1065b5c7fSKristof Provost# $FreeBSD$ 2065b5c7fSKristof Provost# 3065b5c7fSKristof Provost# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4065b5c7fSKristof Provost# 5065b5c7fSKristof Provost# Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 6065b5c7fSKristof Provost# 7065b5c7fSKristof Provost# Redistribution and use in source and binary forms, with or without 8065b5c7fSKristof Provost# modification, are permitted provided that the following conditions 9065b5c7fSKristof Provost# are met: 10065b5c7fSKristof Provost# 1. Redistributions of source code must retain the above copyright 11065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer. 12065b5c7fSKristof Provost# 2. Redistributions in binary form must reproduce the above copyright 13065b5c7fSKristof Provost# notice, this list of conditions and the following disclaimer in the 14065b5c7fSKristof Provost# documentation and/or other materials provided with the distribution. 15065b5c7fSKristof Provost# 16065b5c7fSKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17065b5c7fSKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18065b5c7fSKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19065b5c7fSKristof Provost# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20065b5c7fSKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21065b5c7fSKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22065b5c7fSKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23065b5c7fSKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24065b5c7fSKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25065b5c7fSKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26065b5c7fSKristof Provost# SUCH DAMAGE. 27065b5c7fSKristof Provost 28065b5c7fSKristof Provost. $(atf_get_srcdir)/utils.subr 29065b5c7fSKristof Provost 30065b5c7fSKristof Provostcommon_dir=$(atf_get_srcdir)/../common 31065b5c7fSKristof Provost 32065b5c7fSKristof Provostatf_test_case "v4" "cleanup" 33065b5c7fSKristof Provostv4_head() 34065b5c7fSKristof Provost{ 35065b5c7fSKristof Provost atf_set descr 'Test killing states by IPv4 address' 36065b5c7fSKristof Provost atf_set require.user root 37065b5c7fSKristof Provost atf_set require.progs scapy 38065b5c7fSKristof Provost} 39065b5c7fSKristof Provost 40065b5c7fSKristof Provostv4_body() 41065b5c7fSKristof Provost{ 42065b5c7fSKristof Provost pft_init 43065b5c7fSKristof Provost 44065b5c7fSKristof Provost epair=$(vnet_mkepair) 45065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 46065b5c7fSKristof Provost 47065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 48065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 49065b5c7fSKristof Provost jexec alcatraz pfctl -e 50065b5c7fSKristof Provost 51065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 52065b5c7fSKristof Provost "pass in proto icmp" 53065b5c7fSKristof Provost 54065b5c7fSKristof Provost # Sanity check & establish state 55065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 56065b5c7fSKristof Provost # echo requests part of the same flow. 57065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 58065b5c7fSKristof Provost --sendif ${epair}a \ 59065b5c7fSKristof Provost --to 192.0.2.2 \ 60065b5c7fSKristof Provost --replyif ${epair}a 61065b5c7fSKristof Provost 62065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 63065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 64065b5c7fSKristof Provost 65065b5c7fSKristof Provost # Established state means we can still ping alcatraz 66065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 67065b5c7fSKristof Provost --sendif ${epair}a \ 68065b5c7fSKristof Provost --to 192.0.2.2 \ 69065b5c7fSKristof Provost --replyif ${epair}a 70065b5c7fSKristof Provost 71065b5c7fSKristof Provost # Killing with the wrong IP doesn't affect our state 72065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.3 73065b5c7fSKristof Provost 74065b5c7fSKristof Provost # So we can still ping 75065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 76065b5c7fSKristof Provost --sendif ${epair}a \ 77065b5c7fSKristof Provost --to 192.0.2.2 \ 78065b5c7fSKristof Provost --replyif ${epair}a 79065b5c7fSKristof Provost 