1065b5c7fSKristof Provost# $FreeBSD$ 2065b5c7fSKristof Provost# 3065b5c7fSKristof Provost# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4065b5c7fSKristof Provost# 5065b5c7fSKristof Provost# Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 6065b5c7fSKristof Provost# 7065b5c7fSKristof Provost# Redistribution and use in source and binary forms, with or without 8065b5c7fSKristof Provost# modification, are permitted provided that the following conditions 9065b5c7fSKristof Provost# are met: 10065b5c7fSKristof Provost# 1. Redistributions of source code must retain the above copyright 11065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer. 12065b5c7fSKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 13065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer in the 14065b5c7fSKristof Provost# documentation and/or other materials provided with the distribution. 15065b5c7fSKristof Provost# 16065b5c7fSKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17065b5c7fSKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18065b5c7fSKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19065b5c7fSKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20065b5c7fSKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21065b5c7fSKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22065b5c7fSKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23065b5c7fSKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24065b5c7fSKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25065b5c7fSKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26065b5c7fSKristof Provost# SUCH DAMAGE. 27065b5c7fSKristof Provost 28065b5c7fSKristof Provost. $(atf_get_srcdir)/utils.subr 29065b5c7fSKristof Provost 30065b5c7fSKristof Provostcommon_dir=$(atf_get_srcdir)/../common 31065b5c7fSKristof Provost 32065b5c7fSKristof Provostatf_test_case "v4" "cleanup" 33065b5c7fSKristof Provostv4_head() 34065b5c7fSKristof Provost{ 35065b5c7fSKristof Provost atf_set descr 'Test killing states by IPv4 address' 36065b5c7fSKristof Provost atf_set require.user root 37065b5c7fSKristof Provost atf_set require.progs scapy 38065b5c7fSKristof Provost} 39065b5c7fSKristof Provost 40065b5c7fSKristof Provostv4_body() 41065b5c7fSKristof Provost{ 42065b5c7fSKristof Provost pft_init 43065b5c7fSKristof Provost 44065b5c7fSKristof Provost epair=$(vnet_mkepair) 45065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 46065b5c7fSKristof Provost 47065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 48065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 49065b5c7fSKristof Provost jexec alcatraz pfctl -e 50065b5c7fSKristof Provost 51065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 52065b5c7fSKristof Provost "pass in proto icmp" 53065b5c7fSKristof Provost 54065b5c7fSKristof Provost # Sanity check & establish state 55065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 56065b5c7fSKristof Provost # echo requests part of the same flow. 57065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 58065b5c7fSKristof Provost --sendif ${epair}a \ 59065b5c7fSKristof Provost --to 192.0.2.2 \ 60065b5c7fSKristof Provost --replyif ${epair}a 61065b5c7fSKristof Provost 62065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 63065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 64065b5c7fSKristof Provost 65065b5c7fSKristof Provost # Established state means we can still ping alcatraz 66065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 67065b5c7fSKristof Provost --sendif ${epair}a \ 68065b5c7fSKristof Provost --to 192.0.2.2 \ 69065b5c7fSKristof Provost --replyif ${epair}a 70065b5c7fSKristof Provost 71065b5c7fSKristof Provost # Killing with the wrong IP doesn't affect