Lines Matching +full:set +full:- +full:up
2 # SPDX-License-Identifier: BSD-2-Clause
34 atf_set descr 'Basic route-to test'
43 ifconfig ${epair_send}a 192.0.2.1/24 up
45 ifconfig ${epair_route}a 203.0.113.1/24 up
48 jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
49 jexec alcatraz ifconfig ${epair_route}b 203.0.113.2/24 up
50 jexec alcatraz route add -net 198.51.100.0/24 192.0.2.1
51 jexec alcatraz pfctl -e
55 "pass out route-to (${epair_route}b 203.0.113.1) from 192.0.2.2 to 198.51.100.1 no state"
56 jexec alcatraz nc -w 3 -s 192.0.2.2 198.51.100.1 22
70 atf_set descr 'Basic route-to test (IPv6)'
79 ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
81 ifconfig ${epair_route}a inet6 2001:db8:43::1/64 up no_dad -ifdisabled
84 jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
85 jexec alcatraz ifconfig ${epair_route}b inet6 2001:db8:43::2/64 up no_dad
86 jexec alcatraz route add -6 2001:db8:666::/64 2001:db8:42::2
87 jexec alcatraz pfctl -e
91 …"pass out route-to (${epair_route}b 2001:db8:43::1) from 2001:db8:42::2 to 2001:db8:666::1 no stat…
92 jexec alcatraz nc -6 -w 3 -s 2001:db8:42::2 2001:db8:666::1 22
106 atf_set descr 'Multi-WAN redirection / reply-to test'
126 jexec wan_one ifconfig ${epair_one}a 192.0.2.1/24 up
128 jexec srv ifconfig ${epair_one}b 192.0.2.2/24 up
133 jexec wan_two ifconfig ${epair_two}a 198.51.100.1/24 up
135 jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
138 jexec srv ifconfig lo0 127.0.0.1/8 up
143 jexec srv /usr/sbin/inetd -p ${PWD}/multiwan.pid $(atf_get_srcdir)/echo_inetd.conf
145 jexec srv pfctl -e
147 "nat on ${epair_one}b inet from 127.0.0.0/8 to any -> (${epair_one}b)" \
148 "nat on ${epair_two}b inet from 127.0.0.0/8 to any -> (${epair_two}b)" \
149 "rdr on ${epair_one}b inet proto tcp from any to 192.0.2.2 port 7 -> 127.0.0.1 port 7" \
150 "rdr on ${epair_two}b inet proto tcp from any to 198.51.100.2 port 7 -> 127.0.0.1 port 7" \
153 …"pass in quick on ${epair_one}b reply-to (${epair_one}b 192.0.2.1) inet proto tcp from any to 127.…
154 …"pass in quick on ${epair_two}b reply-to (${epair_two}b 198.51.100.1) inet proto tcp from any to 1…
158 result=$(echo "one" | jexec wan_one nc -N -w 3 192.0.2.2 7)
162 result=$(echo "two" | jexec wan_two nc -N -w 3 198.51.100.2 7)
167 result=$(echo "one" | jexec client nc -N -w 3 192.0.2.2 7)
173 result=$(echo "two" | jexec client nc -N -w 3 198.51.100.2 7)
187 atf_set descr 'Multi-WAN local origin source-based redirection / route-to test'
208 jexec wan_one ifconfig ${epair_one}a 192.0.2.1/24 up
210 jexec srv1 ifconfig ${epair_one}b 192.0.2.2/24 up
214 jexec wan_two ifconfig ${epair_two}a 198.51.100.1/24 up
216 jexec srv2 ifconfig ${epair_two}b 198.51.100.2/24 up
223 jexec srv1 sh -c 'dd if=/dev/zero bs=1024 count=100 | nc -l 7 -w 2 -N &'
224 jexec srv2 sh -c 'dd if=/dev/zero bs=1024 count=100 | nc -l 7 -w 2 -N &'
226 jexec client pfctl -e
230 …"pass out quick route-to (${epair_cl_two}a 203.0.113.129) inet proto tcp from 203.0.113.128 to any…
232 "set skip on lo"
235 result=$(jexec client nc -N -w 1 192.0.2.2 7 | wc -c)
236 if [ ${result} -ne 102400 ]; then
237 jexec client pfctl -ss
242 result=$(jexec client nc -N -w 1 -s 203.0.113.128 198.51.100.2 7 | wc -c)
243 jexec client pfctl -ss
244 if [ ${result} -ne 102400 ]; then
257 atf_set descr 'Test that ICMP packets are correct for route-to + NAT'
274 ifconfig ${epair_one}a 192.0.2.2/24 up
