# $FreeBSD$
# Shared pf test helpers. pft_init, pft_set_rules, pft_cleanup, vnet_mkepair
# and vnet_mkjail are used below but not defined in this file; presumably they
# come from utils.subr (not visible here).
. $(atf_get_srcdir)/utils.subr
atf_test_case "v4" "cleanup"
v4_head()
{
	# Root is required: the body creates a vnet jail and epair interfaces
	# and loads pf rules inside the jail.
	atf_set require.user root
	atf_set descr "Basic pass/block test for IPv4"
}
v4_body()
{
	# Basic IPv4 pass/block semantics, observed from the host side of an
	# epair whose other end lives in a jail running pf.
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	# One-interface jail; pf is enabled in the jail, so the host only
	# ever sees the effect of the jail's policy.
	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	# Every step below sends the same single probe; -t 1 bounds how long
	# ping waits so a blocked probe fails quickly.
	ping_jail="ping -c 1 -t 1 192.0.2.2"

	# Baseline: reachable before pf is enabled at all
	atf_check -s exit:0 -o ignore ${ping_jail}

	# pf enabled with an empty ruleset passes traffic
	jexec alcatraz pfctl -e
	atf_check -s exit:0 -o ignore ${ping_jail}

	# Default-deny inbound stops the probe (ping exits 2 with no reply)
	pft_set_rules alcatraz "block in"
	atf_check -s exit:2 -o ignore ${ping_jail}

	# A later "pass" for ICMP takes precedence over the earlier "block"
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:0 -o ignore ${ping_jail}
}
# Tear down the jail and epair created by v4_body via the shared helper.
v4_cleanup() { pft_cleanup; }
atf_test_case "v6" "cleanup"
v6_head()
{
	# Root is required: the body creates a vnet jail and epair interfaces
	# and loads pf rules inside the jail.
	atf_set require.user root
	atf_set descr "Basic pass/block test for IPv6"
}
v6_body()
{
	# IPv6 counterpart of v4_body, plus a check that a "pass" for ICMPv4
	# does not let ICMPv6 through a default-deny policy.
	pft_init

	epair=$(vnet_mkepair)
	# no_dad: skip duplicate-address detection so the address is usable
	# right away rather than sitting tentative while the probes run.
	ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad

	# One-interface jail; pf is enabled in the jail.
	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad

	# Same single probe for every step; -x 1 keeps the wait for a reply short.
	ping_jail="ping6 -c 1 -x 1 2001:db8:42::2"

	# Baseline: reachable with pf disabled
	atf_check -s exit:0 -o ignore ${ping_jail}

	# pf enabled with an empty ruleset passes traffic
	jexec alcatraz pfctl -e
	atf_check -s exit:0 -o ignore ${ping_jail}

	# Default-deny inbound stops the probe
	pft_set_rules alcatraz "block in"
	atf_check -s exit:2 -o ignore ${ping_jail}

	# Explicitly passing ICMPv6 reopens it
	pft_set_rules alcatraz "block in" "pass in proto icmp6"
	atf_check -s exit:0 -o ignore ${ping_jail}

	# Protocol-confusion check: a pass rule for ICMPv4 must not admit
	# ICMPv6, so the probe has to stay blocked.
	pft_set_rules alcatraz "block in" "pass in proto icmp"
	atf_check -s exit:2 -o ignore ${ping_jail}
}
# Tear down the jail and epair created by v6_body via the shared helper.
v6_cleanup() { pft_cleanup; }
atf_test_case "noalias" "cleanup"
noalias_head()
{
	# Root is required: the body creates a vnet jail and epair interfaces
	# and loads pf rules inside the jail.
	atf_set require.user root
	atf_set descr "Test the :0 noalias option"
}
noalias_body()
{
	# "(ifname:0)" in a pf address list is meant to exclude the
	# interface's alias addresses. Check that a block aimed at
	# "(ifname:0)" leaves the jail's link-local address reachable while
	# the plain "(ifname)" form covers it too.
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad

	# Read the jail side's link-local address: the inet6 line whose
	# address carries a "%<ifname>" scope suffix. The suffix is dropped
	# so the host-side scope can be attached when probing from outside.
	linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \
		| grep %${epair}b \
		| awk '{ sub(/%.*/, "", $2); print $2; }')

	ping_global="ping6 -c 3 -x 1 2001:db8:42::2"
	ping_linklocal="ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a"

	# Sanity check: both addresses answer before any policy is loaded
	atf_check -s exit:0 -o ignore ${ping_global}
	atf_check -s exit:0 -o ignore ${ping_linklocal}

	jexec alcatraz pfctl -e

	# Block replies sourced from the non-alias addresses only
	pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any"
	atf_check -s exit:2 -o ignore ${ping_global}
	# The link-local address is not covered by :0, so it still answers
	atf_check -s exit:0 -o ignore ${ping_linklocal}

	# Without :0 every address on the interface is covered, link-local
	# included, so this one is blocked as well
	pft_set_rules alcatraz "block out inet6 from (${epair}b) to any"
	atf_check -s exit:2 -o ignore ${ping_linklocal}
}
# Tear down the jail and epair created by noalias_body via the shared helper.
noalias_cleanup() { pft_cleanup; }
atf_test_case "nested_inline" "cleanup"
nested_inline_head()
{
	# Root is required: the body creates a vnet jail and epair interfaces
	# and loads pf rules inside the jail.
	atf_set require.user root
	atf_set descr "Test nested inline anchors, PR196314"
}
nested_inline_body()
{
	# Regression test for PR196314: a rule inside an inline anchor that is
	# itself nested in another inline anchor must still be evaluated.
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	jexec alcatraz pfctl -e

	# The outer policy is default-deny; the only rule that can admit the
	# probe is the "pass in quick proto icmp" two anchor levels down.
	# Rule strings are passed one per argument; the nesting is in the
	# braces, not in the layout.
	pft_set_rules alcatraz \
	    "block in" \
	    "anchor \"an1\" {" \
	    "pass in quick proto tcp to port time" \
	    "anchor \"an2\" {" \
	    "pass in quick proto icmp" \
	    "}" \
	    "}"

	# Were the nested anchor skipped, the probe would be blocked (exit 2).
	ping_jail="ping -c 1 -t 1 192.0.2.2"
	atf_check -s exit:0 -o ignore ${ping_jail}
}
# Tear down the jail and epair created by nested_inline_body via the shared helper.
nested_inline_cleanup() { pft_cleanup; }
atf_init_test_cases()
{
	# Register the four cases defined above, in file order.
	for tc in v4 v6 noalias nested_inline; do
		atf_add_test_case "${tc}"
	done
}