1# $FreeBSD$ 2 3. $(atf_get_srcdir)/utils.subr 4 5atf_test_case "v4" "cleanup" 6v4_head() 7{ 8 atf_set descr 'Basic pass/block test for IPv4' 9 atf_set require.user root 10} 11 12v4_body() 13{ 14 pft_init 15 16 epair=$(vnet_mkepair) 17 ifconfig ${epair}a 192.0.2.1/24 up 18 19 # Set up a simple jail with one interface 20 vnet_mkjail alcatraz ${epair}b 21 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 22 23 # Trivial ping to the jail, without pf 24 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 25 26 # pf without policy will let us ping 27 jexec alcatraz pfctl -e 28 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 29 30 # Block everything 31 pft_set_rules alcatraz "block in" 32 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 33 34 # Block everything but ICMP 35 pft_set_rules alcatraz "block in" "pass in proto icmp" 36 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 37} 38 39v4_cleanup() 40{ 41 pft_cleanup 42} 43 44atf_test_case "v6" "cleanup" 45v6_head() 46{ 47 atf_set descr 'Basic pass/block test for IPv6' 48 atf_set require.user root 49} 50 51v6_body() 52{ 53 pft_init 54 55 epair=$(vnet_mkepair) 56 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad 57 58 # Set up a simple jail with one interface 59 vnet_mkjail alcatraz ${epair}b 60 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad 61 62 # Trivial ping to the jail, without pf 63 atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 64 65 # pf without policy will let us ping 66 jexec alcatraz pfctl -e 67 atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 68 69 # Block everything 70 pft_set_rules alcatraz "block in" 71 atf_check -s exit:2 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 72 73 # Block everything but ICMP 74 pft_set_rules alcatraz "block in" "pass in proto icmp6" 75 atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 76 77 # Allowing ICMPv4 does not allow ICMPv6 78 pft_set_rules alcatraz "block in" "pass in proto icmp" 79 atf_check -s exit:2 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 80} 81 82v6_cleanup() 83{ 84 pft_cleanup 85} 86 87atf_test_case "noalias" "cleanup" 88noalias_head() 89{ 90 atf_set descr 'Test the :0 noalias option' 91 atf_set require.user root 92} 93 94noalias_body() 95{ 96 pft_init 97 98 epair=$(vnet_mkepair) 99 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad 100 101 vnet_mkjail alcatraz ${epair}b 102 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad 103 104 linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \ 105 | grep %${epair}b \ 106 | awk '{ print $2; }' \ 107 | cut -d % -f 1) 108 109 # Sanity check 110 atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 2001:db8:42::2 111 atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a 112 113 jexec alcatraz pfctl -e 114 pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any" 115 116 atf_check -s exit:2 -o ignore ping6 -c 3 -W 1 2001:db8:42::2 117 118 # We should still be able to ping the link-local address 119 atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a 120 121 pft_set_rules alcatraz "block out inet6 from (${epair}b) to any" 122 123 # We cannot ping to the link-local address 124 atf_check -s exit:2 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a 125} 126 127noalias_cleanup() 128{ 129 pft_cleanup 130} 131 132atf_test_case "nested_inline" "cleanup" 133nested_inline_head() 134{ 135 atf_set descr "Test nested inline anchors, PR196314" 136 atf_set require.user root 137} 138 139nested_inline_body() 140{ 141 pft_init 142 143 epair=$(vnet_mkepair) 144 ifconfig ${epair}a inet 192.0.2.1/24 up 145 146 vnet_mkjail alcatraz ${epair}b 147 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up 148 149 jexec alcatraz pfctl -e 150 pft_set_rules alcatraz \ 151 "block in" \ 152 "anchor \"an1\" {" \ 153 "pass in quick proto tcp to port time" \ 154 "anchor \"an2\" {" \ 155 "pass in quick proto icmp" \ 156 "}" \ 157 "}" 158 159 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 160} 161 162nested_inline_cleanup() 163{ 164 pft_cleanup 165} 166 167atf_init_test_cases() 168{ 169 atf_add_test_case "v4" 170 atf_add_test_case "v6" 171 atf_add_test_case "noalias" 172 atf_add_test_case "nested_inline" 173} 174