Changeset View
Changeset View
Standalone View
Standalone View
tests/sys/netpfil/pf/ether.sh
| Show First 20 Lines • Show All 127 Lines • ▼ Show 20 Lines | proto_body() | ||||
| atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 | atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 | ||||
| } | } | ||||
| proto_cleanup() | proto_cleanup() | ||||
| { | { | ||||
| pft_cleanup | pft_cleanup | ||||
| } | } | ||||
| atf_test_case "direction" "cleanup" | |||||
| direction_head() | |||||
| { | |||||
| atf_set descr 'Test directionality of ether rules' | |||||
| atf_set require.user root | |||||
| atf_set require.progs jq | |||||
| } | |||||
| direction_body() | |||||
| { | |||||
| pft_init | |||||
| epair=$(vnet_mkepair) | |||||
| epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }') | |||||
| epair_b_mac=$(ifconfig ${epair}b ether | awk '/ether/ { print $2; }') | |||||
| ifconfig ${epair}a 192.0.2.1/24 up | |||||
| vnet_mkjail alcatraz ${epair}b | |||||
| jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up | |||||
| pft_set_rules alcatraz \ | |||||
| "ether block in proto 0x0806" | |||||
| jexec alcatraz pfctl -e | |||||
| arp -d 192.0.2.2 | |||||
| jexec alcatraz arp -d 192.0.2.1 | |||||
| # We don't allow the jail to receive ARP requests, so if we try to ping | |||||
| # from host to jail the host can't resolve the MAC address | |||||
| ping -c 1 -t 1 192.0.2.2 | |||||
| mac=$(arp -an --libxo json \ | |||||
| | jq '."arp"."arp-cache"[] | | |||||
| select(."ip-address"=="192.0.2.2")."mac-address"') | |||||
| atf_check_not_equal "$mac" "$epair_b_mac" | |||||
| # Clear ARP table again | |||||
| arp -d 192.0.2.2 | |||||
| jexec alcatraz arp -d 192.0.2.1 | |||||
| # However, we allow outbound ARP, so the host will learn our MAC if the | |||||
| # jail tries to ping | |||||
| jexec alcatraz ping -c 1 -t 1 192.0.2.1 | |||||
| mac=$(arp -an --libxo json \ | |||||
| | jq '."arp"."arp-cache"[] | | |||||
| select(."ip-address"=="192.0.2.2")."mac-address"') | |||||
| atf_check_equal "$mac" "$epair_b_mac" | |||||
| # Now do the same, but with outbound ARP blocking | |||||
| pft_set_rules alcatraz \ | |||||
| "ether block out proto 0x0806" | |||||
| # Clear ARP table again | |||||
| arp -d 192.0.2.2 | |||||
| jexec alcatraz arp -d 192.0.2.1 | |||||
| # The jail can't send ARP requests to us, so we'll never learn our MAC | |||||
| # address | |||||
| jexec alcatraz ping -c 1 -t 1 192.0.2.1 | |||||
| mac=$(jexec alcatraz arp -an --libxo json \ | |||||
| | jq '."arp"."arp-cache"[] | | |||||
| select(."ip-address"=="192.0.2.1")."mac-address"') | |||||
| atf_check_not_equal "$mac" "$epair_a_mac" | |||||
| } | |||||
| direction_cleanup() | |||||
| { | |||||
| pft_cleanup | |||||
| } | |||||
| atf_test_case "captive" "cleanup" | atf_test_case "captive" "cleanup" | ||||
| captive_head() | captive_head() | ||||
| { | { | ||||
| atf_set descr 'Test a basic captive portal-like setup' | atf_set descr 'Test a basic captive portal-like setup' | ||||
| atf_set require.user root | atf_set require.user root | ||||
| } | } | ||||
| captive_body() | captive_body() | ||||
| ▲ Show 20 Lines • Show All 62 Lines • ▼ Show 20 Lines | |||||
| { | { | ||||
| pft_cleanup | pft_cleanup | ||||
| } | } | ||||
| atf_init_test_cases() | atf_init_test_cases() | ||||
| { | { | ||||
| atf_add_test_case "mac" | atf_add_test_case "mac" | ||||
| atf_add_test_case "proto" | atf_add_test_case "proto" | ||||
| atf_add_test_case "direction" | |||||
| atf_add_test_case "captive" | atf_add_test_case "captive" | ||||
| } | } | ||||