#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
2655177f18SKristof Provost 2755177f18SKristof Provost. $(atf_get_srcdir)/utils.subr 2855177f18SKristof Provost 2955177f18SKristof Provostatf_test_case "pr183198" "cleanup" 3055177f18SKristof Provostpr183198_head() 3155177f18SKristof Provost{ 3255177f18SKristof Provost atf_set descr 'Test tables referenced by rules in anchors' 3355177f18SKristof Provost atf_set require.user root 3455177f18SKristof Provost} 3555177f18SKristof Provost 3655177f18SKristof Provostpr183198_body() 3755177f18SKristof Provost{ 3855177f18SKristof Provost pft_init 3955177f18SKristof Provost 4006aac31aSKristof Provost epair=$(vnet_mkepair) 4106aac31aSKristof Provost vnet_mkjail alcatraz ${epair}b 4255177f18SKristof Provost jexec alcatraz pfctl -e 4355177f18SKristof Provost 4455177f18SKristof Provost # Forward with pf enabled 4555177f18SKristof Provost pft_set_rules alcatraz \ 4655177f18SKristof Provost "table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \ 4755177f18SKristof Provost "block in" \ 4855177f18SKristof Provost "anchor \"epair\" on ${epair}b { \n\ 4955177f18SKristof Provost pass in from <test> \n\ 5055177f18SKristof Provost }" 5155177f18SKristof Provost 5255177f18SKristof Provost atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*' 5355177f18SKristof Provost atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show 5455177f18SKristof Provost} 5555177f18SKristof Provost 5655177f18SKristof Provostpr183198_cleanup() 5755177f18SKristof Provost{ 5855177f18SKristof Provost pft_cleanup 5955177f18SKristof Provost} 6055177f18SKristof Provost 61d58d2e40SKristof Provostatf_test_case "nested_anchor" "cleanup" 62d58d2e40SKristof Provostnested_anchor_head() 63d58d2e40SKristof Provost{ 64d58d2e40SKristof Provost atf_set descr 'Test setting and retrieving nested anchors' 65d58d2e40SKristof Provost atf_set require.user root 66d58d2e40SKristof Provost} 67d58d2e40SKristof Provost 68d58d2e40SKristof Provostnested_anchor_body() 69d58d2e40SKristof Provost{ 70d58d2e40SKristof Provost pft_init 
71d58d2e40SKristof Provost 72d58d2e40SKristof Provost epair=$(vnet_mkepair) 73d58d2e40SKristof Provost vnet_mkjail alcatraz ${epair}a 74d58d2e40SKristof Provost 75d58d2e40SKristof Provost pft_set_rules alcatraz \ 76d58d2e40SKristof Provost "anchor \"foo\" { \n\ 77d58d2e40SKristof Provost anchor \"bar\" { \n\ 78d58d2e40SKristof Provost pass on ${epair}a \n\ 79d58d2e40SKristof Provost } \n\ 80d58d2e40SKristof Provost }" 81d58d2e40SKristof Provost 82d58d2e40SKristof Provost atf_check -s exit:0 -o inline:"anchor \"foo\" all { 83d58d2e40SKristof Provost anchor \"bar\" all { 84d58d2e40SKristof Provost pass on ${epair}a all flags S/SA keep state 85d58d2e40SKristof Provost } 86d58d2e40SKristof Provost} 87d58d2e40SKristof Provost" jexec alcatraz pfctl -sr -a "*" 88d58d2e40SKristof Provost} 89d58d2e40SKristof Provost 90d58d2e40SKristof Provostnested_anchor_cleanup() 91d58d2e40SKristof Provost{ 92d58d2e40SKristof Provost pft_cleanup 93d58d2e40SKristof Provost} 94d58d2e40SKristof Provost 95d5a0bf45SKristof Provostatf_test_case "wildcard" "cleanup" 96d5a0bf45SKristof Provostwildcard_head() 97d5a0bf45SKristof Provost{ 98d5a0bf45SKristof Provost atf_set descr 'Test wildcard anchors for functionality' 99d5a0bf45SKristof Provost atf_set require.user root 100d5a0bf45SKristof Provost} 