xref: /freebsd/tests/sys/netpfil/pf/ether.sh (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1# $FreeBSD$
2#
3# SPDX-License-Identifier: BSD-2-Clause
4#
5# Copyright © 2021. Rubicon Communications, LLC (Netgate). All Rights Reserved.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
30common_dir=$(atf_get_srcdir)/../common
31
32atf_test_case "mac" "cleanup"
33mac_head()
34{
35	atf_set descr 'Test MAC address filtering'
36	atf_set require.user root
37}
38
39mac_body()
40{
41	pft_init
42
43	epair=$(vnet_mkepair)
44	epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }')
45
46	ifconfig ${epair}a 192.0.2.1/24 up
47
48	vnet_mkjail alcatraz ${epair}b
49	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
50
51	pft_set_rules alcatraz \
52		"ether block from ${epair_a_mac}"
53
54	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
55
56	# Now enable. Ping should fail.
57	jexec alcatraz pfctl -e
58
59	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
60
61	# Should still fail for 'to'
62	pft_set_rules alcatraz \
63		"ether block to ${epair_a_mac}"
64	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
65
66	# Succeeds if we block a different MAC address
67	pft_set_rules alcatraz \
68		"ether block to 00:01:02:03:04:05"
69	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
70
71	# Should still fail for 'to', even if it's in a list
72	pft_set_rules alcatraz \
73		"ether block to { ${epair_a_mac}, 00:01:02:0:04:05 }"
74	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
75
76	# Now try this with an interface specified
77	pft_set_rules alcatraz \
78		"ether block on ${epair}b from ${epair_a_mac}"
79	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
80
81	# Wrong interface should not match
82	pft_set_rules alcatraz \
83		"ether block on ${epair}a from ${epair_a_mac}"
84	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
85
86	# Test negation
87	pft_set_rules alcatraz \
88		"ether block in on ${epair}b from ! ${epair_a_mac}"
89	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
90
91	pft_set_rules alcatraz \
92		"ether block out on ${epair}b to ! ${epair_a_mac}"
93	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
94
95	# Block everything not us
96	pft_set_rules alcatraz \
97		"ether block out on ${epair}b to { ! ${epair_a_mac} }"
98	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
99
100	# Block us now
101	pft_set_rules alcatraz \
102		"ether block out on ${epair}b to { ! 00:01:02:03:04:05 }"
103	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
104
105	# Block with a masked address
106	pft_set_rules alcatraz \
107		"ether block out on ${epair}b to { ! 00:01:02:03:00:00/32 }"
108	jexec alcatraz pfctl -se
109	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
110
111	epair_prefix=$(echo $epair_a_mac | cut -c-8)
112	pft_set_rules alcatraz \
113		"ether block out on ${epair}b to { ${epair_prefix}:00:00:00/24 }"
114	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
115
116	pft_set_rules alcatraz \
117		"ether block out on ${epair}b to { ${epair_prefix}:00:00:00&ff:ff:ff:00:00:00 }"
118	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
119
120	# Check '-F ethernet' works
121	jexec alcatraz pfctl -F ethernet
122	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
123}
124
125mac_cleanup()
126{
127	pft_cleanup
128}
129
130atf_test_case "proto" "cleanup"
131proto_head()
132{
133	atf_set descr 'Test EtherType filtering'
134	atf_set require.user root
135}
136
137proto_body()
138{
139	pft_init
140
141	epair=$(vnet_mkepair)
142	epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }')
143
144	ifconfig ${epair}a 192.0.2.1/24 up
145
146	vnet_mkjail alcatraz ${epair}b
147	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
148
149	pft_set_rules alcatraz \
150		"ether block proto 0x0810"
151	jexec alcatraz pfctl -e
152
153	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
154
155	# Block IP
156	pft_set_rules alcatraz \
