diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2021-02-12 16:01:29 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-03-02 16:00:05 +0000 |
| commit | 792d7a56308bb3a54f852f096f4cdde3f46f103c (patch) | |
| tree | c755033a9622d778ee6595c7187483bd154c67a0 | |
| parent | 4ffb7d1300a6e4d46ab7fe212509ba32555d1024 (diff) | |
| download | src-792d7a56308bb3a54f852f096f4cdde3f46f103c.tar.gz src-792d7a56308bb3a54f852f096f4cdde3f46f103c.zip | |
pf tests: Basic captive portal like test
Use the ether rules to selectively (i.e. per MAC address) redirect
certain connections. Test that tags carry over to the layer-3 pf code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31746
| -rw-r--r-- | tests/sys/netpfil/pf/ether.sh | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh index 273c5654afa5..9178a0845773 100644 --- a/tests/sys/netpfil/pf/ether.sh +++ b/tests/sys/netpfil/pf/ether.sh @@ -133,8 +133,83 @@ proto_cleanup() pft_cleanup } +atf_test_case "captive" "cleanup" +captive_head() +{ + atf_set descr 'Test a basic captive portal-like setup' + atf_set require.user root +} + +captive_body() +{ + # Host is client, jail 'gw' is the captive portal gateway, jail 'srv' + # is a random (web)server. We use the echo protocol rather than http + # for the test, because that's easier. + pft_init + + epair_gw=$(vnet_mkepair) + epair_srv=$(vnet_mkepair) + epair_gw_a_mac=$(ifconfig ${epair_gw}a ether | awk '/ether/ { print $2; }') + + vnet_mkjail gw ${epair_gw}b ${epair_srv}a + vnet_mkjail srv ${epair_srv}b + + ifconfig ${epair_gw}a 192.0.2.2/24 up + route add -net 198.51.100.0/24 192.0.2.1 + jexec gw ifconfig ${epair_gw}b 192.0.2.1/24 up + jexec gw ifconfig lo0 127.0.0.1/8 up + jexec gw sysctl net.inet.ip.forwarding=1 + + jexec gw ifconfig ${epair_srv}a 198.51.100.1/24 up + jexec srv ifconfig ${epair_srv}b 198.51.100.2/24 up + jexec srv route add -net 192.0.2.0/24 198.51.100.1 + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2 + + pft_set_rules gw \ + "ether pass quick proto 0x0806" \ + "ether pass tag captive" \ + "rdr on ${epair_gw}b proto tcp to port echo tagged captive -> 127.0.0.1 port echo" + jexec gw pfctl -e + + # ICMP should still work, because we don't redirect it. + atf_check -s exit:0 -o ignore ping -c 1 -t 1 198.51.100.2 + + # Run the echo server only on the gw, so we know we've redirectly + # correctly if we get an echo message. + jexec gw /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf + + # Confirm that we're getting redirected + atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 7" + + jexec gw killall inetd + + # Now pretend we've authenticated, so add the client's MAC address + pft_set_rules gw \ + "ether pass quick proto 0x0806" \ + "ether pass quick from ${epair_gw_a_mac}" \ + "ether pass tag captive" \ + "rdr on ${epair_gw}b proto tcp to port echo tagged captive -> 127.0.0.1 port echo" + + # No redirect, so failure. + atf_check -s exit:1 -x "echo foo | nc -N 198.51.100.2 7" + + # Start a server in srv + jexec srv /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf + + # And now we can talk to that one. + atf_check -s exit:0 -o match:"^foo$" -x "echo foo | nc -N 198.51.100.2 7" +} + +captive_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "mac" atf_add_test_case "proto" + atf_add_test_case "captive" } |