xref: /freebsd/tests/sys/netpfil/pf/icmp6.sh (revision b9f0dbc3d006e0b904ee4275d54459f4edd65bb8)
1*b9f0dbc3SKristof Provost#
2*b9f0dbc3SKristof Provost# SPDX-License-Identifier: BSD-2-Clause
3*b9f0dbc3SKristof Provost#
4*b9f0dbc3SKristof Provost# Copyright (c) 2024 Rubicon Communications, LLC (Netgate)
5*b9f0dbc3SKristof Provost#
6*b9f0dbc3SKristof Provost# Redistribution and use in source and binary forms, with or without
7*b9f0dbc3SKristof Provost# modification, are permitted provided that the following conditions
8*b9f0dbc3SKristof Provost# are met:
9*b9f0dbc3SKristof Provost# 1. Redistributions of source code must retain the above copyright
10*b9f0dbc3SKristof Provost#    notice, this list of conditions and the following disclaimer.
11*b9f0dbc3SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright
12*b9f0dbc3SKristof Provost#    notice, this list of conditions and the following disclaimer in the
13*b9f0dbc3SKristof Provost#    documentation and/or other materials provided with the distribution.
14*b9f0dbc3SKristof Provost#
15*b9f0dbc3SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16*b9f0dbc3SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17*b9f0dbc3SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18*b9f0dbc3SKristof Provost# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19*b9f0dbc3SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20*b9f0dbc3SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21*b9f0dbc3SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22*b9f0dbc3SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23*b9f0dbc3SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24*b9f0dbc3SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25*b9f0dbc3SKristof Provost# SUCH DAMAGE.
26*b9f0dbc3SKristof Provost
# Pull in the shared pf test helpers; the pft_* and vnet_* functions used
# below are not defined in this file and presumably come from utils.subr.
. $(atf_get_srcdir)/utils.subr

# Directory holding the packet-crafting helper (pft_ping.py) used by the test.
common_dir="$(atf_get_srcdir)/../common"

# Declare the test case together with its cleanup routine.
atf_test_case zero_id cleanup
# Metadata for the zero_id test case.
zero_id_head()
{
	# The body creates interfaces and a jail and loads pf rules, and it
	# crafts raw packets via the scapy-based helper, hence root and scapy.
	atf_set require.user root
	atf_set require.progs scapy
	atf_set descr "Test ICMPv6 echo with ID 0 keep being blocked"
}
38*b9f0dbc3SKristof Provost
# Regression test for a pf filtering bypass: with a ruleset that blocks
# everything inbound except neighbour discovery, an ICMPv6 echo request whose
# identifier is 0 must not be matched against neighbour discovery traffic and
# let through.  The host side sends, the "alcatraz" jail runs pf.
zero_id_body()
{
	pft_init

	epair=$(vnet_mkepair)
	host_if=${epair}a
	jail_if=${epair}b
	host_addr=2001:db8::2
	jail_addr=2001:db8::1

	# Host end of the epair; no_dad skips duplicate address detection.
	ifconfig ${host_if} inet6 ${host_addr}/64 up no_dad

	# Jail end of the epair: this is the system under test.
	vnet_mkjail alcatraz ${jail_if}
	jexec alcatraz ifconfig ${jail_if} inet6 ${jail_addr}/64 up no_dad

	# Baseline: before pf is enabled the jail must answer a ping, otherwise
	# the "blocked" results below would prove nothing.
	atf_check -s exit:0 -o ignore ping -c 1 ${jail_addr}

	# Default-deny ruleset.  The only inbound traffic allowed is ICMPv6
	# type 135 (neighbour solicitation) and 136 (neighbour advertisement).
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set block-policy drop" \
		"antispoof quick for { egress ${jail_if} }" \
		"block all" \
		"pass out" \
		"pass in quick inet6 proto IPV6-ICMP icmp6-type 135" \
		"pass in quick inet6 proto IPV6-ICMP icmp6-type 136" \
		"pass out quick inet6 proto IPV6 from self to any"

	# An ordinary echo request is now dropped: ping is expected to exit
	# with status 2 (sent, but nothing came back).
	atf_check -s exit:2 -o ignore ping -c 1 ${jail_addr}

	# Delete the host's neighbour cache entry for the jail so the next
	# packet forces a fresh neighbour discovery exchange.
	# NOTE(review): presumably this makes pf hold neighbour discovery
	# state at the moment the echo request arrives - confirm.
	ndp -d ${jail_addr}

	# The actual check: the crafted echo request must get no reply.
	# NOTE(review): no echo identifier is passed here, so the ID of 0
	# presumably comes from the helper's (or scapy's) default - confirm.
	# exit:1 is taken to mean "no reply seen"; stdout is discarded, and a
	# helper failing for another reason with the same status would not be
	# distinguished from a correctly blocked packet.
	atf_check -s exit:1 -o ignore \
	    ${common_dir}/pft_ping.py --sendif ${host_if} --to ${jail_addr} --replyif ${host_if}

	# Diagnostics only (not wrapped in atf_check): dump the state table
	# and the rules with their counters.
	jexec alcatraz pfctl -ss -vv
	jexec alcatraz pfctl -sr -vv
}
80*b9f0dbc3SKristof Provost
# Cleanup for zero_id; delegates to the shared helper, which is presumably
# responsible for removing the jail and interfaces created by the body.
zero_id_cleanup()
{
	pft_cleanup
}
85*b9f0dbc3SKristof Provost
# ATF entry point: register every test case this file provides.
atf_init_test_cases()
{
	atf_add_test_case zero_id
}