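#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr

# ATF test cases for pf's "set skip on <interface|group>".
#
# Every case runs pf inside its own vnet jail ("alcatraz") so the host
# ruleset is never touched.  The cases pin two properties:
#   - traffic on a skipped interface/group bypasses the block rules, and
#   - once the skip is removed (loading a new ruleset without flushing),
#     the block rules apply to that interface again.
#
# Pings that are expected to be blocked pass "-t 1" so ping gives up after
# one second instead of waiting its default reply timeout; ping still exits
# with status 2 when no reply arrived, which is the status the checks pin.

atf_test_case "unset" "cleanup"
unset_head()
{
	atf_set descr 'Unset set skip test'
	atf_set require.user root
}

# Skip on a plain interface (lo0), then remove the skip and verify the
# block rule takes effect on lo0.
unset_body()
{
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "set skip on lo0" \
		"block in proto icmp"

	echo "set skip"
	jexec alcatraz pfctl -v -sI

	jexec alcatraz ifconfig
	# lo0 is skipped, so the block rule must not apply to it
	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1

	# Remove the skip on lo0 (an interface, not a group) by loading the
	# ruleset again without the skip line; no flush here
	pft_set_rules noflush alcatraz \
		"block in proto icmp"

	echo "No setskip"
	jexec alcatraz pfctl -v -sI

	# Flush states so the next ping is evaluated against the ruleset
	# rather than matched by an existing state
	jexec alcatraz pfctl -Fs

	# And now our ping is blocked; -t 1 bounds the wait for the reply
	# that never comes
	atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 -t 1 127.0.0.1

	jexec alcatraz pfctl -v -sI
}

unset_cleanup()
{
	pft_cleanup
}

atf_test_case "set_skip_group" "cleanup"
set_skip_group_head()
{
	atf_set descr 'Basic set skip test'
	atf_set require.user root
}

# Same as "unset", but the skip names an interface group ("foo") that lo0
# is a member of rather than the interface itself.
set_skip_group_body()
{
	# See PR 229241
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
	jexec alcatraz ifconfig lo0 group foo
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "set skip on foo" \
		"block in proto icmp"

	echo "set skip"
	jexec alcatraz pfctl -v -sI

	jexec alcatraz ifconfig
	# lo0 belongs to group foo, which is skipped, so the ping gets through
	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1

	# Unset the skip on the group
	pft_set_rules noflush alcatraz \
		"block in proto icmp"

	# Flush states so the next ping is evaluated against the ruleset
	# rather than matched by an existing state
	jexec alcatraz pfctl -Fs

	# And now our ping is blocked; -t 1 bounds the wait for the reply
	# that never comes
	atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 -t 1 127.0.0.1

	echo "No setskip"
	jexec alcatraz pfctl -v -sI
}

set_skip_group_cleanup()
{
	pft_cleanup
}

atf_test_case "set_skip_group_lo" "cleanup"
set_skip_group_lo_head()
{
	atf_set descr 'Basic set skip test, lo'
	atf_set require.user root
}

# Skip on the "lo" group while blocking on lo0 explicitly: the skip must win,
# and re-loading the same ruleset without a flush must not change that.
set_skip_group_lo_body()
{
	# See PR 229241
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "set skip on lo" \
		"block on lo0"

	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
	# Reload the identical ruleset without flushing; the skip must persist
	pft_set_rules noflush alcatraz "set skip on lo" \
		"block on lo0"
	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
	jexec alcatraz pfctl -s rules
}

set_skip_group_lo_cleanup()
{
	pft_cleanup
}

atf_test_case "set_skip_dynamic" "cleanup"
set_skip_dynamic_head()
{
	atf_set descr "Cope with group changes"
	atf_set require.user root
}

# The skip names the "epair" group before any epair exists in the jail; an
# epair moved in afterwards must still be skipped.
set_skip_dynamic_body()
{
	pft_init

	# Trace every command into the test output while the epair is
	# created and moved; drop this if the extra log noise is unwanted
	set -x

	vnet_mkjail alcatraz
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "set skip on epair" \
		"block on ! lo"

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.2/24 up
	vnet_ifmove ${epair}b alcatraz

	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up

	# "block on ! lo" would block epair traffic unless the skip on the
	# group applies to the interface that joined it after rule load
	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
}

set_skip_dynamic_cleanup()
{
	pft_cleanup
}

atf_test_case "pr255852" "cleanup"
pr255852_head()
{
	atf_set descr "PR 255852"
	atf_set require.user root
}

# Regression test: removing an interface group from a "set skip" list (here
# epair, leaving only lo0) must re-enable filtering on the epair side when
# the new ruleset is loaded without a flush.
pr255852_body()
{
	pft_init

	epair=$(vnet_mkepair)

	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check: connectivity works before pf is enabled
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "set skip on { lo0, epair }" \
		"block"
	jexec alcatraz pfctl -vsI

	# We're skipping on epair, so this should work
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Note: flushing avoids the issue, so the reload deliberately does not
	# flush
	pft_set_rules noflush alcatraz "set skip on { lo0 }" \
		"block"

	jexec alcatraz pfctl -vsI

	# No longer skipping, so this should fail
	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
}

pr255852_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "unset"
	atf_add_test_case "set_skip_group"
	atf_add_test_case "set_skip_group_lo"
	atf_add_test_case "set_skip_dynamic"
	atf_add_test_case "pr255852"
}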