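Lines matching the search terms +full:c +full:- +full:states (non-contiguous excerpts from one file; the number at the start of each line appears to be its line number in that file)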
2 # SPDX-License-Identifier: BSD-2-Clause
4 # Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
33 jail=${1:-alcatraz}
34 ip=${2:-192.0.2.2}
36 jexec ${jail} pfctl -ss | grep icmp | grep ${ip}
41 jexec alcatraz pfctl -ss | grep icmp | grep 2001:db8::2
48 atf_set descr 'Test killing states by IPv4 address'
62 jexec alcatraz pfctl -e
69 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
70 --sendif ${epair}a \
71 --to 192.0.2.2 \
72 --replyif ${epair}a
82 jexec alcatraz pfctl -k 192.0.2.3
89 jexec alcatraz pfctl -k 192.0.2.1 -k 192.0.2.3
96 jexec alcatraz pfctl -k 192.0.2.1
111 atf_set descr 'Test killing states by IPv6 address'
125 jexec alcatraz pfctl -e
132 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
133 --sendif ${epair}a \
134 --to 2001:db8::2 \
135 --replyif ${epair}a
145 jexec alcatraz pfctl -k 2001:db8::3
152 jexec alcatraz pfctl -k 2001:db8::1 -k 2001:db8::3
159 jexec alcatraz pfctl -k 2001:db8::1
174 atf_set descr 'Test killing states by label'
188 jexec alcatraz pfctl -e
196 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
197 --sendif ${epair}a \
198 --to 192.0.2.2 \
199 --replyif ${epair}a
209 jexec alcatraz pfctl -k label -k bar
215 # Killing a non-existing label keeps the state
216 jexec alcatraz pfctl -k label -k baz
219 atf_fail "Killing a non-existing label removed the state."
223 jexec alcatraz pfctl -k label -k foo
238 atf_set descr 'Test killing states with multiple labels by label'
252 jexec alcatraz pfctl -e
259 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
260 --sendif ${epair}a \
261 --to 192.0.2.2 \
262 --replyif ${epair}a
272 jexec alcatraz pfctl -k label -k baz
279 jexec alcatraz pfctl -k label -k bar
290 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
291 --sendif ${epair}a \
292 --to 192.0.2.2 \
293 --replyif ${epair}a
303 jexec alcatraz pfctl -k label -k foo
318 atf_set descr 'Test killing states by route-to/reply-to address'
332 jexec alcatraz pfctl -e
335 "pass in reply-to (${epair}b 192.0.2.1) proto icmp" \
341 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
342 --sendif ${epair}a \
343 --to 192.0.2.2 \
344 --replyif ${epair}a
354 jexec alcatraz pfctl -k gateway -k 192.0.2.2
360 # Killing states with the relevant gateway does terminate our state
361 jexec alcatraz pfctl -k gateway -k 192.0.2.1
376 atf_set descr 'Test killing matching states'
385 while ! jexec $jail pfctl -s s | grep $addr >/dev/null;
404 jexec alcatraz pfctl -e
409 jexec singsing /usr/sbin/inetd -p ${PWD}/inetd-echo.pid \
415 "nat on ${epair_two}a from 192.0.2.0/24 -> (${epair_two}a)" \
421 # Expect two states
422 states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l)
423 if [ $states -ne 2 ] ;
425 atf_fail "Expected two states, found $states"
429 jexec alcatraz pfctl -k 192.0.2.1
430 states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l)
431 if [ $states -ne 1 ] ;
433 atf_fail "Expected one states, found $states"
437 jexec alcatraz pfctl -F states
442 # Kill matching states, expect all of them to be gone
443 jexec alcatraz pfctl -M -k 192.0.2.1
444 states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l)
445 if [ $states -ne 0 ] ;
447 atf_fail "Expected zero states, found $states"
459 atf_set descr 'Test killing states based on interface'
473 jexec alcatraz pfctl -e
480 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
481 --sendif ${epair}a \
482 --to 192.0.2.2 \
483 --replyif ${epair}a
492 # Flushing states on a different interface doesn't affect our state
493 jexec alcatraz pfctl -i ${epair}a -Fs
499 # Flushing on the correct interface does (even with floating states)
500 jexec alcatraz pfctl -i ${epair}b -Fs
515 atf_set descr 'Test killing states by id'
529 jexec alcatraz pfctl -e
537 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
538 --sendif ${epair}a \
539 --to 192.0.2.2 \
540 --replyif ${epair}a
550 id=$(jexec alcatraz pfctl -ss -vvv | grep -A 3 icmp |
551 grep -A 3 192.0.2.2 | awk '/id:/ { printf("%s/%s", $2, $4); }')
554 jexec alcatraz pfctl -k id -k 1
561 jexec alcatraz pfctl -k id -k ${id}
576 atf_set descr 'Test killing states by their key'
590 jexec alcatraz pfctl -e
598 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
599 --sendif ${epair}a \
600 --to 192.0.2.2 \
601 --replyif ${epair}a
604 key=$(jexec alcatraz pfctl -ss -vvv | awk '/icmp/ { print($2 " " $3 " " $4 " " $5); }')
608 atf_check -s exit:0 -e "match:killed 0 states" \
609 jexec alcatraz pfctl -k key -k "${bad_key}"
616 atf_check -s exit:0 -e "match:killed 1 states" \
617 jexec alcatraz pfctl -k key -k "${key}"
632 atf_set descr 'Test killing states by their NAT-ed IP address'
645 vnet_mkjail ${j}c ${epair_c}a
646 ifconfig -j ${j}c ${epair_c}a inet 192.0.2.2/24 up
647 jexec ${j}c route add default 192.0.2.1
650 ifconfig -j ${j}srv ${epair_srv}a inet 198.51.100.2/24 up
653 ifconfig -j ${j}r ${epair_c}b inet 192.0.2.1/24 up
654 ifconfig -j ${j}r ${epair_srv}b inet 198.51.100.1/24 up
657 jexec ${j}r pfctl -e
659 "nat on ${epair_srv}b inet from 192.0.2.0/24 to any -> (${epair_srv}b)"
662 atf_check -s exit:0 -o ignore \
663 jexec ${j}c ping -c 1 192.0.2.1
664 atf_check -s exit:0 -o ignore \
665 jexec ${j}srv ping -c 1 198.51.100.1
666 atf_check -s exit:0 -o ignore \
667 jexec ${j}c ping -c 1 198.51.100.2
672 atf_check -s exit:0 -o ignore jexec ${j}c ${common_dir}/pft_ping.py \
673 --sendif ${epair_c}a \
674 --to 198.51.100.1 \
675 --replyif ${epair_c}a
683 # By NAT-ed address?
684 jexec ${j}r pfctl -k nat -k 192.0.2.2
688 jexec ${j}r pfctl -ss -v