D12580.id33662.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D12580.id33662.diff
View Options

	Index: etc/mtree/BSD.tests.dist
	===================================================================
	--- etc/mtree/BSD.tests.dist
	+++ etc/mtree/BSD.tests.dist
	@@ -478,6 +478,10 @@
	..
	netinet
	..
	+ netpfil
	+ pf
	+ ..
	+ ..
	opencrypto
	..
	pjdfstest
	Index: tests/sys/Makefile
	===================================================================
	--- tests/sys/Makefile
	+++ tests/sys/Makefile
	@@ -13,6 +13,7 @@
	TESTS_SUBDIRS+= mac
	TESTS_SUBDIRS+= mqueue
	TESTS_SUBDIRS+= netinet
	+TESTS_SUBDIRS+= netpfil
	TESTS_SUBDIRS+= opencrypto
	TESTS_SUBDIRS+= posixshm
	TESTS_SUBDIRS+= sys
	Index: tests/sys/netpfil/Makefile
	===================================================================
	--- /dev/null
	+++ tests/sys/netpfil/Makefile
	@@ -0,0 +1,7 @@
	+# $FreeBSD$
	+
	+TESTSDIR= ${TESTSBASE}/sys/netpfil
	+
	+TESTS_SUBDIRS+= pf
	+
	+.include <bsd.test.mk>
	Index: tests/sys/netpfil/pf/Makefile
	===================================================================
	--- /dev/null
	+++ tests/sys/netpfil/pf/Makefile
	@@ -0,0 +1,11 @@
	+# $FreeBSD$
	+
	+PACKAGE= tests
	+
	+TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
	+
	+ATF_TESTS_SH+= pass_block
	+
	+${PACKAGE}FILES+= utils.subr
	+
	+.include <bsd.test.mk>
	Index: tests/sys/netpfil/pf/pass_block.sh
	===================================================================
	--- /dev/null
	+++ tests/sys/netpfil/pf/pass_block.sh
	@@ -0,0 +1,94 @@
	+# $FreeBSD$
	+
	+. $(atf_get_srcdir)/utils.subr
	+
	+atf_init_test_cases()
	+{
	+ atf_add_test_case "v4"
	+ atf_add_test_case "v6"
	+}
	+
	+atf_test_case "v4" "cleanup"
	+v4_head()
	+{
	+ atf_set descr 'Basic pass/block test for IPv4'
	+ atf_set require.user root
	+}
	+
	+v4_body()
	+{
	+ pft_init
	+
	+ epair=$(pft_mkepair)
	+ ifconfig ${epair}a 172.16.42.1/24 up
	+
	+ # Set up a simple jail with one interface
	+ pft_mkjail alcatraz ${epair}b
	+ jexec alcatraz ifconfig ${epair}b 172.16.42.2/24 up
	+
	+ # Trivial ping to the jail, without pf
	+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 172.16.42.2
	+
	+ # pf without policy will let us ping
	+ jexec alcatraz pfctl -e
	+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 172.16.42.2
	+
	+ # Block everything
	+ printf "block in\n" \| jexec alcatraz pfctl -f -
	+ atf_check -s exit:2 -o ignore ping -c 1 -t 1 172.16.42.2
	+
	+ # Block everything but ICMP
	+ printf "block in\npass in proto icmp\n" \| jexec alcatraz pfctl -f -
	+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 172.16.42.2
	+}
	+
	+v4_cleanup()
	+{
	+ pft_cleanup
	+}
	+
	+atf_test_case "v6" "cleanup"
	+v6_head()
	+{
	+ atf_set descr 'Basic pass/block test for IPv6'
	+ atf_set require.user root
	+}
	+
	+v6_body()
	+{
	+ pft_init
	+
	+ epair=$(pft_mkepair)
	+ ifconfig ${epair}a inet6 2001:db8:42::1/64 up
	+
	+ # Set up a simple jail with one interface
	+ pft_mkjail alcatraz ${epair}b
	+ jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up
	+
	+ # XXX v6 Address assignment is not instant...
	+ sleep 1
	+
	+ # Trivial ping to the jail, without pf
	+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
	+
	+ # pf without policy will let us ping
	+ jexec alcatraz pfctl -e
	+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
	+
	+ # Block everything
	+ printf "block in\n" \| jexec alcatraz pfctl -f -
	+ atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
	+
	+ # Block everything but ICMP
	+ printf "block in\npass in proto icmp6\n" \| jexec alcatraz pfctl -f -
	+ atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
	+
	+ # Allowing ICMPv4 does not allow ICMPv6
	+ printf "block in\npass in proto icmp\n" \| jexec alcatraz pfctl -f -
	+ atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
	+}
	+
	+v6_cleanup()
	+{
	+ pft_cleanup
	+}
	Index: tests/sys/netpfil/pf/utils.subr
	===================================================================
	--- /dev/null
	+++ tests/sys/netpfil/pf/utils.subr
	@@ -0,0 +1,45 @@
	+# $FreeBSD$
	+# Utility functions
	+##
	+
	+pft_init()
	+{
	+ kldload -n pf
	+
	+ if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then
	+ atf_skip "This test requires VIMAGE"
	+ fi
	+
	+ # Ensure these files exist as this simplifies cleanup code
	+ touch created_interfaces.lst
	+ touch created_jails.lst
	+}
	+
	+pft_mkepair()
	+{
	+ ifname=$(ifconfig epair create)
	+ echo $ifname >> created_interfaces.lst
	+ echo ${ifname%a}
	+}
	+
	+pft_mkjail()
	+{
	+ jailname=$1
	+ ifname=$2
	+ jail -c name=${jailname} persist vnet vnet.interface=${ifname}
	+
	+ echo $jailname >> created_jails.lst
	+}
	+
	+pft_cleanup()
	+{
	+ for ifname in `cat created_interfaces.lst`
	+ do
	+ ifconfig ${ifname} destroy
	+ done
	+
	+ for jailname in `cat created_jails.lst`
	+ do
	+ jail -r ${jailname}
	+ done
	+}

File Metadata

Mime Type: text/plain
Expires: Fri, Dec 26, 10:30 PM (6 h, 3 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 27291156
Default Alt Text: D12580.id33662.diff (4 KB)

D12580.id33662.diffNo OneTemporaryActions

D12580.id33662.diffView Options

File Metadata

Event Timeline

D12580.id33662.diff
No OneTemporary
Actions

D12580.id33662.diff
View Options