check 'update-policy 6to4-self' over IPv6

2025-09-02 07:35:26 +00:00 · 2024-06-07 13:28:48 +10:00
parent b28e5ff721
commit 3b0de4773b
10 changed files with 60 additions and 1 deletions
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@@ -21,6 +21,7 @@
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #       fd92:7065:b8e:fffe::10.53.0.4
 #       2002:0a35:0007::1                       6to4 for 10.53.0.7
 #
 # We also set the MTU on the 1500 bytes to match the default MTU on physical
 # interfaces, so we can properly test the cases with packets bigger than
@@ -241,7 +242,7 @@ sequence() (
 max=11
 case $1 in
  start | up | stop | down)
-    for i in $(sequence 0 3); do
+    for i in $(sequence 0 4); do
      case $i in
        0) ipv6="ff" ;;
        1) ipv6="99" ;;
@@ -261,6 +262,11 @@ case $1 in
            a=
            aaaa=fd92:7065:b8e:fffe::10.53.0.$ns
            ;;
          4)
            [ $ns -ne 1 ] && continue
            a=
            aaaa=2002:0a35:0007::$ns
            ;;
        esac
        case "$1" in
          start | up) up ;;
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -21,6 +21,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.10; };
 	listen-on tls ephemeral { 10.53.0.10; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns5/named.conf.in
+++ b/bin/tests/system/nsupdate/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns6/named.conf.in
+++ b/bin/tests/system/nsupdate/ns6/named.conf.in
@@ -15,10 +15,14 @@ options {
 	query-source address 10.53.0.6;
 	notify-source 10.53.0.6;
 	transfer-source 10.53.0.6;
 	query-source-v6 address fd92:7065:b8e:ffff::6;
 	notify-source-v6 fd92:7065:b8e:ffff::6;
 	transfer-source-v6 fd92:7065:b8e:ffff::6;
 	port @PORT@;
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.6; };
 	listen-on-v6 { fd92:7065:b8e:ffff::6; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns7/named1.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns7/named2.conf.in
+++ b/bin/tests/system/nsupdate/ns7/named2.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.7; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.8; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -19,6 +19,7 @@ options {
 	pid-file "named.pid";
 	session-keyfile "session.key";
 	listen-on { 10.53.0.9; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 	minimal-responses no;
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -801,6 +801,48 @@ if test $ret -ne 0; then
  status=1
 fi
 n=$((n + 1))
 ret=0
 echo_i "check that 'update-policy 6to4-self' refuses update of records via UDP over IPv6 ($n)"
 REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
 $NSUPDATE >nsupdate.out.$n 2>&1 <<END && ret=1
 server fd92:7065:b8e:ffff::6 ${PORT}
 local 2002:a35:7::1
 zone 2.0.0.2.ip6.arpa
 update add ${REVERSE_NAME} 600 NS localhost.
 send
 END
 grep REFUSED nsupdate.out.$n >/dev/null 2>&1 || ret=1
 $DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
  $REVERSE_NAME NS >dig.out.ns6.$n
 grep localhost. dig.out.ns6.$n >/dev/null 2>&1 && ret=1
 if test $ret -ne 0; then
  echo_i "failed"
  status=1
 fi
 n=$((n + 1))
 echo_i "check that 'update-policy 6to4-self' permits update of records for the client's own address via TCP over IPv6 ($n)"
 ret=0
 REVERSE_NAME=7.0.0.0.5.3.a.0.2.0.0.2.ip6.arpa
 $NSUPDATE -v >nsupdate.out.$n 2>&1 <<END || ret=1
 server fd92:7065:b8e:ffff::6 ${PORT}
 local 2002:a35:7::1
 zone 2.0.0.2.ip6.arpa
 update add ${REVERSE_NAME} 600 NS localhost.
 send
 END
 grep REFUSED nsupdate.out.$n >/dev/null 2>&1 && ret=1
 $DIG $DIGOPTS @fd92:7065:b8e:ffff::6 \
  +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
  $REVERSE_NAME NS >dig.out.ns6.$n || ret=1
 grep localhost. dig.out.ns6.$n >/dev/null 2>&1 || ret=1
 if test $ret -ne 0; then
  echo_i "failed"
  status=1
 fi
 n=$((n + 1))
 ret=0
 echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
--- a/bin/tests/system/org.isc.bind.system
+++ b/bin/tests/system/org.isc.bind.system
@@ -28,3 +28,4 @@ do
 	ifup 2 00 $ns
 done
 /sbin/ifconfig lo0 inet6 fd92:7065:b8e:fffe::10.53.0.4 alias
 /sbin/ifconfig lo0 inet6 2002:a35:7::1 alias