xref: /freebsd/tests/sys/netpfil/pf/rtable.sh (revision f81cdf24ba5436367377f7c8e8f51f6df2a75ca7) 
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2023 Kajetan Staszkiewicz <vegetga@tuxpowered.net>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29atf_test_case "forward_v4" "cleanup"
30forward_v4_head()
31{
32	atf_set descr 'Test IPv4 forwarding with rtable'
33	atf_set require.user root
34	atf_set require.progs scapy
35}
36
37forward_v4_body()
38{
39	setup_router_server_ipv4
40
41	# Sanity check
42	ping_server_check_reply exit:0
43
44	jexec router sysctl net.fibs=2
45	jexec router ifconfig ${epair_server}a fib 1
46	jexec router route del -net ${net_server}
47	jexec router route add -fib 1 -net ${net_server} -iface ${epair_server}a
48
49	# Sanity check
50	ping_server_check_reply exit:1
51
52	# This rule is not enough.
53	# Echo requests will be properly forwarded but replies can't be routed back.
54	pft_set_rules router \
55		"pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
56	ping_server_check_reply exit:1
57
58	# Allow replies coming back to the tester properly via stateful filtering post-routing.
59	pft_set_rules router \
60		"pass in  on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" \
61		"pass out on ${epair_server}a inet proto icmp all icmp-type echoreq rtable 0"
62	ping_server_check_reply exit:0
63
64	# Allow replies coming back to the tester properly via provding extra routes in rtable 1
65	pft_set_rules router \
66		"pass in  on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1"
67	jexec router route add -fib 1 -net ${net_tester} -iface ${epair_tester}b
68	ping_server_check_reply exit:0
69}
70
71forward_v4_cleanup()
72{
73	pft_cleanup
74}
75
76atf_test_case "forward_v6" "cleanup"
77forward_v6_head()
78{
79	atf_set descr 'Test IPv6 forwarding with rtable'
80	atf_set require.user root
81	atf_set require.progs scapy
82}
83
84forward_v6_body()
85{
86	setup_router_server_ipv6
87
88	# Sanity check
89	ping_server_check_reply exit:0
90
91	jexec router sysctl net.fibs=2
92	jexec router ifconfig ${epair_server}a fib 1
93	jexec router route del -6 ${net_server}
94	jexec router route add -fib 1 -6 ${net_server} -iface ${epair_server}a
95
96	# Sanity check
97	ping_server_check_reply exit:1
98
99	# This rule is not enough.
100	# Echo requests will be properly forwarded but replies can't be routed back.
101	pft_set_rules router \
102		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
103		"pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq"
104	ping_server_check_reply exit:1
105
106	# Allow replies coming back to the tester properly via stateful filtering post-routing.
107	pft_set_rules router \
108		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
109		"pass in  on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1" \
110		"pass out on ${epair_server}a inet6 proto icmp6 icmp6-type echoreq rtable 0"
111	ping_server_check_reply exit:0
112
113	# Allow replies coming back to the tester properly via provding extra routes in rtable 1
114	pft_set_rules router \
115		"pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
116		"pass in  on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1"
117	jexec router route add -fib 1 -6 ${net_tester} -iface ${epair_tester}b
118	ping_server_check_reply exit:0
119}
120
121forward_v6_cleanup()
122{
123	pft_cleanup
124}
125
126atf_init_test_cases()
127{
128	atf_add_test_case "forward_v4"
129	atf_add_test_case "forward_v6"
130}
131