("guid", ok);
+			tname_matched = true;
+		}
+
 		if (!testname || strcmp("nat", testname) == 0) {
 			srandom(1);
 			ok = rumpns_npf_nat_test(verbose);

usr.sbin/npf/npftest/npftest.conf

@@ -18,6 +18,8 @@ $local_ip1 = 10.1.1.1
 $local_ip2 = 10.1.1.2
 $local_ip3 = 10.1.1.3
 $local_ip4 = 10.1.1.4
+$Kojo = 1001
+$wheel = 20
 
 $local_net = { 10.1.1.0/24 }
 $ports = { 8000, 9000 }
@@ -44,6 +46,8 @@ map ruleset "map:some-daemon" on $ext_if
 group "ext" on $ext_if {
 	pass out final from $local_ip3
 	pass in final to $pub_ip3
+	pass in final from $local_ip4 user $Kojo group $wheel
+	block out final to 127.0.0.1 user > $Kojo group 1 >< $wheel
 
 	pass out final from $net6_inner
 	pass in final to $net6_outer