1065b5c7fSKristof Provost# $FreeBSD$ 2065b5c7fSKristof Provost# 3065b5c7fSKristof Provost# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4065b5c7fSKristof Provost# 5065b5c7fSKristof Provost# Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 6065b5c7fSKristof Provost# 7065b5c7fSKristof Provost# Redistribution and use in source and binary forms, with or without 8065b5c7fSKristof Provost# modification, are permitted provided that the following conditions 9065b5c7fSKristof Provost# are met: 10065b5c7fSKristof Provost# 1. Redistributions of source code must retain the above copyright 11065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer. 12065b5c7fSKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 13065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer in the 14065b5c7fSKristof Provost# documentation and/or other materials provided with the distribution. 15065b5c7fSKristof Provost# 16065b5c7fSKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17065b5c7fSKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18065b5c7fSKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19065b5c7fSKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20065b5c7fSKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21065b5c7fSKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22065b5c7fSKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23065b5c7fSKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24065b5c7fSKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25065b5c7fSKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26065b5c7fSKristof Provost# SUCH DAMAGE. 27065b5c7fSKristof Provost 28065b5c7fSKristof Provost. $(atf_get_srcdir)/utils.subr 29065b5c7fSKristof Provost 30065b5c7fSKristof Provostcommon_dir=$(atf_get_srcdir)/../common 31065b5c7fSKristof Provost 32065b5c7fSKristof Provostatf_test_case "v4" "cleanup" 33065b5c7fSKristof Provostv4_head() 34065b5c7fSKristof Provost{ 35065b5c7fSKristof Provost atf_set descr 'Test killing states by IPv4 address' 36065b5c7fSKristof Provost atf_set require.user root 37065b5c7fSKristof Provost atf_set require.progs scapy 38065b5c7fSKristof Provost} 39065b5c7fSKristof Provost 40065b5c7fSKristof Provostv4_body() 41065b5c7fSKristof Provost{ 42065b5c7fSKristof Provost pft_init 43065b5c7fSKristof Provost 44065b5c7fSKristof Provost epair=$(vnet_mkepair) 45065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 46065b5c7fSKristof Provost 47065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 48065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 49065b5c7fSKristof Provost jexec alcatraz pfctl -e 50065b5c7fSKristof Provost 51065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 52065b5c7fSKristof Provost "pass in proto icmp" 53065b5c7fSKristof Provost 54065b5c7fSKristof Provost # Sanity check & establish state 55065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 56065b5c7fSKristof Provost # echo requests part of the same flow. 57065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 58065b5c7fSKristof Provost --sendif ${epair}a \ 59065b5c7fSKristof Provost --to 192.0.2.2 \ 60065b5c7fSKristof Provost --replyif ${epair}a 61065b5c7fSKristof Provost 62065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 63065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 64065b5c7fSKristof Provost 65065b5c7fSKristof Provost # Established state means we can still ping alcatraz 66065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 67065b5c7fSKristof Provost --sendif ${epair}a \ 68065b5c7fSKristof Provost --to 192.0.2.2 \ 69065b5c7fSKristof Provost --replyif ${epair}a 70065b5c7fSKristof Provost 71065b5c7fSKristof Provost # Killing with the wrong IP doesn't affect our state 72065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.3 73065b5c7fSKristof Provost 74065b5c7fSKristof Provost # So we can still ping 75065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 76065b5c7fSKristof Provost --sendif ${epair}a \ 77065b5c7fSKristof Provost --to 192.0.2.2 \ 78065b5c7fSKristof Provost --replyif ${epair}a 