our state 72065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.3 73065b5c7fSKristof Provost 74065b5c7fSKristof Provost # So we can still ping 75065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 76065b5c7fSKristof Provost --sendif ${epair}a \ 77065b5c7fSKristof Provost --to 192.0.2.2 \ 78065b5c7fSKristof Provost --replyif ${epair}a 79065b5c7fSKristof Provost 80065b5c7fSKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 81065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 -k 192.0.2.3 82065b5c7fSKristof Provost 83065b5c7fSKristof Provost # So we can still ping 84065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 85065b5c7fSKristof Provost --sendif ${epair}a \ 86065b5c7fSKristof Provost --to 192.0.2.2 \ 87065b5c7fSKristof Provost --replyif ${epair}a 88065b5c7fSKristof Provost 89065b5c7fSKristof Provost # Killing with correct address does remove the state 90065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 91065b5c7fSKristof Provost 92065b5c7fSKristof Provost # Now the ping fails 93065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 94065b5c7fSKristof Provost --sendif ${epair}a \ 95065b5c7fSKristof Provost --to 192.0.2.2 \ 96065b5c7fSKristof Provost --replyif ${epair}a 97065b5c7fSKristof Provost} 98065b5c7fSKristof Provost 99065b5c7fSKristof Provostv4_cleanup() 100065b5c7fSKristof Provost{ 101065b5c7fSKristof Provost pft_cleanup 102065b5c7fSKristof Provost} 103065b5c7fSKristof Provost 1049af23174SKristof Provostatf_test_case "v6" "cleanup" 1059af23174SKristof Provostv6_head() 1069af23174SKristof Provost{ 1079af23174SKristof Provost atf_set descr 'Test killing states by IPv6 address' 1089af23174SKristof Provost atf_set require.user root 1099af23174SKristof Provost atf_set require.progs scapy 1109af23174SKristof Provost} 1119af23174SKristof Provost 1129af23174SKristof Provostv6_body() 1139af23174SKristof Provost{ 1149af23174SKristof Provost pft_init 1159af23174SKristof Provost 116*300f4be4SWarner Losh if [ "$(atf_config_get ci false)" = "true" ]; then 117*300f4be4SWarner Losh atf_skip "https://bugs.freebsd.org/260458" 118*300f4be4SWarner Losh fi 119*300f4be4SWarner Losh 1209af23174SKristof Provost epair=$(vnet_mkepair) 1219af23174SKristof Provost ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad 1229af23174SKristof Provost 1239af23174SKristof Provost vnet_mkjail alcatraz ${epair}b 1249af23174SKristof Provost jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad 1259af23174SKristof Provost jexec alcatraz pfctl -e 1269af23174SKristof Provost 1279af23174SKristof Provost pft_set_rules alcatraz "block all" \ 1289af23174SKristof Provost "pass in proto icmp6" 1299af23174SKristof Provost 1309af23174SKristof Provost # Sanity check & establish state 1319af23174SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 1329af23174SKristof Provost # echo requests part of the same flow. 1339af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1349af23174SKristof Provost --ip6 \ 1359af23174SKristof Provost --sendif ${epair}a \ 1369af23174SKristof Provost --to 2001:db8::2 \ 1379af23174SKristof Provost --replyif ${epair}a 1389af23174SKristof Provost 1399af23174SKristof Provost # Change rules to now deny the ICMP traffic 1409af23174SKristof Provost pft_set_rules noflush alcatraz "block all" 1419af23174SKristof Provost 1429af23174SKristof Provost # Established state means we can still ping alcatraz 1439af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1449af23174SKristof Provost --ip6 \ 1459af23174SKristof Provost --sendif ${epair}a \ 1469af23174SKristof Provost --to 2001:db8::2 \ 1479af23174SKristof Provost --replyif ${epair}a 1489af23174SKristof Provost 1499af23174SKristof Provost # Killing