1
#
2
# Copyright (c) 2026 Boris Lytochkin
3
#
4
# SPDX-License-Identifier: BSD-2-Clause
5
#
6

7
common_dir="$(atf_get_srcdir)/../common"
8
. ${common_dir}/utils.subr
9

10
NC="nc -w 1 -dnN"
11

12
setup_network_v6()
13
{
14
	epair="$1"
15

16
	ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
17

18
	vnet_mkjail alcatraz ${epair}b
19

20
	ifconfig -j alcatraz ${epair}b inet6 2001:db8:42::2/64 up no_dad -ifdisabled
21

22
	jexec alcatraz /usr/sbin/inetd -p /dev/null $(atf_get_srcdir)/lookup_inetd.conf
23

24
	# Sanity checks
25
	atf_check -s exit:0 -o ignore ping6 -i .1 -c 3 -s 1200 2001:db8:42::2
26
	atf_check -o "inline:GOOD 82\n" ${NC} 2001:db8:42::2 82
27
}
28

29
atf_test_case "ipv6fl" "cleanup"
30

31
ipv6fl_head()
32
{
33
	atf_set descr 'flow-id test'
34
	atf_set require.user root
35
	atf_set require.progs python3 scapy
36
}
37

38
ipv6fl_body()
39
{
40

41
        firewall_init "ipfw"
42

43
        epair=$(vnet_mkepair)
44

45
        setup_network_v6 ${epair}
46

47
	# Check if the firewall is able to match exact IPv6 flow label
48
	firewall_config "alcatraz" ipfw ipfw \
49
			"ipfw -q add 100 allow ip6 from any to any flow-id 0xbaad" \
50
			"ipfw -q add 200 deny ipv6-icmp from any to any icmp6types 128 in"
51

52
	# Check Flow Label matches
53
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
54
		--sendif ${epair}a \
55
		--fromaddr 2001:db8:42::1 \
56
		--to 2001:db8:42::2 \
57
		--send-fl $((0xbaad)) \
58
		--replyif ${epair}a
59

60
	# Check Flow Label mismatch
61
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
62
		--sendif ${epair}a \
63
		--fromaddr 2001:db8:42::1 \
64
		--to 2001:db8:42::2 \
65
		--send-fl $((0xf001)) \
66
		--replyif ${epair}a
67

68
}
69

70
ipv6fl_cleanup()
71
{
72
	firewall_cleanup $1
73
}
74

75
atf_init_test_cases()
76
{
77
	atf_add_test_case "ipv6fl"
78
}
79

80