Index: head/tests/sys/Makefile
===================================================================
--- head/tests/sys/Makefile (revision 344763)
+++ head/tests/sys/Makefile (revision 344764)
@@ -1,42 +1,44 @@
 # $FreeBSD$
 
 .include
 
 TESTSDIR= ${TESTSBASE}/sys
 
 TESTS_SUBDIRS+= acl
 TESTS_SUBDIRS+= aio
 TESTS_SUBDIRS+= ${_audit}
 TESTS_SUBDIRS+= auditpipe
 TESTS_SUBDIRS+= capsicum
 TESTS_SUBDIRS+= ${_cddl}
 TESTS_SUBDIRS+= fifo
 TESTS_SUBDIRS+= file
 TESTS_SUBDIRS+= fs
 TESTS_SUBDIRS+= geom
 TESTS_SUBDIRS+= kern
 TESTS_SUBDIRS+= kqueue
 TESTS_SUBDIRS+= mac
 TESTS_SUBDIRS+= mqueue
 TESTS_SUBDIRS+= netinet
 TESTS_SUBDIRS+= netipsec
 TESTS_SUBDIRS+= netmap
 TESTS_SUBDIRS+= netpfil
 TESTS_SUBDIRS+= opencrypto
 TESTS_SUBDIRS+= posixshm
 TESTS_SUBDIRS+= sys
 TESTS_SUBDIRS+= vfs
 TESTS_SUBDIRS+= vm
 
 .if ${MK_AUDIT} != "no"
 _audit= audit
 .endif
 
 .if ${MK_CDDL} != "no"
 _cddl= cddl
 .endif
 
 # Items not integrated into kyua runs by default
 SUBDIR+= pjdfstest
+SUBDIR+= common
+
 
 .include
Index: head/tests/sys/common/Makefile
===================================================================
--- head/tests/sys/common/Makefile (nonexistent)
+++ head/tests/sys/common/Makefile (revision 344764)
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+PACKAGE= common
+TESTSDIR= ${TESTSBASE}/sys/common
+${PACKAGE}FILES+= vnet.subr
+
+.include

Property changes on: head/tests/sys/common/Makefile
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/tests/sys/common/vnet.subr
===================================================================
--- head/tests/sys/common/vnet.subr (nonexistent)
+++ head/tests/sys/common/vnet.subr (revision 344764)
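Review bot: The new `SUBDIR+= common` line lands directly under the comment `# Items not integrated into kyua runs by default`, but common is not a test suite that was opted out of kyua, it is a helper library that other suites source, so a reader scanning that list for disabled tests will misread it. A one-line comment of its own above it, `# Shared helper scripts installed for other test suites to source`, keeps the two groups apart. The added `+` line after it also appears to introduce a second blank line before the final `.include`, which looks unintentional.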
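Review bot: `PACKAGE= common` in the new tests/sys/common/Makefile departs from the neighbouring test Makefiles, which as far as I recall set `PACKAGE= tests`; if PACKAGE is what the packaged-base build uses to name the installation package, vnet.subr would end up in a separate package called `common` rather than with the suites that source it, and a tests-only install would fail at the `. $(atf_get_srcdir)/../../common/vnet.subr` line. Unless a separate package is intended, `PACKAGE= tests` keeps the `${PACKAGE}FILES+= vnet.subr` line working and installs the helper alongside its consumers. This is inferred from the sibling Makefiles' convention rather than from anything visible in this hunk, so worth confirming against bsd.test.mk.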
@@ -0,0 +1,51 @@
+# $FreeBSD$
+# VNAT/jail utility functions
+##
+
+vnet_init()
+{
+ if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then
+ atf_skip "This test requires VIMAGE"
+ fi
+}
+
+vnet_mkepair()
+{
+ ifname=$(ifconfig epair create)
+ echo $ifname >> created_interfaces.lst
+ echo ${ifname%a}
+}
+
+vnet_mkjail()
+{
+ jailname=$1
+ shift
+
+ vnet_interfaces=
+ for ifname in $@
+ do
+ vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}"
+ done
+ jail -c name=${jailname} persist vnet ${vnet_interfaces}
+
+ echo $jailname >> created_jails.lst
+}
+
+vnet_cleanup()
+{
+ if [ -f created_jails.lst ]; then
+ for jailname in `cat created_jails.lst`
+ do
+ jail -r ${jailname}
+ done
+ rm created_jails.lst
+ fi
+
+ if [ -f created_interfaces.lst ]; then
+ for ifname in `cat created_interfaces.lst`
+ do
+ ifconfig ${ifname} destroy
+ done
+ rm created_interfaces.lst
+ fi
+}

Property changes on: head/tests/sys/common/vnet.subr
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Index: head/tests/sys/netipsec/tunnel/utils.subr
===================================================================
--- head/tests/sys/netipsec/tunnel/utils.subr (revision 344763)
+++ head/tests/sys/netipsec/tunnel/utils.subr (revision 344764)
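Review bot: `vnet_mkepair` never checks that `ifconfig epair create` succeeded; when it fails, `ifname` is empty, an empty line is appended to created_interfaces.lst, the caller receives an empty stem and goes on to run `ifconfig a up` and `vnet_mkjail ... b`, so the test dies on a confusing later step instead of the real cause. `ifname=$(ifconfig epair create) || atf_fail "failed to create epair"` reports the actual failure and keeps the list file clean. In `vnet_mkjail`, `for ifname in $@` should be `for ifname in "$@"` so the interface names are not re-split by the shell, and the header comment's `VNAT` reads like a typo for `VNET`, the feature these helpers depend on.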
@@ -1,166 +1,129 @@ # $FreeBSD$ # Utility functions (mainly from pf tests, should be merged one day) ## : ${TMPDIR=/tmp} +. $(atf_get_srcdir)/../../common/vnet.subr + ist_init() { - if [ "$(sysctl -i -n kern.features.vimage)" != 1 ]; then - atf_skip "This test requires VIMAGE" - fi + vnet_init } -pft_mkepair() -{ - ifname=$(ifconfig epair create) - echo $ifname >> created_interfaces.lst - echo ${ifname%a} -} - -pft_mkjail() -{ - jailname=$1 - shift - - vnet_interfaces= - for ifname in $@ - do - vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}" - done - jail -c name=${jailname} persist vnet ${vnet_interfaces} - - echo $jailname >> created_jails.lst -} - ist_labsetup () { - epair_LAN_A=$(pft_mkepair) + epair_LAN_A=$(vnet_mkepair) ifconfig ${epair_LAN_A}a up - epair_PUB_A=$(pft_mkepair) + epair_PUB_A=$(vnet_mkepair) ifconfig ${epair_PUB_A}a up - epair_LAN_B=$(pft_mkepair) + epair_LAN_B=$(vnet_mkepair) ifconfig ${epair_LAN_B}a up - epair_PUB_B=$(pft_mkepair) + epair_PUB_B=$(vnet_mkepair) ifconfig ${epair_PUB_B}a up - pft_mkjail hostA ${epair_LAN_A}a - pft_mkjail ipsecA ${epair_LAN_A}b ${epair_PUB_A}a - pft_mkjail router ${epair_PUB_A}b ${epair_PUB_B}b - pft_mkjail ipsecB ${epair_LAN_B}b ${epair_PUB_B}a - pft_mkjail hostB ${epair_LAN_B}a + vnet_mkjail hostA ${epair_LAN_A}a + vnet_mkjail ipsecA ${epair_LAN_A}b ${epair_PUB_A}a + vnet_mkjail router ${epair_PUB_A}b ${epair_PUB_B}b + vnet_mkjail ipsecB ${epair_LAN_B}b ${epair_PUB_B}a + vnet_mkjail hostB ${epair_LAN_B}a } ist_v4_setup () { jexec hostA ifconfig ${epair_LAN_A}a 192.0.2.1/30 up jexec ipsecA ifconfig ${epair_LAN_A}b 192.0.2.2/30 up jexec ipsecA ifconfig ${epair_PUB_A}a 198.51.100.2/30 up jexec router ifconfig ${epair_PUB_A}b 198.51.100.1/30 up jexec router ifconfig ${epair_PUB_B}b 198.51.100.5/30 up jexec ipsecB ifconfig ${epair_PUB_B}a 198.51.100.6/30 up jexec ipsecB ifconfig ${epair_LAN_B}b 203.0.113.2/30 up jexec hostB ifconfig ${epair_LAN_B}a 203.0.113.1/30 up jexec ipsecA sysctl 
net.inet.ip.forwarding=1 jexec router sysctl net.inet.ip.forwarding=1 jexec ipsecB sysctl net.inet.ip.forwarding=1 jexec hostA route add default 192.0.2.2 jexec ipsecA route add default 198.51.100.1 jexec ipsecB route add default 198.51.100.5 jexec hostB route add default 203.0.113.2 } ist_v6_setup () { jexec hostA ifconfig ${epair_LAN_A}a inet6 2001:db8:1::1/64 up no_dad jexec ipsecA ifconfig ${epair_LAN_A}b inet6 2001:db8:1::2/64 up no_dad jexec ipsecA ifconfig ${epair_PUB_A}a inet6 2001:db8:23::2/64 up no_dad jexec router ifconfig ${epair_PUB_A}b inet6 2001:db8:23::3/64 up no_dad jexec router ifconfig ${epair_PUB_B}b inet6 2001:db8:34::3/64 up no_dad jexec ipsecB ifconfig ${epair_PUB_B}a inet6 2001:db8:34::2/64 up no_dad jexec ipsecB ifconfig ${epair_LAN_B}b inet6 2001:db8:45::2/64 up no_dad jexec hostB ifconfig ${epair_LAN_B}a inet6 2001:db8:45::1/64 up no_dad jexec ipsecA sysctl net.inet6.ip6.forwarding=1 jexec router sysctl net.inet6.ip6.forwarding=1 jexec ipsecB sysctl net.inet6.ip6.forwarding=1 jexec hostA route -6 add default 2001:db8:1::2 jexec ipsecA route -6 add default 2001:db8:23::3 jexec ipsecB route -6 add default 2001:db8:34::3 jexec hostB route -6 add default 2001:db8:45::2 } ist_setkey() { jname=$1 dir=$2 afnet=$3 enc_algo=$4 enc_key=$5 auth_algo=$6 auth_key=$7 # Load ( printf "#arguments debug: ${jname} ${afnet} ${dir} ${enc_algo} " printf "${enc_key} ${auth_algo} ${auth_key}\n" printf "flush;\n" printf "spdflush;\n" if [ ${afnet} -eq 4 ]; then SRC_LAN="192.0.2.0/24" DST_LAN="203.0.113.0/24" SRC_GW="198.51.100.2" DST_GW="198.51.100.6" else SRC_LAN="2001:db8:1::/64" DST_LAN="2001:db8:45::/64" SRC_GW="2001:db8:23::2" DST_GW="2001:db8:34::2" fi printf "spdadd ${SRC_LAN} ${DST_LAN} any -P " [ ${dir} = "out" ] && printf "out" || printf "in" printf " ipsec esp/tunnel/${SRC_GW}-${DST_GW}/require;\n" printf "spdadd ${DST_LAN} ${SRC_LAN} any -P " [ ${dir} = "out" ] && printf "in" || printf "out" printf " ipsec esp/tunnel/${DST_GW}-${SRC_GW}/require;\n" 
printf "add ${SRC_GW} ${DST_GW} esp 0x1000 -E ${enc_algo} \"${enc_key}\"" [ -n "${auth_algo}" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n" printf "add ${DST_GW} ${SRC_GW} esp 0x1001 -E ${enc_algo} \"${enc_key}\"" [ -n "$auth_algo" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n" ) > ${TMPDIR}/ipsec.${jname}.conf } ist_test() { ist_init ist_labsetup [ $1 -eq 4 ] && ist_v4_setup || ist_v6_setup ist_setkey ipsecA out $@ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f ${TMPDIR}/ipsec.ipsecA.conf ist_setkey ipsecB in $@ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f ${TMPDIR}/ipsec.ipsecB.conf # Check ipsec tunnel if [ $1 -eq 4 ]; then atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1 else atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1 fi } ist_cleanup() { - if [ -f created_jails.lst ]; then - for jailname in $(cat created_jails.lst) - do - jail -r ${jailname} - rm -f ${TMPDIR}/ipsec.${jailname}.conf - done - rm created_jails.lst - fi - - if [ -f created_interfaces.lst ]; then - for ifname in $(cat created_interfaces.lst) - do - ifconfig ${ifname} destroy - done - rm created_interfaces.lst - fi + vnet_cleanup } Index: head/tests/sys/netpfil/pf/anchor.sh =================================================================== --- head/tests/sys/netpfil/pf/anchor.sh (revision 344763) +++ head/tests/sys/netpfil/pf/anchor.sh (revision 344764) 
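Review bot: The rewritten `ist_cleanup` drops the `rm -f ${TMPDIR}/ipsec.${jailname}.conf` that the removed loop ran for every jail, so the setkey configuration files `ist_setkey` writes under `${TMPDIR}` now outlive the test; those files hold the ESP encryption and authentication keys handed in on the command line, and leaving them behind under a fixed name in a shared temporary directory is exactly the residue a cleanup step exists to remove. Only ipsecA and ipsecB receive a configuration in `ist_test`, so `rm -f ${TMPDIR}/ipsec.ipsecA.conf ${TMPDIR}/ipsec.ipsecB.conf` placed before `vnet_cleanup` restores the previous behaviour, or the old loop over created_jails.lst can be kept ahead of the `vnet_cleanup` call if more jails may gain a policy later. The predictable file name itself predates this change and is a separate matter.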
@@ -1,40 +1,40 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "pr183198" "cleanup" pr183198_head() { atf_set descr 'Test tables referenced by rules in anchors' atf_set require.user root } pr183198_body() { pft_init - epair=$(pft_mkepair) - pft_mkjail alcatraz ${epair}b + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}b jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz \ "table { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \ "block in" \ "anchor \"epair\" on ${epair}b { \n\ pass in from \n\ }" atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*' atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show } pr183198_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "pr183198" } Index: head/tests/sys/netpfil/pf/forward.sh =================================================================== --- head/tests/sys/netpfil/pf/forward.sh (revision 344763) +++ head/tests/sys/netpfil/pf/forward.sh (revision 344764) 
@@ -1,149 +1,149 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic forwarding test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { pft_init - epair_send=$(pft_mkepair) + epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up - epair_recv=$(pft_mkepair) + epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up - pft_mkjail alcatraz ${epair_send}b ${epair_recv}b + vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz "block in" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a pft_set_rules alcatraz "block out" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic IPv6 forwarding test' atf_set require.user root atf_set require.progs scapy } v6_body() { pft_init - epair_send=$(pft_mkepair) - epair_recv=$(pft_mkepair) + epair_send=$(vnet_mkepair) + epair_recv=$(vnet_mkepair) ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled ifconfig ${epair_recv}a up - pft_mkjail alcatraz ${epair_send}b 
${epair_recv}b + vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad jexec alcatraz sysctl net.inet6.ip6.forwarding=1 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05 route add -6 2001:db8:43::/64 2001:db8:42::2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Block incoming echo request packets pft_set_rules alcatraz \ "block in inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Block outgoing echo request packets pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allow ICMPv6 but nothing else pft_set_rules alcatraz \ "block out" \ "pass out inet6 proto icmp6" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allowing ICMPv4 does not allow ICMPv6 pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" \ "pass in proto icmp" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/fragmentation.sh =================================================================== --- head/tests/sys/netpfil/pf/fragmentation.sh (revision 344763) +++ head/tests/sys/netpfil/pf/fragmentation.sh (revision 344764) 
@@ -1,123 +1,123 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "too_many_fragments" "cleanup" too_many_fragments_head() { atf_set descr 'IPv4 fragment limitation test' atf_set require.user root } too_many_fragments_body() { pft_init - epair=$(pft_mkepair) - pft_mkjail alcatraz ${epair}a + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}a ifconfig ${epair}b inet 192.0.2.1/24 up jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up ifconfig ${epair}b mtu 200 jexec alcatraz ifconfig ${epair}a mtu 200 jexec alcatraz pfctl -e pft_set_rules alcatraz \ "scrub all fragment reassemble" # So we know pf is limiting things jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 # We can ping with < 64 fragments atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2 # Too many fragments should fail atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2 } too_many_fragments_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'IPv6 fragmentation test' atf_set require.user root atf_set require.progs scapy } v6_body() { pft_init - epair_send=$(pft_mkepair) - epair_link=$(pft_mkepair) + epair_send=$(vnet_mkepair) + epair_link=$(vnet_mkepair) - pft_mkjail alcatraz ${epair_send}b ${epair_link}a - pft_mkjail singsing ${epair_link}b + vnet_mkjail alcatraz ${epair_send}b ${epair_link}a + vnet_mkjail singsing ${epair_link}b ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up jexec alcatraz sysctl net.inet6.ip6.forwarding=1 jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2 route add -6 2001:db8:43::/64 2001:db8:42::2 jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled jexec singsing 
ifconfig ${epair_link}b inet6 -ifdisabled ifconfig ${epair_send}a inet6 -ifdisabled jexec alcatraz pfctl -e pft_set_rules alcatraz \ "scrub fragment reassemble" \ "block in" \ "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" # Host test atf_check -s exit:0 -o ignore \ ping6 -c 1 2001:db8:42::2 atf_check -s exit:0 -o ignore \ ping6 -c 1 -s 4500 2001:db8:42::2 atf_check -s exit:0 -o ignore\ ping6 -c 1 -b 70000 -s 65000 2001:db8:42::2 # Forwarding test atf_check -s exit:0 -o ignore \ ping6 -c 1 2001:db8:43::3 atf_check -s exit:0 -o ignore \ ping6 -c 1 -s 4500 2001:db8:43::3 atf_check -s exit:0 -o ignore\ ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3 $(atf_get_srcdir)/CVE-2019-5597.py \ ${epair_send}a \ 2001:db8:42::1 \ 2001:db8:43::3 } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "too_many_fragments" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/names.sh =================================================================== --- head/tests/sys/netpfil/pf/names.sh (revision 344763) +++ head/tests/sys/netpfil/pf/names.sh (revision 344764) @@ -1,34 +1,34 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "names" "cleanup" names_head() { atf_set descr 'Test overlapping names' atf_set require.user root } names_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) - pft_mkjail alcatraz ${epair}b + vnet_mkjail alcatraz ${epair}b ifconfig ${epair}a name foo jexec alcatraz ifconfig ${epair}b name foo jail -r alcatraz ifconfig foo destroy } names_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "names" } Index: head/tests/sys/netpfil/pf/nat.sh =================================================================== --- head/tests/sys/netpfil/pf/nat.sh (revision 344763) +++ head/tests/sys/netpfil/pf/nat.sh (revision 344764) 
@@ -1,64 +1,64 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "exhaust" "cleanup" exhaust_head() { atf_set descr 'Test exhausting the NAT pool' atf_set require.user root } exhaust_body() { pft_init - epair_nat=$(pft_mkepair) - epair_echo=$(pft_mkepair) + epair_nat=$(vnet_mkepair) + epair_echo=$(vnet_mkepair) - pft_mkjail nat ${epair_nat}b ${epair_echo}a - pft_mkjail echo ${epair_echo}b + vnet_mkjail nat ${epair_nat}b ${epair_echo}a + vnet_mkjail echo ${epair_echo}b ifconfig ${epair_nat}a 192.0.2.2/24 up route add -net 198.51.100.0/24 192.0.2.1 jexec nat ifconfig ${epair_nat}b 192.0.2.1/24 up jexec nat ifconfig ${epair_echo}a 198.51.100.1/24 up jexec nat sysctl net.inet.ip.forwarding=1 jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up jexec echo /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf # Enable pf! jexec nat pfctl -e pft_set_rules nat \ "nat pass on ${epair_echo}a inet from 192.0.2.0/24 to any -> (${epair_echo}a) port 30000:30001 sticky-address" # Sanity check atf_check -s exit:0 -o ignore ping -c 3 198.51.100.2 echo "foo" | nc -N 198.51.100.2 7 echo "foo" | nc -N 198.51.100.2 7 # This one will fail, but that's expected echo "foo" | nc -N 198.51.100.2 7 & sleep 1 # If the kernel is stuck in pf_get_sport() this will not succeed either. timeout 2 jexec nat pfctl -sa if [ $? -eq 124 ]; then # Timed out atf_fail "pfctl timeout" fi } exhaust_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "exhaust" } Index: head/tests/sys/netpfil/pf/pass_block.sh =================================================================== --- head/tests/sys/netpfil/pf/pass_block.sh (revision 344763) +++ head/tests/sys/netpfil/pf/pass_block.sh (revision 344764) 
@@ -1,173 +1,173 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic pass/block test for IPv4' atf_set require.user root } v4_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) ifconfig ${epair}a 192.0.2.1/24 up # Set up a simple jail with one interface - pft_mkjail alcatraz ${epair}b + vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up # Trivial ping to the jail, without pf atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # pf without policy will let us ping jexec alcatraz pfctl -e atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything but ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic pass/block test for IPv6' atf_set require.user root } v6_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad # Set up a simple jail with one interface - pft_mkjail alcatraz ${epair}b + vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad # Trivial ping to the jail, without pf atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # pf without policy will let us ping jexec alcatraz pfctl -e atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything but ICMP pft_set_rules alcatraz "block in" "pass in proto icmp6" atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Allowing ICMPv4 does not allow ICMPv6 pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 } v6_cleanup() { 
pft_cleanup } atf_test_case "noalias" "cleanup" noalias_head() { atf_set descr 'Test the :0 noalias option' atf_set require.user root } noalias_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad - pft_mkjail alcatraz ${epair}b + vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \ | grep %${epair}b \ | awk '{ print $2; }' \ | cut -d % -f 1) # Sanity check atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 2001:db8:42::2 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a jexec alcatraz pfctl -e pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any" atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 2001:db8:42::2 # We should still be able to ping the link-local address atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a pft_set_rules alcatraz "block out inet6 from (${epair}b) to any" # We cannot ping to the link-local address atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a } noalias_cleanup() { pft_cleanup } atf_test_case "nested_inline" "cleanup" nested_inline_head() { atf_set descr "Test nested inline anchors, PR196314" atf_set require.user root } nested_inline_body() { pft_init epair=$(vnet_mkepair) ifconfig ${epair}a inet 192.0.2.1/24 up vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz pfctl -e pft_set_rules alcatraz \ "block in" \ "anchor \"an1\" {" \ "pass in quick proto tcp to port time" \ "anchor \"an2\" {" \ "pass in quick proto icmp" \ "}" \ "}" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } nested_inline_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" atf_add_test_case "noalias" atf_add_test_case "nested_inline" } Index: head/tests/sys/netpfil/pf/pfsync.sh 
=================================================================== --- head/tests/sys/netpfil/pf/pfsync.sh (revision 344763) +++ head/tests/sys/netpfil/pf/pfsync.sh (revision 344764) 
@@ -1,94 +1,94 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "basic" "cleanup" basic_head() { atf_set descr 'Basic pfsync test' atf_set require.user root } basic_body() { common_body } common_body() { defer=$1 pfsynct_init - epair_sync=$(pft_mkepair) - epair_one=$(pft_mkepair) - epair_two=$(pft_mkepair) + epair_sync=$(vnet_mkepair) + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) - pft_mkjail one ${epair_one}a ${epair_sync}a - pft_mkjail two ${epair_two}a ${epair_sync}b + vnet_mkjail one ${epair_one}a ${epair_sync}a + vnet_mkjail two ${epair_two}a ${epair_sync}b # pfsync interface jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up jexec one ifconfig ${epair_one}a 198.51.100.1/24 up jexec one ifconfig pfsync0 \ syncdev ${epair_sync}a \ maxupd 1 \ $defer \ up jexec two ifconfig ${epair_two}a 198.51.100.2/24 up jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up jexec two ifconfig pfsync0 \ syncdev ${epair_sync}b \ maxupd 1 \ $defer \ up # Enable pf! jexec one pfctl -e pft_set_rules one \ "set skip on ${epair_sync}a" \ "pass keep state" jexec two pfctl -e pft_set_rules two \ "set skip on ${epair_sync}b" \ "pass keep state" ifconfig ${epair_one}b 198.51.100.254/24 up ping -c 1 -S 198.51.100.254 198.51.100.1 # Give pfsync time to do its thing sleep 2 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ grep 198.51.100.2 ; then atf_fail "state not found on synced host" fi } basic_cleanup() { pfsynct_cleanup } atf_test_case "defer" "cleanup" defer_head() { atf_set descr 'Defer mode pfsync test' atf_set require.user root } defer_body() { common_body defer } defer_cleanup() { pfsynct_cleanup } atf_init_test_cases() { atf_add_test_case "basic" atf_add_test_case "defer" } Index: head/tests/sys/netpfil/pf/rdr.sh =================================================================== --- head/tests/sys/netpfil/pf/rdr.sh (revision 344763) +++ head/tests/sys/netpfil/pf/rdr.sh (revision 344764) 
@@ -1,48 +1,48 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "basic" "cleanup" basic_head() { atf_set descr 'Basic rdr test' atf_set require.user root } basic_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) - pft_mkjail alcatraz ${epair}b + vnet_mkjail alcatraz ${epair}b ifconfig ${epair}a 192.0.2.2/24 up route add -net 198.51.100.0/24 192.0.2.1 jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 # Enable pf! jexec alcatraz pfctl -e pft_set_rules alcatraz \ "rdr pass on ${epair}b proto tcp from any to 198.51.100.0/24 port 1234 -> 192.0.2.1 port 4321" echo "foo" | jexec alcatraz nc -N -l 4321 & sleep 1 result=$(nc -N -w 3 198.51.100.2 1234) if [ "$result" != "foo" ]; then atf_fail "Redirect failed" fi } basic_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "basic" } Index: head/tests/sys/netpfil/pf/route_to.sh =================================================================== --- head/tests/sys/netpfil/pf/route_to.sh (revision 344763) +++ head/tests/sys/netpfil/pf/route_to.sh (revision 344764) 
@@ -1,81 +1,81 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic route-to test' atf_set require.user root } v4_body() { pft_init - epair_send=$(pft_mkepair) + epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up - epair_route=$(pft_mkepair) + epair_route=$(vnet_mkepair) ifconfig ${epair_route}a 203.0.113.1/24 up - pft_mkjail alcatraz ${epair_send}b ${epair_route}b + vnet_mkjail alcatraz ${epair_send}b ${epair_route}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_route}b 203.0.113.2/24 up jexec alcatraz route add -net 198.51.100.0/24 192.0.2.1 jexec alcatraz pfctl -e # Attempt to provoke PR 228782 pft_set_rules alcatraz "block all" "pass user 2" \ "pass out route-to (${epair_route}b 203.0.113.1) from 192.0.2.2 to 198.51.100.1 no state" jexec alcatraz nc -w 3 -s 192.0.2.2 198.51.100.1 22 # atf wants us to not return an error, but our netcat will fail true } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic route-to test (IPv6)' atf_set require.user root } v6_body() { pft_init - epair_send=$(pft_mkepair) + epair_send=$(vnet_mkepair) ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled - epair_route=$(pft_mkepair) + epair_route=$(vnet_mkepair) ifconfig ${epair_route}a inet6 2001:db8:43::1/64 up no_dad -ifdisabled - pft_mkjail alcatraz ${epair_send}b ${epair_route}b + vnet_mkjail alcatraz ${epair_send}b ${epair_route}b jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad jexec alcatraz ifconfig ${epair_route}b inet6 2001:db8:43::2/64 up no_dad jexec alcatraz route add -6 2001:db8:666::/64 2001:db8:42::2 jexec alcatraz pfctl -e # Attempt to provoke PR 228782 pft_set_rules alcatraz "block all" "pass user 2" \ "pass out route-to (${epair_route}b 2001:db8:43::1) from 2001:db8:42::2 to 2001:db8:666::1 no state" jexec alcatraz nc -6 -w 3 -s 2001:db8:42::2 2001:db8:666::1 22 # atf wants us 
to not return an error, but our netcat will fail true } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/set_skip.sh =================================================================== --- head/tests/sys/netpfil/pf/set_skip.sh (revision 344763) +++ head/tests/sys/netpfil/pf/set_skip.sh (revision 344764) @@ -1,67 +1,67 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "set_skip_group" "cleanup" set_skip_group_head() { atf_set descr 'Basic set skip test' atf_set require.user root } set_skip_group_body() { # See PR 229241 pft_init - pft_mkjail alcatraz + vnet_mkjail alcatraz jexec alcatraz ifconfig lo0 127.0.0.1/8 up jexec alcatraz ifconfig lo0 group foo jexec alcatraz pfctl -e pft_set_rules alcatraz "set skip on foo" \ "block in proto icmp" jexec alcatraz ifconfig atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 } set_skip_group_cleanup() { pft_cleanup } atf_test_case "set_skip_group_lo" "cleanup" set_skip_group_lo_head() { atf_set descr 'Basic set skip test, lo' atf_set require.user root } set_skip_group_lo_body() { # See PR 229241 pft_init - pft_mkjail alcatraz + vnet_mkjail alcatraz jexec alcatraz ifconfig lo0 127.0.0.1/8 up jexec alcatraz pfctl -e pft_set_rules alcatraz "set skip on lo" \ "block on lo0" atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 pft_set_rules noflush alcatraz "set skip on lo" \ "block on lo0" atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 jexec alcatraz pfctl -s rules } set_skip_group_lo_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "set_skip_group" atf_add_test_case "set_skip_group_lo" } Index: head/tests/sys/netpfil/pf/set_tos.sh =================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh (revision 344763) +++ head/tests/sys/netpfil/pf/set_tos.sh (revision 344764) 
@@ -1,93 +1,93 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'set-tos test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { pft_init - epair_send=$(pft_mkepair) + epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up - epair_recv=$(pft_mkepair) + epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up - pft_mkjail alcatraz ${epair_send}b ${epair_recv}b + vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 jexec alcatraz pfctl -e # No change is done if not requested pft_set_rules alcatraz "scrub out proto icmp" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # The requested ToS is set pft_set_rules alcatraz "scrub out proto icmp set-tos 42" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # ToS is not changed if the scrub rule does not match pft_set_rules alcatraz "scrub out proto tcp set-tos 42" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # Multiple scrub rules match as expected pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ "scrub out proto icmp set-tos 14" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 14 # And this works even if the packet already has ToS values set atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif 
${epair_recv}a \ --send-tos 42 \ --expect-tos 14 # ToS values are unmolested if the packets do not match a scrub rule pft_set_rules alcatraz "scrub out proto tcp set-tos 13" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 42 \ --expect-tos 42 } v4_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" } Index: head/tests/sys/netpfil/pf/synproxy.sh =================================================================== --- head/tests/sys/netpfil/pf/synproxy.sh (revision 344763) +++ head/tests/sys/netpfil/pf/synproxy.sh (revision 344764) 
@@ -1,59 +1,59 @@ # $FreeBSD$ . $(atf_get_srcdir)/utils.subr atf_test_case "synproxy" "cleanup" synproxy_head() { atf_set descr 'Basic synproxy test' atf_set require.user root } synproxy_body() { pft_init - epair=$(pft_mkepair) + epair=$(vnet_mkepair) ifconfig ${epair}a 192.0.2.1/24 up route add -net 198.51.100.0/24 192.0.2.2 - link=$(pft_mkepair) + link=$(vnet_mkepair) - pft_mkjail alcatraz ${epair}b ${link}a + vnet_mkjail alcatraz ${epair}b ${link}a jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz ifconfig ${link}a 198.51.100.1/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 - pft_mkjail singsing ${link}b + vnet_mkjail singsing ${link}b jexec singsing ifconfig ${link}b 198.51.100.2/24 up jexec singsing route add default 198.51.100.1 jexec singsing /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf jexec alcatraz pfctl -e pft_set_rules alcatraz "set fail-policy return" \ "scrub in all fragment reassemble" \ "pass out quick on ${epair}b all no state allow-opts" \ "pass in quick on ${epair}b proto tcp from any to any port 7 synproxy state" \ "pass in quick on ${epair}b all no state" # Sanity check, can we ping singing atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2 # Check that we can talk to the singsing jail, after synproxying reply=$(echo ping | nc -N 198.51.100.2 7) if [ "${reply}" != "ping" ]; then atf_fail "echo failed" fi } synproxy_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "synproxy" } Index: head/tests/sys/netpfil/pf/utils.subr =================================================================== --- head/tests/sys/netpfil/pf/utils.subr (revision 344763) +++ head/tests/sys/netpfil/pf/utils.subr (revision 344764) 
@@ -1,89 +1,53 @@ # $FreeBSD$ # Utility functions ## +. $(atf_get_srcdir)/../../common/vnet.subr + pft_init() { + vnet_init + if [ ! -c /dev/pf ]; then atf_skip "This test requires pf" fi - - if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then - atf_skip "This test requires VIMAGE" - fi } pfsynct_init() { pft_init if ! kldstat -q -m pfsync; then atf_skip "This test requires pfsync" fi } -pft_mkepair() -{ - ifname=$(ifconfig epair create) - echo $ifname >> created_interfaces.lst - echo ${ifname%a} -} - -pft_mkjail() -{ - jailname=$1 - shift - - vnet_interfaces= - for ifname in $@ - do - vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}" - done - jail -c name=${jailname} persist vnet ${vnet_interfaces} - - echo $jailname >> created_jails.lst -} - pft_set_rules() { jname=$1 shift if [ $jname == "noflush" ]; then jname=$1 shift else # Flush all states, rules, fragments, ... jexec ${jname} pfctl -F all fi while [ $# -gt 0 ]; do printf "$1\n" shift done | jexec ${jname} pfctl -f - } pft_cleanup() { - if [ -f created_jails.lst ]; then - for jailname in `cat created_jails.lst` - do - jail -r ${jailname} - done - rm created_jails.lst - fi - - if [ -f created_interfaces.lst ]; then - for ifname in `cat created_interfaces.lst` - do - ifconfig ${ifname} destroy - done - rm created_interfaces.lst - fi + vnet_cleanup } pfsynct_cleanup() { pft_cleanup }