xref: /freebsd/tests/sys/netpfil/pf/utils.subr (revision 9bc300465e48e19d794d88d0c158a2adb92c7197) 
1# Utility functions
2##
3# SPDX-License-Identifier: BSD-2-Clause
4#
5# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
6# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13# 2. Redistributions in binary form must reproduce the above copyright
14#    notice, this list of conditions and the following disclaimer in the
15#    documentation and/or other materials provided with the distribution.
16#
17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27# SUCH DAMAGE.
28
29. $(atf_get_srcdir)/../../common/vnet.subr
30common_dir=$(atf_get_srcdir)/../common
31
32pft_onerror()
33{
34	status=$?
35
36	echo "Debug log."
37	echo "=========="
38	echo "Test exit status: $?"
39	echo
40
41	if [ -f created_jails.lst ]; then
42		for jailname in `cat created_jails.lst`
43		do
44			echo "Jail ${jailname}"
45			echo "----------------"
46			jexec ${jailname} ifconfig
47			jexec ${jailname} netstat -rn
48			jexec ${jailname} pfctl -sa -v
49		done
50	fi
51
52	echo "Created interfaces:"
53	echo "-------------------"
54	cat created_interfaces.lst
55
56	echo "Host interfaces:"
57	echo "----------------"
58	ifconfig
59}
60
61pft_init()
62{
63	if [ "$1" == "debug" ]
64	then
65		trap pft_onerror EXIT
66	fi
67
68	vnet_init
69
70	if [ ! -c /dev/pf ]; then
71		atf_skip "This test requires pf"
72	fi
73}
74
75pfsynct_init()
76{
77	pft_init
78
79	if ! kldstat -q -m pfsync; then
80		atf_skip "This test requires pfsync"
81	fi
82}
83
84pflog_init()
85{
86	pft_init
87
88	if ! kldstat -q -m pflog; then
89		atf_skip "This test requires pflog"
90	fi
91}
92
93pflow_init()
94{
95	pft_init
96
97	if ! kldstat -q -m pflow; then
98		atf_skip "This test requires pflow"
99	fi
100}
101
102dummynet_init()
103{
104	pft_init
105
106	if ! kldstat -q -m dummynet; then
107		atf_skip "This test requires dummynet"
108	fi
109}
110
111pft_set_rules()
112{
113	jname=$1
114	shift
115
116	if [ $jname == "noflush" ];
117	then
118		jname=$1
119		shift
120	else
121		# Flush all states, rules, fragments, ...
122		jexec ${jname} pfctl -F all
123	fi
124
125	while [ $# -gt 0 ]; do
126		printf "$1\n"
127		shift
128	done | jexec ${jname} pfctl -f -
129	if [ $? -ne 0 ];
130	then
131		atf_fail "Failed to set PF rules in ${jname}"
132	fi
133}
134
135pft_cleanup()
136{
137	vnet_cleanup
138}
139
140pfsynct_cleanup()
141{
142	pft_cleanup
143}
144
145is_altq_supported()
146{
147	sysctl -q kern.features.altq >/dev/null || \
148	    atf_skip "Test requires ALTQ"
149
150	while [ -n "$1" ]
151	do
152		sysctl -q kern.features.altq.${1} >/dev/null || \
153		    atf_skip "Test required ALTQ_${1}"
154		shift
155	done
156}
157
158altq_init()
159{
160	pft_init
161	is_altq_supported
162}
163
164altq_cleanup()
165{
166	pft_cleanup
167}
168
169# Create a bare router jail.
170# This function lacks target configuration.
171setup_router_ipv4()
172{
173	pft_init
174
175	epair_tester=$(vnet_mkepair)
176	epair_server=$(vnet_mkepair)
177
178	net_tester=192.0.2.0/24
179	net_tester_mask=24
180	net_tester_host_router=192.0.2.1
181	net_tester_host_tester=192.0.2.2
182
183	net_server=198.51.100.0/24
184	net_server_mask=24
185	net_server_host_router=198.51.100.1
186	net_server_host_server=198.51.100.2
187
188	vnet_mkjail router ${epair_tester}b ${epair_server}a
189
190	ifconfig ${epair_tester}a ${net_tester_host_tester}/${net_tester_mask} up
191	route add -net ${net_server} ${net_tester_host_router}
192
193	jexec router ifconfig ${epair_tester}b ${net_tester_host_router}/${net_tester_mask} up
194	jexec router sysctl net.inet.ip.forwarding=1
195	jexec router ifconfig ${epair_server}a ${net_server_host_router}/${net_server_mask} up
196
197	jexec router pfctl -e
198}
199
200# Create a router jail.
