Differential D24021 Diff 69560 tests/sys/netpfil/common/ipfw_me4.sh

Changeset View

Standalone View

tests/sys/netpfil/common/ipfw_me4.sh

Property	Old Value	New Value
svn:eol-style	null	native \ No newline at end of property
svn:executable	null	* \ No newline at end of property
svn:keywords	null	FreeBSD=%H \ No newline at end of property
svn:mime-type	null	text/plain \ No newline at end of property

				#-
				# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
				#
				# Copyright (c) 2020 Neel Chauhan
				#
				melifaroUnsubmitted Done Inline Actions 2020 ? :-) melifaro: 2020 ? :-)
				# Redistribution and use in source and binary forms, with or without
				# modification, are permitted provided that the following conditions
				# are met:
				# 1. Redistributions of source code must retain the above copyright
				# notice, this list of conditions and the following disclaimer.
				# 2. Redistributions in binary form must reproduce the above copyright
				# notice, this list of conditions and the following disclaimer in the
				# documentation and/or other materials provided with the distribution.
				#
				# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
				# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
				# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
				# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
				# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
				# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
				# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
				# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
				# SUCH DAMAGE.
				#
				# $FreeBSD$
				#

				. $(atf_get_srcdir)/utils.subr
				. $(atf_get_srcdir)/runner.subr

				me4_allow_head()
				{
				atf_set descr 'IPFW me4 allow identifier test'
				atf_set require.user root
				}

				me4_allow_body()
				{
				firewall=$1
				firewall_init $firewall
				jname_cli="client"
				jname_srv="server"

				epair=$(vnet_mkepair)
				melifaroUnsubmitted Done Inline Actions I'd suggest creating another jail for this end, to avoid using `192.0.2.0/24` in the host system and allow this tests running in parallel with other tests using this network. melifaro: I'd suggest creating another jail for this end, to avoid using `192.0.2.0/24` in the host…
				vnet_mkjail ${jname_cli} ${epair}a
				melifaroUnsubmitted Done Inline Actions Better to use something like `${jname}` as jail identifier. Also: it would be better to have the jail name somewhat consistent with the test name, as in the future we will certainly have more `ipfw(8)` tests. melifaro: Better to use something like `${jname}` as jail identifier. Also: it would be better to have…
				jexec ${jname_cli} ifconfig ${epair}a 192.0.2.1/30 up
				vnet_mkjail ${jname_srv} ${epair}b
				jexec ${jname_srv} ifconfig ${epair}b 192.0.2.2/30 up
				melifaroUnsubmitted Done Inline Actions Maybe it's worth having simple setup with allow+deny rule and not having depends on `rc.firewall` functionality? melifaro: Maybe it's worth having simple setup with allow+deny rule and not having depends on `rc.

				firewall_config ${jname_srv} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"
				firewall_config ${jname_cli} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"
				atf_check -s exit:0 -o ignore jexec ${jname_cli} ping -c 1 -t 1 192.0.2.2
				melifaroUnsubmitted Done Inline Actions It would be better if you make the positive and negative cases into separate tests. melifaro: It would be better if you make the positive and negative cases into separate tests.
				}

				me4_allow_cleanup()
				{
				firewall=$1
				firewall_cleanup $firewall
				}

				me4_deny_head()
				{
				atf_set descr 'IPFW me4 deny identifier test'
				atf_set require.user root
				}

				me4_deny_body()
				melifaroUnsubmitted Done Inline Actions Could you also add the tests, verifying that: me4 does NOT match non-local IPv4 address (probably can rely on the fact that firewalling local outbound connection results in EPERM for the deny rule) me4 does NOT match IPv6 traffic ? melifaro: Could you also add the tests, verifying that: * me4 does NOT match non-local IPv4 address…
				{
				firewall=$1
				firewall_init $firewall
				jname_cli="client"
				jname_srv="server"

