1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
# Shared pf test helpers; presumably this is where pft_init, pft_set_rules,
# pft_cleanup, vnet_mkepair, vnet_mkjail and dummynet_init used below come from.
. $(atf_get_srcdir)/utils.subr

# Directory of cross-suite helper tools (pft_ping.py is used by allow_opts).
common_dir=$(atf_get_srcdir)/../common
30
# Declare the case; the "cleanup" argument tells ATF that a dummynet_cleanup
# function exists and must run after the body, even when the body fails.
atf_test_case "dummynet" "cleanup"
dummynet_head()
{
	# Exercise a dummynet pipe that is attached to traffic by a 'match'
	# rule.  Root is required to create jails/epairs and load pf rules.
	atf_set descr "Test dummynet with match keyword"
	atf_set require.user root
}
37
dummynet_body()
{
	dummynet_init

	# One epair: side 'a' stays on the host, side 'b' goes into the
	# "alcatraz" vnet jail where pf and dummynet are configured.
	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz "${epair}b"

	ifconfig "${epair}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	# Sanity check: large pings get through before any policy is loaded.
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2

	# A deliberately tiny pipe (30 bytes/s) so a handful of 1200-byte
	# packets is enough to fill it.  The pipe is bound by a 'match' rule;
	# the final 'pass' rule carries no dummynet option of its own.
	jexec alcatraz dnctl pipe 1 config bw 30Byte/s
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"match in dnpipe 1" \
		"pass"

	# A single default-sized ping still fits through the pipe.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Fill the pipe.  The exit status is intentionally not checked: some of
	# these packets are expected to be dropped.
	ping -i .1 -c 5 -s 1200 192.0.2.2

	# With the queue saturated the next large probe must be lost, which
	# ping reports as exit status 2.
	# NOTE(review): this step depends on the pipe still being backlogged
	# when the probe is sent, so it is timing sensitive by design.
	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
}
66
dummynet_cleanup() {
	# Delegate teardown of the jail/epair state to the shared helper
	# (presumably provided by utils.subr).
	pft_cleanup
}
71
# Declare the case; "cleanup" makes ATF run quick_cleanup after the body.
atf_test_case "quick" "cleanup"
quick_head()
{
	# Verify how 'quick' behaves on a 'match' rule: it must stop rule
	# evaluation without changing the pass/block verdict reached so far.
	atf_set descr "Test quick on match rules"
	atf_set require.user root
}
78
quick_body()
{
	pft_init

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz "${epair}b"

	ifconfig "${epair}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	# Sanity check: connectivity before pf is enabled in the jail.
	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.2

	jexec alcatraz pfctl -e

	# 'match ... quick' terminates evaluation but does not itself pass or
	# block; the verdict is whatever the last matching pass/block rule
	# said.  With 'pass' first, the trailing 'block' is never consulted,
	# so ICMP gets through.  Operators should note this: a quick match
	# rule placed early can shadow every block rule that follows it.
	pft_set_rules alcatraz \
		"pass" \
		"match in quick proto icmp" \
		"block"
	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.2

	# Mirror image: 'block' precedes the quick match, the later 'pass' is
	# never reached, and ping reports no reply (exit status 2).
	pft_set_rules alcatraz \
		"block" \
		"match in quick proto icmp" \
		"pass"
	atf_check -s exit:2 -o ignore \
	    ping -c 1 192.0.2.2
}
111
quick_cleanup() {
	# Shared teardown (presumably from utils.subr) for the jail and epair.
	pft_cleanup
}
116
# Declare the case; "cleanup" makes ATF run allow_opts_cleanup after the body.
atf_test_case "allow_opts" "cleanup"
allow_opts_head()
{
	# Check that 'allow-opts' on a 'match' rule lets packets carrying IP
	# options through.  The crafted probes are sent with scapy, hence the
	# python3/scapy requirement on top of root.
	atf_set descr "Test allowing IP options via match"
	atf_set require.user root
	atf_set require.progs python3 scapy
}
124
allow_opts_body()
{
	pft_init

	epair=$(vnet_mkepair)

	# Unlike the other cases, the host keeps side 'b' (the sender) and the
	# jail owns side 'a' (the target that runs pf).
	ifconfig "${epair}b" 192.0.2.2/24 up

	vnet_mkjail alcatraz "${epair}a"
	jexec alcatraz ifconfig "${epair}a" 192.0.2.1/24 up

	jexec alcatraz pfctl -e
	# Raise pf's debug level; presumably to make a failure easier to
	# diagnose from the kernel log.
	jexec alcatraz pfctl -x loud
	pft_set_rules alcatraz \
	    "match proto icmp allow-opts" \
	    "pass"

	# Sanity check: an ordinary option-less echo request is answered.
	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.1

	# An echo request carrying an IP NOP option is answered because the
	# match rule granted 'allow-opts'.
	atf_check -s exit:0 -o ignore \
	    "${common_dir}/pft_ping.py" \
	    --sendif "${epair}b" \
	    --to 192.0.2.1 \
	    --send-nop \
	    --replyif "${epair}b"

	# Without 'allow-opts' pf does not pass packets with IP options by
	# default, so the same probe gets no reply and pft_ping.py exits 1.
	pft_set_rules alcatraz \
	    "match proto icmp" \
	    "pass"
	atf_check -s exit:1 -o ignore \
	    "${common_dir}/pft_ping.py" \
	    --sendif "${epair}b" \
	    --to 192.0.2.1 \
	    --send-nop \
	    --replyif "${epair}b"

	# The option is equally honoured when set directly on the pass rule.
	pft_set_rules alcatraz \
	    "pass allow-opts"
	atf_check -s exit:0 -o ignore \
	    "${common_dir}/pft_ping.py" \
	    --sendif "${epair}b" \
	    --to 192.0.2.1 \
	    --send-nop \
	    --replyif "${epair}b"
}
174
allow_opts_cleanup() {
	# Shared teardown (presumably from utils.subr) for the jail and epair.
	pft_cleanup
}
179
atf_init_test_cases()
{
	# Register the three cases, in the order they are defined above.
	atf_add_test_case "dummynet"
	atf_add_test_case "quick"
	atf_add_test_case "allow_opts"
}
186