freebsd
GitHub Repository: freebsd/freebsd-src
Path: blob/main/tests/sys/netpfil/pf/forward.sh
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2017 Kristof Provost <[email protected]>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
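. "$(atf_get_srcdir)/utils.subr"

# Helpers shared by the netpfil test suites; pft_ping.py is taken from here.
common_dir=$(atf_get_srcdir)/../common

atf_test_case "v4" "cleanup"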
v4_head()
33
{
34
atf_set descr 'Basic forwarding test'
35
atf_set require.user root
36
37
# We need scapy to be installed for out test scripts to work
38
atf_set require.progs python3 scapy
39
}
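v4_body()
{
	# Verify that pf running on a router (the alcatraz jail) decides whether
	# an IPv4 ICMP echo request is forwarded between two epairs.
	pft_init

	# Host side: ${epair_send}a sends, ${epair_recv}a is only sniffed.
	epair_send=$(vnet_mkepair)
	ifconfig "${epair_send}a" 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig "${epair_recv}a" up

	# Router side: the jail owns the b ends of both epairs and forwards
	# between them.
	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_recv}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static ARP entry for the target: no interface in this test carries
	# 198.51.100.3, so the jail could never resolve it on its own.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	# Host route to the far network via the jail.  This touches the host
	# routing table; it is expected to disappear with the epair on cleanup.
	route add -net 198.51.100.0/24 192.0.2.2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a"

	jexec alcatraz pfctl -e

	# Forward with pf enabled: a default block in either direction must
	# stop the forwarded packet.
	pft_set_rules alcatraz "block in"
	atf_check -s exit:1 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a"

	pft_set_rules alcatraz "block out"
	# --recvif spelled out in full, like every other call in this file.
	atf_check -s exit:1 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a"

	# Allow ICMP: an explicit pass rule overrides the default block.
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a"
}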
v4_cleanup() {
	# Undo everything v4_body set up (jail, epairs, rules); see utils.subr.
	pft_cleanup
}
# IPv6 variant of the forwarding test; it registers a cleanup routine too.
atf_test_case "v6" "cleanup"
v6_head()
94
{
95
atf_set descr 'Basic IPv6 forwarding test'
96
atf_set require.user root
97
atf_set require.progs python3 scapy
98
}
v6_body()
{
	# IPv6 twin of v4_body: the alcatraz jail routes between two epairs
	# and pf rules decide whether a forwarded echo request gets through.
	pft_init

	epair_send=$(vnet_mkepair)
	epair_recv=$(vnet_mkepair)

	# Host side: the sender gets an address, the sniffer is only brought up.
	ifconfig "${epair_send}a" inet6 2001:db8:42::1/64 up no_dad -ifdisabled
	ifconfig "${epair_recv}a" up

	# Router side lives in the jail; forwarding has to be switched on there.
	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig "${epair_recv}b" inet6 2001:db8:43::2/64 up no_dad
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
	# Static neighbour entry for the target: no interface in this test
	# carries 2001:db8:43::3, so NDP could never resolve it.
	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
	# Host route to the far network via the jail.
	route add -6 2001:db8:43::/64 2001:db8:42::2

	# Without pf the echo request must show up on the far side.
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 2001:db8:43::3 \
		--recvif "${epair_recv}a"

	jexec alcatraz pfctl -e

	# An inbound block on the echo request type stops forwarding.
	pft_set_rules alcatraz "block in inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 2001:db8:43::3 \
		--recvif "${epair_recv}a"

	# So does an outbound block on the same type (stderr ignored here).
	pft_set_rules alcatraz "block out inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 2001:db8:43::3 \
		--recvif "${epair_recv}a"

	# A default outbound block plus an ICMPv6 pass rule lets it through.
	pft_set_rules alcatraz "block out" "pass out inet6 proto icmp6"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 2001:db8:43::3 \
		--recvif "${epair_recv}a"

	# A pass rule for ICMPv4 (proto icmp) must not match ICMPv6 traffic.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq" "pass in proto icmp"
	atf_check -s exit:1 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 2001:db8:43::3 \
		--recvif "${epair_recv}a"
}
v6_cleanup() {
	# Undo everything v6_body set up (jail, epairs, rules); see utils.subr.
	pft_cleanup
}
atf_init_test_cases()
{
	# Register the IPv4 and IPv6 forwarding cases, in that order.
	local tc
	for tc in v4 v6; do
		atf_add_test_case "$tc"
	done
}