with the wrong IP doesn't affect our state 1509af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::3 1519af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1529af23174SKristof Provost --ip6 \ 1539af23174SKristof Provost --sendif ${epair}a \ 1549af23174SKristof Provost --to 2001:db8::2 \ 1559af23174SKristof Provost --replyif ${epair}a 1569af23174SKristof Provost 1579af23174SKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 1589af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 -k 2001:db8::3 1599af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1609af23174SKristof Provost --ip6 \ 1619af23174SKristof Provost --sendif ${epair}a \ 1629af23174SKristof Provost --to 2001:db8::2 \ 1639af23174SKristof Provost --replyif ${epair}a 1649af23174SKristof Provost 1659af23174SKristof Provost # Killing with correct address does remove the state 1669af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 1679af23174SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 1689af23174SKristof Provost --ip6 \ 1699af23174SKristof Provost --sendif ${epair}a \ 1709af23174SKristof Provost --to 2001:db8::2 \ 1719af23174SKristof Provost --replyif ${epair}a 1729af23174SKristof Provost 1739af23174SKristof Provost} 1749af23174SKristof Provost 1759af23174SKristof Provostv6_cleanup() 1769af23174SKristof Provost{ 1779af23174SKristof Provost pft_cleanup 1789af23174SKristof Provost} 1799af23174SKristof Provost 180065b5c7fSKristof Provostatf_test_case "label" "cleanup" 181065b5c7fSKristof Provostlabel_head() 182065b5c7fSKristof Provost{ 183065b5c7fSKristof Provost atf_set descr 'Test killing states by label' 184065b5c7fSKristof Provost atf_set require.user root 185065b5c7fSKristof Provost atf_set require.progs scapy 186065b5c7fSKristof Provost} 187065b5c7fSKristof Provost 188065b5c7fSKristof Provostlabel_body() 189065b5c7fSKristof Provost{ 190065b5c7fSKristof Provost pft_init 191065b5c7fSKristof Provost 192065b5c7fSKristof Provost epair=$(vnet_mkepair) 193065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 194065b5c7fSKristof Provost 195065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 196065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 197065b5c7fSKristof Provost jexec alcatraz pfctl -e 198065b5c7fSKristof Provost 199065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 200065b5c7fSKristof Provost "pass in proto tcp label bar" \ 201065b5c7fSKristof Provost "pass in proto icmp label foo" 202065b5c7fSKristof Provost 203065b5c7fSKristof Provost # Sanity check & establish state 204065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 205065b5c7fSKristof Provost # echo requests part of the same flow. 206065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 207065b5c7fSKristof Provost --sendif ${epair}a \ 208065b5c7fSKristof Provost --to 192.0.2.2 \ 209065b5c7fSKristof Provost --replyif ${epair}a 210065b5c7fSKristof Provost 211065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 212065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 213065b5c7fSKristof Provost 214065b5c7fSKristof Provost # Established state means we can still ping alcatraz 215065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 216065b5c7fSKristof Provost --sendif ${epair}a \ 217065b5c7fSKristof Provost --to 192.0.2.2 \ 218065b5c7fSKristof Provost --replyif ${epair}a 219065b5c7fSKristof Provost 220065b5c7fSKristof Provost # Killing a label on a different rules keeps the state 221065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k bar 222065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 223065b5c7fSKristof Provost --sendif ${epair}a \ 224065b5c7fSKristof Provost --to 192.0.2.2 \ 225065b5c7fSKristof Provost --replyif ${epair}a 