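#-
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2019 Ahsan Barkati
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#

. "$(atf_get_srcdir)/../../common/vnet.subr"

# firewall_config jname fw [fwname rule ...]...
#
# Write the rules given on the command line into per-firewall files
# (<fwname>.rule in the current directory) and load the file that belongs
# to ${fw} into jail ${jname}.  Every argument recognised by is_firewall
# starts a new rule file; the arguments that follow it are appended to that
# file one per line until the next firewall name.  Unknown values of ${fw}
# fail the test case.
firewall_config()
{
	local current_fw filename rule cwd

	jname=$1
	shift
	fw=$1
	shift

	# Resolve the rule directory up front so the load step below can
	# never degrade into "/<fw>.rule" when no rules were supplied.
	cwd=$(pwd)
	filename=

	while [ $# -gt 0 ]; do
		if [ "$(is_firewall "$1")" -eq 1 ]; then
			current_fw=$1
			shift
			filename=${current_fw}.rule
			# Start from a clean file for this firewall; stale
			# rules from an earlier invocation must not be loaded.
			rm -f -- "$filename"
			continue
		fi
		if [ -z "$filename" ]; then
			atf_fail "firewall_config: rule '$1' given before any firewall name"
		fi
		rule=$1
		# printf, not echo: a rule line is written verbatim, without
		# glob expansion or backslash interpretation.
		printf '%s\n' "$rule" >> "$filename"
		shift
	done

	case $fw in
	ipfw)
		jexec "$jname" ipfw -q -f flush
		jexec "$jname" ipfw -q -f table all destroy
		jexec "$jname" /bin/sh "$cwd/ipfw.rule"
		;;
	pf)
		jexec "$jname" sysctl net.pf.filter_local=1
		jexec "$jname" pfctl -e
		jexec "$jname" pfctl -F all
		jexec "$jname" pfctl -f "$cwd/pf.rule"
		;;
	ipf)
		jexec "$jname" ipf -E
		jexec "$jname" ipf -Fa -f "$cwd/ipf.rule"
		;;
	ipfnat)
		jexec "$jname" service ipfilter start
		jexec "$jname" ipnat -CF -f "$cwd/ipfnat.rule"
		jexec "$jname" pfilctl link -o ipfilter:default-ip4 inet-local
		jexec "$jname" pfilctl link -o ipfilter:default-ip6 inet6-local
		;;
	*)
		atf_fail "$fw is not a valid firewall to configure"
		;;
	esac
}

# firewall_cleanup firewall
#
# Tear down the vnet jails created for the test case.
firewall_cleanup()
{
	firewall=$1
	echo "Cleaning $firewall"
	vnet_cleanup
}

# firewall_init firewall
#
# Prepare the vnet environment and skip the test case when the requested
# firewall is not available on this host.  ipfw additionally requires the
# net.inet.ip.fw.default_to_accept=1 tunable, otherwise the test fails.
firewall_init()
{
	firewall=$1
	vnet_init

	case $firewall in
	ipfw)
		if ! kldstat -q -m ipfw; then
			atf_skip "This test requires ipfw"
		elif [ "$(sysctl -n net.inet.ip.fw.default_to_accept)" -ne 1 ]; then
			atf_fail "ipfw tests require net.inet.ip.fw.default_to_accept=1 tunable"
		fi
		;;
	pf)
		if [ ! -c /dev/pf ]; then
			atf_skip "This test requires pf"
		fi
		;;
	ipf|ipfnat)
		if ! kldstat -q -m ipfilter; then
			atf_skip "This test requires ipf"
		fi
		;;
	*)
		# The failure message names the firewall that was actually
		# requested (the original referenced the unset $fw here).
		atf_fail "$firewall is not a valid firewall to initialize"
		;;
	esac
}

# dummynet_init firewall
#
# Skip the test case unless the dummynet module is loaded and the firewall
# is one that integrates with it (ipfw or pf).
dummynet_init()
{
	firewall=$1

	if ! kldstat -q -m dummynet; then
		atf_skip "This test requires dummynet"
	fi

	case $firewall in
	ipfw|pf)
		# Nothing. This is okay.
		;;
	*)
		atf_skip "${firewall} does not support dummynet"
		;;
	esac
}

# nat_init firewall
#
# Skip the test case when ipfw was requested but ipfw_nat is not loaded.
# Other firewalls need no extra module here.
nat_init()
{
	firewall=$1
	case $firewall in
	ipfw)
		if ! kldstat -q -m ipfw_nat; then
			atf_skip "This test requires ipfw_nat"
		fi
		;;
	esac
}

# is_firewall name
#
# Print 1 on stdout if ${name} is one of the firewalls these helpers
# understand (pf, ipfw, ipf, ipfnat), 0 otherwise.
is_firewall()
{
	case $1 in
	pf|ipfw|ipf|ipfnat)
		echo 1
		;;
	*)
		echo 0
		;;
	esac
}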