# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2020 Mark Johnston <markj@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# pf table tests.  Every case needs root (it creates epairs and a vnet jail)
# and is registered with the "cleanup" hook, so pft_cleanup runs even when
# the body fails part-way through.

. $(atf_get_srcdir)/utils.subr

# "pfctl -t <table> -T show -vv" prints one "Packets: N  Bytes: M" pair per
# direction/verdict.  These two patterns tell an untouched counter pair
# from one that has seen traffic.
TABLE_STATS_ZERO_REGEXP='Packets: 0[[:space:]]*Bytes: 0[[:space:]]'
TABLE_STATS_NONZERO_REGEXP='Packets: [1-9][0-9]*[[:space:]]*Bytes: [1-9][0-9]*[[:space:]]'

# Shared IPv4 fixture used by the v4 cases: one epair, the "a" end
# (192.0.2.1/24) stays on the host, the "b" end (192.0.2.2/24) is moved into
# a vnet jail named alcatraz where pf is enabled.  Leaves ${epair} set for
# the caller (sh functions have no local scope here, which is intended).
tables_v4_fixture()
{
	pft_init

	epair=$(vnet_mkepair)
	ifconfig ${epair}a 192.0.2.1/24 up

	vnet_mkjail alcatraz ${epair}b
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz pfctl -e
}

atf_test_case "v4_counters" "cleanup"
v4_counters_head()
{
	atf_set descr 'Verify per-address counters for v4'
	atf_set require.user root
}

# Declare the host address in a table with "counters", ping the jail, then
# read the table back: both pass directions must have accumulated traffic
# while both block directions must still be at zero.
v4_counters_body()
{
	tables_v4_fixture

	pft_set_rules alcatraz \
		"table <foo> counters { 192.0.2.1 }" \
		"block all" \
		"pass in from <foo> to any" \
		"pass out from any to <foo>"

	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	# All four match: expressions must hold on the same output.
	atf_check -s exit:0 -e ignore \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		jexec alcatraz pfctl -t foo -T show -vv
}

v4_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "v6_counters" "cleanup"
v6_counters_head()
{
	atf_set descr 'Verify per-address counters for v6'
	atf_set require.user root
}

# Same check as v4_counters, over IPv6.  DAD is disabled on both ends so the
# addresses are usable immediately instead of sitting in tentative state.
v6_counters_body()
{
	pft_init

	epair6=$(vnet_mkepair)
	ifconfig ${epair6}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled

	vnet_mkjail alcatraz ${epair6}b
	jexec alcatraz ifconfig ${epair6}b inet6 2001:db8:42::2/64 up no_dad
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"table <foo6> counters { 2001:db8:42::1 }" \
		"block all" \
		"pass in from <foo6> to any" \
		"pass out from any to <foo6>"

	atf_check -s exit:0 -o ignore ping -6 -c 3 2001:db8:42::2

	atf_check -s exit:0 -e ignore \
		-o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \
		-o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		-o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \
		jexec alcatraz pfctl -t foo6 -T show -vv
}

v6_counters_cleanup()
{
	pft_cleanup
}

atf_test_case "pr251414" "cleanup"
pr251414_head()
{
	atf_set descr 'Test PR 251414'
	atf_set require.user root
}

# Regression test for PR 251414: load a ruleset with a plain <tab>, then
# reload it (noflush, so presumably the existing table is kept rather than
# flushed first) with <tab> redefined to carry counters, pass traffic and
# dump the table.  Nothing is asserted on the dump; the case passes as long
# as the whole sequence completes.
pr251414_body()
{
	tables_v4_fixture

	pft_set_rules alcatraz \
		"pass all" \
		"table <tab> { self }" \
		"pass in log to <tab>"

	pft_set_rules noflush alcatraz \
		"pass all" \
		"table <tab> counters { self }" \
		"pass in log to <tab>"

	atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2

	jexec alcatraz pfctl -t tab -T show -vv
}

pr251414_cleanup()
{
	pft_cleanup
}

atf_test_case "automatic" "cleanup"
automatic_head()
{
	atf_set descr "Test automatic - optimizer generated - tables"
	atf_set require.user root
}

# A run of pass rules that differ only in their source address is the shape
# the ruleset optimizer collapses into an automatic table (see pr259689 for
# the visible "<__automatic_...>" form).  Only 192.0.2.1 actually exists;
# the ping checks that traffic from it still passes after optimisation.
automatic_body()
{
	tables_v4_fixture

	pft_set_rules alcatraz \
		"block in" \
		"pass in proto icmp from 192.0.2.1" \
		"pass in proto icmp from 192.0.2.3" \
		"pass in proto icmp from 192.0.2.4" \
		"pass in proto icmp from 192.0.2.5" \
		"pass in proto icmp from 192.0.2.6" \
		"pass in proto icmp from 192.0.2.7" \
		"pass in proto icmp from 192.0.2.8" \
		"pass in proto icmp from 192.0.2.9"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

automatic_cleanup()
{
	pft_cleanup
}

atf_test_case "network" "cleanup"
network_head()
{
	atf_set descr 'Test <ifgroup>:network'
	atf_set require.user root
}

# Populate a const table from an interface group's networks.  Note that
# "epair" inside the rule is the interface group name as seen by pf, not the
# ${epair} shell variable (the string is never expanded by the shell).
network_body()
{
	tables_v4_fixture

	pft_set_rules alcatraz \
		"table <allow> const { epair:network }" \
		"block in" \
		"pass in from <allow>"

	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

network_cleanup()
{
	pft_cleanup
}

atf_test_case "pr259689" "cleanup"
pr259689_head()
{
	atf_set descr 'Test PR 259689'
	atf_set require.user root
}

# Regression test for PR 259689.  No interfaces are needed: the case only
# loads a block rule with a six-address list and checks that the rule dump
# shows it rewritten against an automatic table holding all six entries.
pr259689_body()
{
	pft_init

	vnet_mkjail alcatraz
	jexec alcatraz pfctl -e

	pft_set_rules alcatraz \
		"pass in" \
		"block in inet from { 1.1.1.1, 1.1.1.2, 2.2.2.2, 2.2.2.3, 4.4.4.4, 4.4.4.5 }"

	atf_check -o match:'block drop in inet from <__automatic_.*:6> to any' \
		-e ignore \
		jexec alcatraz pfctl -sr -vv
}

pr259689_cleanup()
{
	pft_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "v4_counters"
	atf_add_test_case "v6_counters"
	atf_add_test_case "pr251414"
	atf_add_test_case "automatic"
	atf_add_test_case "network"
	atf_add_test_case "pr259689"
}