xref: /freebsd/tests/sys/netpfil/pf/forward.sh (revision cddbc3b40812213ff00041f79174cac0be360a2a)
1# $FreeBSD$
2
3. $(atf_get_srcdir)/utils.subr
4
5atf_test_case "v4" "cleanup"
6v4_head()
7{
8	atf_set descr 'Basic forwarding test'
9	atf_set require.user root
10
11	# We need scapy to be installed for out test scripts to work
12	atf_set require.progs scapy
13}
14
15v4_body()
16{
17	pft_init
18
19	epair_send=$(vnet_mkepair)
20	ifconfig ${epair_send}a 192.0.2.1/24 up
21
22	epair_recv=$(vnet_mkepair)
23	ifconfig ${epair_recv}a up
24
25	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
26	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
27	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
28	jexec alcatraz sysctl net.inet.ip.forwarding=1
29	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
30	route add -net 198.51.100.0/24 192.0.2.2
31
32	# Sanity check, can we forward ICMP echo requests without pf?
33	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
34		--sendif ${epair_send}a \
35		--to 198.51.100.3 \
36		--recvif ${epair_recv}a
37
38	jexec alcatraz pfctl -e
39
40	# Forward with pf enabled
41	pft_set_rules alcatraz "block in"
42	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
43		--sendif ${epair_send}a \
44		--to 198.51.100.3 \
45		--recvif ${epair_recv}a
46
47	pft_set_rules alcatraz "block out"
48	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
49		--sendif ${epair_send}a \
50		--to 198.51.100.3 \
51		--recv ${epair_recv}a
52
53	# Allow ICMP
54	pft_set_rules alcatraz "block in" "pass in proto icmp"
55	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
56		--sendif ${epair_send}a \
57		--to 198.51.100.3 \
58		--recvif ${epair_recv}a
59}
60
61v4_cleanup()
62{
63	pft_cleanup
64}
65
66atf_test_case "v6" "cleanup"
67v6_head()
68{
69	atf_set descr 'Basic IPv6 forwarding test'
70	atf_set require.user root
71	atf_set require.progs scapy
72}
73
74v6_body()
75{
76	pft_init
77
78	epair_send=$(vnet_mkepair)
79	epair_recv=$(vnet_mkepair)
80
81	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
82	ifconfig ${epair_recv}a up
83
84	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
85
86	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
87	jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
88	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
89	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
90	route add -6 2001:db8:43::/64 2001:db8:42::2
91
92	# Sanity check, can we forward ICMP echo requests without pf?
93	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
94		--ip6 \
95		--sendif ${epair_send}a \
96		--to 2001:db8:43::3 \
97		--recvif ${epair_recv}a
98
99	jexec alcatraz pfctl -e
100
101	# Block incoming echo request packets
102	pft_set_rules alcatraz \
103		"block in inet6 proto icmp6 icmp6-type echoreq"
104	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
105		--ip6 \
106		--sendif ${epair_send}a \
107		--to 2001:db8:43::3 \
108		--recvif ${epair_recv}a
109
110	# Block outgoing echo request packets
111	pft_set_rules alcatraz \
112		"block out inet6 proto icmp6 icmp6-type echoreq"
113	atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
114		--ip6 \
115		--sendif ${epair_send}a \
116		--to 2001:db8:43::3 \
117		--recvif ${epair_recv}a
118
119	# Allow ICMPv6 but nothing else
120	pft_set_rules alcatraz \
121		"block out" \
122		"pass out inet6 proto icmp6"
123	atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
124		--ip6 \
125		--sendif ${epair_send}a \
126		--to 2001:db8:43::3 \
127		--recvif ${epair_recv}a
128
129	# Allowing ICMPv4 does not allow ICMPv6
130	pft_set_rules alcatraz \
131		"block out inet6 proto icmp6 icmp6-type echoreq" \
132		"pass in proto icmp"
133	atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
134		--ip6 \
135		--sendif ${epair_send}a \
136		--to 2001:db8:43::3 \
137		--recvif ${epair_recv}a
138}
139
140v6_cleanup()
141{
142	pft_cleanup
143}
144
145atf_init_test_cases()
146{
147	atf_add_test_case "v4"
148	atf_add_test_case "v6"
149}
150