aboutsummaryrefslogtreecommitdiff
path: root/tests/sys/netpfil
diff options
context:
space:
mode:
authorKristof Provost <kp@FreeBSD.org>2017-10-06 20:43:14 +0000
committerKristof Provost <kp@FreeBSD.org>2017-10-06 20:43:14 +0000
commit1d6f5f214a6ee80570ad56583cb58acfc6cf84d2 (patch)
treea5ebb4acd7318b32d6d5ff146271ab4489d6278e /tests/sys/netpfil
parente29c55e4bb38245e20b138dc833e20b141c2bcac (diff)
downloadsrc-1d6f5f214a6ee80570ad56583cb58acfc6cf84d2.tar.gz
src-1d6f5f214a6ee80570ad56583cb58acfc6cf84d2.zip
pf: Basic automated test using VIMAGE
If VIMAGE is present we can start jails with their own pf instance. This makes it fairly easy to run tests. For example, this basic test verifies that drop/pass and icmp classification works. It's a basic sanity test for pf, and hopefully an example on how to write more pf tests. The tests are skipped if VIMAGE is not enabled. This work is inspired by the GSoC work of Panagiotes Mousikides. Differential Revision: https://reviews.freebsd.org/D12580
Notes
Notes: svn path=/head/; revision=324375
Diffstat (limited to 'tests/sys/netpfil')
-rw-r--r--tests/sys/netpfil/Makefile7
-rw-r--r--tests/sys/netpfil/pf/Makefile11
-rwxr-xr-xtests/sys/netpfil/pf/pass_block.sh91
-rw-r--r--tests/sys/netpfil/pf/utils.subr47
4 files changed, 156 insertions, 0 deletions
diff --git a/tests/sys/netpfil/Makefile b/tests/sys/netpfil/Makefile
new file mode 100644
index 000000000000..f9719f6ce2b4
--- /dev/null
+++ b/tests/sys/netpfil/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netpfil
+
+TESTS_SUBDIRS+= pf
+
+.include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
new file mode 100644
index 000000000000..72e373db3310
--- /dev/null
+++ b/tests/sys/netpfil/pf/Makefile
@@ -0,0 +1,11 @@
+# $FreeBSD$
+
+PACKAGE= tests
+
+TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
+
+ATF_TESTS_SH+= pass_block
+
+${PACKAGE}FILES+= utils.subr
+
+.include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/pass_block.sh b/tests/sys/netpfil/pf/pass_block.sh
new file mode 100755
index 000000000000..abb481d40e57
--- /dev/null
+++ b/tests/sys/netpfil/pf/pass_block.sh
@@ -0,0 +1,91 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'Basic pass/block test for IPv4'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ pft_init
+
+ epair=$(pft_mkepair)
+ ifconfig ${epair}a 192.0.2.1/24 up
+
+ # Set up a simple jail with one interface
+ pft_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+
+ # Trivial ping to the jail, without pf
+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+ # pf without policy will let us ping
+ jexec alcatraz pfctl -e
+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+ # Block everything
+ printf "block in\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
+
+ # Block everything but ICMP
+ printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'Basic pass/block test for IPv6'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ pft_init
+
+ epair=$(pft_mkepair)
+ ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
+
+ # Set up a simple jail with one interface
+ pft_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
+
+ # Trivial ping to the jail, without pf
+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+ # pf without policy will let us ping
+ jexec alcatraz pfctl -e
+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+ # Block everything
+ printf "block in\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+ # Block everything but ICMP
+ printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+ # Allowing ICMPv4 does not allow ICMPv6
+ printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+}
+
+v6_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr
new file mode 100644
index 000000000000..822dd741e204
--- /dev/null
+++ b/tests/sys/netpfil/pf/utils.subr
@@ -0,0 +1,47 @@
+# $FreeBSD$
+# Utility functions
+##
+
+pft_init()
+{
+ if [ ! -c /dev/pf ]; then
+ atf_skip "This test requires pf"
+ fi
+
+ if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then
+ atf_skip "This test requires VIMAGE"
+ fi
+}
+
+pft_mkepair()
+{
+ ifname=$(ifconfig epair create)
+ echo $ifname >> created_interfaces.lst
+ echo ${ifname%a}
+}
+
+pft_mkjail()
+{
+ jailname=$1
+ ifname=$2
+ jail -c name=${jailname} persist vnet vnet.interface=${ifname}
+
+ echo $jailname >> created_jails.lst
+}
+
+pft_cleanup()
+{
+ if [ -f created_interfaces.lst ]; then
+ for ifname in `cat created_interfaces.lst`
+ do
+ ifconfig ${ifname} destroy
+ done
+ fi
+
+ if [ -f created_jails.lst ]; then
+ for jailname in `cat created_jails.lst`
+ do
+ jail -r ${jailname}
+ done
+ fi
+}