275 route add -net 198.51.100.0/24 192.0.2.1
277 jexec gw ifconfig ${epair_one}b 192.0.2.1/24 up
278 jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up
279 jexec gw ifconfig ${epair_three}a 203.0.113.1/24 up mtu 500
280 jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up
282 jexec srv2 ifconfig ${epair_three}b 203.0.113.2/24 up mtu 500
286 atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
288 jexec gw pfctl -e
290 "nat on ${epair_two}a inet from 192.0.2.0/24 to any -> (${epair_two}a)" \
291 "nat on ${epair_three}a inet from 192.0.2.0/24 to any -> (${epair_three}a)" \
292 "pass out route-to (${epair_three}a 203.0.113.2) proto icmp icmp-type echoreq"
295 atf_check -s exit:0 ${common_dir}/pft_icmp_check.py \
296 --to 198.51.100.2 \
297 --fromaddr 192.0.2.2 \
298 --recvif ${epair_one}a \
299 --sendif ${epair_one}a
302 atf_check -s exit:2 -o match:'frag needed and DF set' \
303 ping -D -c 1 -s 1000 198.51.100.2
314 atf_set descr 'Test that dummynet applies to route-to packets'
326 jexec srv ifconfig ${epair_srv}a 192.0.2.1/24 up
330 jexec gw ifconfig ${epair_srv}b 192.0.2.2/24 up
331 jexec gw ifconfig ${epair_gw}a 198.51.100.1/24 up
334 ifconfig ${epair_gw}b 198.51.100.2/24 up
335 route add -net 192.0.2.0/24 198.51.100.1
338 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
342 "pass out route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe 1"
343 jexec gw pfctl -e
347 atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1
349 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1
353 "pass out route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe (0, 1)"
357 atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1
359 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1
370 atf_set descr 'Test that dummynet works as expected on pass in route-to packets'
382 jexec srv ifconfig ${epair_srv}a 192.0.2.1/24 up
386 jexec gw ifconfig ${epair_srv}b 192.0.2.2/24 up
387 jexec gw ifconfig ${epair_gw}a 198.51.100.1/24 up
390 ifconfig ${epair_gw}b 198.51.100.2/24 up
391 route add -net 192.0.2.0/24 198.51.100.1
394 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
398 "pass in route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe 1"
399 jexec gw pfctl -e
404 ping -c 1 192.0.2.1
405 atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1
407 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1
411 "pass in route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe (0, 1)"
416 ping -c 1 192.0.2.1
417 atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1
419 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1
430 atf_set descr 'Test that route-to states bind the expected interface'
442 ifconfig ${epair_one}b up
445 jexec ${j}2 ifconfig ${epair_two}b inet 198.51.100.2/24 up
450 jexec $j ifconfig ${epair_one}a 192.0.2.1/24 up
451 jexec $j ifconfig ${epair_two}a 198.51.100.1/24 up
454 jexec $j pfctl -e
456 "set state-policy if-bound" \
458 "pass out route-to (${epair_two}a 198.51.100.2)"
460 atf_check -s exit:0 -o ignore \
461 jexec $j ping -c 3 203.0.113.1
472 atf_set descr 'Test that route-to states for IPv6 bind the expected interface'
484 ifconfig ${epair_one}b up
487 jexec ${j}2 ifconfig ${epair_two}b inet6 2001:db8:1::2/64 up no_dad
489 jexec ${j}2 route -6 add default 2001:db8:1::1
492 jexec $j ifconfig ${epair_one}a inet6 2001:db8::1/64 up no_dad
