System test for PROXYv2

This commit adds a system test suite for PROXYv2. The idea on which it
is based is simple:

1. Firstly we check that 'allow-proxy' and 'allow-proxy-on' (whatever
is using the new 'isc_nmhandle_real_localaddr/peeraddr()') do what
they intended to do.

2. Anything else that needs an interface or peer address (ACL
functionality, for example) is using the old
'isc_nmhandle_localaddr/peeraddr()' - which are now returning
addresses received via PROXY (if any) instead of the real connection
addresses. The beauty of it that we DO NOT need to verify every bit of
the code relying on these functions: whatever works in one place will
work everywhere else, as these were the only functions that allowed
any higher level code to get peer and interface addresses.

This way it is relatively easy to see if PROXYv2 works as intended.

bin/tests/system/proxy/clean.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./*/example.db
+rm -rf ./headers.*

bin/tests/system/proxy/ns1/named.conf.in

@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic test
+	listen-on port @PORT@ { 10.53.0.1; };
+
+	listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.1; };
+	listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.2; };
+	listen-on port @TLSPORT@ proxy encrypted tls self-signed { 10.53.0.1; };
+	listen-on port @EXTRAPORT2@ proxy plain tls self-signed { 10.53.0.1; };
+	listen-on port @HTTPSPORT@ proxy encrypted tls self-signed http default { 10.53.0.1; };
+	listen-on port @EXTRAPORT3@ proxy plain tls self-signed http default { 10.53.0.1; };
+	listen-on port @HTTPPORT@ proxy plain tls none http default { 10.53.0.1; };
+
+	listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::2; };
+	listen-on-v6 port @TLSPORT@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::1; };
+	listen-on-v6 port @EXTRAPORT2@ proxy plain tls self-signed { fd92:7065:b8e:ffff::1; };
+	listen-on-v6 port @HTTPSPORT@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::1; };
+	listen-on-v6 port @EXTRAPORT3@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::1; };
+	listen-on-v6 port @HTTPPORT@ proxy plain tls none http default { fd92:7065:b8e:ffff::1; };
+
+	allow-proxy { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+};
+
+zone "example0" {
+	type primary;
+	file "example.db";
+	allow-query { any; };
+};
+
+zone "example1" {
+	type primary;
+	file "example.db";
+	allow-query { 1.2.3.4; fd0f:99d3:98a7::1234; };
+	allow-query-on { 4.3.2.1; fd0f:99d3:98a7::4321; }; # note, we are *not* listening on the interface
+};
+
+zone "example2" {
+	type primary;
+	file "example.db";
+	# allow the real addresses only so that we can test LOCAL requests
+	allow-query { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+	allow-query-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+# Let's define some zones that will help us verify that ports
+# information from PROXY headers is used. Please note that we are NOT
+# listening on the ports used.
+zone "example-proxy-do53" {
+	type primary;
+	file "example.db";
+	allow-transfer port 53 transport tcp { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+zone "example-proxy-encrypted-dot" {
+	type primary;
+	file "example.db";
+	allow-transfer port 853 transport tls { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+zone "example-proxy-plain-dot" {
+	type primary;
+	file "example.db";
+	allow-transfer port 853 transport tls { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+# Now let's make something similar, but for LOCAL PROXY requests (when
+# real ports and addresses are used)
+zone "example-proxy-local-do53" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT1@ transport tcp { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};
+
+zone "example-proxy-local-encrypted-dot" {
+	type primary;
+	file "example.db";
+	allow-transfer port @TLSPORT@ transport tls { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};
+
+zone "example-proxy-local-plain-dot" {
+	type primary;
+	file "example.db";
+	allow-transfer port @EXTRAPORT2@ transport tls { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};

