Index: head/tests/sys/netpfil/common/pft_ping.py =================================================================== --- head/tests/sys/netpfil/common/pft_ping.py (revision 354144) +++ head/tests/sys/netpfil/common/pft_ping.py (revision 354145) @@ -1,135 +1,161 @@ #!/usr/bin/env python +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# import argparse import scapy.all as sp import sys from sniffer import Sniffer PAYLOAD_MAGIC = bytes.fromhex('42c0ffee') def check_ping_request(args, packet): if args.ip6: return check_ping6_request(args, packet) else: return check_ping4_request(args, packet) def check_ping4_request(args, packet): """ Verify that the packet matches what we'd have sent """ dst_ip = args.to[0] ip = packet.getlayer(sp.IP) if not ip: return False if ip.dst != dst_ip: return False icmp = packet.getlayer(sp.ICMP) if not icmp: return False if sp.icmptypes[icmp.type] != 'echo-request': return False raw = packet.getlayer(sp.Raw) if not raw: return False if raw.load != PAYLOAD_MAGIC: return False # Wait to check expectations until we've established this is the packet we # sent. if args.expect_tos: if ip.tos != int(args.expect_tos[0]): print("Unexpected ToS value %d, expected %d" \ % (ip.tos, int(args.expect_tos[0]))) return False return True def check_ping6_request(args, packet): """ Verify that the packet matches what we'd have sent """ dst_ip = args.to[0] ip = packet.getlayer(sp.IPv6) if not ip: return False if ip.dst != dst_ip: return False icmp = packet.getlayer(sp.ICMPv6EchoRequest) if not icmp: return False if icmp.data != PAYLOAD_MAGIC: return False return True def ping(send_if, dst_ip, args): ether = sp.Ether() ip = sp.IP(dst=dst_ip) icmp = sp.ICMP(type='echo-request') raw = sp.raw(PAYLOAD_MAGIC) if args.send_tos: ip.tos = int(args.send_tos[0]) req = ether / ip / icmp / raw sp.sendp(req, iface=send_if, verbose=False) def ping6(send_if, dst_ip, args): ether = sp.Ether() ip6 = sp.IPv6(dst=dst_ip) icmp = sp.ICMPv6EchoRequest(data=sp.raw(PAYLOAD_MAGIC)) req = ether / ip6 / icmp sp.sendp(req, iface=send_if, verbose=False) def main(): parser = argparse.ArgumentParser("pft_ping.py", description="Ping test tool") parser.add_argument('--sendif', nargs=1, required=True, help='The interface through which the packet(s) will be sent') parser.add_argument('--recvif', nargs=1, help='The interface on which to expect the ICMP echo response') parser.add_argument('--ip6', action='store_true', help='Use IPv6') parser.add_argument('--to', nargs=1, required=True, help='The destination IP address for the ICMP echo request') # Packet settings parser.add_argument('--send-tos', nargs=1, help='Set the ToS value for the transmitted packet') # Expectations parser.add_argument('--expect-tos', nargs=1, help='The expected ToS value in the received packet') args = parser.parse_args() # We may not have a default route. Tell scapy where to start looking for routes sp.conf.iface6 = args.sendif[0] sniffer = None if not args.recvif is None: sniffer = Sniffer(args, check_ping_request) if args.ip6: ping6(args.sendif[0], args.to[0], args) else: ping(args.sendif[0], args.to[0], args) if sniffer: sniffer.join() if sniffer.foundCorrectPacket: sys.exit(0) else: sys.exit(1) if __name__ == '__main__': main() Index: head/tests/sys/netpfil/common/sniffer.py =================================================================== --- head/tests/sys/netpfil/common/sniffer.py (revision 354144) +++ head/tests/sys/netpfil/common/sniffer.py (revision 354145) @@ -1,25 +1,51 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# import threading import scapy.all as sp class Sniffer(threading.Thread): def __init__(self, args, check_function): threading.Thread.__init__(self) self._args = args self._recvif = args.recvif[0] self._check_function = check_function self.foundCorrectPacket = False self.start() def _checkPacket(self, packet): ret = self._check_function(self._args, packet) if ret: self.foundCorrectPacket = True return ret def run(self): self.packets = sp.sniff(iface=self._recvif, stop_filter=self._checkPacket, timeout=3) Index: head/tests/sys/netpfil/pf/CVE-2019-5597.py =================================================================== --- head/tests/sys/netpfil/pf/CVE-2019-5597.py (revision 354144) +++ head/tests/sys/netpfil/pf/CVE-2019-5597.py (revision 354145) @@ -1,36 +1,61 @@ #!