165d553b0SKristof Provost#
24d846d26SWarner Losh# SPDX-License-Identifier: BSD-2-Clause
365d553b0SKristof Provost#
465d553b0SKristof Provost# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
565d553b0SKristof Provost#
665d553b0SKristof Provost# Redistribution and use in source and binary forms, with or without
765d553b0SKristof Provost# modification, are permitted provided that the following conditions
865d553b0SKristof Provost# are met:
965d553b0SKristof Provost# 1. Redistributions of source code must retain the above copyright
1065d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer.
1165d553b0SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright
1265d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer in the
1365d553b0SKristof Provost#    documentation and/or other materials provided with the distribution.
1465d553b0SKristof Provost#
1565d553b0SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
1665d553b0SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1765d553b0SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1865d553b0SKristof Provost# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1965d553b0SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2065d553b0SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2165d553b0SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2265d553b0SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2365d553b0SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2465d553b0SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2565d553b0SKristof Provost# SUCH DAMAGE.
26c0b63519SKristof Provost
# Shared pf test helpers (pft_init, pft_set_rules, pft_cleanup, vnet_mkepair,
# vnet_mkjail, ...) live next to this script.
. $(atf_get_srcdir)/utils.subr

# pft_ping.py, the scapy-based sender/sniffer used by every check below, is
# shared with the other netpfil test suites and lives one level up.
common_dir=$(atf_get_srcdir)/../common
3095312530SKristof Provost
atf_test_case "v4" "cleanup"
v4_head()
{
	# Creating epairs, a vnet jail and loading pf rules all need root.
	atf_set require.user root
	atf_set descr "Basic forwarding test"

	# The body drives pft_ping.py, which is a scapy script; skip rather
	# than fail when the interpreter or scapy is not installed.
	atf_set require.progs python3 scapy
}
40c0b63519SKristof Provost
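v4_body()
{
	pft_init

	# Sender side: the host end of the first epair is the source of the
	# echo requests, the jail end (192.0.2.2) is the first hop.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	# Receiver side: the host end of the second epair carries no address;
	# it is only brought up so pft_ping.py can sniff what the jail forwards.
	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	# The jail is the router between 192.0.2.0/24 and 198.51.100.0/24.
	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Nothing answers for 198.51.100.3, so pin a static ARP entry in the
	# jail; otherwise the forwarded packet would stall on ARP resolution
	# instead of showing up on ${epair_recv}b.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	# Host route for the far subnet via the jail.  This modifies the host's
	# routing table; it is presumably torn down with the epair by
	# pft_cleanup (see v4_cleanup).
	route add -net 198.51.100.0/24 192.0.2.2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Forward with pf enabled.  pf's default when no rule matches is pass,
	# so a lone "block in" rejects everything inbound on every interface,
	# including the echo request arriving on ${epair_send}b.
	pft_set_rules alcatraz "block in"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Blocking on the way out must stop the forwarded packet too.
	# Always spell out --recvif here: the short form only worked through
	# argparse prefix matching and breaks as soon as another --recv*
	# option is added to pft_ping.py.
	pft_set_rules alcatraz "block out"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Allow ICMP: a later, more specific pass rule wins over "block in".
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a
}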
86c0b63519SKristof Provost
# Tear down the jail, epairs and pf state created by v4_body.  Runs even
# when the body fails, so nothing from the test leaks into the host vnet.
v4_cleanup()
{
	pft_cleanup
}
91c0b63519SKristof Provost
atf_test_case "v6" "cleanup"
v6_head()
{
	# Creating epairs, a vnet jail and loading pf rules all need root.
	atf_set require.user root
	atf_set descr "Basic IPv6 forwarding test"
	# The body drives pft_ping.py, a scapy script.
	atf_set require.progs python3 scapy
}
99ba22aeacSKristof Provost
v6_body()
{
	pft_init

	# Skipped when running under CI; see the referenced bug report.
	if [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "https://bugs.freebsd.org/260460"
	fi

	# Sender side.  no_dad skips duplicate address detection and
	# -ifdisabled clears the disabled flag, so the address is usable
	# right away.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	# Receiver side: no address, brought up only for sniffing.
	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	# The jail routes between 2001:db8:42::/64 and 2001:db8:43::/64.
	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
	# Nobody answers for 2001:db8:43::3, so a static neighbour entry keeps
	# the forwarded packet from waiting on neighbour discovery.
	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
	# Host route for the far /64 via the jail.
	route add -6 2001:db8:43::/64 2001:db8:42::2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Block incoming echo request packets
	pft_set_rules alcatraz "block in inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Block outgoing echo request packets.  Only the exit status matters
	# here; whatever pft_ping.py writes to stderr is ignored.
	pft_set_rules alcatraz "block out inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allow ICMPv6 but nothing else
	pft_set_rules alcatraz "block out" "pass out inet6 proto icmp6"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allowing ICMPv4 does not allow ICMPv6: "proto icmp" must not match
	# an ICMPv6 echo request, so the block rule still applies.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq" \
		"pass in proto icmp"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a
}
164ba22aeacSKristof Provost
# Tear down the jail, epairs and pf state created by v6_body.  Runs even
# when the body fails or is skipped.
v6_cleanup()
{
	pft_cleanup
}
169ba22aeacSKristof Provost
# Register the test cases with ATF; order here is the listing order.
atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
}
175