# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2020 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# pf table regression tests: per-address counters (v4/v6), tables that gain
# counters on a ruleset reload, optimizer-generated ("automatic") tables,
# <ifgroup>:network expansion and anchor-scoped tables.  Every test builds an
# isolated vnet jail named "alcatraz" via the helpers in utils.subr and tears
# it down again in its cleanup routine with pft_cleanup.

. $(atf_get_srcdir)/utils.subr

# `pfctl -t <table> -T show -vv` prints an In/Block, In/Pass, Out/Block and
# Out/Pass line for each address, each carrying "Packets: N  Bytes: M".  The
# two patterns below tell an untouched counter apart from one that saw traffic.
TABLE_STATS_ZERO_REGEXP='Packets: 0[[:space:]]*Bytes: 0[[:space:]]'
TABLE_STATS_NONZERO_REGEXP='Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]'

atf_test_case "v4_counters" "cleanup"
v4_counters_head()
{
	atf_set descr 'Verify per-address counters for v4'
	atf_set require.user root
}

# IPv4: a table with "counters" holding the host address; pinging the jail
# must advance the Pass counters while the Block counters stay at zero.
v4_counters_body()
{
	pft_init

	# Host side of the link, 192.0.2.1, is the only entry in <foo>.
	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	# Jail side, 192.0.2.2, is where pf runs.
	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Default deny; only traffic to/from the counted address may pass.
	pft_set_rules alcatraz \
	    "table <foo> counters { 192.0.2.1 }" \
	    "block all" \
	    "pass in from <foo> to any" \
	    "pass out from any to <foo>"

	atf_check -o ignore -s exit:0 ping -c 3 192.0.2.2

	# Requests and replies both went through the pass rules, so both
	# Pass counters are non-zero and nothing was blocked.
	atf_check -s exit:0 -e ignore \
	    -o "match:In/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:In/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    -o "match:Out/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:Out/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    jexec alcatraz pfctl -t foo -T show -vv
}

v4_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "v6_counters" "cleanup"
v6_counters_head()
{
	atf_set descr 'Verify per-address counters for v6'
	atf_set require.user root
}

# IPv6 twin of v4_counters: same ruleset shape, same expectations, with DAD
# disabled on both ends so the link is usable immediately.
v6_counters_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
	    "table <foo6> counters { 2001:db8:42::1 }" \
	    "block all" \
	    "pass in from <foo6> to any" \
	    "pass out from any to <foo6>"

	atf_check -o ignore -s exit:0 ping -6 -c 3 2001:db8:42::2

	# Pass counters advanced in both directions, Block counters untouched.
	atf_check -s exit:0 -e ignore \
	    -o "match:In/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:In/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    -o "match:Out/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:Out/Pass:.*${TABLE_STATS_NONZERO_REGEXP}" \
	    jexec alcatraz pfctl -t foo6 -T show -vv
}

v6_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "pr251414" "cleanup"
pr251414_head()
{
	atf_set descr 'Test PR 251414'
	atf_set require.user root
}

# Regression test for PR 251414: load a ruleset whose table has no counters,
# then reload it without flushing so the same table is redefined with
# counters, push traffic through it and dump the table.
pr251414_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# First load: <tab> without counters.
	pft_set_rules alcatraz \
	    "pass all" \
	    "table <tab> { self }" \
	    "pass in log to <tab>"

	# Second load keeps existing state (noflush) and adds counters to
	# the already-existing table.
	pft_set_rules noflush alcatraz \
	    "pass all" \
	    "table <tab> counters { self }" \
	    "pass in log to <tab>"

	atf_check -o ignore -s exit:0 ping -c 3 192.0.2.2

	# Only the act of dumping the counters matters here; the output is
	# not inspected.
	jexec alcatraz pfctl -t tab -T show -vv
}

pr251414_cleanup()
{
	pft_cleanup
}

atf_test_case "automatic" "cleanup"
automatic_head()
{
	atf_set descr "Test automatic - optimizer generated - tables"
	atf_set require.user root
}

# Several single-address pass rules that the rule optimizer is expected to
# fold into an automatic table; 192.0.2.1 must still be allowed in.
automatic_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Build the rule list: a default block followed by one pass rule per
	# host address (192.0.2.1 and 192.0.2.3 through 192.0.2.9).
	set -- "block in"
	for host in 1 3 4 5 6 7 8 9; do
		set -- "$@" "pass in proto icmp from 192.0.2.${host}"
	done
	pft_set_rules alcatraz "$@"

	atf_check -o ignore -s exit:0 ping -c 1 192.0.2.2
}

automatic_cleanup()
{
	pft_cleanup
}

atf_test_case "network" "cleanup"
network_head()
{
	atf_set descr 'Test <ifgroup>:network'
	atf_set require.user root
}

