# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr

# Every case below builds the same topology: one epair whose "a" end stays in
# the host and whose "b" end is moved into a vnet jail called "alcatraz", where
# pf is then enabled.  All probes are pings sent from the host into the jail,
# so the rules under test are always evaluated as inbound rules on the jail
# side.  pft_init / pft_set_rules / pft_cleanup come from utils.subr.

atf_test_case "v4" "cleanup"
v4_head()
{
	atf_set descr 'Basic pass/block test for IPv4'
	atf_set require.user root
}

# IPv4: no pf -> pf with empty ruleset -> block all -> block all but ICMP.
v4_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	# One-interface jail on the far end of the epair.
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	# Baseline: the jail is reachable before pf is involved at all.
	atf_check -o ignore -s exit:0 ping -c 1 -t 1 192.0.2.2

	# Enabling pf with an empty ruleset must not change reachability.
	jexec alcatraz pfctl -e
	atf_check -o ignore -s exit:0 ping -c 1 -t 1 192.0.2.2

	# A blanket "block in" has to drop the echo request (ping exits 2).
	pft_set_rules alcatraz "block in"
	atf_check -o ignore -s exit:2 ping -c 1 -t 1 192.0.2.2

	# The later "pass in proto icmp" rule wins for ICMP, so ping works again.
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -o ignore -s exit:0 ping -c 1 -t 1 192.0.2.2
}

v4_cleanup()
{
	pft_cleanup
}

atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'Basic pass/block test for IPv6'
	atf_set require.user root
}

# IPv6 counterpart of v4_body, plus a check that "proto icmp" (ICMPv4) does
# not accidentally open ICMPv6.
v6_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 2001:db8:42::1/64 up no_dad

	# One-interface jail on the far end of the epair.
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 2001:db8:42::2/64 up no_dad

	# Baseline: reachable without pf.
	atf_check -o ignore -s exit:0 ping6 -c 1 -W 1 2001:db8:42::2

	# Enabling pf with an empty ruleset must not change reachability.
	jexec alcatraz pfctl -e
	atf_check -o ignore -s exit:0 ping6 -c 1 -W 1 2001:db8:42::2

	# A blanket "block in" drops the echo request.
	pft_set_rules alcatraz "block in"
	atf_check -o ignore -s exit:2 ping6 -c 1 -W 1 2001:db8:42::2

	# Passing ICMPv6 explicitly restores reachability.
	pft_set_rules alcatraz "block in" "pass in proto icmp6"
	atf_check -o ignore -s exit:0 ping6 -c 1 -W 1 2001:db8:42::2

	# ICMPv4 and ICMPv6 are distinct protocols: a rule that passes
	# "proto icmp" must leave ICMPv6 blocked.
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -o ignore -s exit:2 ping6 -c 1 -W 1 2001:db8:42::2
}

v6_cleanup()
{
	pft_cleanup
}

atf_test_case "noalias" "cleanup"
noalias_head()
{
	atf_set descr 'Test the :0 noalias option'
	atf_set require.user root
}

# The "(ifname:0)" form must exclude the interface's alias addresses: with
# it, the jail's link-local address stays reachable while the global address
# is blocked; without it, both are blocked.
noalias_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 2001:db8:42::1/64 up no_dad

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 2001:db8:42::2/64 up no_dad

	# Pick the jail-side link-local address out of ifconfig output: the
	# line carrying "%<ifname>" is the scoped link-local one; strip the
	# "%<ifname>" zone suffix so the host can append its own.
	linklocaladdr=$(jexec alcatraz ifconfig "${epair}b" inet6 \
	    | awk -v scope="%${epair}b" \
	        'index($0, scope) { split($2, addr, "%"); print addr[1] }')

	# Sanity check: both the global and the link-local address answer.
	atf_check -o ignore -s exit:0 ping6 -c 3 -W 1 2001:db8:42::2
	atf_check -o ignore -s exit:0 ping6 -c 3 -W 1 "${linklocaladdr}%${epair}a"

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any"

	# Replies from the global address are blocked ...
	atf_check -o ignore -s exit:2 ping6 -c 3 -W 1 2001:db8:42::2

	# ... but the link-local address is not covered by ":0", so it still answers.
	atf_check -o ignore -s exit:0 ping6 -c 3 -W 1 "${linklocaladdr}%${epair}a"

	# Without ":0" the interface expands to all its addresses, link-local
	# included, so that ping must fail too.
	pft_set_rules alcatraz "block out inet6 from (${epair}b) to any"
	atf_check -o ignore -s exit:2 ping6 -c 3 -W 1 "${linklocaladdr}%${epair}a"
}

noalias_cleanup()
{
	pft_cleanup
}

atf_test_case "nested_inline" "cleanup"
nested_inline_head()
{
	atf_set descr "Test nested inline anchors, PR196314"
	atf_set require.user root
}

# An inline anchor nested inside another inline anchor must still be loaded
# and evaluated: the inner "pass in quick proto icmp" has to override the
# top-level "block in".
nested_inline_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet 192.0.2.1/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up

	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
	    'block in' \
	    'anchor "an1" {' \
	    'pass in quick proto tcp to port time' \
	    'anchor "an2" {' \
	    'pass in quick proto icmp' \
	    '}' \
	    '}'

	atf_check -o ignore -s exit:0 ping -c 1 -t 1 192.0.2.2
}

nested_inline_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
	atf_add_test_case "noalias"
	atf_add_test_case "nested_inline"
}