157		"ether block proto 0x0800"
158	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
159
160	# Block ARP
161	pft_set_rules alcatraz \
162		"ether block proto 0x0806"
163	arp -d 192.0.2.2
164	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
165}
166
167proto_cleanup()
168{
169	pft_cleanup
170}
171
172atf_test_case "direction" "cleanup"
173direction_head()
174{
175	atf_set descr 'Test directionality of ether rules'
176	atf_set require.user root
177	atf_set require.progs jq
178}
179
180direction_body()
181{
182	pft_init
183
184	epair=$(vnet_mkepair)
185	epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }')
186	epair_b_mac=$(ifconfig ${epair}b ether | awk '/ether/ { print $2; }')
187
188	ifconfig ${epair}a 192.0.2.1/24 up
189
190	vnet_mkjail alcatraz ${epair}b
191	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
192
193	pft_set_rules alcatraz \
194		"ether block in proto 0x0806"
195	jexec alcatraz pfctl -e
196
197	arp -d 192.0.2.2
198	jexec alcatraz arp -d 192.0.2.1
199
200	# We don't allow the jail to receive ARP requests, so if we try to ping
201	# from host to jail the host can't resolve the MAC address
202	ping -c 1 -t 1 192.0.2.2
203
204	mac=$(arp -an --libxo json \
205	    | jq '."arp"."arp-cache"[] |
206	    select(."ip-address"=="192.0.2.2")."mac-address"')
207	atf_check_not_equal "$mac" "$epair_b_mac"
208
209	# Clear ARP table again
210	arp -d 192.0.2.2
211	jexec alcatraz arp -d 192.0.2.1
212
213	# However, we allow outbound ARP, so the host will learn our MAC if the
214	# jail tries to ping
215	jexec alcatraz ping -c 1 -t 1 192.0.2.1
216
217	mac=$(arp -an --libxo json \
218	    | jq '."arp"."arp-cache"[] |
219	    select(."ip-address"=="192.0.2.2")."mac-address"')
220	atf_check_equal "$mac" "$epair_b_mac"
221
222	# Now do the same, but with outbound ARP blocking
223	pft_set_rules alcatraz \
224		"ether block out proto 0x0806"
225
226	# Clear ARP table again
227	arp -d 192.0.2.2
228	jexec alcatraz arp -d 192.0.2.1
229
230	# The jail can't send ARP requests to us, so we'll never learn our MAC
231	# address
232	jexec alcatraz ping -c 1 -t 1 192.0.2.1
233
234	mac=$(jexec alcatraz arp -an --libxo json \
235	    | jq '."arp"."arp-cache"[] |
236	    select(."ip-address"=="192.0.2.1")."mac-address"')
237	atf_check_not_equal "$mac" "$epair_a_mac"
238}
239
240direction_cleanup()
241{
242	pft_cleanup
243}
244
245atf_test_case "captive" "cleanup"
246captive_head()
247{
248	atf_set descr 'Test a basic captive portal-like setup'
249	atf_set require.user root
250}
251
252captive_body()
253{
254	# Host is client, jail 'gw' is the captive portal gateway, jail 'srv'
255	# is a random (web)server. We use the echo protocol rather than http
256	# for the test, because that's easier.
257	pft_init
258
259	epair_gw=$(vnet_mkepair)
260	epair_srv=$(vnet_mkepair)
261	epair_gw_a_mac=$(ifconfig ${epair_gw}a ether | awk '/ether/ { print $2; }')
262
263	vnet_mkjail gw ${epair_gw}b ${epair_srv}a
264	vnet_mkjail srv ${epair_srv}b
265
266	ifconfig ${epair_gw}a 192.0.2.2/24 up
267	route add -net 198.51.100.0/24 192.0.2.1
268	jexec gw ifconfig ${epair_gw}b 192.0.2.1/24 up
269	jexec gw ifconfig lo0 127.0.0.1/8 up
270	jexec gw sysctl net.inet.ip.forwarding=1
271
272	jexec gw ifconfig ${epair_srv}a 198.51.100.1/24 up
273	jexec srv ifconfig ${epair_srv}b 198.51.100.2/24 up
274	jexec srv route add -net 192.0.2.0/24 198.51.100.1
275
276	# Sanity check
277	atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2
278
279	pft_set_rules gw \
280		"ether pass quick proto 0x0806" \
281		"ether pass tag captive" \
282		"rdr on ${epair_gw}b proto tcp to port echo tagged captive -> 127.0.0.1 port echo"
283	jexec gw pfctl -e
284
285	# ICMP should still work, because we don't redirect it.
286	atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2
287
288	# Run the echo server only on the gw, so we know we've redirectly
289	# correctly if we get an echo message.