493 jexec $j ifconfig ${epair_two}a inet6 2001:db8:1::1/64 up no_dad
494 jexec $j route -6 add default 2001:db8::2
496 jexec $j ping6 -c 3 2001:db8:1::2
498 jexec $j pfctl -e
500 "set state-policy if-bound" \
502 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
503 "pass out route-to (${epair_two}a 2001:db8:1::2)"
505 atf_check -s exit:0 -o ignore \
506 jexec $j ping6 -c 3 2001:db8:2::1
517 atf_set descr 'Test that reply-to states bind to the expected interface'
530 ifconfig ${epair_one}b inet 192.0.2.2/24 up
531 ifconfig ${epair_two}b up
534 jexec $j ifconfig ${epair_one}a 192.0.2.1/24 up
535 jexec $j ifconfig ${epair_two}a 198.51.100.1/24 up
538 jexec $j pfctl -e
540 "set state-policy if-bound" \
542 …"pass in on ${epair_one}a reply-to (${epair_one}a 192.0.2.2) inet from any to 192.0.2.0/24 keep st…
544 atf_check -s exit:0 -o ignore \
545 ping -c 3 192.0.2.1
547 atf_check -s exit:0 \
549 --to 192.0.2.1 \
550 --from 203.0.113.2 \
551 --sendif ${epair_one}b \
552 --replyif ${epair_one}b
555 atf_check -s exit:0 \
557 --to 192.0.2.1 \
558 --from 203.0.113.2 \
559 --sendif ${epair_one}b \
560 --replyif ${epair_one}b
562 jexec $j pfctl -ss -vv
573 atf_set descr 'Test that reply-to states bind to the expected interface for IPv6'
588 jexec ${j}s ifconfig ${epair_one}b inet6 2001:db8::2/64 up no_dad
589 jexec ${j}s ifconfig ${epair_two}b up
590 #jexec ${j}s route -6 add default 2001:db8::1
593 jexec $j ifconfig ${epair_one}a inet6 2001:db8::1/64 up no_dad
594 jexec $j ifconfig ${epair_two}a inet6 2001:db8:1::1/64 up no_dad
595 jexec $j route -6 add default 2001:db8:1::254
597 jexec $j pfctl -e
599 "set state-policy if-bound" \
601 "pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
602 …"pass in on ${epair_one}a reply-to (${epair_one}a 2001:db8::2) inet6 from any to 2001:db8::/64 kee…
604 atf_check -s exit:0 -o ignore \
605 jexec ${j}s ping6 -c 3 2001:db8::1
607 atf_check -s exit:0 \
609 --to 2001:db8::1 \
610 --from 2001:db8:2::2 \
611 --sendif ${epair_one}b \
612 --replyif ${epair_one}b
615 atf_check -s exit:0 \
617 --to 2001:db8::1 \
618 --from 2001:db8:2::2 \
619 --sendif ${epair_one}b \
620 --replyif ${epair_one}b
622 jexec $j pfctl -ss -vv
633 …atf_set descr 'Test that reply-to states bind to the expected non-default-route interface after rd…
646 ifconfig ${epair_one}b inet 192.0.2.2/24 up
647 ifconfig ${epair_two}b up
650 jexec $j ifconfig lo0 inet 127.0.0.1/8 up
651 jexec $j ifconfig ${epair_one}a 192.0.2.1/24 up
652 jexec $j ifconfig ${epair_two}a 198.51.100.1/24 up
655 jexec $j pfctl -e
658 "set state-policy if-bound" \
659 "rdr on ${epair_one}a proto icmp from any to 192.0.2.1 -> 127.0.0.1" \
660 "rdr on ${epair_two}a proto icmp from any to 198.51.100.1 -> 127.0.0.1" \
662 …"pass in on ${epair_one}a reply-to (${epair_one}a 192.0.2.2) inet from any to 127.0.0.1 keep state"
664 atf_check -s exit:0 -o ignore \
665 ping -c 3 192.0.2.1
667 atf_check -s exit:0 \
669 --to 192.0.2.1 \
670 --from 203.0.113.2 \
671 --sendif ${epair_one}b \
672 --replyif ${epair_one}b
675 atf_check -s exit:0 \
677 --to 192.0.2.1 \
678 --from 203.0.113.2 \
679 --sendif ${epair_one}b \
680 --replyif ${epair_one}b
682 jexec $j pfctl -sr -vv
683 jexec $j pfctl -ss -vv
694 atf_set descr 'Test fragmentation with route-to and dummynet'
706 ifconfig ${epair_one}a 192.0.2.1/24 up
709 jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up
