# $FreeBSD$
# Shared pf test helpers (pft_init, pft_set_rules, pft_cleanup, vnet_mkepair,
# vnet_mkjail are used below and are presumably defined in utils.subr).
. $(atf_get_srcdir)/utils.subr
# IPv4 forwarding test case; "cleanup" registers v4_cleanup to run afterwards.
atf_test_case "v4" "cleanup"
v4_head()
{
	atf_set descr 'Basic forwarding test'
	# pft_ping.py is a scapy script, so the test is skipped without scapy.
	atf_set require.progs scapy
	# epairs, jails and pf configuration all require root.
	atf_set require.user root
}
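v4_body()
{
	# Known to misbehave on i386; see the referenced PR.
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	# Host side: 192.0.2.1 on the sending epair. The receiving epair is
	# only brought up (no address) since pft_ping.py just sniffs on it.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	# The jail 'alcatraz' is the router between the two epairs.
	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static ARP entry for the destination (no host is configured with
	# that address) so the jail can emit the forwarded packet without
	# resolving it.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Forward with pf enabled: "block in" must stop the packet on the
	# jail's ingress interface (${epair_send}b) ...
	pft_set_rules alcatraz "block in"
	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# ... and "block out" must stop it on the egress interface
	# (${epair_recv}b). Uses --recvif like the other invocations; the
	# previous "--recv" spelling only worked by option-prefix matching.
	pft_set_rules alcatraz "block out"
	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Allow ICMP: the later, more specific pass rule wins over the
	# preceding block (pf uses last-matching-rule semantics).
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a
}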
# Tear down the jail, epairs and pf state created by v4_body.
v4_cleanup()
{
	pft_cleanup
}
# IPv6 forwarding test case; "cleanup" registers v6_cleanup to run afterwards.
atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'Basic IPv6 forwarding test'
	# pft_ping.py is a scapy script, so the test is skipped without scapy.
	atf_set require.progs scapy
	# epairs, jails and pf configuration all require root.
	atf_set require.user root
}
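v6_body()
{
	# Known to misbehave on i386; see the referenced PR.
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	epair_send=$(vnet_mkepair)
	epair_recv=$(vnet_mkepair)

	# Host side: 2001:db8:42::1 on the sending epair (DAD disabled so the
	# address is usable immediately). The receiving epair is only brought
	# up since pft_ping.py just sniffs on it.
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
	ifconfig ${epair_recv}a up

	# The jail 'alcatraz' is the router between the two epairs.
	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b

	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
	# Static NDP entry for the destination (no host is configured with
	# that address) so the jail can emit the forwarded packet without
	# neighbour discovery.
	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
	route add -6 2001:db8:43::/64 2001:db8:42::2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Block incoming echo request packets (ingress interface ${epair_send}b)
	pft_set_rules alcatraz \
		"block in inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Block outgoing echo request packets (egress interface ${epair_recv}b).
	# Only the exit status is asserted here; stderr is deliberately ignored.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allow ICMPv6 but nothing else: the later pass rule wins over the
	# preceding block (pf uses last-matching-rule semantics).
	pft_set_rules alcatraz \
		"block out" \
		"pass out inet6 proto icmp6"
	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allowing ICMPv4 does not allow ICMPv6: "proto icmp" must not match
	# icmp6 traffic, so the block rule still applies.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq" \
		"pass in proto icmp"
	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a
}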
# Tear down the jail, epairs and pf state created by v6_body.
v6_cleanup()
{
	pft_cleanup
}
atf_init_test_cases()
{
	# Register both address-family variants of the forwarding test.
	for tc in v4 v6; do
		atf_add_test_case "${tc}"
	done
}