#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# Shared pf test helpers (pft_init, pft_set_rules, pft_cleanup, vnet_mkepair,
# vnet_mkjail) come from utils.subr in the test source directory.
. $(atf_get_srcdir)/utils.subr

# PR 183198: a table declared in the main ruleset is referenced by a rule
# inside an anchor.  The test loads such a ruleset and checks that both the
# recursive rule listing and the table listing still succeed.
atf_test_case "pr183198" "cleanup"
pr183198_head()
{
	atf_set descr 'Test tables referenced by rules in anchors'
	atf_set require.user root
}

pr183198_body()
{
	pft_init

	# The b end of the epair is moved into the jail, where pf is enabled.
	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz pfctl -e

	# Forward with pf enabled
	pft_set_rules alcatraz \
		"table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \
		"block in" \
		"anchor \"epair\" on ${epair}b { \n\
			pass in from <test> \n\
		}"

	# Only the exit status is checked: the ruleset (recursively, -a '*')
	# and the table contents must be retrievable; their output is ignored.
	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*'
	atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show
}

pr183198_cleanup()
{
	pft_cleanup
}

# PR 279225: anchor names containing path components and a trailing
# wildcard must be listed back verbatim by pfctl.  No interface is needed,
# the test only loads and lists rules.
atf_test_case "pr279225" "cleanup"
pr279225_head()
{
	atf_set descr "Test that we can retrieve longer anchor names, PR 279225"
	atf_set require.user root
}

pr279225_body()
{
	pft_init

	vnet_mkjail alcatraz

	pft_set_rules alcatraz \
		"nat-anchor \"appjail-nat/jail/*\" all" \
		"rdr-anchor \"appjail-rdr/*\" all" \
		"anchor \"appjail/jail/*\" all"

	# The match: patterns are regular expressions, hence the escaped '*'
	# and '{'.  nat/rdr anchors are listed with -sn, filter anchors with -sr.
	atf_check -s exit:0 -o match:"nat-anchor \"appjail-nat/jail/\*\" all \{" \
	    jexec alcatraz pfctl -sn -a "*"
	atf_check -s exit:0 -o match:"rdr-anchor \"appjail-rdr/\*\" all \{" \
	    jexec alcatraz pfctl -sn -a "*"
	atf_check -s exit:0 -o match:"anchor \"appjail/jail/\*\" all \{" \
	    jexec alcatraz pfctl -sr -a "*"
}

pr279225_cleanup()
{
	pft_cleanup
}

# A two-level inline anchor ("foo" containing "bar") is loaded and the
# recursive listing is compared against the exact expected text.  pf is not
# enabled in this test; only rule loading and listing are exercised.
atf_test_case "nested_anchor" "cleanup"
nested_anchor_head()
{
	atf_set descr 'Test setting and retrieving nested anchors'
	atf_set require.user root
}

nested_anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	pft_set_rules alcatraz \
		"anchor \"foo\" { \n\
			anchor \"bar\" { \n\
				pass on ${epair}a \n\
			} \n\
		}"

	# The expectation is an exact match of pfctl's output, including the
	# defaults pfctl adds to the rule ("all flags S/SA keep state").
	# NOTE(review): the leading whitespace of the nested lines inside this
	# inline: string must match pfctl's nested-anchor indentation exactly;
	# confirm against the upstream file if this comparison ever fails.
	atf_check -s exit:0 -o inline:"anchor \"foo\" all {
  anchor \"bar\" all {
    pass on ${epair}a all flags S/SA keep state
  }
}
" jexec alcatraz pfctl -sr -a "*"
}

nested_anchor_cleanup()
{
	pft_cleanup
}

# Functional test for wildcard anchors: with "block" plus an empty wildcard
# anchor "foo/*" traffic is dropped; once a "pass" rule is loaded into the
# sub-anchor "foo/bar" the wildcard must pick it up and traffic flows again.
atf_test_case "wildcard" "cleanup"
wildcard_head()
{
	atf_set descr 'Test wildcard anchors for functionality'
	atf_set require.user root
}

wildcard_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}a

	# Host side: 192.0.2.2, jail side: 192.0.2.1 (TEST-NET-1 addresses).
	ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"block" \
		"anchor \"foo/*\""

	# Nothing matches inside the wildcard anchor yet, so "block" wins and
	# ping gets no reply (exit status 2).
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1

	# Load a single "pass" rule into the sub-anchor foo/bar from stdin.
	# NOTE(review): this load is not wrapped in atf_check, so a failure
	# here would only surface indirectly as the final ping check failing.
	echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar"

	# Unchecked listing; presumably kept for diagnostics in the test log.
	jexec alcatraz pfctl -sr -a "*"

	# The wildcard anchor must now evaluate foo/bar and let the ping through.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
}

wildcard_cleanup()
{
	pft_cleanup
}

# Labels on rules at the top level and inside nested anchors must all show
# up in a recursive label listing (pfctl -sl -a*), in rule order.
atf_test_case "nested_label" "cleanup"
nested_label_head()
{
	atf_set descr "Test recursive listing of labels"
	atf_set require.user root
}

nested_label_body()
{
	pft_init

	vnet_mkjail alcatraz

	pft_set_rules alcatraz \
		"anchor \"foo\" { \n\
			pass in quick proto icmp label \"passicmp\"\n\
			anchor \"bar\" { \n\
				pass in proto tcp label \"passtcp\"\n\
			} \n\
		}" \
		"pass quick from any to any label \"anytoany\""

	# Each label is followed by its eight counters, all zero since no
	# traffic has been passed through the ruleset.
	atf_check -s exit:0 \
	    -o inline:"passicmp 0 0 0 0 0 0 0 0
passtcp 0 0 0 0 0 0 0 0
anytoany 0 0 0 0 0 0 0 0
" jexec alcatraz pfctl -sl -a*
}

nested_label_cleanup()
{
	pft_cleanup
}

# Register every test case defined above with the ATF runner.
atf_init_test_cases()
{
	atf_add_test_case "pr183198"
	atf_add_test_case "pr279225"
	atf_add_test_case "nested_anchor"
	atf_add_test_case "wildcard"
	atf_add_test_case "nested_label"
}