bin/tests/system/proxy/ns3/named.conf.in

@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic test
+	listen-on port @PORT@ { 10.53.0.3; };
+
+	listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.3; };
+	listen-on port @TLSPORT@ proxy encrypted tls self-signed { 10.53.0.3; };
+	listen-on port @EXTRAPORT2@ proxy plain tls self-signed { 10.53.0.3; };
+	listen-on port @HTTPSPORT@ proxy encrypted tls self-signed http default { 10.53.0.3; };
+	listen-on port @EXTRAPORT3@ proxy plain tls self-signed http default { 10.53.0.3; };
+	listen-on port @HTTPPORT@ proxy plain tls none http default { 10.53.0.3; };
+
+	listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 port @TLSPORT@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 port @EXTRAPORT2@ proxy plain tls self-signed { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 port @HTTPSPORT@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 port @EXTRAPORT3@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::3; };
+	listen-on-v6 port @HTTPPORT@ proxy plain tls none http default { fd92:7065:b8e:ffff::3; };
+
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-query { any; };
+};

bin/tests/system/proxy/prereq.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --with-libnghttp2 || {
+  echo_i "This test requires libnghttp2 support." >&2
+  exit 255
+}
+
+exit 0

bin/tests/system/proxy/self-signed-cert.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWDCCAf+gAwIBAgIUXudNo4NQ7lRM1xFFJ4ugVtyCzKgwCgYIKoZIzj0EAwIw
+gYExCzAJBgNVBAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNV
+BAcMB0toYXJraXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1
+bTEgMB4GA1UEAwwXc2VsZi5zaWduZWQuZXhhbXBsZS5jb20wHhcNMjMxMTE3MTU1
+NjI3WhcNNDQwNTMwMTU1NjI3WjCBgTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0to
+YXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJu
+ZXQgU3lzdGVtcyBDb25zb3J0aXVtMSAwHgYDVQQDDBdzZWxmLnNpZ25lZC5leGFt
+cGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNWscxXohNTBjcW4rhKD
+ZbLi7IqI7WYe5lOS1CrukfYJuMM1+qjYnzO6Wg5qTwin/Cvr4/GTm95I64nZLPQz
+CxajUzBRMB0GA1UdDgQWBBSnOr8xGlELdrcmyDIw9scsqn4UYjAfBgNVHSMEGDAW
+gBSnOr8xGlELdrcmyDIw9scsqn4UYjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
+BAMCA0cAMEQCIG0OgexHV7bl/ZHd3Rn0VAudCHC7b1W2Sr6q+7kspLfhAiBemkVD
+POeoih/7KT3yn8j90+WWVlzV+mpom3eaVkjjog==
+-----END CERTIFICATE-----

bin/tests/system/proxy/self-signed-key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHwX7CofJJGLEG6evl6h9WSmZ1q1HAOO+SKgvMiqCFcXoAoGCCqGSM49
+AwEHoUQDQgAE1axzFeiE1MGNxbiuEoNlsuLsiojtZh7mU5LUKu6R9gm4wzX6qNif
+M7paDmpPCKf8K+vj8ZOb3kjridks9DMLFg==
+-----END EC PRIVATE KEY-----

bin/tests/system/proxy/setup.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+$SHELL clean.sh
+
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns3/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf

bin/tests/system/proxy/tests.sh

@@ -0,0 +1,253 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+dig_out_basename="dig.out.test"
+testing="PROXY test"
+fail_regex='(^(; EDE: 18 \(Prohibited\))|(; Transfer failed\.$))'
+
+dig_with_opts() {
+  # shellcheck disable=SC2086
+  "$DIG" +noadd +nosea +nostat +noquest +nocmd +tries=1 "$@"
+}
+
+status=0
+n=0
+
+run_dig_test() {
+  test_message="$1"
+  shift
+  n=$((n + 1))
+  echo_i "$test_message ($n)"
+  ret=0
+  dig_failed=0
+  dig_with_opts "$@" >"$dig_out_basename$n" || dig_failed=1
+}
+
+run_dig_test_expect_success() {
+  run_dig_test "$@"
+  if [ $dig_failed != 0 ]; then
+    ret=1
+  elif ! [ -s "$dig_out_basename$n" ]; then
+    ret=1
+  else
+    grep -E "$fail_regex" "$dig_out_basename$n" >/dev/null && ret=1
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+}
+
+run_dig_test_expect_failure() {
+  run_dig_test "$@"
+  if [ $dig_failed -eq 0 ] && [ -s "$dig_out_basename$n" ]; then
+    grep -E "$fail_regex" "$dig_out_basename$n" >/dev/null || ret=1
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+}
+
+run_dig_multitest_expect_success() {
+  message="$1"
+  shift
+  proxy_addrs="$1"
+  shift
+  run_dig_test_expect_success "$message (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain "+proxy=$proxy_addrs" "$@"
+}
+
+run_dig_multitest_expect_failure() {
+  message="$1"
+  shift
+  proxy_addrs="$1"
+  shift
+  run_dig_test_expect_failure "$message (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain "+proxy=$proxy_addrs" "$@"
+}
+
+# generic tests
+
+# Bind to the IP address that is allowed to send PROXYv2
+run_dig_test_expect_success "$testing: allow-proxy expect success (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain +proxy NS example0
+
+run_dig_test_expect_success "$testing: allow-proxy expect success (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain +proxy NS example0
+
+# Bind to the IP address that is not allowed to send PROXYv2
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.11 @10.53.0.1 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.11 @10.53.0.1 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.11 @10.53.0.1 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.11 @10.53.0.1 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.11 @10.53.0.1 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.11 @10.53.0.1 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTP)" -p "${HTTPPORT}" -b 10.53.0.11 @10.53.0.1 +http-plain +proxy NS example0
+
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +http-plain +proxy NS example0
+
+# Send a query to the interface that is not allowed to accept PROXYv2
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.2 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.2 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.2 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.2 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.2 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.2 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.2 +http-plain +proxy NS example0
+
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +http-plain +proxy NS example0
+
+## Now let's check if the addresses passed via PROXYv2 are getting used by BIND9.
+run_dig_multitest_expect_success "check if IPv4 addresses are getting passed and accepted" "1.2.3.4-4.3.2.1" NS example1
+run_dig_multitest_expect_success "check if IPv6 addresses are getting passed and accepted" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and rejected" "4.4.4.4-5.5.5.5" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and rejected" "fd0f:99d3:98a7::4444-fd0f:99d3:98a7::5555" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and an unexpected source address is getting rejected" "4.4.4.4-4.3.2.1" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and an unexpected source address is getting rejected" "fd0f:99d3:98a7::4444-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and an unexpected destination address is getting rejected" "1.2.3.4-5.5.5.5" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and an unexpected destination address is getting rejected" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::5.5.5.5" NS example1
+
+## Let's check if the real addresses are used by BIND9 for LOCAL requests
+run_dig_multitest_expect_success "check if LOCAL PROXYv2 headers are accepted and real connection addresses are used" "" NS example2
+
+## Let's check if BIND9 does not like suspicious PROXY headers with zeroed addresses or destination ports
+run_dig_multitest_expect_failure "check if port 0 is not accepted when used in the destination IPv4 address" "1.2.3.4-4.3.2.1#0" NS example1
+run_dig_multitest_expect_failure "check if port 0 is not accepted when used in the destination IPv6 address" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#0" NS example1
+
+run_dig_multitest_expect_failure "check if \"0.0.0.0\" is not accepted as a source address" "0.0.0.0-4.3.2.1" NS example1
+run_dig_multitest_expect_failure "check if \"::\" is not accepted as a source address" "::-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if \"0.0.0.0\" is not accepted as a destination address" "1.2.3.4-0.0.0.0" NS example1
+run_dig_multitest_expect_failure "check if \"::\" is not accepted as a destination address" "fd0f:99d3:98a7::1234-::" NS example1
+
+# Let's verify that ports information from PROXY headers is being used by BIND
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="1.2.3.4-4.3.2.1#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="1.2.3.4-4.3.2.1#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="1.2.3.4-4.3.2.1#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="1.2.3.4-4.3.2.1#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="1.2.3.4-4.3.2.1#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="1.2.3.4-4.3.2.1#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-plain-dot
+
+# Let's use a wrong ports to see if BIND will reject the queries (as it should)
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-plain-dot
+
+# Now let's make something similar, but for LOCAL PROXY requests
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+# verify that by default PROXYv2 is not accepted
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.3 +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.3 +tcp +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.3 +https +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.3 +https +proxy-plain NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.3 +https +proxy NS example
+
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tcp +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy-plain NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy NS example
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

bin/tests/system/proxy/tests_sh_proxy.py

@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_proxy(run_tests_sh):
+    run_tests_sh()