# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2020 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Shared helpers of the pf test suite.  pft_init, pft_set_rules,
# pft_cleanup, vnet_mkepair and vnet_mkjail are used below but defined
# nowhere in this file, so they presumably come from here.
. $(atf_get_srcdir)/utils.subr
29
# Patterns for the per-address counter lines printed by
# `pfctl -t <table> -T show -vv`.  ZERO only matches a Packets/Bytes pair
# that is still at zero, NONZERO only one where both fields have counted
# at least once.  The trailing [[:space:]] makes sure "Bytes: 0" is not
# accepted as a prefix of a longer number such as "Bytes: 05".
TABLE_STATS_ZERO_REGEXP="Packets: 0[[:space:]]*Bytes: 0[[:space:]]"
TABLE_STATS_NONZERO_REGEXP="Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]"
32
atf_test_case "v4_counters" "cleanup"
v4_counters_head()
{
	atf_set descr 'Verify per-address counters for v4'
	atf_set require.user root
}

# Ping a pf jail from the host and check that the per-address counters of
# the table holding the host address moved in the expected directions.
v4_counters_body()
{
	pft_init

	# One end of the epair stays on the host (192.0.2.1), the other one
	# goes into the jail running pf (192.0.2.2).
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a inet 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b inet 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Default deny; only traffic from/to the single host address listed
	# in <foo> is allowed.  'counters' enables per-address statistics.
	pft_set_rules alcatraz \
	    "table <foo> counters { 192.0.2.1 }" \
	    "block all" \
	    "pass in from <foo> to any" \
	    "pass out from any to <foo>" \
	    "set skip on lo"

	# Three echo requests must be answered, i.e. traffic flowed in both
	# directions through the table entry.
	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# Only the pass counters may be non-zero; nothing was blocked.
	atf_check -s exit:0 -e ignore \
	    -o match:"In/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o match:"In/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    -o match:"Out/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o match:"Out/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    jexec alcatraz pfctl -t foo -T show -vv
}

v4_counters_cleanup()
{
	pft_cleanup
}
72
atf_test_case "v6_counters" "cleanup"
v6_counters_head()
{
	atf_set descr 'Verify per-address counters for v6'
	atf_set require.user root
}

# IPv6 twin of v4_counters: ping the jail over the epair and verify the
# per-address counters of <foo6>.
v6_counters_body()
{
	pft_init

	# Host side gets 2001:db8:42::1, jail side 2001:db8:42::2.  DAD is
	# disabled so the addresses are usable immediately.
	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz pfctl -e

	# Default deny, with the host address in a table that counts.
	pft_set_rules alcatraz \
	    "table <foo6> counters { 2001:db8:42::1 }" \
	    "block all" \
	    "pass in from <foo6> to any" \
	    "pass out from any to <foo6>" \
	    "set skip on lo"

	# All three echo requests have to be answered.
	atf_check -s exit:0 -o ignore ping -6 -c 3 2001:db8:42::2

	# Pass counters moved in both directions, block counters stayed zero.
	atf_check -s exit:0 -e ignore \
	    -o match:"In/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o match:"In/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    -o match:"Out/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o match:"Out/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    jexec alcatraz pfctl -t foo6 -T show -vv
}

v6_counters_cleanup()
{
	pft_cleanup
}
112
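atf_test_case "pr251414" "cleanup"
pr251414_head()
{
	atf_set descr 'Test PR 251414'
	atf_set require.user root
}

# Regression test for PR 251414: define a table without counters, then
# reload (without flushing) a ruleset that defines the same table with
# counters, pass traffic through it and dump it.
pr251414_body()
{
	pft_init

	epair_send=$(vnet_mkepair)
	ifconfig ${epair_send}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair_send}b
	jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# First load: <tab> has no counters.
	pft_set_rules alcatraz \
		"pass all" \
		"table <tab> { self }" \
		"pass in log to <tab>"

	# Second load keeps the existing ruleset/table ('noflush') and
	# redefines <tab> with counters, so pf has to reconcile the new
	# definition with the table that already exists.
	pft_set_rules noflush alcatraz \
		"pass all" \
		"table <tab> counters { self }" \
		"pass in log to <tab>"

	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# Dumping the redefined table must succeed.  The exit status used to
	# be ignored here, so only a crash could fail the test; a pfctl error
	# now fails it too.  The output itself is not inspected.
	atf_check -s exit:0 -o ignore -e ignore \
	    jexec alcatraz pfctl -t tab -T show -vv
}

pr251414_cleanup()
{
	pft_cleanup
}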
150
atf_test_case "automatic" "cleanup"
automatic_head()
{
	atf_set descr "Test automatic - optimizer generated - tables"
	atf_set require.user root
}

# Load many pass rules that differ only in their source address, the kind
# of ruleset the optimizer can collapse into a generated table, and check
# that the host is still allowed through.
automatic_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Default deny plus one 'pass in proto icmp' rule per source host
	# 192.0.2.{1,3..9}; .2 is the jail itself and is left out.  The host
	# address .1 is the first entry.
	set -- "block in"
	for host in 1 3 4 5 6 7 8 9; do
		set -- "$@" "pass in proto icmp from 192.0.2.${host}"
	done
	pft_set_rules alcatraz "$@"

	# The host must reach the jail whatever the optimizer did with the
	# rules.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

automatic_cleanup()
{
	pft_cleanup
}
187
atf_test_case "network" "cleanup"
network_head()
{
	atf_set descr 'Test <ifgroup>:network'
	atf_set require.user root
}

# Populate a table from the ':network' of an interface group and check that
# a host on that network gets past a default block.
network_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a inet 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b inet 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# <allow> is derived from the networks of the interfaces in the
	# 'epair' group, which inside the jail is 192.0.2.0/24.  'const'
	# fixes the table contents at load time.
	pft_set_rules alcatraz \
		"table <allow> const { epair:network }" \
		"block in" \
		"pass in from <allow>"

	# 192.0.2.1 lies in that network, so the ping must be answered.
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

network_cleanup()
{
	pft_cleanup
}
218
atf_test_case "pr259689" "cleanup"
pr259689_head()
{
	atf_set descr 'Test PR 259689'
	atf_set require.user root
}

# Regression test for PR 259689: a block rule with a list of six addresses
# must be printed back as a rule referencing a generated table with six
# entries.
pr259689_body()
{
	pft_init

	# No interfaces needed; only the loaded ruleset is inspected.
	vnet_mkjail alcatraz
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
	    "pass in" \
	    "block in inet from { 1.1.1.1, 1.1.1.2, 2.2.2.2, 2.2.2.3, 4.4.4.4, 4.4.4.5 }"

	# The rule dump has to show an <__automatic_*:6> table holding all
	# six addresses rather than six expanded rules.
	atf_check -s exit:0 -e ignore \
	    -o match:'block drop in inet from <__automatic_.*:6> to any' \
	    jexec alcatraz pfctl -sr -vv
}

pr259689_cleanup()
{
	pft_cleanup
}
246
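atf_test_case "precreate" "cleanup"
precreate_head()
{
	atf_set descr 'Test creating a table without counters, then loading rules that add counters'
	atf_set require.user root
}

# Create a table from the command line (no counters), then load a ruleset
# that defines the same table with counters and check that the entry is
# still there with all counters at zero.
precreate_body()
{
	pft_init

	# No interfaces, and pf is never enabled: this only exercises table
	# and ruleset bookkeeping, no packets are filtered.
	vnet_mkjail alcatraz

	# Creating the table and populating it happens via pfctl -T; both
	# commands ran unchecked before, so a failure here would only have
	# shown up as a confusing mismatch at the end.
	atf_check -s exit:0 -o ignore -e ignore \
	    jexec alcatraz pfctl -t foo -T add 192.0.2.1
	atf_check -s exit:0 -o match:'192\.0\.2\.1' -e ignore \
	    jexec alcatraz pfctl -t foo -T show

	# Load rules that redefine <foo> with counters while keeping the
	# existing table ('noflush' on the load, 'persist' on the table).
	pft_set_rules noflush alcatraz \
		"table <foo> counters persist" \
		"pass in from <foo>"

	# The entry must have survived and its counters must all be zero.
	atf_check -s exit:0 -e ignore \
	    -o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
	    -o match:'In/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
	    -o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
	    -o match:'Out/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \
	    jexec alcatraz pfctl -t foo -T show -vv
}

precreate_cleanup()
{
	pft_cleanup
}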
281
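atf_test_case "anchor" "cleanup"
anchor_head()
{
	atf_set descr 'Test tables in anchors'
	atf_set require.user root
}

# Tables are scoped to the anchor they are defined in: a <testtable> in the
# main ruleset and a <testtable> inside anchor 'anchorage' are two different
# tables, and only the latter drives the anchor's block rule.
anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Anchor ruleset: block every source listed in the anchor's own,
	# initially empty, <testtable>.  The load is checked so a parse
	# error cannot silently turn the rest of the test into a no-op.
	printf '%s\n' \
	    "table <testtable> persist" \
	    "block in quick from <testtable> to any" \
	    | atf_check -s exit:0 -o ignore -e ignore \
	    jexec alcatraz pfctl -a anchorage -f -

	# Main ruleset: allow everything, then evaluate the anchor.
	pft_set_rules noflush alcatraz \
		"pass" \
		"anchor anchorage"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Without -a this creates/populates a <testtable> in the main
	# ruleset, which the anchor's rule does not see: ping still works.
	atf_check -s exit:0 -o ignore -e ignore \
	    jexec alcatraz pfctl -t testtable -T add 192.0.2.1
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Adding the host to the table inside the anchor makes the block
	# rule match; ping gets no reply (exit 2).
	atf_check -s exit:0 -o ignore -e ignore \
	    jexec alcatraz pfctl -a anchorage -t testtable -T add 192.0.2.1
	atf_check -s exit:2 -o ignore ping -c 1 192.0.2.2
}

anchor_cleanup()
{
	pft_cleanup
}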
323
# Register every test case of this file, in the order they are defined
# above.
atf_init_test_cases()
{
	local tc

	for tc in v4_counters v6_counters pr251414 automatic network \
	    pr259689 precreate anchor; do
		atf_add_test_case "${tc}"
	done
}
335