80065b5c7fSKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 81065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 -k 192.0.2.3 82065b5c7fSKristof Provost 83065b5c7fSKristof Provost # So we can still ping 84065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 85065b5c7fSKristof Provost --sendif ${epair}a \ 86065b5c7fSKristof Provost --to 192.0.2.2 \ 87065b5c7fSKristof Provost --replyif ${epair}a 88065b5c7fSKristof Provost 89065b5c7fSKristof Provost # Killing with correct address does remove the state 90065b5c7fSKristof Provost jexec alcatraz pfctl -k 192.0.2.1 91065b5c7fSKristof Provost 92065b5c7fSKristof Provost # Now the ping fails 93065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 94065b5c7fSKristof Provost --sendif ${epair}a \ 95065b5c7fSKristof Provost --to 192.0.2.2 \ 96065b5c7fSKristof Provost --replyif ${epair}a 97065b5c7fSKristof Provost} 98065b5c7fSKristof Provost 99065b5c7fSKristof Provostv4_cleanup() 100065b5c7fSKristof Provost{ 101065b5c7fSKristof Provost pft_cleanup 102065b5c7fSKristof Provost} 103065b5c7fSKristof Provost 104*9af23174SKristof Provostatf_test_case "v6" "cleanup" 105*9af23174SKristof Provostv6_head() 106*9af23174SKristof Provost{ 107*9af23174SKristof Provost atf_set descr 'Test killing states by IPv6 address' 108*9af23174SKristof Provost atf_set require.user root 109*9af23174SKristof Provost atf_set require.progs scapy 110*9af23174SKristof Provost} 111*9af23174SKristof Provost 112*9af23174SKristof Provostv6_body() 113*9af23174SKristof Provost{ 114*9af23174SKristof Provost pft_init 115*9af23174SKristof Provost 116*9af23174SKristof Provost epair=$(vnet_mkepair) 117*9af23174SKristof Provost ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad 118*9af23174SKristof Provost 119*9af23174SKristof Provost vnet_mkjail alcatraz ${epair}b 120*9af23174SKristof Provost jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad 121*9af23174SKristof Provost jexec alcatraz pfctl -e 122*9af23174SKristof Provost 123*9af23174SKristof Provost pft_set_rules alcatraz "block all" \ 124*9af23174SKristof Provost "pass in proto icmp6" 125*9af23174SKristof Provost 126*9af23174SKristof Provost # Sanity check & establish state 127*9af23174SKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 128*9af23174SKristof Provost # echo requests part of the same flow. 129*9af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 130*9af23174SKristof Provost --ip6 \ 131*9af23174SKristof Provost --sendif ${epair}a \ 132*9af23174SKristof Provost --to 2001:db8::2 \ 133*9af23174SKristof Provost --replyif ${epair}a 134*9af23174SKristof Provost 135*9af23174SKristof Provost # Change rules to now deny the ICMP traffic 136*9af23174SKristof Provost pft_set_rules noflush alcatraz "block all" 137*9af23174SKristof Provost 138*9af23174SKristof Provost # Established state means we can still ping alcatraz 139*9af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 140*9af23174SKristof Provost --ip6 \ 141*9af23174SKristof Provost --sendif ${epair}a \ 142*9af23174SKristof Provost --to 2001:db8::2 \ 143*9af23174SKristof Provost --replyif ${epair}a 144*9af23174SKristof Provost 145*9af23174SKristof Provost # Killing with the wrong IP doesn't affect our state 146*9af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::3 147*9af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 148*9af23174SKristof Provost --ip6 \ 149*9af23174SKristof Provost --sendif ${epair}a \ 150*9af23174SKristof Provost --to 2001:db8::2 \ 151*9af23174SKristof Provost --replyif ${epair}a 152*9af23174SKristof Provost 153*9af23174SKristof Provost # Killing with one correct address and one incorrect doesn't kill the state 154*9af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 -k 2001:db8::3 155*9af23174SKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 156*9af23174SKristof Provost --ip6 \ 157*9af23174SKristof Provost --sendif ${epair}a \ 158*9af23174SKristof Provost --to 2001:db8::2 \ 159*9af23174SKristof Provost --replyif ${epair}a 160*9af23174SKristof Provost 161*9af23174SKristof Provost # Killing with correct address does remove the state 162*9af23174SKristof Provost jexec alcatraz pfctl -k 2001:db8::1 