xref: /freebsd/tests/sys/netpfil/pf/table.sh (revision 0fca6ea1d4eea4c934cfff25ac9ee8ad6fe95583)
1#
2# SPDX-License-Identifier: BSD-2-Clause
3#
4# Copyright (c) 2020 Mark Johnston <markj@FreeBSD.org>
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25# SUCH DAMAGE.
26
27. $(atf_get_srcdir)/utils.subr
28
29TABLE_STATS_ZERO_REGEXP='Packets: 0[[:space:]]*Bytes: 0[[:space:]]'
30TABLE_STATS_NONZERO_REGEXP='Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]'
31
32atf_test_case "v4_counters" "cleanup"
33v4_counters_head()
34{
35	atf_set descr 'Verify per-address counters for v4'
36	atf_set require.user root
37}
38
39v4_counters_body()
40{
41	pft_init
42
43	epair_send=$(vnet_mkepair)
44	ifconfig ${epair_send}a 192.0.2.1/24 up
45
46	vnet_mkjail alcatraz ${epair_send}b
47	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
48	jexec alcatraz pfctl -e
49
50	pft_set_rules alcatraz \
51	    "table <foo> counters { 192.0.2.1 }" \
52	    "block all" \
53	    "pass in from <foo> to any" \
54	    "pass out from any to <foo>" \
55	    "set skip on lo"
56
57	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
58
59	atf_check -s exit:0 -e ignore \
60	    -o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
61	    -o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
62	    -o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
63	    -o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
64	    jexec alcatraz pfctl -t foo -T show -vv
65}
66
67v4_counters_cleanup()
68{
69	pft_cleanup
70}
71
72atf_test_case "v6_counters" "cleanup"
73v6_counters_head()
74{
75	atf_set descr 'Verify per-address counters for v6'
76	atf_set require.user root
77}
78
79v6_counters_body()
80{
81	pft_init
82
83	epair_send=$(vnet_mkepair)
84	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
85
86	vnet_mkjail alcatraz ${epair_send}b
87	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
88	jexec alcatraz pfctl -e
89
90	pft_set_rules alcatraz \
91	    "table <foo6> counters { 2001:db8:42::1 }" \
92	    "block all" \
93	    "pass in from <foo6> to any" \
94	    "pass out from any to <foo6>" \
95	    "set skip on lo"
96
97	atf_check -s exit:0 -o ignore ping -6 -c 3 2001:db8:42::2
98
99	atf_check -s exit:0 -e ignore \
100	    -o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
101	    -o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
102	    -o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
103	    -o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
104	    jexec alcatraz pfctl -t foo6 -T show -vv
105}
106
107v6_counters_cleanup()
108{
109	pft_cleanup
110}
111
112atf_test_case "pr251414" "cleanup"
113pr251414_head()
114{
115	atf_set descr 'Test PR 251414'
116	atf_set require.user root
117}
118
119pr251414_body()
120{
121	pft_init
122
123	epair_send=$(vnet_mkepair)
124	ifconfig ${epair_send}a 192.0.2.1/24 up
125
126	vnet_mkjail alcatraz ${epair_send}b
127	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
128	jexec alcatraz pfctl -e
129
130	pft_set_rules alcatraz \
131		"pass all" \
132		"table <tab> { self }" \
133		"pass in log to <tab>"
134
135	pft_set_rules noflush alcatraz \
136		"pass all" \
137		"table <tab> counters { self }" \
138		"pass in log to <tab>"
139
140	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
141
142	jexec alcatraz pfctl -t tab -T show -vv
143}
144
145pr251414_cleanup()
146{
147	pft_cleanup
148}
149
150atf_test_case "automatic" "cleanup"
151automatic_head()
152{
153	atf_set descr "Test automatic - optimizer generated - tables"
154	atf_set require.user root
155}
156
157automatic_body()
158{
159	pft_init
160
161	epair=$(vnet_mkepair)
162	ifconfig ${epair}a 192.0.2.1/24 up
163
164	vnet_mkjail alcatraz ${epair}b
165	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
166	jexec alcatraz pfctl -e
167
168	pft_set_rules alcatraz \
169		"block in" \
170		"pass in proto icmp from 192.0.2.1" \
171		"pass in proto icmp from 192.0.2.3" \
