1# $FreeBSD$ 2 3. $(atf_get_srcdir)/utils.subr 4 5atf_test_case "v4" "cleanup" 6v4_head() 7{ 8 atf_set descr 'Basic forwarding test' 9 atf_set require.user root 10 11 # We need scapy to be installed for out test scripts to work 12 atf_set require.progs scapy 13} 14 15v4_body() 16{ 17 pft_init 18 19 epair_send=$(vnet_mkepair) 20 ifconfig ${epair_send}a 192.0.2.1/24 up 21 22 epair_recv=$(vnet_mkepair) 23 ifconfig ${epair_recv}a up 24 25 vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b 26 jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up 27 jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up 28 jexec alcatraz sysctl net.inet.ip.forwarding=1 29 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 30 route add -net 198.51.100.0/24 192.0.2.2 31 32 # Sanity check, can we forward ICMP echo requests without pf? 33 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ 34 --sendif ${epair_send}a \ 35 --to 198.51.100.3 \ 36 --recvif ${epair_recv}a 37 38 jexec alcatraz pfctl -e 39 40 # Forward with pf enabled 41 pft_set_rules alcatraz "block in" 42 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ 43 --sendif ${epair_send}a \ 44 --to 198.51.100.3 \ 45 --recvif ${epair_recv}a 46 47 pft_set_rules alcatraz "block out" 48 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ 49 --sendif ${epair_send}a \ 50 --to 198.51.100.3 \ 51 --recv ${epair_recv}a 52 53 # Allow ICMP 54 pft_set_rules alcatraz "block in" "pass in proto icmp" 55 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ 56 --sendif ${epair_send}a \ 57 --to 198.51.100.3 \ 58 --recvif ${epair_recv}a 59} 60 61v4_cleanup() 62{ 63 pft_cleanup 64} 65 66atf_test_case "v6" "cleanup" 67v6_head() 68{ 69 atf_set descr 'Basic IPv6 forwarding test' 70 atf_set require.user root 71 atf_set require.progs scapy 72} 73 74v6_body() 75{ 76 pft_init 77 78 epair_send=$(vnet_mkepair) 79 epair_recv=$(vnet_mkepair) 80 81 ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled 82 ifconfig ${epair_recv}a up 83 84 vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b 85 86 jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad 87 jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad 88 jexec alcatraz sysctl net.inet6.ip6.forwarding=1 89 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05 90 route add -6 2001:db8:43::/64 2001:db8:42::2 91 92 # Sanity check, can we forward ICMP echo requests without pf? 93 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ 94 --ip6 \ 95 --sendif ${epair_send}a \ 96 --to 2001:db8:43::3 \ 97 --recvif ${epair_recv}a 98 99 jexec alcatraz pfctl -e 100 101 # Block incoming echo request packets 102 pft_set_rules alcatraz \ 103 "block in inet6 proto icmp6 icmp6-type echoreq" 104 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ 105 --ip6 \ 106 --sendif ${epair_send}a \ 107 --to 2001:db8:43::3 \ 108 --recvif ${epair_recv}a 109 110 # Block outgoing echo request packets 111 pft_set_rules alcatraz \ 112 "block out inet6 proto icmp6 icmp6-type echoreq" 113 atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \ 114 --ip6 \ 115 --sendif ${epair_send}a \ 116 --to 2001:db8:43::3 \ 117 --recvif ${epair_recv}a 118 119 # Allow ICMPv6 but nothing else 120 pft_set_rules alcatraz \ 121 "block out" \ 122 "pass out inet6 proto icmp6" 123 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ 124 --ip6 \ 125 --sendif ${epair_send}a \ 126 --to 2001:db8:43::3 \ 127 --recvif ${epair_recv}a 128 129 # Allowing ICMPv4 does not allow ICMPv6 130 pft_set_rules alcatraz \ 131 "block out inet6 proto icmp6 icmp6-type echoreq" \ 132 "pass in proto icmp" 133 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ 134 --ip6 \ 135 --sendif ${epair_send}a \ 136 --to 2001:db8:43::3 \ 137 --recvif ${epair_recv}a 138} 139 140v6_cleanup() 141{ 142 pft_cleanup 143} 144 145atf_init_test_cases() 146{ 147 atf_add_test_case "v4" 148 atf_add_test_case "v6" 149} 150