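#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2020 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF tests for pf tables.  Every case builds a vnet jail ("alcatraz")
# attached to one end of an epair, loads a small ruleset into it with
# pft_set_rules and then inspects the table state with "pfctl -T show".
# The helpers (pft_init, vnet_mkepair, vnet_mkjail, pft_set_rules,
# pft_cleanup) come from utils.subr.
. $(atf_get_srcdir)/utils.subr

# Patterns matched against the per-address statistics that
# "pfctl -t <table> -T show -vv" prints for a table created with "counters".
# The first matches an entry whose packet and byte counters are both zero,
# the second an entry where both are strictly positive.
TABLE_STATS_ZERO_REGEXP='Packets: 0[[:space:]]*Bytes: 0[[:space:]]'
TABLE_STATS_NONZERO_REGEXP='Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]'

atf_test_case "v4_counters" "cleanup"
v4_counters_head()
{
	atf_set descr 'Verify per-address counters for v4'
	atf_set require.user root
}

# Ping the jail from an address listed in a "counters" table and verify that
# only the In/Pass and Out/Pass counters of that entry moved.
v4_counters_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Everything is blocked except traffic from/to the single table
	# entry, so every ping packet is accounted to that entry.
	pft_set_rules alcatraz \
		"table <foo> counters { 192.0.2.1 }" \
		"block all" \
		"pass in from <foo> to any" \
		"pass out from any to <foo>" \
		"set skip on lo"

	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# Nothing was blocked, so the block counters must still be zero
	# while both pass counters must have been incremented.
	atf_check -s exit:0 -e ignore \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv
}

v4_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "v6_counters" "cleanup"
v6_counters_head()
{
	atf_set descr 'Verify per-address counters for v6'
	atf_set require.user root
}

# IPv6 variant of v4_counters: same ruleset shape, same expectations.
v6_counters_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	# no_dad: skip duplicate address detection so the address is usable
	# immediately; -ifdisabled: make sure IPv6 is enabled on the interface.
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"table <foo6> counters { 2001:db8:42::1 }" \
		"block all" \
		"pass in from <foo6> to any" \
		"pass out from any to <foo6>" \
		"set skip on lo"

	atf_check -s exit:0 -o ignore ping -6 -c 3 2001:db8:42::2

	# Only the pass counters may be non-zero.
	atf_check -s exit:0 -e ignore \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		jexec alcatraz pfctl -t foo6 -T show -vv
}

v6_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "zero_one" "cleanup"
zero_one_head()
{
	atf_set descr 'Test zeroing a single address in a table'
	atf_set require.user root
}

# Drive traffic from two table entries, zero the counters of one of them
# and verify that exactly one entry reports zero counters afterwards.
zero_one_body()
{
	# Every other case initialises pf first; this one used to skip it,
	# which left the kernel module check up to whichever case ran before.
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up
	# Second source address so that two table entries collect traffic.
	ifconfig ${epair_send}a inet alias 192.0.2.3/24

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"table <foo> counters { 192.0.2.1, 192.0.2.3 }" \
		"block all" \
		"pass in from <foo> to any" \
		"pass out from any to <foo>" \
		"set skip on lo"

	# Send from each listed address in turn so both entries are hit.
	atf_check -s exit:0 -o ignore ping -c 3 -S 192.0.2.1 192.0.2.2
	atf_check -s exit:0 -o ignore ping -c 3 -S 192.0.2.3 192.0.2.2

	# Diagnostic dump for the test log; the assertions follow below.
	jexec alcatraz pfctl -t foo -T show -vv

	atf_check -s exit:0 -e ignore \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv

	# Zero only the second entry.
	atf_check -s exit:0 -e ignore \
		jexec alcatraz pfctl -t foo -T zero 192.0.2.3

	# We now have a zeroed and a non-zeroed counter, so both the
	# non-zero and the zero pattern must match somewhere in the output.
	atf_check -s exit:0 -e ignore \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv
	atf_check -s exit:0 -e ignore \
		-o match:'In/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv
}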
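zero_one_cleanup()
{
	pft_cleanup
}

atf_test_case "pr251414" "cleanup"
pr251414_head()
{
	atf_set descr 'Test PR 251414'
	atf_set require.user root
}

# Load a table without counters, then reload the same table with counters
# enabled (without flushing) and dump it after passing traffic through.
pr251414_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# First load: plain table.
	pft_set_rules alcatraz \
		"pass all" \
		"table <tab> { self }" \
		"pass in log to <tab>"

	# Second load on top of the existing table, now with counters.
	pft_set_rules noflush alcatraz \
		"pass all" \
		"table <tab> counters { self }" \
		"pass in log to <tab>"

	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# NOTE(review): the dump is deliberately left outside atf_check as the
	# author wrote it; this file does not say what PR 251414's failure
	# mode is, so the exit status and output are not asserted here.
	jexec alcatraz pfctl -t tab -T show -vv
}

pr251414_cleanup()
{
	pft_cleanup
}

atf_test_case "automatic" "cleanup"
automatic_head()
{
	atf_set descr "Test automatic - optimizer generated - tables"
	atf_set require.user root
}

# Load many single-address pass rules (presumably enough for pfctl's
# optimizer to fold them into an automatic table) and check that traffic
# from the first address still passes.
automatic_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"block in" \
		"pass in proto icmp from 192.0.2.1" \
		"pass in proto icmp from 192.0.2.3" \
		"pass in proto icmp from 192.0.2.4" \
		"pass in proto icmp from 192.0.2.5" \
		"pass in proto icmp from 192.0.2.6" \
		"pass in proto icmp from 192.0.2.7" \
		"pass in proto icmp from 192.0.2.8" \
		"pass in proto icmp from 192.0.2.9"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

automatic_cleanup()
{
	pft_cleanup
}

atf_test_case "network" "cleanup"
network_head()
{
	atf_set descr 'Test <ifgroup>:network'
	atf_set require.user root
}

# A table populated from an interface group's network ("epair:network")
# must allow traffic from the host side of the epair.
network_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"table <allow> const { epair:network }" \
		"block in" \
		"pass in from <allow>"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

network_cleanup()
{
	pft_cleanup
}

atf_test_case "pr259689" "cleanup"
pr259689_head()
{
	atf_set descr 'Test PR 259689'
	atf_set require.user root
}

# A block rule with a six-address list must be turned into one automatic
# table holding all six addresses, as shown by the ":6" suffix.
pr259689_body()
{
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"pass in" \
		"block in inet from { 1.1.1.1, 1.1.1.2, 2.2.2.2, 2.2.2.3, 4.4.4.4, 4.4.4.5 }"

	atf_check -o match:'block drop in inet from <__automatic_.*:6> to any' \
		-e ignore \
		jexec alcatraz pfctl -sr -vv
}

pr259689_cleanup()
{
	pft_cleanup
}

atf_test_case "precreate" "cleanup"
precreate_head()
{
	atf_set descr 'Test creating a table without counters, then loading rules that add counters'
	atf_set require.user root
}

# Create a table by hand (no counters), then load a ruleset that declares
# the same table with counters and check that every counter starts at zero.
precreate_body()
{
	pft_init

	vnet_mkjail alcatraz

	# Check the manual creation step itself: if adding the address failed
	# the later assertions would be testing a freshly created table rather
	# than a pre-existing one.
	atf_check -s exit:0 -e ignore \
		jexec alcatraz pfctl -t foo -T add 192.0.2.1
	atf_check -s exit:0 -e ignore \
		-o match:'192\.0\.2\.1' \
		jexec alcatraz pfctl -t foo -T show

	# noflush keeps the pre-created table around.
	pft_set_rules noflush alcatraz \
		"table <foo> counters persist" \
		"pass in from <foo>"

	# Expect all counters to be zero
	atf_check -s exit:0 -e ignore \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'In/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv
}

precreate_cleanup()
{
	pft_cleanup
}

atf_test_case "anchor" "cleanup"
anchor_head()
{
	atf_set descr 'Test tables in anchors'
	atf_set require.user root
}

# Tables are scoped to their anchor: adding an address to the same-named
# table in the main ruleset must not affect the anchor's table.
anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Empty table plus a block rule, loaded into the "anchorage" anchor.
	(echo "table <testtable> persist"
	 echo "block in quick from <testtable> to any"
	) | jexec alcatraz pfctl -a anchorage -f -

	pft_set_rules noflush alcatraz \
		"pass" \
		"anchor anchorage"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Tables belong to anchors, so this is a different table and won't
	# affect anything.  The add is checked so that a failing pfctl cannot
	# turn the next ping into a vacuous pass.
	atf_check -s exit:0 -e ignore \
		jexec alcatraz pfctl -t testtable -T add 192.0.2.1
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# But when we add the address to the table in the anchor it does
	# block traffic.
	atf_check -s exit:0 -e ignore \
		jexec alcatraz pfctl -a anchorage -t testtable -T add 192.0.2.1
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
}

anchor_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "v4_counters"
	atf_add_test_case "v6_counters"
	atf_add_test_case "zero_one"
	atf_add_test_case "pr251414"
	atf_add_test_case "automatic"
	atf_add_test_case "network"
	atf_add_test_case "pr259689"
	atf_add_test_case "precreate"
	atf_add_test_case "anchor"
}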