79065b5c7fSKristof Provost 80065b5c7fSKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 81065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 -k 192.0.2.3 82065b5c7fSKristof Provost 83065b5c7fSKristof Provost # So we can still ping 84065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 85065b5c7fSKristof Provost --sendif ${epair}a \ 86065b5c7fSKristof Provost --to 192.0.2.2 \ 87065b5c7fSKristof Provost --replyif ${epair}a 88065b5c7fSKristof Provost 89065b5c7fSKristof Provost # Killing with correct address does remove the state 90065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 91065b5c7fSKristof Provost 92065b5c7fSKristof Provost # Now the ping fails 93065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 94065b5c7fSKristof Provost --sendif ${epair}a \ 95065b5c7fSKristof Provost --to 192.0.2.2 \ 96065b5c7fSKristof Provost --replyif ${epair}a 97065b5c7fSKristof Provost} 98065b5c7fSKristof Provost 99065b5c7fSKristof Provostv4_cleanup() 100065b5c7fSKristof Provost{ 101065b5c7fSKristof Provost pft_cleanup 102065b5c7fSKristof Provost} 103065b5c7fSKristof Provost 1049af23174SKristof Provostatf_test_case "v6" "cleanup" 1059af23174SKristof Provostv6_head() 1069af23174SKristof Provost{ 1079af23174SKristof Provost atf_set descr 'Test killing states by IPv6 address' 1089af23174SKristof Provost atf_set require.user root 1099af23174SKristof Provost atf_set require.progs scapy 1109af23174SKristof Provost} 1119af23174SKristof Provost 1129af23174SKristof Provostv6_body() 1139af23174SKristof Provost{ 1149af23174SKristof Provost pft_init 1159af23174SKristof Provost 1169af23174SKristof Provost epair=$(vnet_mkepair) 1179af23174SKristof Provost ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad 1189af23174SKristof Provost 1199af23174SKristof Provost vnet_mkjail alcatraz ${epair}b 1209af23174SKristof Provost jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad 1219af23174SKristof Provost jexec alcatraz pfctl -e 1229af23174SKristof Provost 1239af23174SKristof Provost pft_set_rules alcatraz "block all" \ 1249af23174SKristof Provost "pass in proto icmp6" 1259af23174SKristof Provost 1269af23174SKristof Provost # Sanity check & establish state 1279af23174SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 1289af23174SKristof Provost # echo requests part of the same flow. 1299af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1309af23174SKristof Provost --ip6 \ 1319af23174SKristof Provost --sendif ${epair}a \ 1329af23174SKristof Provost --to 2001:db8::2 \ 1339af23174SKristof Provost --replyif ${epair}a 1349af23174SKristof Provost 1359af23174SKristof Provost # Change rules to now deny the ICMP traffic 1369af23174SKristof Provost pft_set_rules noflush alcatraz "block all" 1379af23174SKristof Provost 1389af23174SKristof Provost # Established state means we can still ping alcatraz 1399af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1409af23174SKristof Provost --ip6 \ 1419af23174SKristof Provost --sendif ${epair}a \ 1429af23174SKristof Provost --to 2001:db8::2 \ 1439af23174SKristof Provost --replyif ${epair}a 1449af23174SKristof Provost 1459af23174SKristof Provost # Killing with the wrong IP doesn't affect our state 1469af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::3 1479af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1489af23174SKristof Provost --ip6 \ 1499af23174SKristof Provost --sendif ${epair}a \ 1509af23174SKristof Provost --to 2001:db8::2 \ 1519af23174SKristof Provost --replyif ${epair}a 1529af23174SKristof Provost 1539af23174SKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 1549af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 -k 2001:db8::3 1559af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 1569af23174SKristof Provost --ip6 \ 1579af23174SKristof Provost --sendif ${epair}a \ 1589af23174SKristof Provost --to 2001:db8::2 \ 1599af23174SKristof Provost --replyif ${epair}a 1609af23174SKristof Provost 1619af23174SKristof Provost # Killing with correct address does remove the state 