diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -7,11 +7,13 @@
 ATF_TESTS_SH+= altq \
 anchor \
- checksum \
+ scrub_compat \
+ scrub_pass \
 dup \
 ether \
 forward \
 fragmentation \
+ fragmentation_compat \
 get_state \
 icmp \
 killstate \
@@ -27,6 +29,7 @@
 rdr \
 ridentifier \
 route_to \
+ rtable \
 rules_counter \
 set_skip \
 set_tos \
diff --git a/tests/sys/netpfil/pf/checksum.sh b/tests/sys/netpfil/pf/checksum.sh
deleted file mode 100644
--- a/tests/sys/netpfil/pf/checksum.sh
+++ /dev/null
@@ -1,86 +0,0 @@ -# SPDX-License-Identifier: BSD-2-Clause-FreeBSD -# -# Copyright (c) 2020 Kristof Provost -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. - -. 
$(atf_get_srcdir)/utils.subr - -common_dir=$(atf_get_srcdir)/../common - -atf_test_case "unaligned" "cleanup" -unaligned_head() -{ - atf_set descr 'Test unaligned checksum updates' - atf_set require.user root - atf_set require.progs scapy -} - -unaligned_body() -{ - pft_init - - epair_in=$(vnet_mkepair) - epair_out=$(vnet_mkepair) - - vnet_mkjail alcatraz ${epair_in}b ${epair_out}a - - ifconfig ${epair_in}a 192.0.2.2/24 up - route add -net 198.51.100.0/24 192.0.2.1 - - jexec alcatraz ifconfig ${epair_in}b 192.0.2.1/24 up - jexec alcatraz sysctl net.inet.ip.forwarding=1 - - jexec alcatraz ifconfig ${epair_out}a 198.51.100.1/24 up - jexec alcatraz arp -s 198.51.100.2 00:01:02:03:04:05 - - ifconfig ${epair_out}b up - - jexec alcatraz pfctl -e - pft_set_rules alcatraz \ - "scrub on ${epair_in}b reassemble tcp max-mss 1200" - - # Check aligned - atf_check -s exit:0 ${common_dir}/pft_ping.py \ - --sendif ${epair_in}a \ - --to 198.51.100.2 \ - --recvif ${epair_out}b \ - --tcpsyn - - # And unaligned - atf_check -s exit:0 ${common_dir}/pft_ping.py \ - --sendif ${epair_in}a \ - --to 198.51.100.2 \ - --recvif ${epair_out}b \ - --tcpsyn \ - --tcpopt_unaligned -} - -unaligned_cleanup() -{ - pft_cleanup -} - -atf_init_test_cases() -{ - atf_add_test_case "unaligned" -} diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation.sh --- a/tests/sys/netpfil/pf/fragmentation.sh +++ b/tests/sys/netpfil/pf/fragmentation.sh @@ -27,6 +27,8 @@ . $(atf_get_srcdir)/utils.subr +common_dir=$(atf_get_srcdir)/../common + atf_test_case "too_many_fragments" "cleanup" too_many_fragments_head() @@ -50,7 +52,8 @@ jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "scrub all fragment reassemble" + "set reassemble yes" \ + "pass keep state" # So we know pf is limiting things jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 
@@ -105,7 +108,8 @@ jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "scrub fragment reassemble" \ + "set reassemble yes" \ + "pass keep state" \ "block in" \ "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" @@ -172,7 +176,8 @@ jexec first pfctl -e pft_set_rules first \ - "scrub all fragment reassemble" + "set reassemble yes" \ + "pass keep state" # Sanity checks atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 @@ -203,7 +208,8 @@ jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "scrub all fragment reassemble" + "set reassemble yes" \ + "pass keep state" # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 @@ -302,7 +308,7 @@ atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 pft_set_rules alcatraz \ - "scrub in" \ + "set reassemble yes" \ "pass out" \ "block in" \ "pass in inet proto icmp all icmp-type echoreq" 
@@ -310,19 +316,64 @@ # Both single packet & fragmented pass when we scrub atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2 +} - pft_set_rules alcatraz \ - "scrub in fragment no reassemble" \ +reassemble_cleanup() +{ + pft_cleanup +} + +atf_test_case "no_df" "cleanup" +no_df_head() +{ + atf_set descr 'Test removing of DF flag' + atf_set require.user root +} + +no_df_body() +{ + setup_router_server_ipv4 + + ifconfig ${epair_tester}a mtu 9000 + jexec router ifconfig ${epair_tester}b mtu 9000 + jexec router ifconfig ${epair_server}a mtu 1500 + jexec server ifconfig ${epair_server}b mtu 1500 + + # Sanity check. + ping_server_reply 0 --ping-type=icmp + + pft_set_rules router \ + "set reassemble no" \ "pass out" \ "block in" \ "pass in inet proto icmp all icmp-type echoreq" - # And the fragmented ping doesn't pass if we do not reassemble - atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 - atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2 -} + # Ping with normal, fragmentable packets. + ping_server_reply 1 --ping-type=icmp --send-length=2000 -reassemble_cleanup() + pft_set_rules router \ + "set reassemble yes" \ + "pass out" \ + "block in" \ + "pass in inet proto icmp all icmp-type echoreq" + + # Ping with normal, fragmentable packets. + ping_server_reply 0 --ping-type=icmp --send-length=2000 + + # Ping with non-fragmentable packets. + ping_server_reply 1 --ping-type=icmp --send-length=2000 --send-flags DF + + pft_set_rules router \ + "set reassemble yes no-df" \ + "pass out" \ + "block in" \ + "pass in inet proto icmp all icmp-type echoreq" + + # Ping with non-fragmentable packets again. + # This time pf will strip the DF flag. + ping_server_reply 0 --ping-type=icmp --send-length=2000 --send-flags DF +} +no_df_cleanup() { pft_cleanup } @@ -336,4 +387,5 @@ atf_add_test_case "overindex" atf_add_test_case "overlimit" atf_add_test_case "reassemble" + atf_add_test_case "no_df" } 
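Review bot: `no_df_head` sets only `require.user root`, whereas every other new test case on this change that drives traffic through the `ping_*` helpers (rtable.sh, scrub_compat.sh, scrub_pass.sh) also sets `atf_set require.progs scapy`; if `ping_server_reply` is backed by pft_ping.py, this case will fail instead of being skipped on a host without scapy. The same omission is in the copy of `no_df_head` added to fragmentation_compat.sh. The comment `# Ping with normal, fragmentable packets.` precedes both the `set reassemble no` call that expects failure (`ping_server_reply 1`) and the `set reassemble yes` call that expects success; the first would be clearer as `# With reassembly off the trailing fragments presumably carry no ICMP header for the echoreq rule to match, so this ping is expected to fail.` The context line `# Both single packet & fragmented pass when we scrub` still refers to scrub although the rule loaded just above it is now `set reassemble yes`.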
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation_compat.sh
copy from tests/sys/netpfil/pf/fragmentation.sh
copy to tests/sys/netpfil/pf/fragmentation_compat.sh
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation_compat.sh
@@ -327,6 +327,53 @@
 pft_cleanup
 }
+atf_test_case "no_df" "cleanup"
+no_df_head()
+{
+ atf_set descr 'Test removing of DF flag'
+ atf_set require.user root
+}
+
+no_df_body()
+{
+ setup_router_server_ipv4
+
+ ifconfig ${epair_tester}a mtu 9000
+ jexec router ifconfig ${epair_tester}b mtu 9000
+ jexec router ifconfig ${epair_server}a mtu 1500
+ jexec server ifconfig ${epair_server}b mtu 1500
+
+ # Sanity check.
+ ping_server_reply 0 --ping-type=icmp
+
+ pft_set_rules router \
+ "scrub fragment reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with normal, fragmentable packets.
+ ping_server_reply 0 --ping-type=icmp --send-length=2000
+
+ # Ping with non-fragmentable packets, this will fail.
+ ping_server_reply 1 --ping-type=icmp --send-length=2000 --send-flags DF
+
+ pft_set_rules router \
+ "scrub any reassemble" \
+ "pass out" \
+ "block in" \
+ "pass in inet proto icmp all icmp-type echoreq"
+
+ # Ping with non-fragmentable packets again.
+ # This time pf will strip the DF flag.
+ ping_server_reply 0 --ping-type=icmp --send-length=2000 --send-flags DF
+}
+
+no_df_cleanup()
+{
+ pft_cleanup
+}
+
 atf_init_test_cases()
 {
 atf_add_test_case "too_many_fragments"
diff --git a/tests/sys/netpfil/pf/rtable.sh b/tests/sys/netpfil/pf/rtable.sh
new file mode 100644
--- /dev/null
+++ b/tests/sys/netpfil/pf/rtable.sh
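Review bot: Neither rule set in the compat `no_df_body` carries `no-df`, yet the comment `# This time pf will strip the DF flag.` expects the second ruleset (`scrub any reassemble`) to strip DF where the first (`scrub fragment reassemble`) is expected to drop the DF-marked ping; nothing in the rules as written shows what makes the difference, so a comment naming the scrub behaviour being relied on (or an explicit `no-df` if that is what is meant) would make the expectation verifiable. The second rule also uses `scrub any` where the old fragmentation.sh lines on this page use `scrub all`/`scrub fragment`, which is worth a word if intentional. The comment `# Ping with non-fragmentable packets, this will fail.` would be clearer as `# DF-marked 2000-byte packets presumably cannot cross the 1500-byte server link, so this ping is expected to fail.`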
@@ -0,0 +1,133 @@ +# $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2023 Kajetan Staszkiewicz +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. 
$(atf_get_srcdir)/utils.subr + +common_dir=$(atf_get_srcdir)/../common + +atf_test_case "forward_v4" "cleanup" +forward_v4_head() +{ + atf_set descr 'Test IPv4 forwarding with rtable' + atf_set require.user root + atf_set require.progs scapy +} + +forward_v4_body() +{ + setup_router_server_ipv4 + + # Sanity check + ping_server_reply 0 + + jexec router sysctl net.fibs=2 + jexec router ifconfig ${epair_server}a fib 1 + jexec router route del -net ${net_server} + jexec router route add -fib 1 -net ${net_server} -iface ${epair_server}a + + # Sanity check + ping_server_reply 1 + + # This rule is not enough. + # Echo requests will be properly forwarded but replies can't be routed back. + pft_set_rules router \ + "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" + ping_server_reply 1 + + # Allow replies coming back to the tester properly via stateful filtering post-routing. + pft_set_rules router \ + "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" \ + "pass out on ${epair_server}a inet proto icmp all icmp-type echoreq rtable 0" + ping_server_reply 0 + + # Allow replies coming back to the tester properly via provding extra routes in rtable 1 + pft_set_rules router \ + "pass in on ${epair_tester}b inet proto icmp all icmp-type echoreq rtable 1" + jexec router route add -fib 1 -net ${net_tester} -iface ${epair_tester}b + ping_server_reply 0 +} + +forward_v4_cleanup() +{ + pft_cleanup +} + +atf_test_case "forward_v6" "cleanup" +forward_v6_head() +{ + atf_set descr 'Test IPv4 forwarding with rtable' + atf_set require.user root + atf_set require.progs scapy +} + +forward_v6_body() +{ + setup_router_server_ipv6 + + # Sanity check + ping_server_reply 0 + + jexec router sysctl net.fibs=2 + jexec router ifconfig ${epair_server}a fib 1 + jexec router route del -6 ${net_server} + jexec router route add -fib 1 -6 ${net_server} -iface ${epair_server}a + + # Sanity check + ping_server_reply 1 + + # This rule is not enough. 
+ # Echo requests will be properly forwarded but replies can't be routed back. + pft_set_rules router \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq" + ping_server_reply 1 + + # Allow replies coming back to the tester properly via stateful filtering post-routing. + pft_set_rules router \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1" \ + "pass out on ${epair_server}a inet6 proto icmp6 icmp6-type echoreq rtable 0" + ping_server_reply 0 + + # Allow replies coming back to the tester properly via provding extra routes in rtable 1 + pft_set_rules router \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1" + jexec router route add -fib 1 -6 ${net_tester} -iface ${epair_tester}b + ping_server_reply 0 +} + +forward_v6_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "forward_v4" + atf_add_test_case "forward_v6" +} diff --git a/tests/sys/netpfil/pf/scrub_compat.sh b/tests/sys/netpfil/pf/scrub_compat.sh new file mode 100644 --- /dev/null +++ b/tests/sys/netpfil/pf/scrub_compat.sh 
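Review bot: `forward_v6_head` describes itself as 'Test IPv4 forwarding with rtable', a copy of the v4 header; it should be `atf_set descr 'Test IPv6 forwarding with rtable'`. In `forward_v6_body` the first `pft_set_rules router` call has no `rtable 1` on its echoreq rule, unlike `forward_v4_body` and the two calls that follow it, so the comment `# This rule is not enough.` describes a different rule from the one loaded and the expected `ping_server_reply 1` may be failing for an unrelated reason; the line should presumably be `"pass in on ${epair_tester}b inet6 proto icmp6 icmp6-type echoreq rtable 1"`. The two comments reading "via provding extra routes" should say "providing". `common_dir` is assigned at the top of the file but never referenced, which is also the case in the new scrub_compat.sh and scrub_pass.sh.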
@@ -0,0 +1,221 @@ +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2020 Kristof Provost +# Copyright (c) 2023 Kajetan Staszkiewicz +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. 
$(atf_get_srcdir)/utils.subr + +common_dir=$(atf_get_srcdir)/../common + +atf_test_case "max_mss_v4" "cleanup" +max_mss_v4_head() +{ + atf_set descr 'Test IPv4 scrub "mss" rule' + atf_set require.user root + atf_set require.progs scapy +} + +max_mss_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "scrub on ${epair_tester}b max-mss 1300" + # Check aligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 + # And unaligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \ + --send-tcpopt-unaligned +} + +max_mss_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "max_mss_v6" "cleanup" +max_mss_v6_head() +{ + atf_set descr 'Test IPv6 scrub "mss" rule' + atf_set require.user root + atf_set require.progs scapy +} + +max_mss_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router "scrub on ${epair_tester}b max-mss 1300" + # Check aligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 + # And unaligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \ + --send-tcpopt-unaligned +} + +max_mss_v6_cleanup() +{ + pft_cleanup +} + + +atf_test_case "set_tos_v4" "cleanup" +set_tos_v4_head() +{ + atf_set descr 'Test IPv4 scub "set-tos" rule' + atf_set require.user root + atf_set require.progs scapy +} + +set_tos_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42" + ping_dummy 0 --send-tc=0 --expect-tc=66 +} + +set_tos_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "set_tos_v6" "cleanup" +set_tos_v6_head() +{ + atf_set descr 'Test IPv6 scub "set-tos" rule' + atf_set require.user root + atf_set require.progs scapy +} + +set_tos_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router "scrub on ${epair_tester}b set-tos 0x42" + ping_dummy 0 --ping-type=tcpsyn --send-tc=0 --expect-tc=66 +} + +set_tos_v6_cleanup() +{ + pft_cleanup +} + + +atf_test_case "min_ttl_v4" "cleanup" +min_ttl_v4_head() +{ + atf_set descr 'Test IPv4 scub 
"min-ttl" rule' + atf_set require.user root + atf_set require.progs scapy +} + +min_ttl_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "scrub on ${epair_tester}b min-ttl 50" + ping_dummy 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49 +} + +min_ttl_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "min_ttl_v6" "cleanup" +min_ttl_v6_head() +{ + atf_set descr 'Test IPv6 scub "min-ttl" rule' + atf_set require.user root + atf_set require.progs scapy +} + +min_ttl_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router "scrub on ${epair_tester}b min-ttl 50" + ping_dummy 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49 +} + +min_ttl_v6_cleanup() +{ + pft_cleanup +} + + +atf_test_case "no_scrub_v4" "cleanup" +no_scrub_v4_head() +{ + atf_set descr 'Test IPv4 "no scrub" rule' + atf_set require.user root + atf_set require.progs scapy +} + +no_scrub_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router\ + "no scrub on ${epair_tester}b to ${net_server_host_server}" + "scrub on ${epair_tester}b set-tos 0x42" + ping_dummy 0 --send-tc=0 --expect-tc=0 +} + +no_scrub_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "no_scrub_v6" "cleanup" +no_scrub_v6_head() +{ + atf_set descr 'Test IPv6 "no scrub" rule' + atf_set require.user root + atf_set require.progs scapy +} + +no_scrub_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router \ + "no scrub on ${epair_tester}b to ${net_server_host_server}" + "scrub on ${epair_tester}b set-tos 0x42" + ping_dummy 0 --send-tc=0 --expect-tc=0 +} + +no_scrub_v6_cleanup() +{ + pft_cleanup +} + + +atf_init_test_cases() +{ + atf_add_test_case "max_mss_v4" + atf_add_test_case "max_mss_v6" + atf_add_test_case "set_tos_v4" + atf_add_test_case "set_tos_v6" + atf_add_test_case "min_ttl_v4" + atf_add_test_case "min_ttl_v6" + atf_add_test_case "no_scrub_v4" + atf_add_test_case "no_scrub_v6" +} diff --git a/tests/sys/netpfil/pf/scrub_pass.sh b/tests/sys/netpfil/pf/scrub_pass.sh new file mode 100644 --- /dev/null 
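Review bot: In `no_scrub_v4_body` and `no_scrub_v6_body` the line `"no scrub on ${epair_tester}b to ${net_server_host_server}"` has no trailing `\`, so the following `"scrub on ${epair_tester}b set-tos 0x42"` is parsed as a separate shell command rather than as a second argument to `pft_set_rules`; pf is loaded with the `no scrub` rule alone and `--expect-tc=0` then holds without any `set-tos` rule ever being present to be overridden. Ending the first rule line with ` \`, as every other multi-rule `pft_set_rules` call on this page does, fixes both cases. The descriptions of set_tos_v4/v6 and min_ttl_v4/v6 spell the keyword "scub"; they should read `'Test IPv4 scrub "set-tos" rule'` and so on.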
+++ b/tests/sys/netpfil/pf/scrub_pass.sh 
@@ -0,0 +1,173 @@ +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2020 Kristof Provost +# Copyright (c) 2023 Kajetan Staszkiewicz +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. 
$(atf_get_srcdir)/utils.subr + +common_dir=$(atf_get_srcdir)/../common + +atf_test_case "max_mss_v4" "cleanup" +max_mss_v4_head() +{ + atf_set descr 'Test IPv4 pass "mss" rule' + atf_set require.user root + atf_set require.progs scapy +} + +max_mss_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )" + # Check aligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 + # And unaligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \ + --send-tcpopt-unaligned +} + +max_mss_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "max_mss_v6" "cleanup" +max_mss_v6_head() +{ + atf_set descr 'Test IPv6 pass "mss" rule' + atf_set require.user root + atf_set require.progs scapy +} + +max_mss_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router "pass on ${epair_tester}b scrub ( max-mss 1300 )" + # Check aligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 + # And unaligned + ping_dummy 0 --ping-type=tcpsyn --send-mss=1400 --expect-mss=1300 \ + --send-tcpopt-unaligned +} + +max_mss_v6_cleanup() +{ + pft_cleanup +} + + +atf_test_case "set_tos_v4" "cleanup" +set_tos_v4_head() +{ + atf_set descr 'Test IPv4 pass "set-tos" rule' + atf_set require.user root + atf_set require.progs scapy +} + +set_tos_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )" + ping_dummy 0 --send-tc=66 --expect-tc=66 +} + +set_tos_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "set_tos_v6" "cleanup" +set_tos_v6_head() +{ + atf_set descr 'Test IPv6 pass "set-tos" rule' + atf_set require.user root + atf_set require.progs scapy +} + +set_tos_v6_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "pass on ${epair_tester}b set ( tos 0x42 )" + ping_dummy 0 --ping-type=tcpsyn --send-tc=66 --expect-tc=66 +} + +set_tos_v6_cleanup() +{ + pft_cleanup +} + + +atf_test_case "min_ttl_v4" "cleanup" +min_ttl_v4_head() +{ + atf_set 
descr 'Test IPv4 pass "min-ttl" rule' + atf_set require.user root + atf_set require.progs scapy +} + +min_ttl_v4_body() +{ + setup_router_dummy_ipv4 + pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )" + ping_dummy 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49 +} + +min_ttl_v4_cleanup() +{ + pft_cleanup +} + + +atf_test_case "min_ttl_v6" "cleanup" +min_ttl_v6_head() +{ + atf_set descr 'Test IPv6 pass "min-ttl" rule' + atf_set require.user root + atf_set require.progs scapy +} + +min_ttl_v6_body() +{ + setup_router_dummy_ipv6 + pft_set_rules router "pass on ${epair_tester}b scrub ( min-ttl 50 )" + ping_dummy 0 --ping-type=tcpsyn --send-hlim=40 --expect-hlim=49 +} + +min_ttl_v6_cleanup() +{ + pft_cleanup +} + + +atf_init_test_cases() +{ + atf_add_test_case "max_mss_v4" + atf_add_test_case "max_mss_v6" + atf_add_test_case "set_tos_v4" + atf_add_test_case "set_tos_v6" + atf_add_test_case "min_ttl_v4" + atf_add_test_case "min_ttl_v6" +}
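Review bot: `set_tos_v6_body` calls `setup_router_dummy_ipv4`, so the IPv6 case runs on the IPv4 topology; it should be `setup_router_dummy_ipv6`, matching `set_tos_v6_body` in scrub_compat.sh. Both set_tos cases send `--send-tc=66` and expect 66, so they pass whether or not `set ( tos 0x42 )` rewrote anything; the compat variants send `--send-tc=0 --expect-tc=66`, and the same arguments would make these tests meaningful unless the pass-rule form is known to behave differently. `common_dir` is assigned but unused here, as in the other new files.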