201# The target for tests does not exist but a static ARP entry does
202# so packets to it can be properly routed.
203setup_router_dummy_ipv4()
204{
205	setup_router_ipv4
206	jexec router arp -s ${net_server_host_server} 00:01:02:03:04:05
207	ifconfig ${epair_server}b up
208}
209
210# Create a router and a server jail.
211# The server is capable of responding to pings from the tester.
212setup_router_server_ipv4()
213{
214	setup_router_ipv4
215	vnet_mkjail server ${epair_server}b
216	jexec server ifconfig ${epair_server}b ${net_server_host_server}/${net_server_mask} up
217	jexec server route add -net ${net_tester} ${net_server_host_router}
218	jexec server nc -4l 666 &
219	sleep 1 # Give nc time to start and listen
220}
221
222# Create a bare router jail.
223# This function lacks target configuration.
224setup_router_ipv6()
225{
226	pft_init
227
228	epair_tester=$(vnet_mkepair)
229	epair_server=$(vnet_mkepair)
230
231	net_tester=2001:db8:42::/64
232	net_tester_mask=64
233	net_tester_host_router=2001:db8:42::1
234	net_tester_host_tester=2001:db8:42::2
235
236	net_server=2001:db8:43::/64
237	net_server_mask=64
238	net_server_host_router=2001:db8:43::1
239	net_server_host_server=2001:db8:43::2
240
241	vnet_mkjail router ${epair_tester}b ${epair_server}a
242
243	ifconfig ${epair_tester}a inet6 ${net_tester_host_tester}/${net_tester_mask}up no_dad
244	route add -6 ${net_server} ${net_tester_host_router}
245
246	jexec router ifconfig ${epair_tester}b inet6 ${net_tester_host_router}/${net_tester_mask} up no_dad
247	jexec router sysctl net.inet6.ip6.forwarding=1
248	jexec router ifconfig ${epair_server}a inet6 ${net_server_host_router}/${net_server_mask} up no_dad
249
250	jexec router pfctl -e
251}
252
253# Create a router jail.
254# The target for tests does not exist but a static NDP entry does
255# so packets to it can be properly routed.
256setup_router_dummy_ipv6()
257{
258	setup_router_ipv6
259	jexec router ndp -s ${net_server_host_server} 00:01:02:03:04:05
260	ifconfig ${epair_server}b up
261}
262
263# Create a router and a server jail.
264# The server is capable of responding to pings from tester.
265setup_router_server_ipv6()
266{
267	setup_router_ipv6
268	vnet_mkjail server ${epair_server}b
269	jexec server ifconfig ${epair_server}b inet6 ${net_server_host_server}/${net_server_mask} up no_dad
270	jexec server route add -6 ${net_tester} ${net_server_host_router}
271	jexec server nc -6l 666 &
272	sleep 1 # Give nc time to start and listen
273}
274
275# Ping the dummy static NDP target.
276# Check for pings being forwarded through the router towards the target.
277ping_dummy_check_request()
278{
279	exit_condition=$1
280	shift
281	params=$@
282	atf_check -s ${exit_condition} ${common_dir}/pft_ping.py \
283	    --sendif ${epair_tester}a \
284	    --to ${net_server_host_server} \
285	    --recvif ${epair_server}b \
286	$params
287}
288
289# Ping the server jail.
290# Check for responses coming back throught the router back to the tester.
291ping_server_check_reply()
292{
293	exit_condition=$1
294	shift
295	params=$@
296	atf_check -s ${exit_condition} ${common_dir}/pft_ping.py \
297	    --sendif ${epair_tester}a \
298	    --to ${net_server_host_server} \
299	    --replyif ${epair_tester}a \
300	$params
301}
302