#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# ATF test cases for pflog(4) log accuracy: what pf writes to pflog0 must
# reflect the verdict it actually applied to the packet.  Both cases build
# a vnet jail on an epair, enable pf with a small rule set, capture pflog0
# with tcpdump and then grep the capture for the expected log line.
#
# pflog_init, vnet_mkepair, vnet_mkjail, pft_set_rules and pft_cleanup are
# not defined here; they are presumably provided by the sourced utils.subr.
. $(atf_get_srcdir)/utils.subr

# Location of the shared test helpers (pft_ping.py is run from here).
common_dir=$(atf_get_srcdir)/../common

atf_test_case "malformed" "cleanup"
malformed_head()
{
	atf_set descr 'Test that we do not log malformed packets as passing'
	atf_set require.user root
	# pft_ping.py is a scapy script, so the test is skipped where scapy is absent.
	atf_set require.progs scapy
}

# A packet that pf drops because of its IP options must show up in pflog as
# a block with reason "ip-option", even though the only configured rule is a
# "pass log" rule.  Logging such a drop as a pass would make the audit trail
# claim the packet was accepted when it was not.
malformed_body()
{
	pflog_init

	epair=$(vnet_mkepair)

	# srv (192.0.2.1) is the sender; cl (192.0.2.2) runs pf and pflog.
	vnet_mkjail srv ${epair}b
	jexec srv ifconfig ${epair}b 192.0.2.1/24 up

	vnet_mkjail cl ${epair}a
	jexec cl ifconfig ${epair}a 192.0.2.2/24 up

	jexec cl pfctl -e
	jexec cl ifconfig pflog0 up
	pft_set_rules cl \
	    "pass log keep state"

	# Not required, but the 'pf: dropping packet with ip options' kernel log can
	# help when debugging the test.
	jexec cl pfctl -x loud

	# The redirection is applied by this (host) shell, not inside the jail,
	# so pflog.txt lands in the test's working directory.  tcpdump stays in
	# the background; it runs inside the jail, so presumably it is torn down
	# with the jail by pft_cleanup — confirm if captures are seen to leak.
	jexec cl tcpdump -n -e -ttt --immediate-mode -l -U -i pflog0 >> pflog.txt &
	# Fixed delay: on a slow host tcpdump may not yet be capturing when the
	# first packet is sent, which would make the final check miss it.
	sleep 1 # Wait for tcpdump to start

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    jexec srv ping -c 1 192.0.2.2

	# Send the probe ICMP echo request from srv; --send-nop presumably adds
	# a NOP IP option, which is what triggers pf's ip-option drop.
	jexec srv ${common_dir}/pft_ping.py \
	    --sendif ${epair}b \
	    --to 192.0.2.2 \
	    --send-nop \
	    --recvif ${epair}b

	# The request must be logged as a block with reason ip-option (rule 0,
	# sub-rule/reason index 8), not as a pass.  ${epair}a is interpolated
	# into the regex; epair names are assumed to contain no metacharacters.
	atf_check -o match:".*rule 0/8\(ip-option\): block in on ${epair}a: 192.0.2.1 > 192.0.2.2: ICMP echo request.*" \
	    cat pflog.txt
}

malformed_cleanup()
{
	pft_cleanup
}

atf_test_case "matches" "cleanup"
matches_head()
{
	atf_set descr 'Test the pflog matches keyword'
	atf_set require.user root
}

# With "log(matches)" every match rule that the packet hits is expected to
# produce its own pflog record.  Two match rules are configured ahead of the
# final pass rule and the capture must contain a record for each of them
# (rule 0 and rule 1) for the same ICMP echo request.
matches_body()
{
	pflog_init

	epair=$(vnet_mkepair)

	# Only the receiver runs in a jail here; the host side keeps ${epair}b
	# and sends the pings itself.
	vnet_mkjail alcatraz ${epair}a
	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up

	ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.1

	jexec alcatraz pfctl -e
	jexec alcatraz ifconfig pflog0 up
	# Rule numbering is what the log assertions below rely on:
	#   0: match log(matches) inet proto icmp
	#   1: match log(matches) inet from 192.0.2.2
	#   2: pass
	pft_set_rules alcatraz \
	    "match log(matches) inet proto icmp" \
	    "match log(matches) inet from 192.0.2.2" \
	    "pass"

	# Host-shell redirection as in the malformed test; ${PWD}/pflog.txt and
	# the bare pflog.txt used by the checks below refer to the same file.
	jexec alcatraz tcpdump -n -e -ttt --immediate-mode -l -U -i pflog0 >> ${PWD}/pflog.txt &
	# Fixed delay; see the note in malformed_body about the start-up race.
	sleep 1 # Wait for tcpdump to start

	atf_check -s exit:0 -o ignore \
	    ping -c 1 192.0.2.1

	# Diagnostic dumps only; they are not asserted on but make a failing run
	# readable from the ATF output.
	echo "Rules"
	jexec alcatraz pfctl -sr -vv
	echo "States"
	jexec alcatraz pfctl -ss -vv
	echo "Log"
	cat ${PWD}/pflog.txt

	# One log record per matching match rule: rule 0 and rule 1 must both
	# appear for the echo request from 192.0.2.2.
	atf_check -o match:".*rule 0/0\(match\): match in on ${epair}a: 192.0.2.2 > 192.0.2.1: ICMP echo request.*" \
	    cat pflog.txt
	atf_check -o match:".*rule 1/0\(match\): match in on ${epair}a: 192.0.2.2 > 192.0.2.1: ICMP echo request.*" \
	    cat pflog.txt
}

matches_cleanup()
{
	pft_cleanup
}

# Register both cases with the ATF runner.
atf_init_test_cases()
{
	atf_add_test_case "malformed"
	atf_add_test_case "matches"
}