1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
5#
6# Copyright (c) 2021 Samuel Robinette
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13# 2. Redistributions in binary form must reproduce the above copyright
14#    notice, this list of conditions and the following disclaimer in the
15#    documentation and/or other materials provided with the distribution.
16#
17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27# SUCH DAMAGE.
28
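# Pull in the helper library that sits next to this test. The pft_* and
# vnet_* helpers used below are presumably defined there (not visible here).
# The path is quoted so a source directory containing whitespace does not
# get split into several words.
. "$(atf_get_srcdir)/utils.subr"

# Directory that holds the helper scripts shared between tests (pft_ping.py).
common_dir="$(atf_get_srcdir)/../common"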
32
# Declare the IPv4 test case; the second argument tells ATF that a
# v4_cleanup routine exists.
atf_test_case v4 cleanup

# Metadata for the "v4" test case: description, required privileges and
# required programs.
v4_head()
{
	atf_set "descr" "set-tos test"
	atf_set "require.user" "root"

	# We need scapy to be installed for our test scripts to work
	atf_set "require.progs" "python3" "scapy"
}
42
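# IPv4 set-tos test.
#
# Layout, as built below: the host sends on ${epair_send}a (192.0.2.1), the
# jail "alcatraz" holds both "b" ends with forwarding enabled and pf running,
# and the host watches ${epair_recv}a (left unnumbered) for the forwarded
# packet. Each step loads a rule set into the jail and lets pft_ping.py
# check the ToS value of what comes out.
#
# Globals: common_dir (read); epair_send, epair_recv (written)
#
# All expansions are quoted so that interface names and the helper path are
# always passed as single words.
v4_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig "${epair_send}a" 192.0.2.1/24 up

	epair_recv=$(vnet_mkepair)
	ifconfig "${epair_recv}a" up

	vnet_mkjail alcatraz "${epair_send}b" "${epair_recv}b"
	jexec alcatraz ifconfig "${epair_send}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_recv}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# 198.51.100.3 is not configured on any interface in this test; the
	# static ARP entry presumably lets the jail forward to it without
	# needing an ARP reply.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	route add -net 198.51.100.0/24 192.0.2.2

	jexec alcatraz pfctl -e

	# No change is done if not requested
	# NOTE(review): this check (and the other exit:1 check below) only
	# requires pft_ping.py to exit 1. Whether that status separates "wrong
	# ToS" from "no packet seen" depends on pft_ping.py, which is not shown
	# here; the exit:0 checks are what prove the forwarding path works.
	pft_set_rules alcatraz "scrub out proto icmp"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match
	pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
	atf_check -s exit:1 -o ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
		"scrub out proto icmp set-tos 14"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set:
	# the sender-supplied 42 must be overwritten with the rule's 14
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are unmolested if the packets do not match a scrub rule
	pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
	atf_check -s exit:0 "${common_dir}/pft_ping.py" \
		--sendif "${epair_send}a" \
		--to 198.51.100.3 \
		--recvif "${epair_recv}a" \
		--send-tc 42 \
		--expect-tc 42
}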
112
# Cleanup routine of the "v4" test case. It only calls pft_cleanup; what
# that helper tears down is defined outside this file.
v4_cleanup()
{
	pft_cleanup
}
117
# Declare the IPv6 test case; the second argument tells ATF that a
# v6_cleanup routine exists.
atf_test_case v6 cleanup

# Metadata for the "v6" test case: description, required privileges and
# required programs.
v6_head()
{
	atf_set "descr" "set-tos6 test"
	atf_set "require.user" "root"

	# We need scapy to be installed for our test scripts to work
	atf_set "require.progs" "python3" "scapy"
}
127
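# IPv6 set-tos test.
#
# Layout, as built below: a single epair links the host (2001:db8:192::1)
# and the jail "alcatraz" (2001:db8:192::2), with pf running in the jail.
# pft_ping.py pings the jail's own address and looks for the reply on the
# sending interface (--replyif), so the "out" rules presumably act on the
# echo reply leaving the jail.
#
# Globals: common_dir (read); epair (written)
#
# All expansions are quoted so that interface names and the helper path are
# always passed as single words.
v6_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 add 2001:db8:192::1
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 add 2001:db8:192::2

	route -6 add 2001:db8:192::2 2001:db8:192::1
	jexec alcatraz route -6 add 2001:db8:192::1 2001:db8:192::2

	jexec alcatraz pfctl -e

	# No change is done if not requested
	# NOTE(review): this check (and the other exit:1 check below) only
	# requires pft_ping.py to exit 1. Whether that status separates "wrong
	# traffic class" from "no reply seen" depends on pft_ping.py, which is
	# not shown here; the exit:0 checks are what prove the path works.
	pft_set_rules alcatraz "scrub out proto ipv6-icmp"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# The requested ToS is set
	pft_set_rules alcatraz "scrub out proto ipv6-icmp set-tos 42"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# ToS is not changed if the scrub rule does not match
	# (2001:db8:192::3 is not an address configured in this test)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 42"
	atf_check -s exit:1 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 42

	# Multiple scrub rules match as expected
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13" \
		"scrub out proto ipv6-icmp set-tos 14"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14

	# And this works even if the packet already has ToS values set:
	# the sender-supplied 42 must not survive, the rule's 14 is expected
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--send-tc 42 \
		--expect-tc 14

	# ToS values are unmolested if the packets do not match a scrub rule
	# (no --send-tc is passed here; 0 is presumably the probe's default)
	pft_set_rules alcatraz "scrub out from 2001:db8:192::3 set-tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 0

	# We can set tos on pass rules
	# (note the rule syntax: "set tos" here, "set-tos" on scrub rules)
	pft_set_rules alcatraz "pass out set tos 13"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 13

	# And that still works with 'scrub' options too
	pft_set_rules alcatraz "pass out set tos 14 scrub (min-ttl 64)"
	atf_check -s exit:0 -o ignore -e ignore "${common_dir}/pft_ping.py" \
		--sendif "${epair}a" \
		--to 2001:db8:192::2 \
		--replyif "${epair}a" \
		--expect-tc 14
}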
207
# Cleanup routine of the "v6" test case. It only calls pft_cleanup; what
# that helper tears down is defined outside this file.
v6_cleanup()
{
	pft_cleanup
}
212
# Registers the test cases defined in this file with ATF, in the order
# v4, v6.
atf_init_test_cases()
{
	atf_add_test_case v4
	atf_add_test_case v6
}
218