# # SPDX-License-Identifier: BSD-2-Clause # # Copyright (c) 2018 Kristof Provost # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "pr183198" "cleanup" pr183198_head() { atf_set descr 'Test tables referenced by rules in anchors' atf_set require.user root } pr183198_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz \ "table { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \ "block in" \ "anchor \"epair\" on ${epair}b { \n\ pass in from \n\ }" atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*' atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show } pr183198_cleanup() { pft_cleanup } atf_test_case "pr279225" "cleanup" pr279225_head() { atf_set descr "Test that we can retrieve longer anchor names, PR 279225" atf_set require.user root } pr279225_body() { pft_init vnet_mkjail alcatraz pft_set_rules alcatraz \ "nat-anchor \"appjail-nat/jail/*\" all" \ "rdr-anchor \"appjail-rdr/*\" all" \ "anchor \"appjail/jail/*\" all" atf_check -s exit:0 -o match:"nat-anchor \"appjail-nat/jail/\*\" all \{" \ jexec alcatraz pfctl -sn -a "*" atf_check -s exit:0 -o match:"rdr-anchor \"appjail-rdr/\*\" all \{" \ jexec alcatraz pfctl -sn -a "*" atf_check -s exit:0 -o match:"anchor \"appjail/jail/\*\" all \{" \ jexec alcatraz pfctl -sr -a "*" } pr279225_cleanup() { pft_cleanup } atf_test_case "nested_anchor" "cleanup" nested_anchor_head() { atf_set descr 'Test setting and retrieving nested anchors' atf_set require.user root } nested_anchor_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}a pft_set_rules alcatraz \ "anchor \"foo\" { \n\ anchor \"bar\" { \n\ pass on ${epair}a \n\ } \n\ }" atf_check -s exit:0 -o inline:"anchor \"foo\" all { anchor \"bar\" all { pass on ${epair}a all flags S/SA keep state } } " jexec alcatraz pfctl -sr -a "*" } nested_anchor_cleanup() { pft_cleanup } atf_test_case "wildcard" "cleanup" wildcard_head() { atf_set descr 'Test wildcard anchors for functionality' atf_set require.user root } wildcard_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}a ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 jexec alcatraz pfctl -e pft_set_rules alcatraz \ "block" \ "anchor \"foo/*\"" atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1 echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar" jexec alcatraz pfctl -sr -a "*" atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 } wildcard_cleanup() { pft_cleanup } atf_test_case "nested_label" "cleanup" nested_label_head() { atf_set descr "Test recursive listing of labels" atf_set require.user root } nested_label_body() { pft_init vnet_mkjail alcatraz pft_set_rules alcatraz \ "anchor \"foo\" { \n\ pass in quick proto icmp label \"passicmp\"\n\ anchor \"bar\" { \n\ pass in proto tcp label \"passtcp\"\n\ } \n\ }" \ "pass quick from any to any label \"anytoany\"" atf_check -s exit:0 \ -o inline:"passicmp 0 0 0 0 0 0 0 0 passtcp 0 0 0 0 0 0 0 0 anytoany 0 0 0 0 0 0 0 0 " jexec alcatraz pfctl -sl -a* } nested_label_cleanup() { pft_cleanup } atf_test_case "quick" "cleanup" quick_head() { atf_set descr "Test handling of quick on anchors" atf_set require.user root } quick_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}a ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 jexec alcatraz pfctl -e pft_set_rules alcatraz \ "anchor quick {\n\ pass\n\ }" \ "block" # We can still ping because the anchor is 'quick' atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 jexec alcatraz pfctl -sr -v jexec alcatraz pfctl -ss -v } quick_cleanup() { pft_cleanup } atf_test_case "counter" "cleanup" counter_head() { atf_set descr 'Test counters on anchors' atf_set require.user root } counter_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}a ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 jexec alcatraz pfctl -e pft_set_rules alcatraz \ "anchor \"foo\" {\n\ pass\n\ }" # Generate traffic atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 atf_check -s exit:0 -e ignore \ -o match:'[ Evaluations: 1 Packets: 2 Bytes: 168 States: 1 ]' \ jexec alcatraz pfctl -sr -vv } counter_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "pr183198" atf_add_test_case "pr279225" atf_add_test_case "nested_anchor" atf_add_test_case "wildcard" atf_add_test_case "nested_label" atf_add_test_case "quick" atf_add_test_case "counter" }