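# $FreeBSD$
#
# ATF test cases checking that pf rules loaded inside a vnet jail
# ("alcatraz") control whether ICMP / ICMPv6 echo requests are forwarded
# between two epair interfaces.
#
# Every case first confirms that forwarding works while pf is disabled.
# Without that baseline an expected failure (exit:1) could not be
# attributed to the ruleset: a broken route or neighbour entry would
# produce the same result and the "block" checks would pass vacuously.

. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

atf_test_case "v4" "cleanup"
v4_head()
{
	atf_set descr 'Basic forwarding test'
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}

# IPv4: host -> epair_send -> jail (forwarding enabled) -> epair_recv -> host.
v4_body()
{
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static neighbour entry: no interface in this setup is configured
	# with 198.51.100.3, so nothing would answer an ARP request for it.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Forward with pf enabled: blocking on the inbound side must stop
	# the request from being forwarded.
	pft_set_rules alcatraz "block in"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Blocking on the outbound side must stop it as well.
	pft_set_rules alcatraz "block out"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a

	# Allow ICMP
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a
}

v4_cleanup()
{
	pft_cleanup
}

atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'Basic IPv6 forwarding test'
	atf_set require.user root
	atf_set require.progs scapy
}

# IPv6 counterpart of the v4 case, using ICMPv6 echo requests.
v6_body()
{
	if [ "$(uname -p)" = "i386" ]; then
		atf_skip "https://bugs.freebsd.org/239380"
	fi

	pft_init

	epair_send=$(vnet_mkepair)
	epair_recv=$(vnet_mkepair)

	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
	ifconfig ${epair_recv}a up

	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b

	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
	# Static neighbour entry: no interface in this setup is configured
	# with 2001:db8:43::3, so neighbour discovery would get no answer.
	jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
	route add -6 2001:db8:43::/64 2001:db8:42::2

	# Sanity check, can we forward ICMP echo requests without pf?
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	jexec alcatraz pfctl -e

	# Block incoming echo request packets
	pft_set_rules alcatraz \
		"block in inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Block outgoing echo request packets
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq"
	atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allow ICMPv6 but nothing else
	pft_set_rules alcatraz \
		"block out" \
		"pass out inet6 proto icmp6"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a

	# Allowing ICMPv4 does not allow ICMPv6
	# NOTE(review): the explicit "block out ... echoreq" rule is what
	# yields exit:1 here; the case checks that the added
	# "pass in proto icmp" rule does not let the ICMPv6 request through.
	pft_set_rules alcatraz \
		"block out inet6 proto icmp6 icmp6-type echoreq" \
		"pass in proto icmp"
	atf_check -s exit:1 ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair_send}a \
		--to 2001:db8:43::3 \
		--recvif ${epair_recv}a
}

v6_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
}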