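# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# pf forwarding tests: a jail ("alcatraz") acts as a router between two
# epair links and the host checks, with pft_ping.py, whether an ICMP echo
# request sent on one link is forwarded out of the other under various
# pf rule sets.  Shared helpers (pft_init, pft_set_rules, pft_cleanup,
# vnet_mkepair, vnet_mkjail) come from utils.subr.
. $(atf_get_srcdir)/utils.subr

# Location of the shared test tooling (pft_ping.py lives there).
common_dir=$(atf_get_srcdir)/../common

atf_test_case "v4" "cleanup"
v4_head()
{
	atf_set descr 'Basic forwarding test'
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}

# IPv4 forwarding through the jail with and without pf.
# Topology:
#   host ${epair_send}a 192.0.2.1  <->  192.0.2.2 ${epair_send}b (alcatraz)
#   alcatraz ${epair_recv}b 198.51.100.2  <->  ${epair_recv}a host (sniffer only)
# Packets for 198.51.100.3 are routed via the jail and expected to reappear
# on ${epair_recv}a.
v4_body()
{
	# Known-failing platform, see the referenced bug.
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	# The receive side of the host carries no address; it only sniffs.
	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# No real host answers for 198.51.100.3; a static ARP entry lets the
	# jail put the forwarded packet on ${epair_recv}b without resolving it.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Forward with pf enabled: a blanket "block in" must stop the echo
	# request on the way into the jail.
	pft_set_rules alcatraz "block in"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# ... and a blanket "block out" must stop it on the way out.
	pft_set_rules alcatraz "block out"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Allow ICMP: with pf's last-matching-rule-wins evaluation the
	# "pass in proto icmp" rule overrides the preceding "block in".
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a
}

v4_cleanup()
{
	pft_cleanup
}

atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'Basic IPv6 forwarding test'
	atf_set require.user root
	atf_set require.progs scapy
}

# IPv6 counterpart of v4_body.
# Topology:
#   host ${epair_send}a 2001:db8:42::1  <->  2001:db8:42::2 ${epair_send}b (alcatraz)
#   alcatraz ${epair_recv}b 2001:db8:43::2  <->  ${epair_recv}a host (sniffer only)
# Packets for 2001:db8:43::3 are routed via the jail and expected to
# reappear on ${epair_recv}a.
v6_body()
{
	# Known-failing platform, see the referenced bug.
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	epair_send=$(vnet_mkepair)
	epair_recv=$(vnet_mkepair)

	# no_dad: skip duplicate address detection so the addresses are
	# usable immediately rather than after the DAD timer expires.
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
	ifconfig ${epair_recv}a up

	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b

	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
	# Static NDP entry for the (nonexistent) destination, same reason as
	# the static ARP entry in the v4 test.
	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
	route add -6 2001:db8:43::/64 2001:db8:42::2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Block incoming echo request packets
	pft_set_rules alcatraz \
		"block in inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Block outgoing echo request packets.  stderr is ignored here
	# because only the exit status is of interest.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allow ICMPv6 but nothing else
	pft_set_rules alcatraz \
		"block out" \
		"pass out inet6 proto icmp6"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allowing ICMPv4 does not allow ICMPv6: "proto icmp" must not match
	# ICMPv6 traffic, so the echoreq block still applies.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq" \
		"pass in proto icmp"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a
}

v6_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
}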