290	jexec gw /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf
291
292	# Confirm that we're getting redirected
293	atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 7"
294
295	jexec gw killall inetd
296
297	# Now pretend we've authenticated, so add the client's MAC address
298	pft_set_rules gw \
299		"ether pass quick proto 0x0806" \
300		"ether pass quick from ${epair_gw_a_mac}" \
301		"ether pass tag captive" \
302		"rdr on ${epair_gw}b proto tcp to port echo tagged captive -> 127.0.0.1 port echo"
303
304	# No redirect, so failure.
305	atf_check -s exit:1 -x "echo foo | nc -N 198.51.100.2 7"
306
307	# Start a server in srv
308	jexec srv /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf
309
310	# And now we can talk to that one.
311	atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 7"
312}
313
314captive_cleanup()
315{
316	pft_cleanup
317}
318
319atf_test_case "captive_long" "cleanup"
320captive_long_head()
321{
322	atf_set descr 'More complex captive portal setup'
323	atf_set require.user root
324}
325
326captive_long_body()
327{
328	# Host is client, jail 'gw' is the captive portal gateway, jail 'srv'
329	# is a random (web)server. We use the echo protocol rather than http
330	# for the test, because that's easier.
331	dummynet_init
332
333	epair_gw=$(vnet_mkepair)
334	epair_srv=$(vnet_mkepair)
335	epair_gw_a_mac=$(ifconfig ${epair_gw}a ether | awk '/ether/ { print $2; }')
336
337	vnet_mkjail gw ${epair_gw}b ${epair_srv}a
338	vnet_mkjail srv ${epair_srv}b
339
340	ifconfig ${epair_gw}a 192.0.2.2/24 up
341	route add -net 198.51.100.0/24 192.0.2.1
342	jexec gw ifconfig ${epair_gw}b 192.0.2.1/24 up
343	jexec gw ifconfig lo0 127.0.0.1/8 up
344	jexec gw sysctl net.inet.ip.forwarding=1
345
346	jexec gw ifconfig ${epair_srv}a 198.51.100.1/24 up
347	jexec srv ifconfig ${epair_srv}b 198.51.100.2/24 up
348	jexec srv route add -net 192.0.2.0/24 198.51.100.1
349
350	jexec gw dnctl pipe 1 config bw 300KByte/s
351
352	# Sanity check
353	atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2
354
355	pft_set_rules gw \
356		"ether anchor \"captiveportal\" on { ${epair_gw}b } {" \
357			"ether pass quick proto { 0x0806, 0x8035, 0x888e, 0x88c7, 0x8863, 0x8864 }" \
358			"ether pass tag \"captive\"" \
359		"}" \
360		"rdr on ${epair_gw}b proto tcp to port daytime tagged captive -> 127.0.0.1 port echo"
361	jexec gw pfctl -e
362
363	# ICMP should still work, because we don't redirect it.
364	atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2
365
366	jexec gw /usr/sbin/inetd -p gw.pid $(atf_get_srcdir)/echo_inetd.conf
367	jexec srv /usr/sbin/inetd -p srv.pid $(atf_get_srcdir)/daytime_inetd.conf
368
369	echo foo | nc -N 198.51.100.2 13
370
371	# Confirm that we're getting redirected
372	atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 13"
373
374	# Now update the rules to allow our client to pass without redirect
375	pft_set_rules gw \
376		"ether anchor \"captiveportal\" on { ${epair_gw}b } {" \
377			"ether pass quick proto { 0x0806, 0x8035, 0x888e, 0x88c7, 0x8863, 0x8864 }" \
378			"ether pass quick from { ${epair_gw_a_mac} } dnpipe 1" \
379			"ether pass tag \"captive\"" \
380		"}" \
381		"rdr on ${epair_gw}b proto tcp to port daytime tagged captive -> 127.0.0.1 port echo"
382
383	# We're not being redirected and get datime information now
384	atf_check -s exit:0 -o match:"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)" -x "echo foo | nc -N 198.51.100.2 13"
385
386	jexec gw killall inetd
387	jexec srv killall inetd
388}
389
390captive_long_cleanup()
391{
392	pft_cleanup
393}
394
395atf_test_case "dummynet" "cleanup"
396dummynet_head()
397{
398	atf_set descr 'Test dummynet for L2 traffic'
399	atf_set require.user root
400}
401
402dummynet_body()
403{
404	pft_init
405
406	if ! kldstat -q -m dummynet; then
407		atf_skip "This test requires dummynet"
408	fi
409
410	epair=$(vnet_mkepair)
411	vnet_mkjail alcatraz ${epair}b
412
413	ifconfig ${epair}a 192.0.2.1/24 up
414	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
415
416	# Sanity check
417	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2
418
419	jexec alcatraz dnctl pipe 1 config bw 30Byte/s
420	jexec alcatraz pfctl -e
421	pft_set_rules alcatraz \
422		"ether pass in dnpipe 1"
423
424	# Ensure things don't break if non-IP(v4/v6) traffic hits dummynet
425	arp -d 192.0.2.2
426
427	# single ping succeeds just fine
428	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
429
430	# Saturate the link
431	ping -i .1 -c 5 -s 1200 192.0.2.2
432
433	# We should now be hitting the limits and get this packet dropped.
