Changeset View
Changeset View
Standalone View
Standalone View
tests/sys/netpfil/pf/forward.sh
- This file was added.
| # $FreeBSD$ | |||||
| . $(atf_get_srcdir)/utils.subr | |||||
| atf_init_test_cases() | |||||
| { | |||||
| atf_add_test_case "v4" | |||||
| } | |||||
| atf_test_case "v4" "cleanup" | |||||
| v4_head() | |||||
| { | |||||
| atf_set descr 'Basic forwarding test' | |||||
asomers: `require.progs` searches through your `PATH` so it should be used with plain executable names. | |||||
| atf_set require.user root | |||||
| # We need scapy to be installed for out test scripts to work | |||||
| atf_set require.progs /usr/local/bin/scapy | |||||
| } | |||||
| v4_body() | |||||
| { | |||||
| pft_init | |||||
| epair_send=$(pft_mkepair) | |||||
| ifconfig ${epair_send}a 172.16.42.1/24 up | |||||
asomersUnsubmitted Done Inline ActionsHere as in the other review, use RFC5737 addresses asomers: Here as in the other review, use RFC5737 addresses | |||||
kpAuthorUnsubmitted Done Inline ActionsAck, will fix (in the next few days). kp: Ack, will fix (in the next few days). | |||||
| epair_recv=$(pft_mkepair) | |||||
| ifconfig ${epair_recv}a up | |||||
| pft_mkjail alcatraz ${epair_send}b ${epair_recv}b | |||||
| jexec alcatraz ifconfig ${epair_send}b 172.16.42.2/24 up | |||||
| jexec alcatraz ifconfig ${epair_recv}b 172.16.43.2/24 up | |||||
| jexec alcatraz sysctl net.inet.ip.forwarding=1 | |||||
asomersUnsubmitted Done Inline ActionsThis is too intrusive, and could screw up the host system. If you're going to do it, then put require.config allow_sysctl_side_effects in the head, and restore the old setting of net.inet.ip.forwarding during cleanup. asomers: This is too intrusive, and could screw up the host system. If you're going to do it, then put… | |||||
kpAuthorUnsubmitted Done Inline ActionsNote that this only affects the jail, not the host system. kp: Note that this only affects the jail, not the host system. | |||||
asomersUnsubmitted Done Inline ActionsOh, I see. I didn't realize that was a per-VIMAGE sysctl. asomers: Oh, I see. I didn't realize that was a per-VIMAGE sysctl. | |||||
| jexec alcatraz arp -s 172.16.43.3 00:01:02:03:04:05 | |||||
| route add -net 172.16.43.0/24 172.16.42.2 | |||||
| # Sanity check, can we forward ICMP echo requests without pf? | |||||
| atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ | |||||
| --sendif ${epair_send}a \ | |||||
| --to 172.16.43.3 \ | |||||
| --recvif ${epair_recv}a | |||||
| # Forward with pf enabled | |||||
| printf "block in\n" | jexec alcatraz pfctl -ef - | |||||
| atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ | |||||
| --sendif ${epair_send}a \ | |||||
| --to 172.16.43.3 \ | |||||
| --recvif ${epair_recv}a | |||||
| printf "block out\n" | jexec alcatraz pfctl -f - | |||||
| atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ | |||||
| --send ${epair_send}a \ | |||||
| --to 172.16.43.3 \ | |||||
| --recv ${epair_recv}a | |||||
| # Allow ICMP | |||||
| printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - | |||||
| atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ | |||||
| --sendif ${epair_send}a \ | |||||
| --to 172.16.43.3 \ | |||||
| --recvif ${epair_recv}a | |||||
| } | |||||
| v4_cleanup() | |||||
| { | |||||
| pft_cleanup | |||||
| } | |||||
require.progs searches through your PATH so it should be used with plain executable names. require.files does not, so it should be used with absolute paths. In this case, since ports can be installed to alternate prefixes, you should probably do require.progs scapy