226065b5c7fSKristof Provost 227065b5c7fSKristof Provost # Killing a non-existing label keeps the state 228065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k baz 229065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 230065b5c7fSKristof Provost --sendif ${epair}a \ 231065b5c7fSKristof Provost --to 192.0.2.2 \ 232065b5c7fSKristof Provost --replyif ${epair}a 233065b5c7fSKristof Provost 234065b5c7fSKristof Provost # Killing the correct label kills the state 235065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k foo 236065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 237065b5c7fSKristof Provost --sendif ${epair}a \ 238065b5c7fSKristof Provost --to 192.0.2.2 \ 239065b5c7fSKristof Provost --replyif ${epair}a 240065b5c7fSKristof Provost} 241065b5c7fSKristof Provost 242065b5c7fSKristof Provostlabel_cleanup() 243065b5c7fSKristof Provost{ 244065b5c7fSKristof Provost pft_cleanup 245065b5c7fSKristof Provost} 246065b5c7fSKristof Provost 2475632f585SKristof Provostatf_test_case "multilabel" "cleanup" 2485632f585SKristof Provostmultilabel_head() 2495632f585SKristof Provost{ 2505632f585SKristof Provost atf_set descr 'Test killing states with multiple labels by label' 2515632f585SKristof Provost atf_set require.user root 2525632f585SKristof Provost atf_set require.progs scapy 2535632f585SKristof Provost} 2545632f585SKristof Provost 2555632f585SKristof Provostmultilabel_body() 2565632f585SKristof Provost{ 2575632f585SKristof Provost pft_init 2585632f585SKristof Provost 2595632f585SKristof Provost epair=$(vnet_mkepair) 2605632f585SKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 2615632f585SKristof Provost 2625632f585SKristof Provost vnet_mkjail alcatraz ${epair}b 2635632f585SKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 2645632f585SKristof Provost jexec alcatraz pfctl -e 2655632f585SKristof Provost 2665632f585SKristof Provost pft_set_rules alcatraz "block all" \ 2675632f585SKristof Provost "pass in proto icmp label foo label bar" 2685632f585SKristof Provost 2695632f585SKristof Provost # Sanity check & establish state 2705632f585SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 2715632f585SKristof Provost # echo requests part of the same flow. 2725632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 2735632f585SKristof Provost --sendif ${epair}a \ 2745632f585SKristof Provost --to 192.0.2.2 \ 2755632f585SKristof Provost --replyif ${epair}a 2765632f585SKristof Provost 2775632f585SKristof Provost # Change rules to now deny the ICMP traffic 2785632f585SKristof Provost pft_set_rules noflush alcatraz "block all" 2795632f585SKristof Provost 2805632f585SKristof Provost # Established state means we can still ping alcatraz 2815632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 2825632f585SKristof Provost --sendif ${epair}a \ 2835632f585SKristof Provost --to 192.0.2.2 \ 2845632f585SKristof Provost --replyif ${epair}a 2855632f585SKristof Provost 2865632f585SKristof Provost # Killing a label on a different rules keeps the state 2875632f585SKristof Provost jexec alcatraz pfctl -k label -k baz 2885632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 2895632f585SKristof Provost --sendif ${epair}a \ 2905632f585SKristof Provost --to 192.0.2.2 \ 2915632f585SKristof Provost --replyif ${epair}a 2925632f585SKristof Provost 2935632f585SKristof Provost # Killing the state with the last label works 2945632f585SKristof Provost jexec alcatraz pfctl -k label -k bar 2955632f585SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 2965632f585SKristof Provost --sendif ${epair}a \ 2975632f585SKristof Provost --to 192.0.2.2 \ 2985632f585SKristof Provost --replyif ${epair}a 2995632f585SKristof Provost 