xref: /freebsd/tests/sys/netpfil/pf/utils.subr (revision b1879975794772ee51f0b4865753364c7d7626c3)
1# Utility functions
2##
3# SPDX-License-Identifier: BSD-2-Clause
4#
5# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
6# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11# 1. Redistributions of source code must retain the above copyright
12#    notice, this list of conditions and the following disclaimer.
13# 2. Redistributions in binary form must reproduce the above copyright
14#    notice, this list of conditions and the following disclaimer in the
15#    documentation and/or other materials provided with the distribution.
16#
17# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27# SUCH DAMAGE.
28
29. $(atf_get_srcdir)/../../common/vnet.subr
30common_dir=$(atf_get_srcdir)/../common
31
32pft_onerror()
33{
34	status=$?
35
36	echo "Debug log."
37	echo "=========="
38	echo "Test exit status: $?"
39	echo
40
41	if [ -f created_jails.lst ]; then
42		for jailname in `cat created_jails.lst`
43		do
44			echo "Jail ${jailname}"
45			echo "----------------"
46			jexec ${jailname} ifconfig
47			jexec ${jailname} netstat -rn
48			jexec ${jailname} pfctl -sa -v
49		done
50	fi
51
52	echo "Created interfaces:"
53	echo "-------------------"
54	cat created_interfaces.lst
55
56	echo "Host interfaces:"
57	echo "----------------"
58	ifconfig
59}
60
61pft_init()
62{
63	if [ "$1" == "debug" ]
64	then
65		trap pft_onerror EXIT
66	fi
67
68	vnet_init
69
70	if [ ! -c /dev/pf ]; then
71		atf_skip "This test requires pf"
72	fi
73}
74
75pfsynct_init()
76{
77	pft_init
78
79	if ! kldstat -q -m pfsync; then
80		atf_skip "This test requires pfsync"
81	fi
82}
83
84pflog_init()
85{
86	pft_init
87
88	if ! kldstat -q -m pflog; then
89		atf_skip "This test requires pflog"
90	fi
91}
92
93pflow_init()
94{
95	pft_init
96
97	if ! kldstat -q -m pflow; then
98		atf_skip "This test requires pflow"
99	fi
100}
101
102dummynet_init()
103{
104	pft_init
105
106	if ! kldstat -q -m dummynet; then
107		atf_skip "This test requires dummynet"
108	fi
109}
110
111pft_set_rules()
112{
113	jname=$1
114	shift
115
116	if [ $jname == "noflush" ];
117	then
118		jname=$1
119		shift
120	else
121		# Flush all states, rules, fragments, ...
122		jexec ${jname} pfctl -F all
123	fi
124
125	while [ $# -gt 0 ]; do
126		printf "$1\n"
127		shift
128	done | jexec ${jname} pfctl -f -
129	if [ $? -ne 0 ];
130	then
131		atf_fail "Failed to set PF rules in ${jname}"
132	fi
133}
134
135pft_cleanup()
136{
137	vnet_cleanup
138}
139
140pfsynct_cleanup()
141{
142	pft_cleanup
143}
144
145is_altq_supported()
146{
147	sysctl -q kern.features.altq >/dev/null || \
148	    atf_skip "Test requires ALTQ"
149
150	while [ -n "$1" ]
151	do
152		sysctl -q kern.features.altq.${1} >/dev/null || \
153		    atf_skip "Test required ALTQ_${1}"
154		shift
155	done
156}
157
158altq_init()
159{
160	pft_init
161	is_altq_supported
162}
163
164altq_cleanup()
165{
166	pft_cleanup
167}
168
169# Create a bare router jail.
170# This function lacks target configuration.
171setup_router_ipv4()
172{
173	pft_init
174
175	epair_tester=$(vnet_mkepair)
176	epair_server=$(vnet_mkepair)
177
178	net_tester=192.0.2.0/24
179	net_tester_mask=24
180	net_tester_host_router=192.0.2.1
181	net_tester_host_tester=192.0.2.2
182
183	net_server=198.51.100.0/24
184	net_server_mask=24
185	net_server_host_router=198.51.100.1
186	net_server_host_server=198.51.100.2
187
188	vnet_mkjail router ${epair_tester}b ${epair_server}a
189
190	ifconfig ${epair_tester}a ${net_tester_host_tester}/${net_tester_mask} up
191	route add -net ${net_server} ${net_tester_host_router}
192
193	jexec router ifconfig ${epair_tester}b ${net_tester_host_router}/${net_tester_mask} up
194	jexec router sysctl net.inet.ip.forwarding=1
195	jexec router ifconfig ${epair_server}a ${net_server_host_router}/${net_server_mask} up
196
197	jexec router pfctl -e
198}
199
200# Create a router jail.
