Diffstat (limited to 'sbin/ipfw/tests')
-rw-r--r--sbin/ipfw/tests/Makefile1
-rw-r--r--sbin/ipfw/tests/ipfw_test.sh107
-rwxr-xr-xsbin/ipfw/tests/test_add_rule.py25
3 files changed, 121 insertions, 12 deletions
diff --git a/sbin/ipfw/tests/Makefile b/sbin/ipfw/tests/Makefile
index 987410f5d710..e2d4dab2729a 100644
--- a/sbin/ipfw/tests/Makefile
+++ b/sbin/ipfw/tests/Makefile
@@ -1,5 +1,6 @@
PACKAGE= tests
ATF_TESTS_PYTEST+= test_add_rule.py
+ATF_TESTS_SH+= ipfw_test
.include <bsd.test.mk>
diff --git a/sbin/ipfw/tests/ipfw_test.sh b/sbin/ipfw/tests/ipfw_test.sh
new file mode 100644
index 000000000000..c7993c430a3d
--- /dev/null
+++ b/sbin/ipfw/tests/ipfw_test.sh
@@ -0,0 +1,107 @@
+#
+# Copyright (c) 2025 Dag-Erling Smørgrav <des@FreeBSD.org>
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+
+. $(atf_get_srcdir)/../../sys/common/vnet.subr
+
+atf_test_case nptv6 cleanup
+nptv6_head()
+{
+ atf_set "descr" "Test creation of NPTv6 rules"
+ atf_set "require.user" "root"
+ atf_set "require.kmods" "ipfw_nptv6"
+}
+nptv6_body()
+{
+ vnet_init
+ local jail=ipfw_$(atf_get ident)
+ local epair=$(vnet_mkepair)
+ vnet_mkjail ${jail} ${epair}a
+
+ local rule="xyzzy"
+ local int="2001:db8:1::"
+ local ext="2001:db8:2::"
+
+ atf_check jexec ${jail} \
+ ifconfig "${epair}"a inet6 ${ext}1/64 up
+
+ # This is how it's supposed to be used
+ atf_check jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int} ext_prefix ${ext} prefixlen 64
+ atf_check -o inline:\
+"nptv6 $rule int_prefix $int ext_prefix $ext prefixlen 64\n" \
+ jexec ${jail} ipfw nptv6 all list
+ atf_check jexec ${jail} ipfw nptv6 all destroy
+
+ # Specify external interface rather than network
+ atf_check jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int} ext_if ${epair}a prefixlen 64
+ atf_check -o inline:\
+"nptv6 $rule int_prefix $int ext_if ${epair}a prefixlen 64\n" \
+ jexec ${jail} ipfw nptv6 all list
+ atf_check jexec ${jail} ipfw nptv6 all destroy
+
+ # This should also work
+ atf_check jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/64 ext_prefix ${ext}/64 prefixlen 64
+ atf_check -o inline:\
+"nptv6 $rule int_prefix $int ext_prefix $ext prefixlen 64\n" \
+ jexec ${jail} ipfw nptv6 all list
+ atf_check jexec ${jail} ipfw nptv6 all destroy
+
+ # This should also work, although it's not encouraged
+ atf_check -e match:"use prefixlen instead" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/64 ext_prefix ${ext}/64
+ atf_check -o inline:\
+"nptv6 $rule int_prefix $int ext_prefix $ext prefixlen 64\n" \
+ jexec ${jail} ipfw nptv6 all list
+ atf_check jexec ${jail} ipfw nptv6 all destroy
+
+ # These should all fail
+ atf_check -s not-exit:0 -e match:"one ext_prefix or ext_if" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int} ext_prefix ${ext} ext_if ${epair}a
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"one ext_prefix or ext_if" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int} ext_if ${epair}a ext_prefix ${ext}
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"prefix length mismatch" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/48 ext_prefix ${ext}/64
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"prefix length mismatch" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/64 ext_prefix ${ext}/64 prefixlen 48
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"prefix length mismatch" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/64 ext_prefix ${ext} prefixlen 48
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"prefix length mismatch" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int} ext_prefix ${ext}/64 prefixlen 48
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+
+ atf_check -s not-exit:0 -e match:"prefix length mismatch" \
+ jexec ${jail} ipfw nptv6 ${rule} create \
+ int_prefix ${int}/64 ext_if ${epair}a prefixlen 48
+ atf_check -o empty jexec ${jail} ipfw nptv6 all list
+}
+nptv6_cleanup()
+{
+ vnet_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case nptv6
+}
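Review bot: In nptv6_body, `local epair=$(vnet_mkepair)` hides the exit status of the command substitution behind `local`, so if the epair cannot be created the test would presumably carry on with an empty name and run the ifconfig and `ext_if` checks against an interface called `a`. Splitting it into `local epair` followed by `epair=$(vnet_mkepair) || atf_fail "vnet_mkepair failed"` makes that failure explicit; the same applies to `local jail=ipfw_$(atf_get ident)`. The expansions `${jail}` and `${epair}a`, and the path on the `. $(atf_get_srcdir)/...` line, are also unquoted. That is harmless with these values, but quoting them is cheap in a test that requires root.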
diff --git a/sbin/ipfw/tests/test_add_rule.py b/sbin/ipfw/tests/test_add_rule.py
index 60c8cebaceaa..c2c4bf0b360c 100755
--- a/sbin/ipfw/tests/test_add_rule.py
+++ b/sbin/ipfw/tests/test_add_rule.py
@@ -36,6 +36,7 @@ from atf_python.sys.netpfil.ipfw.insns import InsnProb
from atf_python.sys.netpfil.ipfw.insns import InsnProto
from atf_python.sys.netpfil.ipfw.insns import InsnReject
from atf_python.sys.netpfil.ipfw.insns import InsnTable
+from atf_python.sys.netpfil.ipfw.insns import InsnU32
from atf_python.sys.netpfil.ipfw.insns import IpFwOpcode
from atf_python.sys.netpfil.ipfw.ioctl import CTlv
from atf_python.sys.netpfil.ipfw.ioctl import CTlvRule
@@ -152,8 +153,8 @@ class TestAddRule(BaseTest):
NTlv(IpFwTlvType.IPFW_TLV_TBL_NAME, idx=2, name="BBB"),
],
"insns": [
- InsnTable(IpFwOpcode.O_IP_SRC_LOOKUP, arg1=1),
- InsnTable(IpFwOpcode.O_IP_DST_LOOKUP, arg1=2),
+ InsnU32(IpFwOpcode.O_IP_SRC_LOOKUP, u32=1),
+ InsnU32(IpFwOpcode.O_IP_DST_LOOKUP, u32=2),
InsnEmpty(IpFwOpcode.O_ACCEPT),
],
},
@@ -182,7 +183,7 @@ class TestAddRule(BaseTest):
],
"insns": [
InsnIp(IpFwOpcode.O_IP_DST, ip="1.2.3.4"),
- Insn(IpFwOpcode.O_EXTERNAL_ACTION, arg1=1),
+ InsnU32(IpFwOpcode.O_EXTERNAL_ACTION, u32=1),
Insn(IpFwOpcode.O_EXTERNAL_DATA, arg1=123),
],
},
@@ -199,8 +200,8 @@ class TestAddRule(BaseTest):
],
"insns": [
InsnIp(IpFwOpcode.O_IP_DST, ip="1.2.3.4"),
- Insn(IpFwOpcode.O_EXTERNAL_ACTION, arg1=1),
- Insn(IpFwOpcode.O_EXTERNAL_INSTANCE, arg1=2),
+ InsnU32(IpFwOpcode.O_EXTERNAL_ACTION, u32=1),
+ InsnU32(IpFwOpcode.O_EXTERNAL_INSTANCE, u32=2),
],
},
},
@@ -227,7 +228,7 @@ class TestAddRule(BaseTest):
],
"insns": [
InsnComment(comment="test comment"),
- Insn(IpFwOpcode.O_CHECK_STATE, arg1=1),
+ InsnU32(IpFwOpcode.O_CHECK_STATE, u32=1),
],
},
},
@@ -241,9 +242,9 @@ class TestAddRule(BaseTest):
NTlv(IpFwTlvType.IPFW_TLV_STATE_NAME, idx=1, name="OUT"),
],
"insns": [
- Insn(IpFwOpcode.O_PROBE_STATE, arg1=1),
+ InsnU32(IpFwOpcode.O_PROBE_STATE, u32=1),
Insn(IpFwOpcode.O_PROTO, arg1=6),
- Insn(IpFwOpcode.O_KEEP_STATE, arg1=1),
+ InsnU32(IpFwOpcode.O_KEEP_STATE, u32=1),
InsnEmpty(IpFwOpcode.O_ACCEPT),
],
},
@@ -259,7 +260,7 @@ class TestAddRule(BaseTest):
],
"insns": [
Insn(IpFwOpcode.O_PROTO, arg1=6),
- Insn(IpFwOpcode.O_KEEP_STATE, arg1=1),
+ InsnU32(IpFwOpcode.O_KEEP_STATE, u32=1),
InsnEmpty(IpFwOpcode.O_ACCEPT),
],
},
@@ -370,7 +371,7 @@ class TestAddRule(BaseTest):
),
pytest.param(("pipe 42", Insn(IpFwOpcode.O_PIPE, arg1=42)), id="pipe_42"),
pytest.param(
- ("skipto 42", Insn(IpFwOpcode.O_SKIPTO, arg1=42)), id="skipto_42"
+ ("skipto 42", InsnU32(IpFwOpcode.O_SKIPTO, u32=42)), id="skipto_42"
),
pytest.param(
("netgraph 42", Insn(IpFwOpcode.O_NETGRAPH, arg1=42)), id="netgraph_42"
@@ -386,7 +387,7 @@ class TestAddRule(BaseTest):
),
pytest.param(("tee 42", Insn(IpFwOpcode.O_TEE, arg1=42)), id="tee_42"),
pytest.param(
- ("call 420", Insn(IpFwOpcode.O_CALLRETURN, arg1=420)), id="call_420"
+ ("call 420", InsnU32(IpFwOpcode.O_CALLRETURN, u32=420)), id="call_420"
),
# TOK_FORWARD
pytest.param(
@@ -400,7 +401,7 @@ class TestAddRule(BaseTest):
),
pytest.param(("reass", InsnEmpty(IpFwOpcode.O_REASS)), id="reass"),
pytest.param(
- ("return", InsnEmpty(IpFwOpcode.O_CALLRETURN, is_not=True)), id="return"
+ ("return", InsnU32(IpFwOpcode.O_CALLRETURN, is_not=True)), id="return"
),
],
)
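Review bot: The `return` case builds `InsnU32(IpFwOpcode.O_CALLRETURN, is_not=True)` without a `u32` argument, unlike every other InsnU32 introduced in this file, so the expected encoding depends on the constructor's default, which is not visible here. If the compiled `return` rule is expected to carry a zero 32-bit argument, passing it explicitly as `InsnU32(IpFwOpcode.O_CALLRETURN, u32=0, is_not=True)` would make that expectation readable. A short comment such as `# return: negated O_CALLRETURN with no target` would do the same job. The parametrize list starts and ends outside this hunk.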