172		"pass in proto icmp from 192.0.2.4" \
173		"pass in proto icmp from 192.0.2.5" \
174		"pass in proto icmp from 192.0.2.6" \
175		"pass in proto icmp from 192.0.2.7" \
176		"pass in proto icmp from 192.0.2.8" \
177		"pass in proto icmp from 192.0.2.9"
178
179	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
180}
181
182automatic_cleanup()
183{
184	pft_cleanup
185}
186
187atf_test_case "network" "cleanup"
188network_head()
189{
190	atf_set descr 'Test <ifgroup>:network'
191	atf_set require.user root
192}
193
194network_body()
195{
196	pft_init
197
198	epair=$(vnet_mkepair)
199	ifconfig ${epair}a 192.0.2.1/24 up
200
201	vnet_mkjail alcatraz ${epair}b
202	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
203	jexec alcatraz pfctl -e
204
205	pft_set_rules alcatraz \
206		"table <allow> const { epair:network }"\
207		"block in" \
208		"pass in from <allow>"
209
210	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
211}
212
213network_cleanup()
214{
215	pft_cleanup
216}
217
218atf_test_case "pr259689" "cleanup"
219pr259689_head()
220{
221	atf_set descr 'Test PR 259689'
222	atf_set require.user root
223}
224
225pr259689_body()
226{
227	pft_init
228
229	vnet_mkjail alcatraz
230	jexec alcatraz pfctl -e
231
232	pft_set_rules alcatraz \
233	    "pass in" \
234	    "block in inet from { 1.1.1.1, 1.1.1.2, 2.2.2.2, 2.2.2.3, 4.4.4.4, 4.4.4.5 }"
235
236	atf_check -o match:'block drop in inet from <__automatic_.*:6> to any' \
237	    -e ignore \
238	    jexec alcatraz pfctl -sr -vv
239}
240
241pr259689_cleanup()
242{
243	pft_cleanup
244}
245
246atf_test_case "precreate" "cleanup"
247precreate_head()
248{
249	atf_set descr 'Test creating a table without counters, then loading rules that add counters'
250	atf_set require.user root
251}
252
253precreate_body()
254{
255	pft_init
256
257	vnet_mkjail alcatraz
258
259	jexec alcatraz pfctl -t foo -T add 192.0.2.1
260	jexec alcatraz pfctl -t foo -T show
261
262	pft_set_rules noflush alcatraz \
263		"table <foo> counters persist" \
264		"pass in from <foo>"
265
266	# Expect all counters to be zero
267	atf_check -s exit:0 -e ignore \
268	    -o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
269	    -o match:'In/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
270	    -o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
271	    -o match:'Out/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
272	    jexec alcatraz pfctl -t foo -T show -vv
273
274}
275
276precreate_cleanup()
277{
278	pft_cleanup
279}
280
281atf_test_case "anchor" "cleanup"
282anchor_head()
283{
284	atf_set descr 'Test tables in anchors'
285	atf_set require.user root
286}
287
288anchor_body()
289{
290	pft_init
291
292	epair=$(vnet_mkepair)
293	ifconfig ${epair}a 192.0.2.1/24 up
294
295	vnet_mkjail alcatraz ${epair}b
296	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
297	jexec alcatraz pfctl -e
298
299	(echo "table <testtable> persist"
300	 echo "block in quick from <testtable> to any"
301	) | jexec alcatraz pfctl -a anchorage -f -
302
303	pft_set_rules noflush alcatraz \
304		"pass" \
305		"anchor anchorage"
306
307	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
308
309	# Tables belong to anchors, so this is a different table and won't affect anything
310	jexec alcatraz pfctl -t testtable -T add 192.0.2.1
311	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
312
313	# But when we add the address to the table in the anchor it does block traffic
314	jexec alcatraz pfctl -a anchorage -t testtable -T add 192.0.2.1
315	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
316}
317
318anchor_cleanup()
319{
320	pft_cleanup
321}
322
323atf_init_test_cases()
324{
325	atf_add_test_case "v4_counters"
326	atf_add_test_case "v6_counters"
327	atf_add_test_case "pr251414"
328	atf_add_test_case "automatic"
329	atf_add_test_case "network"
330	atf_add_test_case "pr259689"
331	atf_add_test_case "precreate"
332	atf_add_test_case "anchor"
333}
334