# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
#
# Copyright (c) 2021 Samuel Robinette
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for the pf "scrub ... set-tos" option, one for IPv4 ("v4")
# and one for IPv6 ("v6").  Every address used below is taken from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), so the
# tests never touch routable space.
#
# The pft_* and vnet_* helpers called below are not defined in this file;
# they are expected to come from utils.subr, sourced here.
. $(atf_get_srcdir)/utils.subr

# Directory holding pft_ping.py, the probe script every check below runs.
common_dir=$(atf_get_srcdir)/../common

# The second argument declares that this test case has a cleanup routine
# (v4_cleanup).
atf_test_case "v4" "cleanup"
v4_head()
{
	atf_set descr 'set-tos test'
	# The body creates interfaces and a jail, edits the host routing table
	# and enables pf, all of which need root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}

# IPv4 scenario.  Topology built below:
#
#   host ${epair_send}a (192.0.2.1) <-> ${epair_send}b (192.0.2.2)    jail
#   host ${epair_recv}a (no addr)   <-> ${epair_recv}b (198.51.100.2) "alcatraz"
#
# The jail forwards IPv4, and the host routes 198.51.100.0/24 via the jail.
# A packet sent to 198.51.100.3 therefore leaves the host on ${epair_send}a,
# is forwarded by the jail and reappears on ${epair_recv}a, where pft_ping.py
# is told to look for it (--recvif).  The "scrub out" rules are loaded for the
# jail, so they act on the forwarded packet as it leaves the jail.
v4_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig ${epair_recv}a up

	vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# Static ARP entry for the (non-existent) destination, so the jail can
	# forward to 198.51.100.3 without resolving it.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	# NOTE(review): this changes the host routing table, outside the jail;
	# it is presumably undone by pft_cleanup when the epairs are destroyed
	# -- confirm against utils.subr.
	route add -net 198.51.100.0/24 192.0.2.2

	jexec alcatraz pfctl -e

	# No change is done if not requested.
	# atf_check demands exit status 1 here: the --expect-tos 42 expectation
	# must NOT be met.  "-o ignore" discards whatever the script prints.
	pft_set_rules alcatraz "scrub out proto icmp"
	atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--expect-tos 42

	# The requested ToS is set.
	# No -o/-e is given for this and the other exit:0 checks in this test
	# case, so atf_check's defaults also require empty stdout and stderr.
	pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--expect-tos 42

	# ToS is not changed if the scrub rule does not match
	# (the rule is limited to TCP; the probe is expected to fail).
	pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
	atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--expect-tos 42

	# Multiple scrub rules match as expected: with one rule for TCP (13)
	# and one for ICMP (14) loaded, the probe must observe 14.
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
		"scrub out proto icmp set-tos 14"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--expect-tos 14

	# And this works even if the packet already has ToS values set
	# (same rules as above; the packet is sent with ToS 42 and must
	# arrive with 14).
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--send-tos 42 \
		--expect-tos 14

	# ToS values are left untouched if the packets do not match a scrub
	# rule: only a TCP rule is loaded, so the ToS 42 that was sent must
	# arrive unchanged.
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
	atf_check -s exit:0 ${common_dir}/pft_ping.py \
		--sendif ${epair_send}a \
		--to 198.51.100.3 \
		--recvif ${epair_recv}a \
		--send-tos 42 \
		--expect-tos 42
}

# Cleanup routine for "v4"; delegates entirely to the shared pft_cleanup
# helper.
v4_cleanup()
{
	pft_cleanup
}

# The second argument declares that this test case has a cleanup routine
# (v6_cleanup).
atf_test_case "v6" "cleanup"
v6_head()
{
	atf_set descr 'set-tos6 test'
	# The body creates an interface pair and a jail, edits the host routing
	# table and enables pf, all of which need root.
	atf_set require.user root

	# We need scapy to be installed for our test scripts to work
	atf_set require.progs scapy
}

# IPv6 scenario.  A single epair links the host (2001:db8:192::1) to the jail
# "alcatraz" (2001:db8:192::2); nothing is forwarded.  pft_ping.py is given
# --replyif rather than --recvif, so the packet whose traffic class is checked
# is presumably the jail's reply, which is what the jail's "scrub out" rules
# act on -- confirm against pft_ping.py.
v6_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet6 add 2001:db8:192::1
	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet6 add 2001:db8:192::2

	# Explicit routes in both directions between the two addresses.
	route -6 add 2001:db8:192::2 2001:db8:192::1
	jexec alcatraz route -6 add 2001:db8:192::1 2001:db8:192::2

	jexec alcatraz pfctl -e

	# No change is done if not requested.
	# atf_check demands exit status 1: the --expect-tc 42 expectation must
	# NOT be met.  Every check in this test case ignores stdout and stderr.
	pft_set_rules alcatraz "scrub out proto ipv6-icmp"
	atf_check -s exit:1 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--expect-tc 42

	# The requested ToS is set (pf uses the set-tos keyword for the IPv6
	# traffic class as well).
	pft_set_rules alcatraz "scrub out proto ipv6-icmp set-tos 42"
	atf_check -s exit:0 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match
	# (the rule is limited to source 2001:db8:192::3, an address assigned
	# to nothing in this test; the probe is expected to fail).
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 42"
	atf_check -s exit:1 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--expect-tc 42

	# Multiple scrub rules match as expected: with a non-matching source
	# rule (13) and an ICMPv6 rule (14) loaded, the probe must observe 14.
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13" \
		"scrub out proto ipv6-icmp set-tos 14"
	atf_check -s exit:0 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--expect-tc 14

	# And this works even if the packet already has ToS values set
	# (same rules as above; sent with traffic class 42, 14 is expected).
	atf_check -s exit:0 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are left untouched if the packets do not match a scrub
	# rule.
	# NOTE(review): unlike the v4 counterpart, no --send-tc is passed here,
	# so this only verifies that the traffic class stays 0 -- presumably
	# because the checked packet is the jail's own reply; confirm whether a
	# non-zero case is wanted.
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13"
	atf_check -s exit:0 -o ignore -e ignore ${common_dir}/pft_ping.py \
		--ip6 \
		--sendif ${epair}a \
		--to 2001:db8:192::2 \
		--replyif ${epair}a \
		--expect-tc 0
}

# Cleanup routine for "v6"; delegates entirely to the shared pft_cleanup
# helper.
v6_cleanup()
{
	pft_cleanup
}

# ATF entry point: registers the two test cases defined above.
atf_init_test_cases()
{
	atf_add_test_case "v4"
	atf_add_test_case "v6"
}