101d5a0bf45SKristof Provost 102d5a0bf45SKristof Provostwildcard_body() 103d5a0bf45SKristof Provost{ 104d5a0bf45SKristof Provost pft_init 105d5a0bf45SKristof Provost 106d5a0bf45SKristof Provost epair=$(vnet_mkepair) 107d5a0bf45SKristof Provost vnet_mkjail alcatraz ${epair}a 108d5a0bf45SKristof Provost 109d5a0bf45SKristof Provost ifconfig ${epair}b 192.0.2.2/24 up 110d5a0bf45SKristof Provost jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up 111d5a0bf45SKristof Provost 112d5a0bf45SKristof Provost # Sanity check 113d5a0bf45SKristof Provost atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 114d5a0bf45SKristof Provost 115d5a0bf45SKristof Provost jexec alcatraz pfctl -e 116d5a0bf45SKristof Provost 
pft_set_rules alcatraz \ 117d5a0bf45SKristof Provost "block" \ 118d5a0bf45SKristof Provost "anchor \"foo/*\"" 119d5a0bf45SKristof Provost 120d5a0bf45SKristof Provost atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1 121d5a0bf45SKristof Provost 122d5a0bf45SKristof Provost echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar" 123d5a0bf45SKristof Provost 124d5a0bf45SKristof Provost jexec alcatraz pfctl -sr -a "*" 125d5a0bf45SKristof Provost atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 126d5a0bf45SKristof Provost} 127d5a0bf45SKristof Provost 128d5a0bf45SKristof Provostwildcard_cleanup() 129d5a0bf45SKristof Provost{ 130d5a0bf45SKristof Provost pft_cleanup 131d5a0bf45SKristof Provost} 132d5a0bf45SKristof Provost 133*1d723c1eSKristof Provostatf_test_case "nested_label" "cleanup" 134*1d723c1eSKristof Provostnested_label_head() 135*1d723c1eSKristof Provost{ 136*1d723c1eSKristof Provost atf_set descr "Test recursive listing of labels" 137*1d723c1eSKristof Provost atf_set require.user root 138*1d723c1eSKristof Provost} 139*1d723c1eSKristof Provost 140*1d723c1eSKristof Provostnested_label_body() 141*1d723c1eSKristof Provost{ 142*1d723c1eSKristof Provost pft_init 143*1d723c1eSKristof Provost 144*1d723c1eSKristof Provost vnet_mkjail alcatraz 145*1d723c1eSKristof Provost 146*1d723c1eSKristof Provost pft_set_rules alcatraz \ 147*1d723c1eSKristof Provost "anchor \"foo\" { \n\ 148*1d723c1eSKristof Provost pass in quick proto icmp label \"passicmp\"\n\ 149*1d723c1eSKristof Provost anchor \"bar\" { \n\ 150*1d723c1eSKristof Provost pass in proto tcp label \"passtcp\"\n\ 151*1d723c1eSKristof Provost } \n\ 152*1d723c1eSKristof Provost }" \ 153*1d723c1eSKristof Provost "pass quick from any to any label \"anytoany\"" 154*1d723c1eSKristof Provost 155*1d723c1eSKristof Provost atf_check -s exit:0 \ 156*1d723c1eSKristof Provost -o inline:"passicmp 0 0 0 0 0 0 0 0 157*1d723c1eSKristof Provostpasstcp 0 0 0 0 0 0 0 0 158*1d723c1eSKristof Provostanytoany 0 0 0 0 0 0 0 0 159*1d723c1eSKristof 
Provost" jexec alcatraz pfctl -sl -a* 160*1d723c1eSKristof Provost} 161*1d723c1eSKristof Provost 162*1d723c1eSKristof Provostnested_label_cleanup() 163*1d723c1eSKristof Provost{ 164*1d723c1eSKristof Provost pft_cleanup 165*1d723c1eSKristof Provost} 166*1d723c1eSKristof Provost 16755177f18SKristof Provostatf_init_test_cases() 16855177f18SKristof Provost{ 16955177f18SKristof Provost atf_add_test_case "pr183198" 170d58d2e40SKristof Provost atf_add_test_case "nested_anchor" 171d5a0bf45SKristof Provost atf_add_test_case "wildcard" 172*1d723c1eSKristof Provost atf_add_test_case "nested_label" 17355177f18SKristof Provost} 174