xref: /freebsd/tests/sys/netpfil/pf/anchor.sh (revision 5eee34fa0351f1fdb240f7d085145c05e9ed95d5) 
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29atf_test_case "pr183198" "cleanup"
30pr183198_head()
31{
32	atf_set descr 'Test tables referenced by rules in anchors'
33	atf_set require.user root
34}
35
36pr183198_body()
37{
38	pft_init
39
40	epair=$(vnet_mkepair)
41	vnet_mkjail alcatraz ${epair}b
42	jexec alcatraz pfctl -e
43
44	# Forward with pf enabled
45	pft_set_rules alcatraz  \
46		"table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \
47		"block in" \
48		"anchor \"epair\" on ${epair}b { \n\
49			pass in from <test> \n\
50		}"
51
52	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*'
53	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show
54}
55
56pr183198_cleanup()
57{
58	pft_cleanup
59}
60
61atf_test_case "pr279225" "cleanup"
62pr279225_head()
63{
64	atf_set descr "Test that we can retrieve longer anchor names, PR 279225"
65	atf_set require.user root
66}
67
68pr279225_body()
69{
70	pft_init
71
72	vnet_mkjail alcatraz
73
74	pft_set_rules alcatraz \
75		"nat-anchor \"appjail-nat/jail/*\" all" \
76		"rdr-anchor \"appjail-rdr/*\" all" \
77		"anchor \"appjail/jail/*\" all"
78
79	atf_check -s exit:0 -o match:"nat-anchor \"appjail-nat/jail/\*\" all \{" \
80		jexec alcatraz pfctl -sn -a "*"
81	atf_check -s exit:0 -o match:"rdr-anchor \"appjail-rdr/\*\" all \{" \
82		jexec alcatraz pfctl -sn -a "*"
83	atf_check -s exit:0 -o match:"anchor \"appjail/jail/\*\" all \{" \
84		jexec alcatraz pfctl -sr -a "*"
85}
86
87pr279225_cleanup()
88{
89	pft_cleanup
90}
91
92atf_test_case "nested_anchor" "cleanup"
93nested_anchor_head()
94{
95	atf_set descr 'Test setting and retrieving nested anchors'
96	atf_set require.user root
97}
98
99nested_anchor_body()
100{
101	pft_init
102
103	epair=$(vnet_mkepair)
104	vnet_mkjail alcatraz ${epair}a
105
106	pft_set_rules alcatraz \
107		"anchor \"foo\" { \n\
108			anchor \"bar\" { \n\
109				pass on ${epair}a \n\
110			} \n\
111		}"
112
113	atf_check -s exit:0 -o inline:"anchor \"foo\" all {
114  anchor \"bar\" all {
115    pass on ${epair}a all flags S/SA keep state
116  }
117}
118" jexec alcatraz pfctl -sr -a "*"
119}
120
121nested_anchor_cleanup()
122{
123	pft_cleanup
124}
125
126atf_test_case "wildcard" "cleanup"
127wildcard_head()
128{
129	atf_set descr 'Test wildcard anchors for functionality'
130	atf_set require.user root
131}
132
133wildcard_body()
134{
135	pft_init
136
137	epair=$(vnet_mkepair)
138	vnet_mkjail alcatraz ${epair}a
139
140	ifconfig ${epair}b 192.0.2.2/24 up
141	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
142
143	# Sanity check
144	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
145
146	jexec alcatraz pfctl -e
147	pft_set_rules alcatraz \
148		"block" \
149		"anchor \"foo/*\""
150
151	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1
152
153	echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar"
154
155	jexec alcatraz pfctl -sr -a "*"
156	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
157}
158
159wildcard_cleanup()
160{
161	pft_cleanup
162}
163
164atf_test_case "nested_label" "cleanup"
165nested_label_head()
166{
167	atf_set descr "Test recursive listing of labels"
168	atf_set require.user root
169}
170
171nested_label_body()
172{
173	pft_init
174
175	vnet_mkjail alcatraz
176
177	pft_set_rules alcatraz \
178		"anchor \"foo\" { \n\
179			pass in quick proto icmp label \"passicmp\"\n\
180			anchor \"bar\" { \n\
181				pass in proto tcp label \"passtcp\"\n\
182			} \n\
183		}" \
184		"pass quick from any to any label \"anytoany\""
185
186	atf_check -s exit:0 \
187	    -o inline:"passicmp 0 0 0 0 0 0 0 0
188passtcp 0 0 0 0 0 0 0 0
189anytoany 0 0 0 0 0 0 0 0
190" jexec alcatraz pfctl -sl -a*
191}
192
193nested_label_cleanup()
194{
195	pft_cleanup
196}
197
198atf_test_case "quick" "cleanup"
199quick_head()
200{
201	atf_set descr "Test handling of quick on anchors"
202	atf_set require.user root
203}
204
205quick_body()
206{
207	pft_init
208
209	epair=$(vnet_mkepair)
210	vnet_mkjail alcatraz ${epair}a
211
212	ifconfig ${epair}b 192.0.2.2/24 up
213	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
214
215	# Sanity check
216	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
217
218	jexec alcatraz pfctl -e
219	pft_set_rules alcatraz \
220	    "anchor quick {\n\
221	        pass\n\
222	    }" \
223	    "block"
224
225	# We can still ping because the anchor is 'quick'
226	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
227	jexec alcatraz pfctl -sr -v
228	jexec alcatraz pfctl -ss -v
229}
230
231quick_cleanup()
232{
233	pft_cleanup
234}
235
236atf_test_case "counter" "cleanup"
237counter_head()
238{
239	atf_set descr 'Test counters on anchors'
240	atf_set require.user root
241}
242
243counter_body()
244{
245	pft_init
246
247	epair=$(vnet_mkepair)
248	vnet_mkjail alcatraz ${epair}a
249
250	ifconfig ${epair}b 192.0.2.2/24 up
251	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
252
253	# Sanity check
254	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
255
256	jexec alcatraz pfctl -e
257	pft_set_rules alcatraz \
258	    "anchor \"foo\" {\n\
259	        pass\n\
260	    }"
261
262	# Generate traffic
263	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
264	atf_check -s exit:0 -e ignore \
265	    -o match:'[ Evaluations: 1         Packets: 2         Bytes: 168         States: 1     ]' \
266	    jexec alcatraz pfctl -sr -vv
267}
268
269counter_cleanup()
270{
271	pft_cleanup
272}
273
274atf_init_test_cases()
275{
276	atf_add_test_case "pr183198"
277	atf_add_test_case "pr279225"
278	atf_add_test_case "nested_anchor"
279	atf_add_test_case "wildcard"
280	atf_add_test_case "nested_label"
281	atf_add_test_case "quick"
282	atf_add_test_case "counter"
283}
284