3005632f585SKristof Provost pft_set_rules alcatraz "block all" \ 3015632f585SKristof Provost "pass in proto icmp label foo label bar" 3025632f585SKristof Provost 3035632f585SKristof Provost # Reestablish state 3045632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 3055632f585SKristof Provost --sendif ${epair}a \ 3065632f585SKristof Provost --to 192.0.2.2 \ 3075632f585SKristof Provost --replyif ${epair}a 3085632f585SKristof Provost 3095632f585SKristof Provost # Change rules to now deny the ICMP traffic 3105632f585SKristof Provost pft_set_rules noflush alcatraz "block all" 3115632f585SKristof Provost 3125632f585SKristof Provost # Killing with the first label works too 3135632f585SKristof Provost jexec alcatraz pfctl -k label -k foo 3145632f585SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 3155632f585SKristof Provost --sendif ${epair}a \ 3165632f585SKristof Provost --to 192.0.2.2 \ 3175632f585SKristof Provost --replyif ${epair}a 3185632f585SKristof Provost} 3195632f585SKristof Provost 3205632f585SKristof Provostmultilabel_cleanup() 3215632f585SKristof Provost{ 3225632f585SKristof Provost pft_cleanup 3235632f585SKristof Provost} 3245632f585SKristof Provost 325c2e11d81SKristof Provostatf_test_case "gateway" "cleanup" 326c2e11d81SKristof Provostgateway_head() 327c2e11d81SKristof Provost{ 328c2e11d81SKristof Provost atf_set descr 'Test killing states by route-to/reply-to address' 329c2e11d81SKristof Provost atf_set require.user root 330c2e11d81SKristof Provost atf_set require.progs scapy 331c2e11d81SKristof Provost} 332c2e11d81SKristof Provost 333c2e11d81SKristof Provostgateway_body() 334c2e11d81SKristof Provost{ 335c2e11d81SKristof Provost pft_init 336c2e11d81SKristof Provost 337c2e11d81SKristof Provost epair=$(vnet_mkepair) 338c2e11d81SKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 339c2e11d81SKristof Provost 340c2e11d81SKristof Provost vnet_mkjail alcatraz ${epair}b 341c2e11d81SKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 342c2e11d81SKristof Provost jexec alcatraz pfctl -e 343c2e11d81SKristof Provost 344c2e11d81SKristof Provost pft_set_rules alcatraz "block all" \ 345c2e11d81SKristof Provost "pass in reply-to (${epair}b 192.0.2.1) proto icmp" 346c2e11d81SKristof Provost 347c2e11d81SKristof Provost # Sanity check & establish state 348c2e11d81SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 349c2e11d81SKristof Provost # echo requests part of the same flow. 350c2e11d81SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 351c2e11d81SKristof Provost --sendif ${epair}a \ 352c2e11d81SKristof Provost --to 192.0.2.2 \ 353c2e11d81SKristof Provost --replyif ${epair}a 354c2e11d81SKristof Provost 355c2e11d81SKristof Provost # Change rules to now deny the ICMP traffic 356c2e11d81SKristof Provost pft_set_rules noflush alcatraz "block all" 357c2e11d81SKristof Provost 358c2e11d81SKristof Provost # Established state means we can still ping alcatraz 359c2e11d81SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 360c2e11d81SKristof Provost --sendif ${epair}a \ 361c2e11d81SKristof Provost --to 192.0.2.2 \ 362c2e11d81SKristof Provost --replyif ${epair}a 363c2e11d81SKristof Provost 364c2e11d81SKristof Provost # Killing with a different gateway does not affect our state 365c2e11d81SKristof Provost jexec alcatraz pfctl -k gateway -k 192.0.2.2 366c2e11d81SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 367c2e11d81SKristof Provost --sendif ${epair}a \ 368c2e11d81SKristof Provost --to 192.0.2.2 \ 369c2e11d81SKristof Provost --replyif ${epair}a 370c2e11d81SKristof Provost 371c2e11d81SKristof Provost # Killing states with the relevant gateway does terminate our state 372c2e11d81SKristof Provost jexec alcatraz pfctl -k