1#
2# Copyright (c) 2026 Boris Lytochkin
3#
4# SPDX-License-Identifier: BSD-2-Clause
5#
6
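# Directory holding the shared netpfil test helpers used below
# (utils.subr and pft_ping.py).
common_dir="$(atf_get_srcdir)/../common"
# Quoted so that a source directory containing whitespace or glob characters
# is still sourced as one path instead of being word-split.
. "${common_dir}/utils.subr"

# nc command line for the connectivity probe: -w 1 gives a one-second timeout,
# -d ignores stdin, -n skips name resolution, -N shuts the socket down on EOF.
# Stored as one string and expanded unquoted at the call site so that it
# word-splits into the command and its options.
NC="nc -w 1 -dnN"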
11
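# Build the two-node IPv6 test network on one epair: the "a" end stays on the
# host with 2001:db8:42::1, the "b" end is moved into the "alcatraz" vnet jail
# and given 2001:db8:42::2.
# Globals:   epair (written), NC (read)
# Arguments: $1 - epair base name, without the a/b suffix
setup_network_v6()
{
	epair="$1"

	ifconfig "${epair}a" inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	vnet_mkjail alcatraz "${epair}b"

	ifconfig -j alcatraz "${epair}b" inet6 2001:db8:42::2/64 up no_dad -ifdisabled

	# Start inetd inside the jail with the test's own configuration;
	# -p /dev/null keeps it from leaving a pid file behind. The path is
	# quoted so a source directory with whitespace stays a single argument.
	# NOTE(review): lookup_inetd.conf presumably provides the port 82
	# service probed below - confirm against that file.
	jexec alcatraz /usr/sbin/inetd -p /dev/null "$(atf_get_srcdir)/lookup_inetd.conf"

	# Sanity checks, run before any firewall rules are loaded: the jail
	# must answer ICMPv6 echo and the port 82 service must reply "GOOD 82".
	atf_check -s exit:0 -o ignore ping6 -i .1 -c 3 -s 1200 2001:db8:42::2
	# ${NC} is deliberately unquoted: it holds a command plus options.
	atf_check -o "inline:GOOD 82\n" ${NC} 2001:db8:42::2 82
}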
28
# Declare the ipv6fl test case and tell ATF it has a cleanup routine.
atf_test_case ipv6fl cleanup
30
# Metadata for the ipv6fl test case: a short description, the requirement to
# run as root, and the external programs (python3, scapy) that must be present.
ipv6fl_head()
{
	atf_set "descr" "flow-id test"
	atf_set "require.user" "root"
	atf_set "require.progs" python3 scapy
}
37
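# Verify that the ipfw "flow-id" option matches on the IPv6 flow label:
# an echo request carrying the allowed label must be answered, one carrying
# a different label must not.
# Globals: epair (written), common_dir (read)
ipv6fl_body()
{
	firewall_init "ipfw"

	epair=$(vnet_mkepair)

	setup_network_v6 "${epair}"

	# Rules loaded in the jail:
	#   100 allows any IPv6 packet whose flow label is 0xbaad;
	#   200 denies inbound ICMPv6 type 128 (Echo Request).
	# Rule 100 is evaluated first, so an echo request gets through only
	# when its flow label matches.
	firewall_config "alcatraz" ipfw ipfw \
			"ipfw -q add 100 allow ip6 from any to any flow-id 0xbaad" \
			"ipfw -q add 200 deny ipv6-icmp from any to any icmp6types 128 in"

	# Matching flow label: the ping must succeed (exit 0). $((0x...))
	# turns the hex label into the decimal form passed to --send-fl.
	# The helper path and interface names are quoted so they are never
	# word-split.
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--fromaddr 2001:db8:42::1 \
		--to 2001:db8:42::2 \
		--send-fl $((0xbaad)) \
		--replyif "${epair}a"

	# Mismatching flow label: the helper is expected to exit 1.
	# NOTE(review): exit 1 presumably means "no reply seen"; a failure
	# unrelated to filtering would look the same, so the positive check
	# above is what shows that the path itself works.
	# NOTE(review): both labels fit in 16 bits, so the upper four bits of
	# the 20-bit flow label field are not exercised by this test.
	atf_check -s exit:1 "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--fromaddr 2001:db8:42::1 \
		--to 2001:db8:42::2 \
		--send-fl $((0xf001)) \
		--replyif "${epair}a"
}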
69
# Cleanup routine for ipv6fl: hands teardown over to firewall_cleanup.
# NOTE(review): $1 is forwarded unquoted, so an unset or empty $1 means
# firewall_cleanup is called with no argument. The test body hard-codes
# "ipfw"; confirm this routine really receives the firewall name.
ipv6fl_cleanup()
{
	firewall_cleanup ${1}
}
74
# ATF entry point: registers the test cases provided by this file.
atf_init_test_cases()
{
	atf_add_test_case ipv6fl
}
79