#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

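# Shared pf test helpers; pft_init, pft_set_rules, pft_cleanup, vnet_mkepair
# and vnet_mkjail are used below and are expected to come from here.
# The path is quoted so a source directory containing whitespace or glob
# characters cannot be split into several words.
. "$(atf_get_srcdir)/utils.subr"

# Directory holding the helper scripts shared by the netpfil tests
# (pft_ping.py is used by the allow_opts case).
common_dir="$(atf_get_srcdir)/../common"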
atf_test_case "dummynet" "cleanup"
# Metadata for the dummynet case: root is required because the body
# creates a jail and configures network interfaces.
dummynet_head()
{
	atf_set require.user root
	atf_set descr 'Test dummynet with match keyword'
}
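# Verify that a dummynet pipe attached through a 'match' rule rate-limits
# traffic entering the jail, even though the terminal rule is a plain 'pass'.
# Expansions of ${epair} are quoted so the interface name is always passed
# as a single argument.
dummynet_body()
{
	dummynet_init

	# Host side of the epair is 192.0.2.1; the jail 'alcatraz' gets the
	# other end as 192.0.2.2.
	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz "${epair}b"

	ifconfig "${epair}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	# Sanity check: large pings get through before any limit exists.
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2

	# A 30 Byte/s pipe, selected for inbound packets by a 'match' rule
	# rather than by the 'pass' rule itself.
	jexec alcatraz dnctl pipe 1 config bw 30Byte/s
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"match in dnpipe 1" \
		"pass"

	# single ping succeeds just fine
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Saturate the link.  Intentionally not wrapped in atf_check: the
	# exit status of this burst does not matter, only the probe below.
	ping -i .1 -c 5 -s 1200 192.0.2.2

	# We should now be hitting the limits and get this packet dropped.
	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
}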
# Tear down the jail and epair created by dummynet_body via the shared
# pf test cleanup helper.
dummynet_cleanup()
{
	pft_cleanup
}
atf_test_case "quick" "cleanup"
# Metadata for the quick case; root is needed for the jail and
# interface setup done in the body.
quick_head()
{
	atf_set require.user root
	atf_set descr 'Test quick on match rules'
}
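# Verify that 'match ... quick' stops rule evaluation without changing the
# pass/block decision made by the rules before it.  Interface names are
# quoted so they are always passed as a single argument.
quick_body()
{
	pft_init

	# Host side of the epair is 192.0.2.1; the jail 'alcatraz' gets the
	# other end as 192.0.2.2.
	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz "${epair}b"

	ifconfig "${epair}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
		ping -c 1 192.0.2.2

	# 'pass' first, then 'match quick', then 'block': the trailing block
	# must never be reached.
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"pass" \
		"match in quick proto icmp" \
		"block"

	# 'match quick' should retain the previous pass/block state
	atf_check -s exit:0 -o ignore \
		ping -c 1 192.0.2.2

	# Mirror image: 'block' first, so the trailing 'pass' must never be
	# reached and the ping fails.
	pft_set_rules alcatraz \
		"block" \
		"match in quick proto icmp" \
		"pass"

	atf_check -s exit:2 -o ignore \
		ping -c 1 192.0.2.2
}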
# Release the jail and epair created by quick_body through the shared
# pf test cleanup helper.
quick_cleanup()
{
	pft_cleanup
}
atf_test_case "allow_opts" "cleanup"
# Metadata for the allow_opts case.  Besides root (jail and interface
# setup), the body drives pft_ping.py and so needs python3 with scapy.
allow_opts_head()
{
	atf_set require.progs python3 scapy
	atf_set require.user root
	atf_set descr 'Test allowing IP options via match'
}
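# Verify that 'allow-opts' on a 'match' rule lets ICMP carrying an IP
# option (a NOP sent by pft_ping.py) reach the jail, that the same packet
# is rejected once the keyword is removed, and that 'allow-opts' on a
# 'pass' rule keeps working.  Paths and interface names are quoted so
# they are always passed as single arguments.
allow_opts_body()
{
	pft_init

	# Unlike the other cases, the jail owns the 'a' side here: the host
	# sends from ${epair}b (192.0.2.2) towards the jail at 192.0.2.1.
	epair=$(vnet_mkepair)

	ifconfig "${epair}b" 192.0.2.2/24 up

	vnet_mkjail alcatraz "${epair}a"
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	# Raise pf's debug level so drops are logged while the rules apply.
	jexec alcatraz pfctl -e
	jexec alcatraz pfctl -x loud
	pft_set_rules alcatraz \
		"match proto icmp allow-opts" \
		"pass"

	# Sanity check
	atf_check -s exit:0 -o ignore \
		ping -c 1 192.0.2.1

	# ICMP echo with an IP NOP option must get a reply.
	atf_check -s exit:0 -o ignore \
		"${common_dir}/pft_ping.py" \
		--sendif "${epair}b" \
		--to 192.0.2.1 \
		--send-nop \
		--replyif "${epair}b"

	# This doesn't work without 'allow-opts'
	pft_set_rules alcatraz \
		"match proto icmp" \
		"pass"
	atf_check -s exit:1 -o ignore \
		"${common_dir}/pft_ping.py" \
		--sendif "${epair}b" \
		--to 192.0.2.1 \
		--send-nop \
		--replyif "${epair}b"

	# Setting it on a pass rule still works.
	pft_set_rules alcatraz \
		"pass allow-opts"
	atf_check -s exit:0 -o ignore \
		"${common_dir}/pft_ping.py" \
		--sendif "${epair}b" \
		--to 192.0.2.1 \
		--send-nop \
		--replyif "${epair}b"
}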
# Release the jail and epair created by allow_opts_body through the
# shared pf test cleanup helper.
allow_opts_cleanup()
{
	pft_cleanup
}
# Register every test case in this file with ATF.  The order here is the
# order in which the cases are listed and run.
atf_init_test_cases()
{
	atf_add_test_case "dummynet"
	atf_add_test_case "quick"
	atf_add_test_case "allow_opts"
}