1629af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 1639af23174SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 1649af23174SKristof Provost --ip6 \ 1659af23174SKristof Provost --sendif ${epair}a \ 1669af23174SKristof Provost --to 2001:db8::2 \ 1679af23174SKristof Provost --replyif ${epair}a 1689af23174SKristof Provost 1699af23174SKristof Provost} 1709af23174SKristof Provost 1719af23174SKristof Provostv6_cleanup() 1729af23174SKristof Provost{ 1739af23174SKristof Provost pft_cleanup 1749af23174SKristof Provost} 1759af23174SKristof Provost 176065b5c7fSKristof Provostatf_test_case "label" "cleanup" 177065b5c7fSKristof Provostlabel_head() 178065b5c7fSKristof Provost{ 179065b5c7fSKristof Provost atf_set descr 'Test killing states by label' 180065b5c7fSKristof Provost atf_set require.user root 181065b5c7fSKristof Provost atf_set require.progs scapy 182065b5c7fSKristof Provost} 183065b5c7fSKristof Provost 184065b5c7fSKristof Provostlabel_body() 185065b5c7fSKristof Provost{ 186065b5c7fSKristof Provost pft_init 187065b5c7fSKristof Provost 188065b5c7fSKristof Provost epair=$(vnet_mkepair) 189065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 190065b5c7fSKristof Provost 191065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 192065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 193065b5c7fSKristof Provost jexec alcatraz pfctl -e 194065b5c7fSKristof Provost 195065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 196065b5c7fSKristof Provost "pass in proto tcp label bar" \ 197065b5c7fSKristof Provost "pass in proto icmp label foo" 198065b5c7fSKristof Provost 199065b5c7fSKristof Provost # Sanity check & establish state 200065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 201065b5c7fSKristof Provost # echo requests part of the same flow. 202065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 203065b5c7fSKristof Provost --sendif ${epair}a \ 204065b5c7fSKristof Provost --to 192.0.2.2 \ 205065b5c7fSKristof Provost --replyif ${epair}a 206065b5c7fSKristof Provost 207065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 208065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 209065b5c7fSKristof Provost 210065b5c7fSKristof Provost # Established state means we can still ping alcatraz 211065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 212065b5c7fSKristof Provost --sendif ${epair}a \ 213065b5c7fSKristof Provost --to 192.0.2.2 \ 214065b5c7fSKristof Provost --replyif ${epair}a 215065b5c7fSKristof Provost 216065b5c7fSKristof Provost # Killing a label on a different rules keeps the state 217065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k bar 218065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 219065b5c7fSKristof Provost --sendif ${epair}a \ 220065b5c7fSKristof Provost --to 192.0.2.2 \ 221065b5c7fSKristof Provost --replyif ${epair}a 222065b5c7fSKristof Provost 223065b5c7fSKristof Provost # Killing a non-existing label keeps the state 224065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k baz 225065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 226065b5c7fSKristof Provost --sendif ${epair}a \ 227065b5c7fSKristof Provost --to 192.0.2.2 \ 228065b5c7fSKristof Provost --replyif ${epair}a 229065b5c7fSKristof Provost 230065b5c7fSKristof Provost # Killing the correct label kills the state 231065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k foo 232065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 233065b5c7fSKristof Provost --sendif ${epair}a \ 234065b5c7fSKristof Provost --to 192.0.2.2 \ 235065b5c7fSKristof Provost --replyif ${epair}a 236065b5c7fSKristof Provost} 237065b5c7fSKristof Provost 238065b5c7fSKristof Provostlabel_cleanup() 239065b5c7fSKristof Provost{ 240065b5c7fSKristof Provost pft_cleanup 241065b5c7fSKristof Provost} 242065b5c7fSKristof Provost 243*5632f585SKristof Provostatf_test_case "multilabel" "cleanup" 244*5632f585SKristof Provostmultilabel_head() 245*5632f585SKristof Provost{ 246*5632f585SKristof Provost atf_set descr 'Test killing states with multiple labels by label' 247*5632f585SKristof Provost atf_set