163*9af23174SKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 164*9af23174SKristof Provost --ip6 \ 165*9af23174SKristof Provost --sendif ${epair}a \ 166*9af23174SKristof Provost --to 2001:db8::2 \ 167*9af23174SKristof Provost --replyif ${epair}a 168*9af23174SKristof Provost 169*9af23174SKristof Provost} 170*9af23174SKristof Provost 171*9af23174SKristof Provostv6_cleanup() 172*9af23174SKristof Provost{ 173*9af23174SKristof Provost pft_cleanup 174*9af23174SKristof Provost} 175*9af23174SKristof Provost 176065b5c7fSKristof Provostatf_test_case "label" "cleanup" 177065b5c7fSKristof Provostlabel_head() 178065b5c7fSKristof Provost{ 179065b5c7fSKristof Provost atf_set descr 'Test killing states by label' 180065b5c7fSKristof Provost atf_set require.user root 181065b5c7fSKristof Provost atf_set require.progs scapy 182065b5c7fSKristof Provost} 183065b5c7fSKristof Provost 184065b5c7fSKristof Provostlabel_body() 185065b5c7fSKristof Provost{ 186065b5c7fSKristof Provost pft_init 187065b5c7fSKristof Provost 188065b5c7fSKristof Provost epair=$(vnet_mkepair) 189065b5c7fSKristof Provost ifconfig ${epair}a 192.0.2.1/24 up 190065b5c7fSKristof Provost 191065b5c7fSKristof Provost vnet_mkjail alcatraz ${epair}b 192065b5c7fSKristof Provost jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 193065b5c7fSKristof Provost jexec alcatraz pfctl -e 194065b5c7fSKristof Provost 195065b5c7fSKristof Provost pft_set_rules alcatraz "block all" \ 196065b5c7fSKristof Provost "pass in proto tcp label bar" \ 197065b5c7fSKristof Provost "pass in proto icmp label foo" 198065b5c7fSKristof Provost 199065b5c7fSKristof Provost # Sanity check & establish state 200065b5c7fSKristof Provost # Note: use pft_ping so we always use the same ID, so pf considers all 201065b5c7fSKristof Provost # echo requests part of the same flow. 202065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 203065b5c7fSKristof Provost --sendif ${epair}a \ 204065b5c7fSKristof Provost --to 192.0.2.2 \ 205065b5c7fSKristof Provost --replyif ${epair}a 206065b5c7fSKristof Provost 207065b5c7fSKristof Provost # Change rules to now deny the ICMP traffic 208065b5c7fSKristof Provost pft_set_rules noflush alcatraz "block all" 209065b5c7fSKristof Provost 210065b5c7fSKristof Provost # Established state means we can still ping alcatraz 211065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 212065b5c7fSKristof Provost --sendif ${epair}a \ 213065b5c7fSKristof Provost --to 192.0.2.2 \ 214065b5c7fSKristof Provost --replyif ${epair}a 215065b5c7fSKristof Provost 216065b5c7fSKristof Provost # Killing a label on a different rules keeps the state 217065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k bar 218065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 219065b5c7fSKristof Provost --sendif ${epair}a \ 220065b5c7fSKristof Provost --to 192.0.2.2 \ 221065b5c7fSKristof Provost --replyif ${epair}a 222065b5c7fSKristof Provost 223065b5c7fSKristof Provost # Killing a non-existing label keeps the state 224065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k baz 225065b5c7fSKristof Provost atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \ 226065b5c7fSKristof Provost --sendif ${epair}a \ 227065b5c7fSKristof Provost --to 192.0.2.2 \ 228065b5c7fSKristof Provost --replyif ${epair}a 229065b5c7fSKristof Provost 230065b5c7fSKristof Provost # Killing the correct label kills the state 231065b5c7fSKristof Provost jexec alcatraz pfctl -k label -k foo 232065b5c7fSKristof Provost atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ 233065b5c7fSKristof Provost --sendif ${epair}a \ 234065b5c7fSKristof Provost --to 192.0.2.2 \ 235065b5c7fSKristof Provost --replyif ${epair}a 236065b5c7fSKristof Provost} 237065b5c7fSKristof Provost 238065b5c7fSKristof Provostlabel_cleanup() 239065b5c7fSKristof Provost{ 240065b5c7fSKristof Provost pft_cleanup 241065b5c7fSKristof Provost} 242065b5c7fSKristof Provost 243065b5c7fSKristof Provostatf_init_test_cases() 244065b5c7fSKristof Provost{ 245065b5c7fSKristof Provost atf_add_test_case "v4" 246*9af23174SKristof Provost atf_add_test_case "v6" 247065b5c7fSKristof Provost atf_add_test_case "label" 248065b5c7fSKristof Provost} 249