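# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# pf rule counter tests: "pfctl -s r -v -z" (clear-on-read) and the
# "set keepcounters" option that preserves counters across rule reloads.
#
# Both test cases need root: they create a vnet jail and an epair pair
# (vnet_mkjail / vnet_mkepair from utils.subr) and drive pf inside the jail.

. $(atf_get_srcdir)/utils.subr

# "pfctl -s r -v" prints per-rule counters on one line, of the form
#   [ Evaluations: N  Packets: N  Bytes: N  ... ]
# Every number is followed by whitespace, and the patterns below require
# that terminator after each counter.  The previous "zero" pattern ended in
# "Bytes: 0*[[:space:]]*", which accepts the empty string and therefore
# matched ANY byte count (e.g. "Bytes: 504"), so the zero check on Bytes
# never actually failed.  atf_check's match: uses extended regexes, so
# "+" is available.
counters_zero='Evaluations: 0[[:space:]]+Packets: 0[[:space:]]+Bytes: 0[[:space:]]+'
counters_nonzero='Evaluations: [1-9][0-9]*[[:space:]]+Packets: [1-9][0-9]*[[:space:]]+Bytes: [1-9][0-9]*[[:space:]]+'

# Assert that the rule counters pfctl reports inside jail $1 are all zero.
# Any further arguments are appended to the pfctl command line.
expect_zero_counters()
{
	local jail
	jail=$1
	shift

	atf_check -s exit:0 -e ignore -o match:"${counters_zero}" \
	    jexec "${jail}" pfctl -s r -v "$@"
}

# Assert that the rule counters pfctl reports inside jail $1 are all
# non-zero.  Any further arguments are appended to the pfctl command line
# (e.g. -z to clear the counters after they have been printed).
expect_nonzero_counters()
{
	local jail
	jail=$1
	shift

	atf_check -s exit:0 -e ignore -o match:"${counters_nonzero}" \
	    jexec "${jail}" pfctl -s r -v "$@"
}

# Bring up an epair between the host (192.0.2.1) and a new vnet jail
# named $1 (192.0.2.2), enable pf in the jail and load a single
# "pass all" rule.  Sets epair_send for the caller.
setup_jail_with_pass_all()
{
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail "$1" ${epair_send}b
	jexec "$1" ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec "$1" pfctl -e

	pft_set_rules "$1" \
		"pass all"
}

# Send a few packets through the jail so the "pass all" rule is evaluated
# and its counters become non-zero.
generate_traffic()
{
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
}

atf_test_case "get_clear" "cleanup"
get_clear_head()
{
	atf_set descr 'Test clearing rules counters on get rules'
	atf_set require.user root
}

get_clear_body()
{
	pft_init

	setup_jail_with_pass_all alcatraz

	# Ensure the rule matched packets, so we can verify non-zero counters
	generate_traffic

	# Expect non-zero counters
	expect_nonzero_counters alcatraz

	# A plain "-s r -v" must not reset anything, so the counters are still
	# non-zero here; -z prints them and then clears them.
	expect_nonzero_counters alcatraz -z

	# Expect zero counters after the clear-on-read above
	expect_zero_counters alcatraz
}

get_clear_cleanup()
{
	pft_cleanup
}

atf_test_case "keepcounters" "cleanup"
keepcounters_head()
{
	atf_set descr 'Test keepcounter functionality'
	atf_set require.user root
}

keepcounters_body()
{
	pft_init

	setup_jail_with_pass_all alcatraz

	# Freshly loaded rules start with zero counters
	expect_zero_counters alcatraz

	# Ensure the rule matched packets, so we can verify non-zero counters
	generate_traffic

	# Expect non-zero counters
	expect_nonzero_counters alcatraz

	# Reloading the (same) rules without keepcounters resets the counters
	pft_set_rules noflush alcatraz \
		"pass all"

	expect_zero_counters alcatraz

	# Increment rule counters
	generate_traffic

	# Reloading the same rule with 'set keepcounters' must carry the
	# existing counters over to the new ruleset.
	pft_set_rules noflush alcatraz \
		"set keepcounters" \
		"pass all"

	expect_nonzero_counters alcatraz

	# However, a rule that differs from the previous one gets fresh
	# counters even with keepcounters set.
	pft_set_rules noflush alcatraz \
		"set keepcounters" \
		"pass inet all"

	expect_zero_counters alcatraz

	# If we generate traffic and then reload without keepcounters we are
	# back to zero counters as well.
	generate_traffic
	pft_set_rules noflush alcatraz \
		"pass inet all"

	expect_zero_counters alcatraz
}

keepcounters_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "get_clear"
	atf_add_test_case "keepcounters"
}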