gateway -k 192.0.2.1 373c2e11d81SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 374c2e11d81SKristof Provost --sendif ${epair}a \ 375c2e11d81SKristof Provost --to 192.0.2.2 \ 376c2e11d81SKristof Provost --replyif ${epair}a 377c2e11d81SKristof Provost} 378c2e11d81SKristof Provost 379c2e11d81SKristof Provostgateway_cleanup() 380c2e11d81SKristof Provost{ 381c2e11d81SKristof Provost pft_cleanup 382c2e11d81SKristof Provost} 383c2e11d81SKristof Provost 384ac200a9cSKristof Provostatf_test_case "match" "cleanup" 385ac200a9cSKristof Provostmatch_head() 386ac200a9cSKristof Provost{ 387ac200a9cSKristof Provost atf_set descr 'Test killing matching states' 388ac200a9cSKristof Provost atf_set require.user root 389ac200a9cSKristof Provost} 390ac200a9cSKristof Provost 39170dd30d4SKristof Provostwait_for_state() 39270dd30d4SKristof Provost{ 39370dd30d4SKristof Provost jail=$1 39470dd30d4SKristof Provost addr=$2 39570dd30d4SKristof Provost 39670dd30d4SKristof Provost while ! jexec $jail pfctl -s s | grep $addr >/dev/null; 39770dd30d4SKristof Provost do 39870dd30d4SKristof Provost sleep .1 39970dd30d4SKristof Provost done 40070dd30d4SKristof Provost} 40170dd30d4SKristof Provost 402ac200a9cSKristof Provostmatch_body() 403ac200a9cSKristof Provost{ 404ac200a9cSKristof Provost pft_init 405ac200a9cSKristof Provost 406ac200a9cSKristof Provost epair_one=$(vnet_mkepair) 407ac200a9cSKristof Provost ifconfig ${epair_one}a 192.0.2.1/24 up 408ac200a9cSKristof Provost 409ac200a9cSKristof Provost epair_two=$(vnet_mkepair) 410ac200a9cSKristof Provost 411ac200a9cSKristof Provost vnet_mkjail alcatraz ${epair_one}b ${epair_two}a 412ac200a9cSKristof Provost jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up 413ac200a9cSKristof Provost jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up 414ac200a9cSKristof Provost jexec alcatraz sysctl net.inet.ip.forwarding=1 415ac200a9cSKristof Provost jexec alcatraz pfctl -e 416ac200a9cSKristof Provost 417ac200a9cSKristof Provost vnet_mkjail singsing ${epair_two}b 418ac200a9cSKristof Provost jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up 419ac200a9cSKristof Provost jexec singsing route add default 198.51.100.1 420ac200a9cSKristof Provost jexec singsing /usr/sbin/inetd -p inetd-echo.pid \ 421ac200a9cSKristof Provost $(atf_get_srcdir)/echo_inetd.conf 422ac200a9cSKristof Provost 423ac200a9cSKristof Provost route add 198.51.100.0/24 192.0.2.2 424ac200a9cSKristof Provost 425ac200a9cSKristof Provost pft_set_rules alcatraz \ 426ac200a9cSKristof Provost "nat on ${epair_two}a from 192.0.2.0/24 -> (${epair_two}a)" \ 427ac200a9cSKristof Provost "pass all" 428ac200a9cSKristof Provost 429ac200a9cSKristof Provost nc 198.51.100.2 7 & 43070dd30d4SKristof Provost wait_for_state alcatraz 192.0.2.1 431ac200a9cSKristof Provost 432ac200a9cSKristof Provost # Expect two states 4334e860bd5SKristof Provost states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l) 434ac200a9cSKristof Provost if [ $states -ne 2 ] ; 435ac200a9cSKristof Provost then 436ac200a9cSKristof Provost atf_fail "Expected two states, found $states" 437ac200a9cSKristof Provost fi 438ac200a9cSKristof Provost 439ac200a9cSKristof Provost # If we don't kill the matching NAT state one should be left 440ac200a9cSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 4414e860bd5SKristof Provost states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l) 442ac200a9cSKristof Provost if [ $states -ne 1 ] ; 443ac200a9cSKristof Provost then 444ac200a9cSKristof Provost atf_fail "Expected one states, found $states" 445ac200a9cSKristof Provost fi 446ac200a9cSKristof Provost 447ac200a9cSKristof Provost # Flush 448ac200a9cSKristof Provost jexec alcatraz pfctl -F