xref: /freebsd/tests/sys/netpfil/pf/set_tos.sh (revision b9128a37faafede823eb456aa65a11ac69997284)
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
5#
6# Copyright (c) 2021 Samuel Robinette
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13# 2. Redistributions in binary form must reproduce the above copyright
14#    notice, this list of conditions and the following disclaimer in the
15#    documentation and/or other materials provided with the distribution.
16#
17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27# SUCH DAMAGE.
28
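# Pull in the shared pf test helpers. The pft_* and vnet_* functions used
# below are presumably defined in utils.subr (not visible here).
# The path is quoted so a source directory containing whitespace still works.
. "$(atf_get_srcdir)/utils.subr"

# Directory holding the pft_ping.py probe script that both test cases invoke.
common_dir="$(atf_get_srcdir)/../common"

# Register the IPv4 case; "cleanup" declares that a v4_cleanup routine exists.
atf_test_case "v4" "cleanup"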
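# Metadata for the IPv4 set-tos case: description, required privilege and
# required external programs.
v4_head()
{
	atf_set descr 'set-tos test'
	# The body creates interfaces and a jail and loads pf rules, so it
	# has to run as root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}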
42
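# IPv4 set-tos test.
#
# Topology built below:
#   host ${epair_send}a (192.0.2.1) -> jail "alcatraz" ${epair_send}b (192.0.2.2)
#   jail "alcatraz" ${epair_recv}b (198.51.100.2) -> host ${epair_recv}a
# The jail forwards IPv4, and a static ARP entry for 198.51.100.3 lets it
# emit the probe on the receive epair, where pft_ping.py inspects it.
# Every rule under test is a "scrub out" rule loaded inside the jail.
#
# NOTE(review): the negative checks accept any exit status 1 and discard
# stdout. Presumably pft_ping.py exits 1 when no packet with the expected
# ToS is seen; if so, a broken topology would satisfy them as well. They are
# only meaningful together with the exit:0 checks that follow them.
v4_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig "${epair_send}a" 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig "${epair_recv}a" up

	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_recv}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static neighbour entry so the jail forwards without needing an ARP reply.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	jexec alcatraz pfctl -e

	# No change is done if not requested
	pft_set_rules alcatraz "scrub out proto icmp"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match
	pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
		"scrub out proto icmp set-tos 14"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are unmolested if the packets do not match a scrub rule
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 42
}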
112
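# Cleanup routine for the IPv4 case; delegates entirely to pft_cleanup.
# Presumably that tears down the jail and epairs created by v4_body
# (pft_cleanup is defined outside this file).
v4_cleanup()
{
	pft_cleanup
}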
117
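# Register the IPv6 case; "cleanup" declares that a v6_cleanup routine exists.
atf_test_case "v6" "cleanup"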
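# Metadata for the IPv6 set-tos case: description, required privilege and
# required external programs.
v6_head()
{
	atf_set descr 'set-tos6 test'
	# The body creates interfaces and a jail and loads pf rules, so it
	# has to run as root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}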
127
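# IPv6 set-tos test.
#
# Topology built below: a single epair, host side ${epair}a at
# 2001:db8:192::1 and jail "alcatraz" side ${epair}b at 2001:db8:192::2,
# with explicit host routes in both directions. The probes use --replyif,
# so presumably it is the echo reply leaving the jail (hence "scrub out")
# whose traffic class pft_ping.py inspects.
#
# NOTE(review): every check discards both stdout and stderr, and the
# negative checks accept any exit status 1. A probe failing for an unrelated
# reason would look the same as a traffic-class mismatch; drop "-e ignore"
# when debugging a failure.
v6_body()
{
	pft_init

	# Skipped in CI runs; the linked bug report is the stated reason.
	if [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "https://bugs.freebsd.org/260459"
	fi

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 add 2001:db8:192::1
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 add 2001:db8:192::2

	route -6 add 2001:db8:192::2 2001:db8:192::1
	jexec alcatraz route -6 add 2001:db8:192::1 2001:db8:192::2

	jexec alcatraz pfctl -e

	# No change is done if not requested
	pft_set_rules alcatraz "scrub out proto ipv6-icmp"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto ipv6-icmp set-tos 42"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 42"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13" \
		"scrub out proto ipv6-icmp set-tos 14"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are unmolested if the packets do not match a scrub rule
	# NOTE(review): unlike the IPv4 case, this probe sets no --send-tc, so
	# it only shows that a zero traffic class stays zero. It does not show
	# that a non-zero value survives a non-matching rule.
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 0
}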
195
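# Cleanup routine for the IPv6 case; delegates entirely to pft_cleanup.
# Presumably that tears down the jail and epair created by v6_body
# (pft_cleanup is defined outside this file).
v6_cleanup()
{
	pft_cleanup
}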
200
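# ATF entry point: adds the test cases declared in this file, IPv4 first.
atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
}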
206