require.user root 248*5632f585SKristof Provost atf_set require.progs scapy 249*5632f585SKristof Provost} 250*5632f585SKristof Provost 251*5632f585SKristof Provostmultilabel_body() 252*5632f585SKristof Provost{ 253*5632f585SKristof Provost pft_init 254*5632f585SKristof Provost 255*5632f585SKristof Provost epair=$(vnet_mkepair) 256*5632f585SKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 257*5632f585SKristof Provost 258*5632f585SKristof Provost vnet_mkjail alcatraz ${epair}b 259*5632f585SKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 260*5632f585SKristof Provost jexec alcatraz pfctl -e 261*5632f585SKristof Provost 262*5632f585SKristof Provost pft_set_rules alcatraz "block all" \ 263*5632f585SKristof Provost "pass in proto icmp label foo label bar" 264*5632f585SKristof Provost 265*5632f585SKristof Provost # Sanity check & establish state 266*5632f585SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 267*5632f585SKristof Provost # echo requests part of the same flow. 268*5632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 269*5632f585SKristof Provost --sendif ${epair}a \ 270*5632f585SKristof Provost --to 192.0.2.2 \ 271*5632f585SKristof Provost --replyif ${epair}a 272*5632f585SKristof Provost 273*5632f585SKristof Provost # Change rules to now deny the ICMP traffic 274*5632f585SKristof Provost pft_set_rules noflush alcatraz "block all" 275*5632f585SKristof Provost 276*5632f585SKristof Provost # Established state means we can still ping alcatraz 277*5632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 278*5632f585SKristof Provost --sendif ${epair}a \ 279*5632f585SKristof Provost --to 192.0.2.2 \ 280*5632f585SKristof Provost --replyif ${epair}a 281*5632f585SKristof Provost 282*5632f585SKristof Provost # Killing a label on a different rules keeps the state 283*5632f585SKristof Provost jexec alcatraz pfctl -k label -k baz 284*5632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 285*5632f585SKristof Provost --sendif ${epair}a \ 286*5632f585SKristof Provost --to 192.0.2.2 \ 287*5632f585SKristof Provost --replyif ${epair}a 288*5632f585SKristof Provost 289*5632f585SKristof Provost # Killing the state with the last label works 290*5632f585SKristof Provost jexec alcatraz pfctl -k label -k bar 291*5632f585SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 292*5632f585SKristof Provost --sendif ${epair}a \ 293*5632f585SKristof Provost --to 192.0.2.2 \ 294*5632f585SKristof Provost --replyif ${epair}a 295*5632f585SKristof Provost 296*5632f585SKristof Provost pft_set_rules alcatraz "block all" \ 297*5632f585SKristof Provost "pass in proto icmp label foo label bar" 298*5632f585SKristof Provost 299*5632f585SKristof Provost # Reestablish state 300*5632f585SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 301*5632f585SKristof Provost --sendif ${epair}a \ 302*5632f585SKristof Provost --to 192.0.2.2 \ 303*5632f585SKristof Provost --replyif ${epair}a 304*5632f585SKristof Provost 305*5632f585SKristof Provost # Change rules to now deny the ICMP traffic 306*5632f585SKristof Provost pft_set_rules noflush alcatraz "block all" 307*5632f585SKristof Provost 308*5632f585SKristof Provost # Killing with the first label works too 309*5632f585SKristof Provost jexec alcatraz pfctl -k label -k foo 310*5632f585SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 311*5632f585SKristof Provost --sendif ${epair}a \ 312*5632f585SKristof Provost --to 192.0.2.2 \ 313*5632f585SKristof Provost --replyif ${epair}a 314*5632f585SKristof Provost} 315*5632f585SKristof Provost 316*5632f585SKristof Provostmultilabel_cleanup() 317*5632f585SKristof Provost{ 318*5632f585SKristof Provost pft_cleanup 319*5632f585SKristof Provost} 320*5632f585SKristof Provost 321065b5c7fSKristof Provostatf_init_test_cases() 322065b5c7fSKristof Provost{ 323065b5c7fSKristof Provost atf_add_test_case "v4" 3249af23174SKristof Provost atf_add_test_case "v6" 325065b5c7fSKristof Provost atf_add_test_case "label" 326*5632f585SKristof Provost atf_add_test_case "multilabel" 327065b5c7fSKristof Provost} 328