states 449ac200a9cSKristof Provost 450ac200a9cSKristof Provost nc 198.51.100.2 7 & 45170dd30d4SKristof Provost wait_for_state alcatraz 192.0.2.1 452ac200a9cSKristof Provost 453ac200a9cSKristof Provost # Kill matching states, expect all of them to be gone 454ac200a9cSKristof Provost jexec alcatraz pfctl -M -k 192.0.2.1 4554e860bd5SKristof Provost states=$(jexec alcatraz pfctl -s s | grep 192.0.2.1 | wc -l) 456ac200a9cSKristof Provost if [ $states -ne 0 ] ; 457ac200a9cSKristof Provost then 458ac200a9cSKristof Provost atf_fail "Expected zero states, found $states" 459ac200a9cSKristof Provost fi 460ac200a9cSKristof Provost} 461ac200a9cSKristof Provost 462ac200a9cSKristof Provostmatch_cleanup() 463ac200a9cSKristof Provost{ 464ac200a9cSKristof Provost pft_cleanup 465ac200a9cSKristof Provost} 466ac200a9cSKristof Provost 4677bd7933fSKristof Provostatf_test_case "interface" "cleanup" 4687bd7933fSKristof Provostinterface_head() 4697bd7933fSKristof Provost{ 4707bd7933fSKristof Provost atf_set descr 'Test killing states based on interface' 4717bd7933fSKristof Provost atf_set require.user root 4727bd7933fSKristof Provost atf_set require.progs scapy 4737bd7933fSKristof Provost} 4747bd7933fSKristof Provost 4757bd7933fSKristof Provostinterface_body() 4767bd7933fSKristof Provost{ 4777bd7933fSKristof Provost pft_init 4787bd7933fSKristof Provost 4797bd7933fSKristof Provost epair=$(vnet_mkepair) 4807bd7933fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 4817bd7933fSKristof Provost 4827bd7933fSKristof Provost vnet_mkjail alcatraz ${epair}b 4837bd7933fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 4847bd7933fSKristof Provost jexec alcatraz pfctl -e 4857bd7933fSKristof Provost 4867bd7933fSKristof Provost pft_set_rules alcatraz "block all" \ 4877bd7933fSKristof Provost "pass in proto icmp" 4887bd7933fSKristof Provost 4897bd7933fSKristof Provost # Sanity check & establish state 4907bd7933fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 4917bd7933fSKristof Provost # echo requests part of the same flow. 4927bd7933fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 4937bd7933fSKristof Provost --sendif ${epair}a \ 4947bd7933fSKristof Provost --to 192.0.2.2 \ 4957bd7933fSKristof Provost --replyif ${epair}a 4967bd7933fSKristof Provost 4977bd7933fSKristof Provost # Change rules to now deny the ICMP traffic 4987bd7933fSKristof Provost pft_set_rules noflush alcatraz "block all" 4997bd7933fSKristof Provost 5007bd7933fSKristof Provost # Established state means we can still ping alcatraz 5017bd7933fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 5027bd7933fSKristof Provost --sendif ${epair}a \ 5037bd7933fSKristof Provost --to 192.0.2.2 \ 5047bd7933fSKristof Provost --replyif ${epair}a 5057bd7933fSKristof Provost 5067bd7933fSKristof Provost # Flushing states on a different interface doesn't affect our state 5077bd7933fSKristof Provost jexec alcatraz pfctl -i ${epair}a -Fs 5087bd7933fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 5097bd7933fSKristof Provost --sendif ${epair}a \ 5107bd7933fSKristof Provost --to 192.0.2.2 \ 5117bd7933fSKristof Provost --replyif ${epair}a 5127bd7933fSKristof Provost 5137bd7933fSKristof Provost # Flushing on the correct interface does (even with floating states) 5147bd7933fSKristof Provost jexec alcatraz pfctl -i ${epair}b -Fs 5157bd7933fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 5167bd7933fSKristof Provost --sendif ${epair}a \ 5177bd7933fSKristof Provost --to 192.0.2.2 \ 5187bd7933fSKristof Provost --replyif ${epair}a 5197bd7933fSKristof Provost} 5207bd7933fSKristof Provost 5217bd7933fSKristof Provostinterface_cleanup() 5227bd7933fSKristof Provost{ 5237bd7933fSKristof Provost pft_cleanup 