xref: /freebsd/tests/sys/netpfil/pf/set_skip.sh (revision 78cd75393ec79565c63927bf200f06f839a1dc05)
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29atf_test_case "set_skip_group" "cleanup"
30set_skip_group_head()
31{
32	atf_set descr 'Basic set skip test'
33	atf_set require.user root
34}
35
36set_skip_group_body()
37{
38	# See PR 229241
39	pft_init
40
41	vnet_mkjail alcatraz
42	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
43	jexec alcatraz ifconfig lo0 group foo
44	jexec alcatraz pfctl -e
45	pft_set_rules alcatraz "set skip on foo" \
46		"block in proto icmp"
47
48	jexec alcatraz ifconfig
49	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
50}
51
52set_skip_group_cleanup()
53{
54	pft_cleanup
55}
56
57atf_test_case "set_skip_group_lo" "cleanup"
58set_skip_group_lo_head()
59{
60	atf_set descr 'Basic set skip test, lo'
61	atf_set require.user root
62}
63
64set_skip_group_lo_body()
65{
66	# See PR 229241
67	pft_init
68
69	vnet_mkjail alcatraz
70	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
71	jexec alcatraz pfctl -e
72	pft_set_rules alcatraz "set skip on lo" \
73		"block on lo0"
74
75	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
76	pft_set_rules noflush alcatraz "set skip on lo" \
77		"block on lo0"
78	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
79	jexec alcatraz pfctl -s rules
80}
81
82set_skip_group_lo_cleanup()
83{
84	pft_cleanup
85}
86
87atf_test_case "set_skip_dynamic" "cleanup"
88set_skip_dynamic_head()
89{
90	atf_set descr "Cope with group changes"
91	atf_set require.user root
92}
93
94set_skip_dynamic_body()
95{
96	pft_init
97
98	set -x
99
100	vnet_mkjail alcatraz
101	jexec alcatraz pfctl -e
102	pft_set_rules alcatraz "set skip on epair" \
103		"block on ! lo"
104
105	epair=$(vnet_mkepair)
106	ifconfig ${epair}a 192.0.2.2/24 up
107	vnet_ifmove ${epair}b alcatraz
108
109	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
110
111	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
112}
113
114set_skip_dynamic_cleanup()
115{
116	pft_cleanup
117}
118
119atf_test_case "pr255852" "cleanup"
120pr255852_head()
121{
122	atf_set descr "PR 255852"
123	atf_set require.user root
124}
125
126pr255852_body()
127{
128	pft_init
129
130	epair=$(vnet_mkepair)
131
132	ifconfig ${epair}a 192.0.2.1/24 up
133
134	vnet_mkjail alcatraz ${epair}b
135	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
136	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
137
138	# Sanity check
139	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
140
141	jexec alcatraz pfctl -e
142	pft_set_rules alcatraz "set skip on { lo0, epair }" \
143		"block"
144	jexec alcatraz pfctl -vsI
145
146	# We're skipping on epair, so this should work
147	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
148
149	# Note: flushing avoid the issue
150	pft_set_rules noflush alcatraz "set skip on { lo0 }" \
151		"block"
152
153	jexec alcatraz pfctl -vsI
154
155	# No longer skipping, so this should fail
156	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
157}
158
159pr255852_cleanup()
160{
161	pft_cleanup
162}
163
164atf_init_test_cases()
165{
166	atf_add_test_case "set_skip_group"
167	atf_add_test_case "set_skip_group_lo"
168	atf_add_test_case "set_skip_dynamic"
169	atf_add_test_case "pr255852"
170}
171