434	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
435
436	# We can now also dummynet outbound traffic!
437	pft_set_rules alcatraz \
438		"ether pass out dnpipe 1"
439
440	# We should still be hitting the limits and get this packet dropped.
441	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
442}
443
444dummynet_cleanup()
445{
446	pft_cleanup
447}
448
449atf_test_case "anchor" "cleanup"
450anchor_head()
451{
452	atf_set descr 'Test ether anchors'
453	atf_set require.user root
454}
455
456anchor_body()
457{
458	pft_init
459
460	epair=$(vnet_mkepair)
461	epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }')
462
463	vnet_mkjail alcatraz ${epair}b
464
465	ifconfig ${epair}a 192.0.2.1/24 up
466	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
467
468	# Sanity check
469	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
470
471	jexec alcatraz pfctl -e
472	pft_set_rules alcatraz \
473		"ether anchor \"foo\" in on lo0 {" \
474			"ether block" \
475		"}"
476
477	# That only filters on lo0, so we should still be able to pass traffic
478	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
479
480	pft_set_rules alcatraz \
481		"ether block in" \
482		"ether anchor \"foo\" in on ${epair}b {" \
483			"ether pass" \
484		"}"
485	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
486
487	pft_set_rules alcatraz \
488		"ether pass" \
489		"ether anchor \"bar\" in on ${epair}b {" \
490			"ether block" \
491		"}"
492	atf_check -s exit:2 -o ignore ping -c 1 -t 2 192.0.2.2
493
494	pft_set_rules alcatraz \
495		"ether block in" \
496		"ether anchor \"baz\" on ${epair}b {" \
497			"ether pass in from 01:02:03:04:05:06" \
498		"}" \
499		"ether pass in from ${epair_a_mac}"
500	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
501
502	atf_check -s exit:0 -o match:'baz' jexec alcatraz pfctl -sA
503}
504
505anchor_cleanup()
506{
507	pft_cleanup
508}
509
510atf_test_case "ip" "cleanup"
511ip_head()
512{
513	atf_set descr 'Test filtering based on IP source/destination'
514	atf_set require.user root
515}
516
517ip_body()
518{
519	pft_init
520
521	epair=$(vnet_mkepair)
522
523	vnet_mkjail alcatraz ${epair}b
524
525	ifconfig ${epair}a 192.0.2.1/24 up
526	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
527
528	# Sanity check
529	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
530
531	jexec alcatraz pfctl -e
532	pft_set_rules alcatraz \
533		"ether pass" \
534		"ether block in l3 from 192.0.2.1"
535
536	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
537
538	# Change IP address and we can ping again
539	ifconfig ${epair}a 192.0.2.3/24 up
540	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
541
542	# Test the 'to' keyword too
543	pft_set_rules alcatraz \
544		"ether pass" \
545		"ether block out l3 to 192.0.2.3"
546	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
547
548	# Test table
549	pft_set_rules alcatraz \
550		"table <tbl> { 192.0.2.3 }" \
551		"ether pass" \
552		"ether block out l3 to <tbl>"
553	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
554}
555
556ip_cleanup()
557{
558	pft_cleanup
559}
560
561atf_test_case "tag" "cleanup"
562tag_head()
563{
564	atf_set descr 'Test setting tags'
565	atf_set require.user root
566}
567
568tag_body()
569{
570	pft_init
571
572	epair=$(vnet_mkepair)
573
574	vnet_mkjail alcatraz ${epair}b
575	ifconfig ${epair}a 192.0.2.1/24 up
576	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
577
578	# Sanity check
579	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
580
581	jexec alcatraz pfctl -e
582	pft_set_rules alcatraz \
583		"ether pass in tag foo" \
584		"block in tagged foo"
585
586	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
587
588	pft_set_rules alcatraz \
