xref: /freebsd/tests/sys/netpfil/pf/set_tos.sh (revision 744bfb213144c63cbaf38d91a1c4f7aebb9b9fbc)
1# $FreeBSD$
2#
3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4#
5# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
6#
7# Copyright (c) 2021 Samuel Robinette
8#
9# Redistribution and use in source and binary forms, with or without
10# modification, are permitted provided that the following conditions
11# are met:
12# 1. Redistributions of source code must retain the above copyright
13#    notice, this list of conditions and the following disclaimer.
14# 2. Redistributions in binary form must reproduce the above copyright
15#    notice, this list of conditions and the following disclaimer in the
16#    documentation and/or other materials provided with the distribution.
17#
18# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28# SUCH DAMAGE.
29
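# Pull in the shared pf test helpers. The pft_* and vnet_* functions used
# below are not defined in this file; presumably they come from utils.subr
# or from files it sources. The path is quoted so that a source directory
# containing whitespace or glob characters is still treated as one file name.
. "$(atf_get_srcdir)/utils.subr"

# Sibling "common" directory next to this test's source directory;
# pft_ping.py is run from here by the test bodies.
common_dir="$(atf_get_srcdir)/../common"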
33
# Register the IPv4 test case; the "cleanup" argument declares that a
# v4_cleanup routine exists for it.
atf_test_case "v4" "cleanup"
v4_head()
{
	# The body configures interfaces, creates a jail and loads pf rules,
	# so the test is restricted to root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy

	atf_set descr 'set-tos test'
}
43
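v4_body()
{
	# Verifies that a pf "scrub ... set-tos N" rule rewrites the IPv4 ToS
	# byte only for packets the rule matches.
	#
	# Topology built below:
	#   host <send epair>a 192.0.2.1    <-> <send epair>b 192.0.2.2    (jail)
	#   host <recv epair>a (no address) <-> <recv epair>b 198.51.100.2 (jail)
	# The jail "alcatraz" forwards IPv4 and runs pf. All addresses are from
	# the RFC 5737 documentation ranges, so nothing here refers to a real
	# host.
	#
	# All expansions are quoted so that interface names and the helper path
	# are always passed as single words.
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig "${epair_send}a" 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig "${epair_recv}a" up

	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_recv}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static ARP entry for the ping target: no host owns 198.51.100.3, so
	# presumably this lets the jail emit the forwarded packet on the recv
	# epair without waiting for ARP resolution.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	# Send traffic for the far network through the jail.
	route add -net 198.51.100.0/24 192.0.2.2

	jexec alcatraz pfctl -e

	# No change is done if not requested: the scrub rule has no set-tos,
	# so pft_ping.py is expected to fail (exit 1) when asked to see ToS 42.
	pft_set_rules alcatraz "scrub out proto icmp"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tos 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tos 42

	# ToS is not changed if the scrub rule does not match (the rule is for
	# tcp, the probe is ICMP)
	pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tos 42

	# Multiple scrub rules match as expected: only the icmp rule's value
	# (14) may show up, never the tcp rule's (13)
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
		"scrub out proto icmp set-tos 14"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tos 14

	# And this works even if the packet already has ToS values set
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tos 42 \
		--expect-tos 14

	# ToS values are left untouched if the packets do not match a scrub
	# rule: the sender's 42 must arrive unchanged
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tos 42 \
		--expect-tos 42
}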
113
v4_cleanup()
{
	# Cleanup routine declared for the "v4" test case. pft_cleanup is not
	# defined in this file (presumably it comes from utils.subr).
	pft_cleanup
}
118
# Register the IPv6 test case; the "cleanup" argument declares that a
# v6_cleanup routine exists for it.
atf_test_case "v6" "cleanup"
v6_head()
{
	# The body configures interfaces, creates a jail and loads pf rules,
	# so the test is restricted to root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy

	atf_set descr 'set-tos6 test'
}
128
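v6_body()
{
	# Verifies that a pf "scrub ... set-tos N" rule rewrites the IPv6
	# traffic class only for packets the rule matches.
	#
	# Topology: one epair, host side 2001:db8:192::1, jail "alcatraz" side
	# 2001:db8:192::2 (RFC 3849 documentation prefix). pft_ping.py is run
	# with --replyif, and the rules are "scrub out" rules loaded in the
	# jail, so what is checked is presumably the echo reply leaving the
	# jail.
	#
	# All expansions are quoted so that interface names and the helper path
	# are always passed as single words.
	pft_init

	# Skipped when the "ci" configuration variable is true; see the bug
	# report referenced in the skip message.
	if [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "https://bugs.freebsd.org/260459"
	fi

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 add 2001:db8:192::1
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 add 2001:db8:192::2

	route -6 add 2001:db8:192::2 2001:db8:192::1
	jexec alcatraz route -6 add 2001:db8:192::1 2001:db8:192::2

	jexec alcatraz pfctl -e

	# No change is done if not requested: the scrub rule has no set-tos,
	# so pft_ping.py is expected to fail (exit 1) when asked to see 42.
	pft_set_rules alcatraz "scrub out proto ipv6-icmp"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# The requested traffic class is set
	pft_set_rules alcatraz "scrub out proto ipv6-icmp set-tos 42"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# Traffic class is not changed if the scrub rule does not match (the
	# rule is for source 2001:db8:192::3, which is not used in this test)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 42"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected: only the ipv6-icmp rule's
	# value (14) may show up, never the non-matching rule's (13)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13" \
		"scrub out proto ipv6-icmp set-tos 14"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14

	# And this works even if the packet already has a traffic class set
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--send-tc 42 \
		--expect-tc 14

	# Traffic class is left untouched if the packets do not match a scrub
	# rule.
	# NOTE(review): unlike the v4 case, no --send-tc value is given here,
	# so this only shows that the observed traffic class stays 0; confirm
	# that this is intentional.
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--ip6 \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 0
}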
202
v6_cleanup()
{
	# Cleanup routine declared for the "v6" test case. pft_cleanup is not
	# defined in this file (presumably it comes from utils.subr).
	pft_cleanup
}
207
atf_init_test_cases()
{
	# ATF entry point: register every test case this file provides, in
	# the order v4 then v6.
	for _tc in "v4" "v6"; do
		atf_add_test_case "${_tc}"
	done
}
213