#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Kristof Provost <[email protected]>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

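# Pull in the shared helpers used by every test below (pft_init,
# pft_set_rules, pft_cleanup, vnet_mkepair, vnet_mkjail presumably live
# here). The path is quoted so a source directory containing whitespace
# still resolves to a single word.
. "$(atf_get_srcdir)/utils.subr"
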
# Register the test case; the "cleanup" argument makes ATF run
# pr183198_cleanup after the body, whatever its outcome.
atf_test_case "pr183198" "cleanup"
pr183198_head() {
  # Regression test named after the PR it covers: a table defined in the
  # main ruleset and referenced from a rule inside an anchor.
  atf_set "descr" "Test tables referenced by rules in anchors"
  atf_set "require.user" "root"
}

pr183198_body()
37
{
38
pft_init
39
40
epair=$(vnet_mkepair)
41
vnet_mkjail alcatraz ${epair}b
42
jexec alcatraz pfctl -e
43
44
# Forward with pf enabled
45
pft_set_rules alcatraz \
46
"table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \
47
"block in" \
48
"anchor \"epair\" on ${epair}b { \n\
49
pass in from <test> \n\
50
}"
51
52
atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*'
53
atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show
54
}
55
56
pr183198_cleanup() {
  # Delegate all teardown to the shared helper.
  pft_cleanup
}

# Registered with a cleanup routine so the jail is removed even on failure.
atf_test_case "pr279225" "cleanup"
pr279225_head() {
  # Regression test for PR 279225: longer anchor names must be listed back
  # in full.
  atf_set "descr" "Test that we can retrieve longer anchor names, PR 279225"
  atf_set "require.user" "root"
}

pr279225_body() {
  pft_init

  # No interface is needed: only rule loading and listing are exercised.
  vnet_mkjail alcatraz

  # One nat, one rdr and one filter anchor, each with a longer,
  # slash-separated wildcard name.
  pft_set_rules alcatraz \
    "nat-anchor \"appjail-nat/jail/*\" all" \
    "rdr-anchor \"appjail-rdr/*\" all" \
    "anchor \"appjail/jail/*\" all"

  # Every anchor name must come back untruncated from the recursive
  # listing; nat/rdr anchors are shown by -sn, the filter anchor by -sr.
  atf_check -s exit:0 -o match:"nat-anchor \"appjail-nat/jail/\*\" all \{" \
    jexec alcatraz pfctl -sn -a "*"
  atf_check -s exit:0 -o match:"rdr-anchor \"appjail-rdr/\*\" all \{" \
    jexec alcatraz pfctl -sn -a "*"
  atf_check -s exit:0 -o match:"anchor \"appjail/jail/\*\" all \{" \
    jexec alcatraz pfctl -sr -a "*"
}

pr279225_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "nested_anchor" "cleanup"
nested_anchor_head() {
  # Anchors nested two levels deep must round-trip through load and list.
  atf_set "descr" "Test setting and retrieving nested anchors"
  atf_set "require.user" "root"
}

nested_anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	# Two levels of anchors: "bar" inside "foo", with a single pass rule
	# on the jail's epair interface at the innermost level.
	pft_set_rules alcatraz \
	"anchor \"foo\" { \n\
anchor \"bar\" { \n\
pass on ${epair}a \n\
} \n\
}"

	# NOTE(review): the inline: text is compared verbatim with the pfctl
	# output. If pfctl indents nested anchors when listing them, the
	# leading whitespace inside this string matters, and it may have been
	# lost in this listing -- confirm against real pfctl -sr -a "*" output
	# before editing these lines.
	atf_check -s exit:0 -o inline:"anchor \"foo\" all {
anchor \"bar\" all {
pass on ${epair}a all flags S/SA keep state
}
}
" jexec alcatraz pfctl -sr -a "*"
}

nested_anchor_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "wildcard" "cleanup"
wildcard_head() {
  # A wildcard anchor ("foo/*") must pick up child anchors loaded later.
  atf_set "descr" "Test wildcard anchors for functionality"
  atf_set "require.user" "root"
}

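wildcard_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check: the jail answers before pf is enabled.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	# Block everything; the only way through is a wildcard anchor that
	# has no children yet.
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo/*\""

	# Nothing under foo/* so far, so the block rule wins (ping exits 2).
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1

	# Load a pass rule into a child anchor matched by the wildcard. This
	# load is not wrapped in atf_check; the ping below is what asserts
	# that it took effect.
	echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar"

	# Diagnostic dump of the resulting ruleset (output not asserted).
	jexec alcatraz pfctl -sr -a "*"
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
}
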
wildcard_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "nested_label" "cleanup"
nested_label_head() {
  # Labels defined inside nested anchors must show up in a recursive
  # label listing.
  atf_set "descr" "Test recursive listing of labels"
  atf_set "require.user" "root"
}

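nested_label_body()
{
	pft_init

	vnet_mkjail alcatraz

	# Labels at three depths: inside "foo", inside the nested "bar", and
	# in the main ruleset.
	pft_set_rules alcatraz \
		"anchor \"foo\" { \n\
pass in quick proto icmp label \"passicmp\"\n\
anchor \"bar\" { \n\
pass in proto tcp label \"passtcp\"\n\
} \n\
}" \
		"pass quick from any to any label \"anytoany\""

	# All three labels must appear in the recursive listing with zeroed
	# counters, since no traffic was generated.
	# The anchor argument is quoted: an unquoted -a* is a glob and would
	# expand if a matching file existed in the working directory.
	atf_check -s exit:0 \
		-o inline:"passicmp 0 0 0 0 0 0 0 0
passtcp 0 0 0 0 0 0 0 0
anytoany 0 0 0 0 0 0 0 0
" jexec alcatraz pfctl -sl -a '*'
}
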
nested_label_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# NOTE: a second test case also named "quick" is registered further down
# in this file. sh replaces a function on redefinition, so the later
# quick_head/quick_body/quick_cleanup are the ones that actually run.
atf_test_case "quick" "cleanup"
quick_head() {
  atf_set "descr" "Test handling of quick on anchors"
  atf_set "require.user" "root"
}

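# First of two quick_body definitions in this file; the later one
# replaces it when the file is sourced.
quick_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check: reachable before any rules are loaded.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	# A 'quick' anchor holding a pass rule, followed by a catch-all block.
	pft_set_rules alcatraz \
		"anchor quick {\n\
pass\n\
}" \
		"block"

	# We can still ping because the anchor is 'quick'
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
	# Diagnostic dumps of rules and states (output not asserted).
	jexec alcatraz pfctl -sr -v
	jexec alcatraz pfctl -ss -v
}
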
# First of two quick_cleanup definitions in this file; the later one wins.
quick_cleanup() {
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "quick_nested" "cleanup"
quick_nested_head() {
  # An anchor nested inside a 'quick' anchor must not undo the 'quick'.
  atf_set "descr" "Verify that a nested anchor does not clear quick"
  atf_set "require.user" "root"
}

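quick_nested_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	# The inner, unnamed anchor only blocks tcp; it must not cancel the
	# 'quick' of the enclosing anchor for the icmp echo used below.
	pft_set_rules alcatraz \
		"anchor quick {\n\
pass\n\
anchor {\n\
block proto tcp\n\
}\n\
}" \
		"block"
	# Exit status not asserted here: this ping only generates traffic
	# ahead of the dumps that follow. NOTE(review): if atf-sh runs the
	# body with errexit, a failure here aborts the test before the dumps
	# print -- append '|| true' if that is not intended.
	ping -c 1 192.0.2.1

	# Diagnostic dumps (output not asserted).
	jexec alcatraz pfctl -sr -v
	jexec alcatraz pfctl -ss -v

	# We can still ping because the anchor is 'quick'
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
	jexec alcatraz pfctl -sr -v
	jexec alcatraz pfctl -ss -v
}
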
quick_nested_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "counter" "cleanup"
counter_head() {
  # Per-rule counters on an anchor must reflect the traffic that hit it.
  atf_set "descr" "Test counters on anchors"
  atf_set "require.user" "root"
}

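counter_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"anchor \"foo\" {\n\
pass\n\
}"

	# Generate traffic: a single echo request through the anchor.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
	# NOTE(review): match: takes a regular expression, so the unescaped
	# "[ ... ]" below is a bracket expression (any one of the listed
	# characters), not the literal counter line, and it matches far more
	# output than intended. Confirm the exact spacing pfctl -sr -vv prints
	# before tightening it; escaping the brackets alone may not match.
	atf_check -s exit:0 -e ignore \
		-o match:'[ Evaluations: 1 Packets: 2 Bytes: 168 States: 1 ]' \
		jexec alcatraz pfctl -sr -vv
}
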
counter_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "nat" "cleanup"
nat_head() {
  # nat/rdr rules loaded into children of a wildcard nat-anchor must be
  # listed back correctly.
  atf_set "descr" "Test nested nat anchors"
  atf_set "require.user" "root"
}

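nat_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	# Wildcard nat anchor; the actual nat/rdr rules are loaded into
	# child anchors below.
	pft_set_rules alcatraz \
		"nat-anchor \"foo/*\"" \
		"pass"

	# One nat and one rdr rule, each in its own child of foo/*.
	echo "nat log on ${epair}a inet from 192.0.2.0/24 to any port = 53 -> 192.0.2.1" \
		| jexec alcatraz pfctl -a "foo/bar" -g -f -
	echo "rdr on ${epair}a proto tcp to port echo -> 127.0.0.1 port echo" \
		| jexec alcatraz pfctl -a "foo/baz" -g -f -

	# Diagnostic dumps (output not asserted).
	jexec alcatraz pfctl -sn -a "*"
	jexec alcatraz pfctl -sn -a "foo/bar"
	jexec alcatraz pfctl -sn -a "foo/baz"

	# The recursive listing must show both rules, with port 53 rendered
	# as "domain" and the rdr target port as 7.
	atf_check -s exit:0 -o match:"nat log on ${epair}a inet from 192.0.2.0/24 to any port = domain -> 192.0.2.1" \
		jexec alcatraz pfctl -sn -a "*"
	atf_check -s exit:0 -o match:"rdr on ${epair}a inet proto tcp from any to any port = echo -> 127.0.0.1 port 7" \
		jexec alcatraz pfctl -sn -a "*"
}
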
nat_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "include" "cleanup"
include_head() {
  # An "include" directive inside an anchor body must be honoured.
  atf_set "descr" "Test including inside anchors"
  atf_set "require.user" "root"
}

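include_body()
{
	pft_init

	# Directory that receives the extra rules file; $(...) instead of
	# backticks.
	wd=$(pwd)

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	# The anchor body comes entirely from an included file; the path is
	# quoted in case the working directory contains whitespace.
	echo "pass" > "${wd}/extra.conf"
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo\" {\n\
include \"${wd}/extra.conf\"\n\
}"

	# Diagnostic dump (output not asserted).
	jexec alcatraz pfctl -sr

	# The included pass rule must win over the top-level block.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
}
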
include_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

# Second registration of "quick" in this file. Because sh replaces a
# function on redefinition, this quick_head/quick_body/quick_cleanup
# supersede the earlier definitions above.
atf_test_case "quick" "cleanup"
quick_head() {
  atf_set "descr" "Test quick on anchors"
  atf_set "require.user" "root"
}

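# Second quick_body definition in this file; it replaces the earlier one
# when the file is sourced.
quick_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	# 'quick' on the anchor must stop evaluation at its pass rule, so the
	# trailing block never applies.
	pft_set_rules alcatraz \
		"anchor quick {\n\
pass\n\
}" \
		"block"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
	# Verbose recursive rule dump (output not asserted).
	jexec alcatraz pfctl -sr -vv -a "*"
}
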
# Second quick_cleanup definition in this file; it replaces the earlier one.
quick_cleanup() {
  pft_cleanup
}

# Registered with a cleanup routine.
atf_test_case "recursive_flush" "cleanup"
recursive_flush_head() {
  # Flushing with -a "*" must clear anchor contents, whereas reloading
  # only the main ruleset must leave them alone.
  atf_set "descr" "Test recursive flushing of rules"
  atf_set "require.user" "root"
}

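recursive_flush_body()
{
	pft_init

	epair=$(vnet_mkepair)
	# Interface names quoted; the expansions are single words by intent.
	vnet_mkjail alcatraz "${epair}a"

	ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo\" {\n\
pass\n\
}"

	# We can ping thanks to the pass rule in foo
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	# Only reset the main rules. I.e. not a recursive flush
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo\""

	# "foo" still has the pass rule, so this works
	jexec alcatraz pfctl -a "*" -sr
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	# Now do a recursive flush
	atf_check -s exit:0 -e ignore -o ignore \
		jexec alcatraz pfctl -a "*" -Fr
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo\""

	# So this fails: the anchor is empty again and the block rule applies
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1 \
		|| true
	# (The listing above is diagnostic only; the exit:2 check is the real
	# assertion, repeated here without the no-op guard.)
	jexec alcatraz pfctl -a "*" -sr
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1
}
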
recursive_flush_cleanup() {
  # Shared teardown helper.
  pft_cleanup
}

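# Register every test case with ATF. Each name must match a *_head/*_body
# pair defined above.
atf_init_test_cases()
{
	atf_add_test_case "pr183198"
	atf_add_test_case "pr279225"
	atf_add_test_case "nested_anchor"
	atf_add_test_case "wildcard"
	atf_add_test_case "nested_label"
	# "quick" is defined twice in this file (the later definition wins);
	# it is registered once so the same test case is not added twice.
	atf_add_test_case "quick"
	atf_add_test_case "quick_nested"
	atf_add_test_case "counter"
	atf_add_test_case "nat"
	atf_add_test_case "include"
	atf_add_test_case "recursive_flush"
}
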