				epair=$(vnet_mkepair)
				vnet_mkjail ${jname_cli} ${epair}a
				jexec ${jname_cli} ifconfig ${epair}a 192.0.2.1/30 up
				vnet_mkjail ${jname_srv} ${epair}b
				jexec ${jname_srv} ifconfig ${epair}b 192.0.2.2/30 up

				firewall_config ${jname_srv} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 deny all from any to me4"
				firewall_config ${jname_cli} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"
				atf_check -s exit:2 -o ignore jexec ${jname_cli} ping -c 1 -t 1 192.0.2.2

				firewall_config ${jname_srv} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 deny all from me4 to any"
				firewall_config ${jname_cli} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"
				atf_check -s exit:2 -o ignore jexec ${jname_cli} ping -c 1 -t 1 192.0.2.2
				}

				me4_deny_cleanup()
				{
				firewall=$1
				firewall_cleanup $firewall
				}

				me4_nonlocal_head()
				{
				atf_set descr 'IPFW me4 non-local identifier test'
				atf_set require.user root
				}

				me4_nonlocal_body()
				{
				firewall=$1
				firewall_init $firewall
				jname_cli="client"
				jname_srv="server"

				epair1=$(vnet_mkepair)
				epair2=$(vnet_mkepair)

				vnet_mkjail ${jname_cli} ${epair1}a
				jexec ${jname_cli} ifconfig ${epair1}a 192.0.2.1/30 up

				vnet_mkjail ${jname_srv} ${epair1}b ${epair2}b
				jexec ${jname_srv} ifconfig ${epair1}a 192.0.2.2/30 up
				jexec ${jname_srv} ifconfig ${epair2}b 198.51.100.1/30 up

				ifconfig ${epair2}a 198.51.100.2/30 up

				jexec ${jname_srv} sysctl net.inet.ip.forwarding=1
				jexec ${jname_cli} route add -net 198.51.100.0/30 192.0.2.2
				route add -net 192.0.2.0/30 198.51.100.1

				firewall_config ${jname_srv} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 deny tcp from any to me4 7" \
				"ipfw -q add 200 allow all from any to any"
				firewall_config ${jname_cli} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"

				atf_check -s exit:2 -o ignore jexec ${jname_cli} ping -c 1 -t 1 198.51.100.2
				}

				me4_nonlocal_cleanup()
				{
				firewall=$1
				firewall_cleanup $firewall
				}

				me4_ipv6_head()
				{
				atf_set descr 'IPFW me4 identifier ipv6 test'
				atf_set require.user root
				}

				me4_ipv6_body()
				{
				firewall=$1
				firewall_init $firewall
				jname_cli="client"
				jname_srv="server"

				epair=$(vnet_mkepair)
				vnet_mkjail ${jname_cli} ${epair}a
				jexec ${jname_cli} ifconfig ${epair}a 192.0.2.1/30 up
				jexec ${jname_cli} ifconfig ${epair}a inet6 fd7a:803f:cc4b::1/64 up no_dad
				vnet_mkjail ${jname_srv} ${epair}b
				jexec ${jname_srv} ifconfig ${epair}b 192.0.2.2/30 up
				jexec ${jname_srv} ifconfig ${epair}b inet6 fd7a:803f:cc4b::2/64 up no_dad

				firewall_config ${jname_srv} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 deny all from any to me4" \
				"ipfw -q add 200 allow all from any to any"
				firewall_config ${jname_cli} ${firewall} \
				"ipfw" \
				"ipfw -q add 100 allow all from any to any"

				atf_check -s exit:0 -o ignore jexec ${jname_cli} ping6 -c 1 -W 1 fd7a:803f:cc4b::2
				}

				me4_ipv6_cleanup()
				{
				firewall=$1
				firewall_cleanup $firewall
				}


				setup_tests \
				me4_allow \
				ipfw \
				me4_deny \
				ipfw \
				me4_ipv6 \
				ipfw \
				me4_nonlocal \
				ipfw