xref: /freebsd/tests/sys/netpfil/pf/anchor.sh (revision 4d846d260e2b9a3d4d0a701462568268cbfe7a5b) 
155177f18SKristof Provost# $FreeBSD$
265d553b0SKristof Provost#
3*4d846d26SWarner Losh# SPDX-License-Identifier: BSD-2-Clause
465d553b0SKristof Provost#
565d553b0SKristof Provost# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
665d553b0SKristof Provost#
765d553b0SKristof Provost# Redistribution and use in source and binary forms, with or without
865d553b0SKristof Provost# modification, are permitted provided that the following conditions
965d553b0SKristof Provost# are met:
1065d553b0SKristof Provost# 1. Redistributions of source code must retain the above copyright
1165d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer.
1265d553b0SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright
1365d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer in the
1465d553b0SKristof Provost#    documentation and/or other materials provided with the distribution.
1565d553b0SKristof Provost#
1665d553b0SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
1765d553b0SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1865d553b0SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1965d553b0SKristof Provost# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2065d553b0SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2165d553b0SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2265d553b0SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2365d553b0SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2465d553b0SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2565d553b0SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2665d553b0SKristof Provost# SUCH DAMAGE.
2755177f18SKristof Provost
2855177f18SKristof Provost. $(atf_get_srcdir)/utils.subr
2955177f18SKristof Provost
3055177f18SKristof Provostatf_test_case "pr183198" "cleanup"
3155177f18SKristof Provostpr183198_head()
3255177f18SKristof Provost{
3355177f18SKristof Provost	atf_set descr 'Test tables referenced by rules in anchors'
3455177f18SKristof Provost	atf_set require.user root
3555177f18SKristof Provost}
3655177f18SKristof Provost
3755177f18SKristof Provostpr183198_body()
3855177f18SKristof Provost{
3955177f18SKristof Provost	pft_init
4055177f18SKristof Provost
4106aac31aSKristof Provost	epair=$(vnet_mkepair)
4206aac31aSKristof Provost	vnet_mkjail alcatraz ${epair}b
4355177f18SKristof Provost	jexec alcatraz pfctl -e
4455177f18SKristof Provost
4555177f18SKristof Provost	# Forward with pf enabled
4655177f18SKristof Provost	pft_set_rules alcatraz  \
4755177f18SKristof Provost		"table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \
4855177f18SKristof Provost		"block in" \
4955177f18SKristof Provost		"anchor \"epair\" on ${epair}b { \n\
5055177f18SKristof Provost			pass in from <test> \n\
5155177f18SKristof Provost		}"
5255177f18SKristof Provost
5355177f18SKristof Provost	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*'
5455177f18SKristof Provost	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show
5555177f18SKristof Provost}
5655177f18SKristof Provost
5755177f18SKristof Provostpr183198_cleanup()
5855177f18SKristof Provost{
5955177f18SKristof Provost	pft_cleanup
6055177f18SKristof Provost}
6155177f18SKristof Provost
62d58d2e40SKristof Provostatf_test_case "nested_anchor" "cleanup"
63d58d2e40SKristof Provostnested_anchor_head()
64d58d2e40SKristof Provost{
65d58d2e40SKristof Provost	atf_set descr 'Test setting and retrieving nested anchors'
66d58d2e40SKristof Provost	atf_set require.user root
67d58d2e40SKristof Provost}
68d58d2e40SKristof Provost
69d58d2e40SKristof Provostnested_anchor_body()
70d58d2e40SKristof Provost{
71d58d2e40SKristof Provost	pft_init
72d58d2e40SKristof Provost
73d58d2e40SKristof Provost	epair=$(vnet_mkepair)
74d58d2e40SKristof Provost	vnet_mkjail alcatraz ${epair}a
75d58d2e40SKristof Provost
76d58d2e40SKristof Provost	pft_set_rules alcatraz \
77d58d2e40SKristof Provost		"anchor \"foo\" { \n\
78d58d2e40SKristof Provost			anchor \"bar\" { \n\
79d58d2e40SKristof Provost				pass on ${epair}a \n\
80d58d2e40SKristof Provost			} \n\
81d58d2e40SKristof Provost		}"
82d58d2e40SKristof Provost
83d58d2e40SKristof Provost	atf_check -s exit:0 -o inline:"anchor \"foo\" all {
84d58d2e40SKristof Provost  anchor \"bar\" all {
85d58d2e40SKristof Provost    pass on ${epair}a all flags S/SA keep state
86d58d2e40SKristof Provost  }
87d58d2e40SKristof Provost}
88d58d2e40SKristof Provost" jexec alcatraz pfctl -sr -a "*"
89d58d2e40SKristof Provost}
90d58d2e40SKristof Provost
91d58d2e40SKristof Provostnested_anchor_cleanup()
92d58d2e40SKristof Provost{
93d58d2e40SKristof Provost	pft_cleanup
94d58d2e40SKristof Provost}
95d58d2e40SKristof Provost
96d5a0bf45SKristof Provostatf_test_case "wildcard" "cleanup"
97d5a0bf45SKristof Provostwildcard_head()
98d5a0bf45SKristof Provost{
99d5a0bf45SKristof Provost	atf_set descr 'Test wildcard anchors for functionality'
100d5a0bf45SKristof Provost	atf_set require.user root
101d5a0bf45SKristof Provost}
102d5a0bf45SKristof Provost
103d5a0bf45SKristof Provostwildcard_body()
104d5a0bf45SKristof Provost{
105d5a0bf45SKristof Provost	pft_init
106d5a0bf45SKristof Provost
107d5a0bf45SKristof Provost	epair=$(vnet_mkepair)
108d5a0bf45SKristof Provost	vnet_mkjail alcatraz ${epair}a
109d5a0bf45SKristof Provost
110d5a0bf45SKristof Provost	ifconfig ${epair}b 192.0.2.2/24 up
111d5a0bf45SKristof Provost	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
112d5a0bf45SKristof Provost
113d5a0bf45SKristof Provost	# Sanity check
114d5a0bf45SKristof Provost	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
115d5a0bf45SKristof Provost
116d5a0bf45SKristof Provost	jexec alcatraz pfctl -e
117d5a0bf45SKristof Provost	pft_set_rules alcatraz \
118d5a0bf45SKristof Provost		"block" \
119d5a0bf45SKristof Provost		"anchor \"foo/*\""
120d5a0bf45SKristof Provost
121d5a0bf45SKristof Provost	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1
122d5a0bf45SKristof Provost
123d5a0bf45SKristof Provost	echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar"
124d5a0bf45SKristof Provost
125d5a0bf45SKristof Provost	jexec alcatraz pfctl -sr -a "*"
126d5a0bf45SKristof Provost	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
127d5a0bf45SKristof Provost}
128d5a0bf45SKristof Provost
129d5a0bf45SKristof Provostwildcard_cleanup()
130d5a0bf45SKristof Provost{
131d5a0bf45SKristof Provost	pft_cleanup
132d5a0bf45SKristof Provost}
133d5a0bf45SKristof Provost
13455177f18SKristof Provostatf_init_test_cases()
13555177f18SKristof Provost{
13655177f18SKristof Provost	atf_add_test_case "pr183198"
137d58d2e40SKristof Provost	atf_add_test_case "nested_anchor"
138d5a0bf45SKristof Provost	atf_add_test_case "wildcard"
13955177f18SKristof Provost}
140