1# $FreeBSD$ 2# 3# SPDX-License-Identifier: BSD-2-Clause 4# 5# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org> 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 1. Redistributions of source code must retain the above copyright 11# notice, this list of conditions and the following disclaimer. 12# 2. Redistributions in binary form must reproduce the above copyright 13# notice, this list of conditions and the following disclaimer in the 14# documentation and/or other materials provided with the distribution. 15# 16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26# SUCH DAMAGE. 27 28. $(atf_get_srcdir)/utils.subr 29 30atf_test_case "pr183198" "cleanup" 31pr183198_head() 32{ 33 atf_set descr 'Test tables referenced by rules in anchors' 34 atf_set require.user root 35} 36 37pr183198_body() 38{ 39 pft_init 40 41 epair=$(vnet_mkepair) 42 vnet_mkjail alcatraz ${epair}b 43 jexec alcatraz pfctl -e 44 45 # Forward with pf enabled 46 pft_set_rules alcatraz \ 47 "table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \ 48 "block in" \ 49 "anchor \"epair\" on ${epair}b { \n\ 50 pass in from <test> \n\ 51 }" 52 53 atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*' 54 atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show 55} 56 57pr183198_cleanup() 58{ 59 pft_cleanup 60} 61 62atf_test_case "nested_anchor" "cleanup" 63nested_anchor_head() 64{ 65 atf_set descr 'Test setting and retrieving nested anchors' 66 atf_set require.user root 67} 68 69nested_anchor_body() 70{ 71 pft_init 72 73 epair=$(vnet_mkepair) 74 vnet_mkjail alcatraz ${epair}a 75 76 pft_set_rules alcatraz \ 77 "anchor \"foo\" { \n\ 78 anchor \"bar\" { \n\ 79 pass on ${epair}a \n\ 80 } \n\ 81 }" 82 83 atf_check -s exit:0 -o inline:"anchor \"foo\" all { 84 anchor \"bar\" all { 85 pass on ${epair}a all flags S/SA keep state 86 } 87} 88" jexec alcatraz pfctl -sr -a "*" 89} 90 91nested_anchor_cleanup() 92{ 93 pft_cleanup 94} 95 96atf_test_case "wildcard" "cleanup" 97wildcard_head() 98{ 99 atf_set descr 'Test wildcard anchors for functionality' 100 atf_set require.user root 101} 102 103wildcard_body() 104{ 105 pft_init 106 107 epair=$(vnet_mkepair) 108 vnet_mkjail alcatraz ${epair}a 109 110 ifconfig ${epair}b 192.0.2.2/24 up 111 jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up 112 113 # Sanity check 114 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 115 116 jexec alcatraz pfctl -e 117 pft_set_rules alcatraz \ 118 "block" \ 119 "anchor \"foo/*\"" 120 121 atf_check -s exit:2 -o ignore ping -c 1 192.0.2.1 122 123 echo "pass" | jexec alcatraz pfctl -g -f - -a "foo/bar" 124 125 jexec alcatraz pfctl -sr -a "*" 126 atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 127} 128 129wildcard_cleanup() 130{ 131 pft_cleanup 132} 133 134atf_init_test_cases() 135{ 136 atf_add_test_case "pr183198" 137 atf_add_test_case "nested_anchor" 138 atf_add_test_case "wildcard" 139} 140