5247bd7933fSKristof Provost} 5257bd7933fSKristof Provost 526bbf832f3SKristof Provostatf_test_case "id" "cleanup" 527bbf832f3SKristof Provostid_head() 528bbf832f3SKristof Provost{ 529bbf832f3SKristof Provost atf_set descr 'Test killing states by id' 530bbf832f3SKristof Provost atf_set require.user root 531bbf832f3SKristof Provost atf_set require.progs scapy 532bbf832f3SKristof Provost} 533bbf832f3SKristof Provost 534bbf832f3SKristof Provostid_body() 535bbf832f3SKristof Provost{ 536bbf832f3SKristof Provost pft_init 537bbf832f3SKristof Provost 538bbf832f3SKristof Provost epair=$(vnet_mkepair) 539bbf832f3SKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 540bbf832f3SKristof Provost 541bbf832f3SKristof Provost vnet_mkjail alcatraz ${epair}b 542bbf832f3SKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 543bbf832f3SKristof Provost jexec alcatraz pfctl -e 544bbf832f3SKristof Provost 545bbf832f3SKristof Provost pft_set_rules alcatraz "block all" \ 546bbf832f3SKristof Provost "pass in proto tcp" \ 547bbf832f3SKristof Provost "pass in proto icmp" 548bbf832f3SKristof Provost 549bbf832f3SKristof Provost # Sanity check & establish state 550bbf832f3SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 551bbf832f3SKristof Provost # echo requests part of the same flow. 552bbf832f3SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 553bbf832f3SKristof Provost --sendif ${epair}a \ 554bbf832f3SKristof Provost --to 192.0.2.2 \ 555bbf832f3SKristof Provost --replyif ${epair}a 556bbf832f3SKristof Provost 557bbf832f3SKristof Provost # Change rules to now deny the ICMP traffic 558bbf832f3SKristof Provost pft_set_rules noflush alcatraz "block all" 559bbf832f3SKristof Provost 560bbf832f3SKristof Provost # Established state means we can still ping alcatraz 561bbf832f3SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 562bbf832f3SKristof Provost --sendif ${epair}a \ 563bbf832f3SKristof Provost --to 192.0.2.2 \ 564bbf832f3SKristof Provost --replyif ${epair}a 565bbf832f3SKristof Provost 566bbf832f3SKristof Provost # Get the state ID 567bbf832f3SKristof Provost id=$(jexec alcatraz pfctl -ss -vvv | grep -A 3 icmp | 568bbf832f3SKristof Provost grep -A 3 192.0.2.2 | awk '/id:/ { printf("%s/%s", $2, $4); }') 569bbf832f3SKristof Provost 570bbf832f3SKristof Provost # Kill the wrong ID 571bbf832f3SKristof Provost jexec alcatraz pfctl -k id -k 1 572bbf832f3SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 573bbf832f3SKristof Provost --sendif ${epair}a \ 574bbf832f3SKristof Provost --to 192.0.2.2 \ 575bbf832f3SKristof Provost --replyif ${epair}a 576bbf832f3SKristof Provost 577bbf832f3SKristof Provost # Kill the correct ID 578bbf832f3SKristof Provost jexec alcatraz pfctl -k id -k ${id} 579bbf832f3SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 580bbf832f3SKristof Provost --sendif ${epair}a \ 581bbf832f3SKristof Provost --to 192.0.2.2 \ 582bbf832f3SKristof Provost --replyif ${epair}a 583bbf832f3SKristof Provost} 584bbf832f3SKristof Provost 585bbf832f3SKristof Provostid_cleanup() 586bbf832f3SKristof Provost{ 587bbf832f3SKristof Provost pft_cleanup 588bbf832f3SKristof Provost} 589bbf832f3SKristof Provost 590065b5c7fSKristof Provostatf_init_test_cases() 591065b5c7fSKristof Provost{ 592065b5c7fSKristof Provost atf_add_test_case "v4" 5939af23174SKristof Provost atf_add_test_case "v6" 594065b5c7fSKristof Provost atf_add_test_case "label" 5955632f585SKristof Provost atf_add_test_case "multilabel" 596c2e11d81SKristof Provost atf_add_test_case "gateway" 597ac200a9cSKristof Provost atf_add_test_case "match" 5987bd7933fSKristof Provost atf_add_test_case "interface" 599bbf832f3SKristof Provost atf_add_test_case "id" 600065b5c7fSKristof Provost} 601