1# $FreeBSD$
2#
3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4#
5# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
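# Shared pf test helpers (pft_init, pft_set_rules, pft_cleanup, vnet_mkepair,
# vnet_mkjail).  Quote the substitution so a source directory containing
# whitespace cannot split the path into several words.
. "$(atf_get_srcdir)/utils.subr"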
29
# Test case 1: 'pfctl -s r -v -z' clears rule counters after printing them.
atf_test_case get_clear cleanup
get_clear_head()
{
	# Creating a vnet jail and driving pf requires root.
	atf_set require.user root
	atf_set descr "Test clearing rules counters on get rules"
}
36
get_clear_body()
{
	# Counter layouts as printed by 'pfctl -s r -v': a rule that has
	# counted traffic, and a rule whose counters are (back at) zero.
	local counted='Evaluations: [1-9][0-9]*[[:space:]]*Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]*'
	local reset='Evaluations: 0[[:space:]]*Packets: 0*[[:space:]]*Bytes: 0*[[:space:]]*'

	pft_init

	# Host side of an epair on 192.0.2.1, pf-enabled jail on 192.0.2.2
	# (RFC 5737 documentation range, so it cannot collide with real hosts).
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"pass all"

	# Push a few packets through so the single rule has something to count.
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# The rule must now report non-zero counters.
	atf_check -s exit:0 -e ignore -o match:"${counted}" \
	    jexec alcatraz pfctl -s r -v

	# Reading with -z prints the values as they were before the clear
	# (still non-zero) and only then zeroes the counters.
	atf_check -s exit:0 -e ignore -o match:"${counted}" \
	    jexec alcatraz pfctl -s r -v -z

	# The next read must see the cleared counters.  NOTE(review): this
	# assumes no other traffic reaches the jail between the two reads.
	atf_check -s exit:0 -e ignore -o match:"${reset}" \
	    jexec alcatraz pfctl -s r -v
}
70
get_clear_cleanup()
{
	# Tear down the jail and epair created by the body (utils.subr).
	pft_cleanup
}
75
# Test case 2: 'set keepcounters' preserves counters across a ruleset reload.
atf_test_case keepcounters cleanup
keepcounters_head()
{
	# Creating a vnet jail and driving pf requires root.
	atf_set require.user root
	atf_set descr "Test keepcounter functionality"
}
82
keepcounters_body()
{
	# Counter layouts as printed by 'pfctl -s r -v': a rule that has
	# counted traffic, and a rule whose counters are (back at) zero.
	local counted='Evaluations: [1-9][0-9]*[[:space:]]*Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]*'
	local reset='Evaluations: 0[[:space:]]*Packets: 0*[[:space:]]*Bytes: 0*[[:space:]]*'

	pft_init

	# Host side of an epair on 192.0.2.1, pf-enabled jail on 192.0.2.2
	# (RFC 5737 documentation range, so it cannot collide with real hosts).
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"pass all"

	# A freshly loaded rule starts out at zero.
	atf_check -s exit:0 -e ignore -o match:"${reset}" \
	    jexec alcatraz pfctl -s r -v

	# Push a few packets through so the rule counts them.
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
	atf_check -s exit:0 -e ignore -o match:"${counted}" \
	    jexec alcatraz pfctl -s r -v

	# Reloading the identical ruleset without 'set keepcounters' discards
	# the counters.
	pft_set_rules noflush alcatraz \
		"pass all"
	atf_check -s exit:0 -e ignore -o match:"${reset}" \
	    jexec alcatraz pfctl -s r -v

	# Count again, then reload the same rule with 'set keepcounters':
	# the counters must survive the reload.
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
	pft_set_rules noflush alcatraz \
		"set keepcounters" \
		"pass all"
	atf_check -s exit:0 -e ignore -o match:"${counted}" \
	    jexec alcatraz pfctl -s r -v

	# keepcounters only carries counters over to a rule that is unchanged;
	# a different rule text ('pass inet all') starts from zero again.
	pft_set_rules noflush alcatraz \
		"set keepcounters" \
		"pass inet all"
	atf_check -s exit:0 -e ignore -o match:"${reset}" \
	    jexec alcatraz pfctl -s r -v

	# And without 'set keepcounters' a reload resets even an unchanged
	# rule that has seen traffic.
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
	pft_set_rules noflush alcatraz \
		"pass inet all"
	atf_check -s exit:0 -e ignore -o match:"${reset}" \
	    jexec alcatraz pfctl -s r -v
}
151
keepcounters_cleanup()
{
	# Tear down the jail and epair created by the body (utils.subr).
	pft_cleanup
}
156
atf_init_test_cases()
{
	# Registration order is the order kyua lists and runs the cases.
	local tc
	for tc in get_clear keepcounters; do
		atf_add_test_case "${tc}"
	done
}
162