# A const table built from "epair:network", where "epair" names the interface
# group rather than the shell variable, must admit the host on that network.
network_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
	    "table <allow> const { epair:network }" \
	    "block in" \
	    "pass in from <allow>"

	atf_check -o ignore -s exit:0 ping -c 1 192.0.2.2
}

network_cleanup()
{
	pft_cleanup
}

atf_test_case "pr259689" "cleanup"
pr259689_head()
{
	atf_set descr 'Test PR 259689'
	atf_set require.user root
}

# Regression test for PR 259689: a block rule with a six-address list must be
# rendered as a six-entry automatic table in the verbose rule listing.  No
# interface or enabled pf is needed; only the ruleset load is exercised.
pr259689_body()
{
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
	    "pass in" \
	    "block in inet from { 1.1.1.1, 1.1.1.2, 2.2.2.2, 2.2.2.3, 4.4.4.4, 4.4.4.5 }"

	atf_check -e ignore \
	    -o match:'block drop in inet from <__automatic_.*:6> to any' \
	    jexec alcatraz pfctl -sr -vv
}

pr259689_cleanup()
{
	pft_cleanup
}

atf_test_case "precreate" "cleanup"
precreate_head()
{
	atf_set descr 'Test creating a table without counters, then loading rules that add counters'
	atf_set require.user root
}

# Create <foo> by hand (no counters), then load a ruleset that declares the
# same table with "counters persist" without flushing.  The pre-existing
# entry must now report counters, all of them zero.
precreate_body()
{
	pft_init

	vnet_mkjail alcatraz

	jexec alcatraz pfctl -t foo -T add 192.0.2.1
	jexec alcatraz pfctl -t foo -T show

	pft_set_rules noflush alcatraz \
	    "table <foo> counters persist" \
	    "pass in from <foo>"

	# No traffic was sent, so every counter must read zero.
	atf_check -s exit:0 -e ignore \
	    -o "match:In/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:In/Pass:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:Out/Block:.*${TABLE_STATS_ZERO_REGEXP}" \
	    -o "match:Out/Pass:.*${TABLE_STATS_ZERO_REGEXP}" \
	    jexec alcatraz pfctl -t foo -T show -vv
}

precreate_cleanup()
{
	pft_cleanup
}

atf_test_case "anchor" "cleanup"
anchor_head()
{
	atf_set descr 'Test tables in anchors'
	atf_set require.user root
}

# Tables are scoped to the anchor that defines them: adding an address to a
# same-named table in the main ruleset must not affect the anchor's block
# rule, while adding it to the anchor's own table must.
anchor_body()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig "${epair}a" 192.0.2.1/24 up

	vnet_mkjail alcatraz "${epair}b"
	jexec alcatraz ifconfig "${epair}b" 192.0.2.2/24 up
	jexec alcatraz pfctl -e

	# Load the anchor ruleset from stdin: an empty persistent table and a
	# quick block rule keyed on it.
	printf '%s\n' \
	    "table <testtable> persist" \
	    "block in quick from <testtable> to any" \
	    | jexec alcatraz pfctl -a anchorage -f -

	# Main ruleset passes everything and defers to the anchor.
	pft_set_rules noflush alcatraz \
	    "pass" \
	    "anchor anchorage"

	atf_check -o ignore -s exit:0 ping -c 1 192.0.2.2

	# Adding to the root-level <testtable> touches a different table
	# than the anchor's, so traffic still passes.
	jexec alcatraz pfctl -t testtable -T add 192.0.2.1
	atf_check -o ignore -s exit:0 ping -c 1 192.0.2.2

	# Adding to the anchor's <testtable> activates the quick block rule;
	# ping now fails (exit status 2).
	jexec alcatraz pfctl -a anchorage -t testtable -T add 192.0.2.1
	atf_check -o ignore -s exit:2 ping -c 1 192.0.2.2
}

anchor_cleanup()
{
	pft_cleanup
}

# Register every test case, in the order they are defined above.
atf_init_test_cases()
{
	for tc in v4_counters v6_counters pr251414 automatic \
	    network pr259689 precreate anchor; do
		atf_add_test_case "${tc}"
	done
}