201# The target for tests does not exist but a static ARP entry does
202# so packets to it can be properly routed.
203setup_router_dummy_ipv4()
204{
205	setup_router_ipv4
206	jexec router arp -s ${net_server_host_server} 00:01:02:03:04:05
207	ifconfig ${epair_server}b up
208}
209
210# Create a router and a server jail.
211# The server is capable of responding to pings from the tester.
212setup_router_server_ipv4()
213{
214	setup_router_ipv4
215	vnet_mkjail server ${epair_server}b
216	jexec server ifconfig ${epair_server}b ${net_server_host_server}/${net_server_mask} up
217	jexec server route add -net ${net_tester} ${net_server_host_router}
218	inetd_conf=$(mktemp)
219	echo "discard stream tcp nowait root internal" > $inetd_conf
220	jexec server inetd -p ${PWD}/inetd.pid $inetd_conf
221}
222
223# Create a bare router jail.
224# This function lacks target configuration.
225setup_router_ipv6()
226{
227	pft_init
228
229	epair_tester=$(vnet_mkepair)
230	epair_server=$(vnet_mkepair)
231
232	net_tester=2001:db8:42::/64
233	net_tester_mask=64
234	net_tester_host_router=2001:db8:42::1
235	net_tester_host_tester=2001:db8:42::2
236
237	net_server=2001:db8:43::/64
238	net_server_mask=64
239	net_server_host_router=2001:db8:43::1
240	net_server_host_server=2001:db8:43::2
241
242	vnet_mkjail router ${epair_tester}b ${epair_server}a
243
244	ifconfig ${epair_tester}a inet6 ${net_tester_host_tester}/${net_tester_mask}up no_dad
245	route add -6 ${net_server} ${net_tester_host_router}
246
247	jexec router ifconfig ${epair_tester}b inet6 ${net_tester_host_router}/${net_tester_mask} up no_dad
248	jexec router sysctl net.inet6.ip6.forwarding=1
249	jexec router ifconfig ${epair_server}a inet6 ${net_server_host_router}/${net_server_mask} up no_dad
250
251	jexec router pfctl -e
252}
253
254# Create a router jail.
255# The target for tests does not exist but a static NDP entry does
256# so packets to it can be properly routed.
257setup_router_dummy_ipv6()
258{
259	setup_router_ipv6
260	jexec router ndp -s ${net_server_host_server} 00:01:02:03:04:05
261	ifconfig ${epair_server}b up
262}
263
264# Create a router and a server jail.
265# The server is capable of responding to pings from tester.
266setup_router_server_ipv6()
267{
268	setup_router_ipv6
269	vnet_mkjail server ${epair_server}b
270	jexec server ifconfig ${epair_server}b inet6 ${net_server_host_server}/${net_server_mask} up no_dad
271	jexec server route add -6 ${net_tester} ${net_server_host_router}
272	inetd_conf=$(mktemp)
273	echo "discard stream tcp6 nowait root internal" > $inetd_conf
274	jexec server inetd -p ${PWD}/inetd.pid $inetd_conf
275}
276
277# Ping the dummy static NDP target.
278# Check for pings being forwarded through the router towards the target.
279ping_dummy_check_request()
280{
281	exit_condition=$1
282	shift
283	params=$@
284	atf_check -s ${exit_condition} ${common_dir}/pft_ping.py \
285	    --sendif ${epair_tester}a \
286	    --to ${net_server_host_server} \
287	    --recvif ${epair_server}b \
288	$params
289}
290
291# Ping the server jail.
292# Check for responses coming back throught the router back to the tester.
293ping_server_check_reply()
294{
295	exit_condition=$1
296	shift
297	params=$@
298	atf_check -s ${exit_condition} ${common_dir}/pft_ping.py \
299	    --sendif ${epair_tester}a \
300	    --to ${net_server_host_server} \
301	    --replyif ${epair_tester}a \
302	$params
303}
304
305normalize_pfctl_s()
306{
307	# `pfctl -s[rsS]` output is divided into sections. Each rule, state or
308	# source node starts with the beginning of a line and next lines with leading
309	# spaces are various parameters of said rule, state or source node.
310	# Convert it into a single line per entry, and remove multiple spaces,
311	# so that regular expressions for matching them in tests can be simpler.
312	awk '{ if ($0 ~ /^[^ ]/ && NR > 1) print(""); gsub(/ +/, " ", $0); printf("%s", $0); } END {print("");}'
313}
314