D12581.id33663.diff
Index: tests/sys/netpfil/pf/Makefile
===================================================================
--- tests/sys/netpfil/pf/Makefile
+++ tests/sys/netpfil/pf/Makefile
@@ -4,8 +4,12 @@
TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
-ATF_TESTS_SH+= pass_block
+ATF_TESTS_SH+= pass_block \
+ forward
-${PACKAGE}FILES+= utils.subr
+${PACKAGE}FILES+= utils.subr \
+ pft_ping.py
+
+${PACKAGE}FILESMODE_pft_ping.py= 0555
.include <bsd.test.mk>
Index: tests/sys/netpfil/pf/forward.sh
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/forward.sh
@@ -0,0 +1,67 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+}
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'Basic forwarding test'
+ atf_set require.user root
+
+ # We need scapy to be installed for out test scripts to work
+ atf_set require.progs /usr/local/bin/scapy
+}
+
+v4_body()
+{
+ pft_init
+
+ epair_send=$(pft_mkepair)
+ ifconfig ${epair_send}a 172.16.42.1/24 up
+
+ epair_recv=$(pft_mkepair)
+ ifconfig ${epair_recv}a up
+
+ pft_mkjail alcatraz ${epair_send}b ${epair_recv}b
+ jexec alcatraz ifconfig ${epair_send}b 172.16.42.2/24 up
+ jexec alcatraz ifconfig ${epair_recv}b 172.16.43.2/24 up
+ jexec alcatraz sysctl net.inet.ip.forwarding=1
+ jexec alcatraz arp -s 172.16.43.3 00:01:02:03:04:05
+ route add -net 172.16.43.0/24 172.16.42.2
+
+ # Sanity check, can we forward ICMP echo requests without pf?
+ atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
+ --sendif ${epair_send}a \
+ --to 172.16.43.3 \
+ --recvif ${epair_recv}a
+
+ # Forward with pf enabled
+ printf "block in\n" | jexec alcatraz pfctl -ef -
+ atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
+ --sendif ${epair_send}a \
+ --to 172.16.43.3 \
+ --recvif ${epair_recv}a
+
+ printf "block out\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
+ --send ${epair_send}a \
+ --to 172.16.43.3 \
+ --recv ${epair_recv}a
+
+ # Allow ICMP
+ printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
+ atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
+ --sendif ${epair_send}a \
+ --to 172.16.43.3 \
+ --recvif ${epair_recv}a
+}
+
+v4_cleanup()
+{
+ pft_cleanup
+}
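Review bot: The third pft_ping.py invocation in v4_body (the `block out` case) passes `--send` and `--recv`, while the other three use `--sendif` and `--recvif`. It only works because argparse accepts unambiguous option prefixes by default, so spell the options out: `--sendif ${epair_send}a \` and `--recvif ${epair_recv}a`. Keeping all four calls identical makes it clear that the pf ruleset is the only thing varying between the checks. The comment in v4_head also has a typo, `out test scripts` for `our test scripts`.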
Index: tests/sys/netpfil/pf/pft_ping.py
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/pft_ping.py
@@ -0,0 +1,83 @@
+#!/usr/local/bin/python
+
+import argparse
+import scapy.all as sp
+import sys
+import threading
+
+PAYLOAD_MAGIC = 0x42c0ffee
+
+class Sniffer(threading.Thread):
+ def __init__(self, recvif):
+ threading.Thread.__init__(self)
+
+ self._recvif = recvif
+
+ self.start()
+
+ def run(self):
+ self.packets = sp.sniff(iface=self._recvif, timeout=3)
+
+def check_ping_request(packet, dst_ip):
+ """
+ Verify that the packet matches what we'd have sent
+ """
+ ip = packet.getlayer(sp.IP)
+ if not ip:
+ return False
+ if ip.dst != dst_ip:
+ return False
+
+ icmp = packet.getlayer(sp.ICMP)
+ if not icmp:
+ return False
+ if sp.icmptypes[icmp.type] != 'echo-request':
+ return False
+
+ raw = packet.getlayer(sp.Raw)
+ if not raw:
+ return False
+ if raw.load != str(PAYLOAD_MAGIC):
+ return False
+
+ return True
+
+def ping(send_if, dst_ip):
+ req = sp.Ether() \
+ / sp.IP(dst=dst_ip) \
+ / sp.ICMP(type='echo-request') \
+ / sp.Raw(PAYLOAD_MAGIC)
+ sp.sendp(req, iface=send_if, verbose=False)
+
+def main():
+ parser = argparse.ArgumentParser("pft_ping.py",
+ description="Ping test tool")
+ parser.add_argument('--sendif', nargs=1,
+ required=True,
+ help='The interface through which the packet(s) will be sent')
+ parser.add_argument('--recvif', nargs=1,
+ help='The interface on which to expect the ICMP echo response')
+ parser.add_argument('--to', nargs=1,
+ required=True,
+ help='The destination IP address for the ICMP echo request')
+
+ args = parser.parse_args()
+
+ sniffer = None
+ if not args.recvif is None:
+ sniffer = Sniffer(args.recvif[0])
+
+ ping(args.sendif[0], args.to[0])
+
+ if sniffer:
+ sniffer.join()
+
+ for packet in sniffer.packets:
+ if check_ping_request(packet, args.to[0]):
+ sys.exit(0)
+
+ # We did not get the packet we expected
+ sys.exit(1)
+
+if __name__ == '__main__':
+ main()
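Review bot: The capture thread and the send race each other: `Sniffer.__init__` calls `self.start()` and `main()` calls `ping()` right after, with nothing confirming that `sp.sniff()` is already listening on the receive interface. A request sent before the capture is up is simply missed and the script exits 1, which is the same status forward.sh expects for the `block in` and `block out` cases, so those assertions cannot tell a pf drop from a lost capture. Have the sniffer signal readiness before the request goes out, as sketched below; `started_callback` needs a scapy release whose `sniff()` accepts it. Initialising `self.packets` in `__init__` also avoids an AttributeError in `main()` if the sniff itself fails.

```python
class Sniffer(threading.Thread):
    def __init__(self, recvif):
        threading.Thread.__init__(self)

        self._recvif = recvif
        self._ready = threading.Event()
        self.packets = []

        self.start()
        # Block until the capture is running so ping() cannot race it
        self._ready.wait(timeout=3)

    def run(self):
        self.packets = sp.sniff(iface=self._recvif, timeout=3,
                started_callback=self._ready.set)

# … unchanged: check_ping_request, ping, main …
```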
Index: tests/sys/netpfil/pf/utils.subr
===================================================================
--- tests/sys/netpfil/pf/utils.subr
+++ tests/sys/netpfil/pf/utils.subr
@@ -25,8 +25,14 @@
pft_mkjail()
{
jailname=$1
- ifname=$2
- jail -c name=${jailname} persist vnet vnet.interface=${ifname}
+ shift
+
+ vnet_interfaces=
+ for ifname in $@
+ do
+ vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}"
+ done
+ jail -c name=${jailname} persist vnet ${vnet_interfaces}
echo $jailname >> created_jails.lst
}
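Review bot: The new loop in pft_mkjail iterates over an unquoted `$@`, which re-splits and glob-expands every argument; `for ifname in "$@"` passes each interface name through as given. `${vnet_interfaces}` on the `jail -c` line has to stay unquoted, since it relies on word splitting to produce one `vnet.interface=` parameter per interface, and a short comment there saying so would stop someone from "fixing" it later.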
D12581: pf: Very basic forwarding test