710 jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up
714 jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up
724 jexec alcatraz pfctl -e
726 "set reassemble yes" \
727 "pass in route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq dnpipe 1" \
731 atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
732 atf_check -s exit:0 -o ignore ping -c 1 -s 4000 198.51.100.2
755 ifconfig ${epair_one}a 192.0.2.1/24 up
758 jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up
759 jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up
763 jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up
770 jexec alcatraz pfctl -e
772 "set reassemble yes" \
773 "nat on ${epair_two}a from 192.0.2.0/24 -> (${epair_two}a)" \
774 …"pass in route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq dnpipe (1, 1)…
775 "pass out route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq"
777 ping -c 1 198.51.100.2
778 jexec alcatraz pfctl -sr -vv
779 jexec alcatraz pfctl -ss -vv
783 atf_check -s exit:0 -o ignore ping -t 2 -c 1 198.51.100.2
784 atf_check -s exit:2 -o ignore ping -t 1 -c 1 198.51.100.2
795 atf_set descr 'Set and retrieve a rule with sticky-address'
806 …"pass in quick log on n_test_h_rtr route-to (n_srv_h_rtr <change_dst>) sticky-address from any to …
808 jexec alcatraz pfctl -qvvsr
819 atf_set descr 'Ensure we decrement TTL on route-to'
829 ifconfig ${epair_one}b 192.0.2.2/24 up
833 jexec alcatraz ifconfig ${epair_one}a 192.0.2.1/24 up
834 jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up
838 jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up
842 atf_check -s exit:0 -o ignore \
843 ping -c 3 198.51.100.2
845 jexec alcatraz pfctl -e
848 "pass in route-to (${epair_two}a 198.51.100.2)"
850 atf_check -s exit:0 -o ignore \
851 ping -c 3 198.51.100.2
853 atf_check -s exit:2 -o ignore \
854 ping -m 1 -c 3 198.51.100.2
866 atf_set descr 'Route-to with empty pool'
879 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
880 …"pass in on ${epair_tester}b route-to (${epair_server}a <nonexistent>) inet6 from any to ${net_se…
887 # Ignore warnings about not-loaded ALTQ
888 atf_check -o "match:map-failed +1 +" -x "jexec router pfctl -qvvsi 2> /dev/null"
912 jexec router route add -6 ${net_clients_6}::/${net_clients_6_mask} ${net_tester_6_host_tester}
927 jexec router pfctl -e
929 "set debug loud" \
930 "set reassemble yes" \
931 "set state-policy if-bound" \
935 route-to { \
950 atf_check -s exit:0 ${common_dir}/pft_ping.py \
951 --sendif ${epair_tester}a --replyif ${epair_tester}a \
952 --fromaddr ${net_clients_6}::1 --to ${host_server_6} \
953 --ping-type=tcp3way --send-sport=${port}
957 jexec router pfctl -qvvss | normalize_pfctl_s > $states
961 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4201\] .* route-to: ${net_serv…
962 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4202\] .* route-to: ${net_serv…
963 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4203\] .* route-to: ${net_serv…
964 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4204\] .* route-to: ${net_serv…
965 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4205\] .* route-to: ${net_serv…
966 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4206\] .* route-to: ${net_serv…
967 …"${epair_tester}b tcp ${host_server_6}\[9\] <- ${net_clients_6}::1\[4207\] .* route-to: ${net_serv…
969 grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"