xref: /freebsd/tests/sys/netpfil/pf/set_tos.sh (revision 6ff78a63d8cd0dd64ae79cbda5cb03572c1e17f5)
165d553b0SKristof Provost#
24d846d26SWarner Losh# SPDX-License-Identifier: BSD-2-Clause
365d553b0SKristof Provost#
465d553b0SKristof Provost# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
565d553b0SKristof Provost#
60a7d1fc6SSamuel Robinette# Copyright (c) 2021 Samuel Robinette
70a7d1fc6SSamuel Robinette#
865d553b0SKristof Provost# Redistribution and use in source and binary forms, with or without
965d553b0SKristof Provost# modification, are permitted provided that the following conditions
1065d553b0SKristof Provost# are met:
1165d553b0SKristof Provost# 1. Redistributions of source code must retain the above copyright
1265d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer.
1365d553b0SKristof Provost# 2. Redistributions in binary form must reproduce the above copyright
1465d553b0SKristof Provost#    notice, this list of conditions and the following disclaimer in the
1565d553b0SKristof Provost#    documentation and/or other materials provided with the distribution.
1665d553b0SKristof Provost#
1765d553b0SKristof Provost# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
1865d553b0SKristof Provost# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1965d553b0SKristof Provost# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2065d553b0SKristof Provost# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2165d553b0SKristof Provost# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2265d553b0SKristof Provost# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2365d553b0SKristof Provost# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2465d553b0SKristof Provost# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2565d553b0SKristof Provost# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2665d553b0SKristof Provost# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2765d553b0SKristof Provost# SUCH DAMAGE.
2867f4baf8SKristof Provost
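# Load the shared pf test helpers. The helper functions called below
# (pft_init, vnet_mkepair, vnet_mkjail, pft_set_rules, pft_cleanup) are not
# defined in this file; presumably they come from utils.subr.
# The path is quoted so that a source directory containing whitespace cannot
# be word-split into a different file name plus arguments while running as
# root.
. "$(atf_get_srcdir)/utils.subr"

# Directory holding pft_ping.py, the scapy-based packet sender/checker that
# both test cases invoke.
common_dir="$(atf_get_srcdir)/../common"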
3295312530SKristof Provost
# Declare the IPv4 test case together with its cleanup routine.
atf_test_case v4 cleanup

# Metadata for the "v4" case.
v4_head()
{
	atf_set "descr" "set-tos test"

	# The body creates interfaces and a jail and edits the routing table,
	# so the case is restricted to root.
	atf_set "require.user" root

	# pft_ping.py is a python3 script built on scapy; list both as
	# required programs, as the original comment explains.
	atf_set "require.progs" python3 scapy
}
4267f4baf8SKristof Provost
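# IPv4 set-tos test.
#
# Topology built below (addresses are from the RFC 5737 documentation ranges):
#
#   host ${epair_send}a 192.0.2.1  <->  ${epair_send}b 192.0.2.2   (jail alcatraz)
#   host ${epair_recv}a (no addr)  <->  ${epair_recv}b 198.51.100.2 (jail alcatraz)
#
# The jail forwards IPv4, and the host routes 198.51.100.0/24 through it, so
# a ping to 198.51.100.3 enters the jail on ${epair_send}b and leaves on
# ${epair_recv}b, where the "scrub out" rules apply. pft_ping.py watches
# ${epair_recv}a for the forwarded packet.
#
# NOTE(review): the negative checks rely on pft_ping.py exiting 1 when the
# observed value differs from --expect-tc. If the script also exits 1 when no
# packet is seen at all, those checks would pass on a broken forwarding path
# too -- confirm against pft_ping.py.
#
# This body changes host network state (interfaces, a route) and is cleaned
# up by v4_cleanup.
v4_body()
{
	pft_init

	# Sending side: host end gets an address, jail end is configured below.
	epair_send=$(vnet_mkepair)
	ifconfig "${epair_send}a" 192.0.2.1/24 up

	# Receiving side: host end is only brought up so it can be sniffed.
	epair_recv=$(vnet_mkepair)
	ifconfig "${epair_recv}a" up

	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_recv}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static ARP entry: nothing owns 198.51.100.3, so without it the jail
	# could not resolve the next hop and would not emit the packet.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	jexec alcatraz pfctl -e

	# No change is done if not requested: a plain scrub rule must not
	# produce ToS 42, so the expectation has to fail (exit 1).
	pft_set_rules alcatraz "scrub out proto icmp"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match (rule is for
	# tcp, traffic is icmp)
	pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected: only the icmp rule's value
	# (14) may show up, not the tcp rule's (13)
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
		"scrub out proto icmp set-tos 14"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are left untouched if the packets do not match a scrub
	# rule: the sender's 42 must arrive unchanged
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 42
}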
11267f4baf8SKristof Provost
# Cleanup routine for the "v4" case (declared via atf_test_case ... cleanup).
# All teardown is delegated to pft_cleanup, which is not defined in this
# file; presumably it removes the jail and epairs created by the body.
v4_cleanup()
{
	pft_cleanup
}
11767f4baf8SKristof Provost
# Declare the IPv6 test case together with its cleanup routine.
atf_test_case v6 cleanup

# Metadata for the "v6" case.
v6_head()
{
	atf_set "descr" "set-tos6 test"

	# The body creates an epair and a jail and edits the routing table,
	# so the case is restricted to root.
	atf_set "require.user" root

	# pft_ping.py is a python3 script built on scapy; list both as
	# required programs, as the original comment explains.
	atf_set "require.progs" python3 scapy
}
1270a7d1fc6SSamuel Robinette
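# IPv6 set-tos test.
#
# Topology built below (addresses are from the 2001:db8::/32 documentation
# prefix):
#
#   host ${epair}a 2001:db8:192::1  <->  ${epair}b 2001:db8:192::2 (jail alcatraz)
#
# Unlike the IPv4 case there is no forwarding: the host pings the jail's own
# address and pft_ping.py is given --replyif, so the value under test is
# presumably the traffic class of the echo reply, which leaves the jail and
# is therefore subject to the "out" rules -- confirm against pft_ping.py.
#
# NOTE(review): the negative checks rely on pft_ping.py exiting 1 when the
# observed value differs from --expect-tc. If the script also exits 1 when no
# reply is seen at all, those checks would pass on a broken path too --
# confirm against pft_ping.py.
#
# This body changes host network state (an interface address, a route) and
# is cleaned up by v6_cleanup.
v6_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 add 2001:db8:192::1
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 add 2001:db8:192::2

	# Explicit host routes in both directions between the two addresses.
	route -6 add 2001:db8:192::2 2001:db8:192::1
	jexec alcatraz route -6 add 2001:db8:192::1 2001:db8:192::2

	jexec alcatraz pfctl -e

	# No change is done if not requested: a plain scrub rule must not
	# produce traffic class 42, so the expectation has to fail (exit 1).
	pft_set_rules alcatraz "scrub out proto ipv6-icmp"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto ipv6-icmp set-tos 42"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match (the rule's
	# source address, ::3, is not used by this test)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 42"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected: only the ipv6-icmp rule's
	# value (14) may show up, not the ::3 rule's (13)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13" \
		"scrub out proto ipv6-icmp set-tos 14"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are left untouched if the packets do not match a scrub
	# rule. No --send-tc is given here, and the expected value is 0.
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 0

	# We can set tos on pass rules
	pft_set_rules alcatraz "pass out set tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 13

	# And that still works with 'scrub' options too
	pft_set_rules alcatraz "pass out set tos 14 scrub (min-ttl 64)"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14
}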
2070a7d1fc6SSamuel Robinette
# Cleanup routine for the "v6" case (declared via atf_test_case ... cleanup).
# All teardown is delegated to pft_cleanup, which is not defined in this
# file; presumably it removes the jail and epair created by the body.
v6_cleanup()
{
	pft_cleanup
}
2120a7d1fc6SSamuel Robinette
# Entry point called by atf-sh: registers the test cases of this file,
# IPv4 first, then IPv6.
atf_init_test_cases()
{
	for _tc in v4 v6; do
		atf_add_test_case "${_tc}"
	done
}