xref: /freebsd/tests/sys/netpfil/pf/set_skip.sh (revision 96190b4fef3b4a0cc3ca0606b0c4e3e69a5e6717)
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29atf_test_case "unset" "cleanup"
30unset_head()
31{
32	atf_set descr 'Unset set skip test'
33	atf_set require.user root
34}
35
36unset_body()
37{
38	pft_init
39
40	vnet_mkjail alcatraz
41	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
42	jexec alcatraz pfctl -e
43	pft_set_rules alcatraz "set skip on lo0" \
44		"block in proto icmp"
45
46	echo "set skip"
47	jexec alcatraz pfctl -v -sI
48
49	jexec alcatraz ifconfig
50	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
51
52	# Unset the skip on the group
53	pft_set_rules noflush alcatraz \
54	    "block in proto icmp"
55
56	echo "No setskip"
57	jexec alcatraz pfctl -v -sI
58
59	# Do flush states
60	jexec alcatraz pfctl -Fs
61
62	# And now our ping is blocked
63	atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 127.0.0.1
64
65	jexec alcatraz pfctl -v -sI
66}
67
68unset_cleanup()
69{
70	pft_cleanup
71}
72
73atf_test_case "set_skip_group" "cleanup"
74set_skip_group_head()
75{
76	atf_set descr 'Basic set skip test'
77	atf_set require.user root
78}
79
80set_skip_group_body()
81{
82	# See PR 229241
83	pft_init
84
85	vnet_mkjail alcatraz
86	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
87	jexec alcatraz ifconfig lo0 group foo
88	jexec alcatraz pfctl -e
89	pft_set_rules alcatraz "set skip on foo" \
90		"block in proto icmp"
91
92	echo "set skip"
93	jexec alcatraz pfctl -v -sI
94
95	jexec alcatraz ifconfig
96	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
97
98	# Unset the skip on the group
99	pft_set_rules noflush alcatraz \
100	    "block in proto icmp"
101
102	# Do flush states
103	jexec alcatraz pfctl -Fs
104
105	# And now our ping is blocked
106	atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 127.0.0.1
107
108	echo "No setskip"
109	jexec alcatraz pfctl -v -sI
110}
111
112set_skip_group_cleanup()
113{
114	pft_cleanup
115}
116
117atf_test_case "set_skip_group_lo" "cleanup"
118set_skip_group_lo_head()
119{
120	atf_set descr 'Basic set skip test, lo'
121	atf_set require.user root
122}
123
124set_skip_group_lo_body()
125{
126	# See PR 229241
127	pft_init
128
129	vnet_mkjail alcatraz
130	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
131	jexec alcatraz pfctl -e
132	pft_set_rules alcatraz "set skip on lo" \
133		"block on lo0"
134
135	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
136	pft_set_rules noflush alcatraz "set skip on lo" \
137		"block on lo0"
138	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1
139	jexec alcatraz pfctl -s rules
140}
141
142set_skip_group_lo_cleanup()
143{
144	pft_cleanup
145}
146
147atf_test_case "set_skip_dynamic" "cleanup"
148set_skip_dynamic_head()
149{
150	atf_set descr "Cope with group changes"
151	atf_set require.user root
152}
153
154set_skip_dynamic_body()
155{
156	pft_init
157
158	set -x
159
160	vnet_mkjail alcatraz
161	jexec alcatraz pfctl -e
162	pft_set_rules alcatraz "set skip on epair" \
163		"block on ! lo"
164
165	epair=$(vnet_mkepair)
166	ifconfig ${epair}a 192.0.2.2/24 up
167	vnet_ifmove ${epair}b alcatraz
168
169	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
170
171	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
172}
173
174set_skip_dynamic_cleanup()
175{
176	pft_cleanup
177}
178
179atf_test_case "pr255852" "cleanup"
180pr255852_head()
181{
182	atf_set descr "PR 255852"
183	atf_set require.user root
184}
185
186pr255852_body()
187{
188	pft_init
189
190	epair=$(vnet_mkepair)
191
192	ifconfig ${epair}a 192.0.2.1/24 up
193
194	vnet_mkjail alcatraz ${epair}b
195	jexec alcatraz ifconfig lo0 127.0.0.1/8 up
196	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
197
198	# Sanity check
199	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
200
201	jexec alcatraz pfctl -e
202	pft_set_rules alcatraz "set skip on { lo0, epair }" \
203		"block"
204	jexec alcatraz pfctl -vsI
205
206	# We're skipping on epair, so this should work
207	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
208
209	# Note: flushing avoid the issue
210	pft_set_rules noflush alcatraz "set skip on { lo0 }" \
211		"block"
212
213	jexec alcatraz pfctl -vsI
214
215	# No longer skipping, so this should fail
216	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
217}
218
219pr255852_cleanup()
220{
221	pft_cleanup
222}
223
224atf_init_test_cases()
225{
226	atf_add_test_case "unset"
227	atf_add_test_case "set_skip_group"
228	atf_add_test_case "set_skip_group_lo"
229	atf_add_test_case "set_skip_dynamic"
230	atf_add_test_case "pr255852"
231}
232