Index: tests/sys/netpfil/pf/Makefile
===================================================================
--- tests/sys/netpfil/pf/Makefile
+++ tests/sys/netpfil/pf/Makefile
@@ -22,6 +22,7 @@
 	pfsync \
 	proxy \
 	rdr \
+	ridentifier \
 	route_to \
 	rules_counter \
 	set_skip \
Index: tests/sys/netpfil/pf/ridentifier.sh
===================================================================
--- tests/sys/netpfil/pf/ridentifier.sh
+++ tests/sys/netpfil/pf/ridentifier.sh
@@ -1,9 +1,8 @@
 # $FreeBSD$
-# Utility functions
-##
+#
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #
-# Copyright (c) 2017 Kristof Provost
+# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -26,80 +25,62 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-. $(atf_get_srcdir)/../../common/vnet.subr
+. $(atf_get_srcdir)/utils.subr
 
-pft_init()
+atf_test_case "basic" "cleanup"
+basic_head()
 {
-	vnet_init
-
-	if [ ! -c /dev/pf ]; then
-		atf_skip "This test requires pf"
-	fi
+	atf_set descr 'Test ridentifier keyword'
+	atf_set require.user root
 }
 
-pfsynct_init()
+basic_body()
 {
 	pft_init
+	pflog_init
 
-	if ! kldstat -q -m pfsync; then
-		atf_skip "This test requires pfsync"
-	fi
-}
+	epair=$(vnet_mkepair)
 
-pft_set_rules()
-{
-	jname=$1
-	shift
+	ifconfig ${epair}a 192.0.2.1/24 up
 
-	if [ $jname == "noflush" ];
-	then
-		jname=$1
-		shift
-	else
-		# Flush all states, rules, fragments, ...
-		jexec ${jname} pfctl -F all
-	fi
+	vnet_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+	jexec alcatraz /usr/sbin/inetd -p inetd-alcatraz.pid $(atf_get_srcdir)/echo_inetd.conf
 
-	while [ $# -gt 0 ]; do
-		printf "$1\n"
-		shift
-	done | jexec ${jname} pfctl -f -
-	if [ $? -ne 0 ];
-	then
-		atf_fail "Failed to set PF rules in ${jname}"
-	fi
-}
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
 
-pft_cleanup()
-{
-	vnet_cleanup
-}
+	jexec alcatraz pfctl -e
+	jexec alcatraz ifconfig pflog0 up
+	pft_set_rules alcatraz \
+		"pass in log" \
+		"pass in log proto tcp ridentifier 1234"
 
-pfsynct_cleanup()
-{
-	pft_cleanup
-}
+	jexec alcatraz tcpdump --immediate-mode -n -e -i pflog0 > tcpdump.log &
+	sleep 1
 
-is_altq_supported()
-{
-	sysctl -q kern.features.altq >/dev/null || \
-		atf_skip "Test requires ALTQ"
+	echo "test" | nc -N 192.0.2.2 7
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+	sleep 1
+	jexec alcatraz killall tcpdump
 
-	while [ -n "$1" ]
-	do
-		sysctl -q kern.features.altq.${1} >/dev/null || \
-			atf_skip "Test required ALTQ_${1}"
-		shift
-	done
+	# Make sure we spotted the ridentifier
+	atf_check -s exit:0 -o ignore \
+		grep 'rule 1/0.*ridentifier 1234' tcpdump.log
+	# But not on the !TCP traffic
+	atf_check -s exit:1 -o ignore \
+		grep 'rule 0/0.*ridentifier' tcpdump.log
 }
 
-altq_init()
+basic_cleanup()
 {
-	pft_init
-	is_altq_supported
+	pft_cleanup
+	rm -f inetd-alcatraz.pid
+	rm -f tcpdump.log
 }
 
-altq_cleanup()
+atf_init_test_cases()
 {
-	pft_cleanup
+	atf_add_test_case "basic"
 }
Index: tests/sys/netpfil/pf/utils.subr
===================================================================
--- tests/sys/netpfil/pf/utils.subr
+++ tests/sys/netpfil/pf/utils.subr
@@ -46,6 +46,13 @@
 	fi
 }
 
+pflog_init()
+{
+	if ! kldstat -q -m pflog; then
+		atf_skip "This test requires pflog"
+	fi
+}
+
 pft_set_rules()
 {
 	jname=$1
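Review bot: The `echo "test" | nc -N 192.0.2.2 7` line in basic_body is the only traffic meant to hit the `proto tcp ridentifier 1234` rule, yet its exit status is never checked, so a failed connect (nc absent, inetd not listening, wrong address) only shows up later as the `rule 1/0.*ridentifier 1234` grep failing, which points the reader at pflog rather than at the real cause; wrap it as `atf_check -s exit:0 -o ignore sh -c 'echo test | nc -N 192.0.2.2 7'` so the failure is attributed correctly. The inetd start two lines earlier and `jexec alcatraz pfctl -e` are likewise unchecked and would benefit from the same `atf_check` treatment. The fixed `sleep 1` after backgrounding tcpdump gives no confirmation that the pflog0 capture is actually open before the probe traffic is sent, which may make the positive check flaky on a loaded host; a short comment such as `# tcpdump is given a second to open pflog0 before traffic is generated` would at least make the assumption explicit for whoever debugs an intermittent failure.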