589		"ether pass in tag bar" \
590		"block in tagged foo"
591
592	# Still passes when tagged differently
593	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
594}
595
596tag_cleanup()
597{
598	pft_cleanup
599}
600
601atf_test_case "match_tag" "cleanup"
602match_tag_head()
603{
604	atf_set descr 'Test matching tags'
605	atf_set require.user root
606}
607
608match_tag_body()
609{
610	pft_init
611
612	epair=$(vnet_mkepair)
613
614	vnet_mkjail alcatraz ${epair}b
615
616	ifconfig ${epair}a 192.0.2.1/24 up
617	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
618
619	# Sanity check
620	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
621
622	jexec alcatraz pfctl -e
623	pft_set_rules alcatraz \
624		"ether block out tagged foo" \
625		"pass in proto icmp tag foo"
626
627	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
628
629	pft_set_rules alcatraz \
630		"ether block out tagged bar" \
631		"pass in proto icmp tag foo"
632
633	# Still passes when tagged differently
634	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
635}
636
637match_tag_cleanup()
638{
639	pft_cleanup
640}
641
642atf_test_case "short_pkt" "cleanup"
643short_pkt_head()
644{
645	atf_set descr 'Test overly short Ethernet packets'
646	atf_set require.user root
647	atf_set require.progs scapy
648}
649
650short_pkt_body()
651{
652	pft_init
653
654	epair=$(vnet_mkepair)
655	ifconfig ${epair}a 192.0.2.1/24 up
656
657	vnet_mkjail alcatraz ${epair}b
658	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
659
660	jexec alcatraz pfctl -e
661	pft_set_rules alcatraz \
662		"ether pass in" \
663		"ether pass out" \
664		"ether pass in l3 from 192.0.2.1"
665
666	# Sanity check
667	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
668
669	jexec alcatraz pfctl -se -v
670
671	# Try sending ever shorter ping requests
672	# BPF won't let us send anything shorter than an Ethernet header, but
673	# that's good enough for this test
674	$(atf_get_srcdir)/pft_ether.py \
675	    --sendif ${epair}a \
676	    --to 192.0.2.2 \
677	    --len 14-64
678}
679
680short_pkt_cleanup()
681{
682	pft_cleanup
683}
684
685atf_test_case "bridge_to" "cleanup"
686bridge_to_head()
687{
688	atf_set descr 'Test bridge-to keyword'
689	atf_set require.user root
690	atf_set require.progs scapy
691}
692
693bridge_to_body()
694{
695	pft_init
696
697	epair_in=$(vnet_mkepair)
698	epair_out=$(vnet_mkepair)
699
700	ifconfig ${epair_in}a 192.0.2.1/24 up
701	ifconfig ${epair_out}a up
702
703	vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
704	jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
705	jexec alcatraz ifconfig ${epair_out}b up
706
707	# Sanity check
708	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
709	atf_check -s exit:1 -o ignore \
710		${common_dir}/pft_ping.py \
711		--sendif ${epair_in}a \
712		--to 192.0.2.2 \
713		--recvif ${epair_out}a
714
715	jexec alcatraz pfctl -e
716	pft_set_rules alcatraz \
717		"ether pass in on ${epair_in}b bridge-to ${epair_out}b"
718
719	# Now the packets go out epair_out rather than be processed locally
720	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
721	atf_check -s exit:0 -o ignore \
722		${common_dir}/pft_ping.py \
723		--sendif ${epair_in}a \
724		--to 192.0.2.2 \
725		--recvif ${epair_out}a
726}
727
728bridge_to_cleanup()
729{
730	pft_cleanup
731}
732
733atf_init_test_cases()
734{
735	atf_add_test_case "mac"
736	atf_add_test_case "proto"
737	atf_add_test_case "direction"
738	atf_add_test_case "captive"
739	atf_add_test_case "captive_long"
740	atf_add_test_case "dummynet"
741	atf_add_test_case "anchor"
742	atf_add_test_case "ip"
743	atf_add_test_case "tag"
744	atf_add_test_case "match_tag"
745	atf_add_test_case "short_pkt"
746	atf_add_test_case "bridge_to"
747}
748