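#-
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2019 Ahsan Barkati
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

# Helpers shared by the firewall test cases.  vnet_init and vnet_cleanup
# used below are expected to come from this file.
. "$(atf_get_srcdir)/../../common/vnet.subr"

#
# firewall_config jail firewall [name rule ...]...
#
# Writes one rule file per firewall section and loads the file that
# belongs to `firewall` inside `jail`.
#
#   $1      jail the firewall is configured in (passed to jexec)
#   $2      firewall to activate: ipfw, pf, ipf or ipfnat
#   $3...   sections: a firewall name followed by the rules for it.  Every
#           rule is appended as one line to <name>.rule in the current
#           directory.
#
# None of the variables are declared local, so jname, fw, cwd, filename,
# current_fw and rule stay visible to the caller after the call.
#
firewall_config()
{
	jname=$1
	shift
	fw=$1
	shift

	# Resolve the directory once, before the loop, so the rule-file paths
	# used further down are defined even when no section was passed.
	cwd=$(pwd)
	# Empty until the first section name is seen; a value left over from
	# an earlier call must not receive this call's rules.
	filename=""

	while [ $# -gt 0 ]; do
		if [ "$(is_firewall "$1")" -eq 1 ]; then
			current_fw=$1
			shift
			filename="${current_fw}.rule"
			# Each section starts from an empty rule file.
			rm -f -- "${filename}"
			# A section name with nothing after it has no rule to
			# write, and a further shift would fail.
			[ $# -gt 0 ] || break
		fi
		if [ -z "${filename}" ]; then
			atf_fail "rule '$1' was given before any firewall name"
			return 1
		fi
		rule=$1
		# Quoted and written with printf so the rule reaches the file
		# verbatim: no word splitting, no pathname expansion.
		printf '%s\n' "${rule}" >> "${filename}"
		shift
	done

	case "${fw}" in
	ipfw)
		jexec "${jname}" ipfw -q -f flush
		# The ipfw rule file is run as a shell script inside the jail,
		# so every ipfw "rule" is a command line.  Only pass literals
		# from the test source, never externally supplied text.
		jexec "${jname}" /bin/sh "${cwd}/ipfw.rule"
		;;
	pf)
		jexec "${jname}" pfctl -e
		jexec "${jname}" pfctl -F all
		jexec "${jname}" pfctl -f "${cwd}/pf.rule"
		jexec "${jname}" pfilctl link -o pf:default-out inet-local
		jexec "${jname}" pfilctl link -o pf:default-out6 inet6-local
		;;
	ipf)
		jexec "${jname}" ipf -E
		jexec "${jname}" ipf -Fa -f "${cwd}/ipf.rule"
		;;
	ipfnat)
		jexec "${jname}" service ipfilter start
		jexec "${jname}" ipnat -CF -f "${cwd}/ipfnat.rule"
		jexec "${jname}" pfilctl link -o ipfilter:default-ip4 inet-local
		jexec "${jname}" pfilctl link -o ipfilter:default-ip6 inet6-local
		;;
	*)
		atf_fail "$fw is not a valid firewall to configure"
		;;
	esac
}

#
# firewall_cleanup firewall
#
# Prints the name of the firewall being cleaned and tears down the vnet
# test environment through vnet_cleanup.
#
firewall_cleanup()
{
	firewall=$1
	echo "Cleaning $firewall"
	vnet_cleanup
}

#
# firewall_init firewall
#
# Runs vnet_init, then skips the test when the kernel support for
# `firewall` is not available.  An unknown name fails the test.
#
firewall_init()
{
	firewall=$1
	vnet_init

	case "${firewall}" in
	ipfw)
		if ! kldstat -q -m ipfw; then
			atf_skip "This test requires ipfw"
		fi
		;;
	pf)
		# pf is detected through its control device, not kldstat.
		if [ ! -c /dev/pf ]; then
			atf_skip "This test requires pf"
		fi
		;;
	ipf|ipfnat)
		# Both names are served by the ipfilter module.
		if ! kldstat -q -m ipfilter; then
			atf_skip "This test requires ipf"
		fi
		;;
	*)
		# Report the name this function was given; $fw belongs to
		# firewall_config and may be unset or stale here.
		atf_fail "$firewall is not a valid firewall to initialize"
		;;
	esac
}

#
# dummynet_init firewall
#
# Skips the test unless the dummynet module is loaded and `firewall` is
# one of the firewalls this helper accepts for dummynet (ipfw, pf).
#
dummynet_init()
{
	firewall=$1

	if ! kldstat -q -m dummynet; then
		atf_skip "This test requires dummynet"
	fi

	case "${firewall}" in
	ipfw|pf)
		# Nothing. This is okay.
		;;
	*)
		atf_skip "${firewall} does not support dummynet"
		;;
	esac
}

#
# nat_init firewall
#
# For ipfw, skips the test when the ipfw_nat module is not loaded.  No
# check is made for any other firewall.
#
nat_init()
{
	firewall=$1
	if [ "${firewall}" = "ipfw" ]; then
		if ! kldstat -q -m ipfw_nat; then
			atf_skip "This test requires ipfw_nat"
		fi
	fi
}

#
# is_firewall name
#
# Prints 1 when `name` is one of the firewall names used as section
# markers by firewall_config (pf, ipfw, ipf, ipfnat), 0 otherwise.
#
is_firewall()
{
	case "$1" in
	pf|ipfw|ipf|ipfnat)
		echo 1
		;;
	*)
		echo 0
		;;
	esac
}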