/usr/bin/env python +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Synacktiv +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. import random import scapy.all as sp import sys UDP_PROTO = 17 AH_PROTO = 51 FRAG_PROTO = 44 def main(): intf = sys.argv[1] ipv6_src = sys.argv[2] ipv6_dst = sys.argv[3] ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src) padding = 8 fid = random.randint(0,100000) frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0) foff_1 = (int)(padding/8) frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=foff_1) pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \ / sp.Raw('XXXX' * 199) \ / sp.AH(nh=FRAG_PROTO, payloadlen=1) \ / frag_1 pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding) pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding) sp.sendp(pkt0, iface=intf, verbose=False) sp.sendp(pkt1, iface=intf, verbose=False) if __name__ == '__main__': main() Index: head/tests/sys/netpfil/pf/CVE-2019-5598.py =================================================================== --- head/tests/sys/netpfil/pf/CVE-2019-5598.py (revision 354144) +++ head/tests/sys/netpfil/pf/CVE-2019-5598.py (revision 354145) @@ -1,65 +1,90 @@ #!/usr/bin/env python +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. import argparse import scapy.all as sp import sys from sniffer import Sniffer def check_icmp_error(args, packet): ip = packet.getlayer(sp.IP) if not ip: return False if ip.dst != args.to[0]: return False icmp = packet.getlayer(sp.ICMP) if not icmp: return False if icmp.type != 3 or icmp.code != 3: return False return True def main(): parser = argparse.ArgumentParser("CVE-2019-icmp.py", description="CVE-2019-icmp test tool") parser.add_argument('--sendif', nargs=1, required=True, help='The interface through which the packet will be sent') parser.add_argument('--recvif', nargs=1, required=True, help='The interface on which to check for the packet') parser.add_argument('--src', nargs=1, required=True, help='The source IP address') parser.add_argument('--to', nargs=1, required=True, help='The destination IP address') args = parser.parse_args() # Send the allowed packet to establish state udp = sp.Ether() / \ sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.UDP(dport=53, sport=1234) sp.sendp(udp, iface=args.sendif[0], verbose=False) # Start sniffing on recvif sniffer = Sniffer(args, check_icmp_error) # Send the bad error packet icmp_reachable = sp.Ether() / \ sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.ICMP(type=3, code=3) / \ sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ sp.UDP(dport=53, sport=1234) sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) sniffer.join() if sniffer.foundCorrectPacket: sys.exit(1) sys.exit(0) if __name__ == '__main__': main() Index: head/tests/sys/netpfil/pf/anchor.sh =================================================================== --- head/tests/sys/netpfil/pf/anchor.sh (revision 354144) +++ head/tests/sys/netpfil/pf/anchor.sh (revision 354145) @@ -1,40 +1,65 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "pr183198" "cleanup" pr183198_head() { atf_set descr 'Test tables referenced by rules in anchors' atf_set require.user root } pr183198_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz \ "table { 10.0.0.1, 10.0.0.2, 10.0.0.3 }" \ "block in" \ "anchor \"epair\" on ${epair}b { \n\ pass in from \n\ }" atf_check -s exit:0 -o ignore jexec alcatraz pfctl -sr -a '*' atf_check -s exit:0 -o ignore jexec alcatraz pfctl -t test -T show } pr183198_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "pr183198" } Index: head/tests/sys/netpfil/pf/echo_inetd.conf =================================================================== --- head/tests/sys/netpfil/pf/echo_inetd.conf (revision 354144) +++ head/tests/sys/netpfil/pf/echo_inetd.conf (revision 354145) @@ -1,6 +1,31 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. echo stream tcp nowait root internal echo stream tcp6 nowait root internal echo dgram udp wait root internal echo dgram udp6 wait root internal Index: head/tests/sys/netpfil/pf/forward.sh =================================================================== --- head/tests/sys/netpfil/pf/forward.sh (revision 354144) +++ head/tests/sys/netpfil/pf/forward.sh (revision 354145) @@ -1,159 +1,184 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr common_dir=$(atf_get_srcdir)/../common atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic forwarding test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { if [ `uname -p` = "i386" ]; then atf_skip "https://bugs.freebsd.org/239380" fi pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz "block in" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a pft_set_rules alcatraz "block out" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic IPv6 forwarding test' atf_set require.user root atf_set require.progs scapy } v6_body() { if [ `uname -p` = "i386" ]; then atf_skip "https://bugs.freebsd.org/239380" fi pft_init epair_send=$(vnet_mkepair) epair_recv=$(vnet_mkepair) ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad jexec alcatraz sysctl net.inet6.ip6.forwarding=1 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05 route add -6 2001:db8:43::/64 2001:db8:42::2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Block incoming echo request packets pft_set_rules alcatraz \ "block in inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Block outgoing echo request packets pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allow ICMPv6 but nothing else pft_set_rules alcatraz \ "block out" \ "pass out inet6 proto icmp6" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allowing ICMPv4 does not allow ICMPv6 pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" \ "pass in proto icmp" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/fragmentation.sh =================================================================== --- head/tests/sys/netpfil/pf/fragmentation.sh (revision 354144) +++ head/tests/sys/netpfil/pf/fragmentation.sh (revision 354145) @@ -1,123 +1,148 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "too_many_fragments" "cleanup" too_many_fragments_head() { atf_set descr 'IPv4 fragment limitation test' atf_set require.user root } too_many_fragments_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}a ifconfig ${epair}b inet 192.0.2.1/24 up jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up ifconfig ${epair}b mtu 200 jexec alcatraz ifconfig ${epair}a mtu 200 jexec alcatraz pfctl -e pft_set_rules alcatraz \ "scrub all fragment reassemble" # So we know pf is limiting things jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024 # Sanity check atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 # We can ping with < 64 fragments atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2 # Too many fragments should fail atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2 } too_many_fragments_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'IPv6 fragmentation test' atf_set require.user root atf_set require.progs scapy } v6_body() { pft_init epair_send=$(vnet_mkepair) epair_link=$(vnet_mkepair) vnet_mkjail alcatraz ${epair_send}b ${epair_link}a vnet_mkjail singsing ${epair_link}b ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up jexec alcatraz sysctl net.inet6.ip6.forwarding=1 jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2 route add -6 2001:db8:43::/64 2001:db8:42::2 jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled ifconfig ${epair_send}a inet6 -ifdisabled jexec alcatraz pfctl -e pft_set_rules alcatraz \ "scrub fragment reassemble" \ "block in" \ "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" # Host test atf_check -s exit:0 -o ignore \ ping6 -c 1 2001:db8:42::2 atf_check -s exit:0 -o ignore \ ping6 -c 1 -s 4500 2001:db8:42::2 atf_check -s exit:0 -o ignore\ ping6 -c 1 -b 70000 -s 65000 2001:db8:42::2 # Forwarding test atf_check -s exit:0 -o ignore \ ping6 -c 1 2001:db8:43::3 atf_check -s exit:0 -o ignore \ ping6 -c 1 -s 4500 2001:db8:43::3 atf_check -s exit:0 -o ignore\ ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3 $(atf_get_srcdir)/CVE-2019-5597.py \ ${epair_send}a \ 2001:db8:42::1 \ 2001:db8:43::3 } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "too_many_fragments" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/icmp.sh =================================================================== --- head/tests/sys/netpfil/pf/icmp.sh (revision 354144) +++ head/tests/sys/netpfil/pf/icmp.sh (revision 354145) @@ -1,53 +1,78 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr common_dir=$(atf_get_srcdir)/../common atf_test_case "cve_2019_5598" "cleanup" cve_2019_5598_head() { atf_set descr 'Test CVE-2019-5598' atf_set require.user root atf_set require.progs scapy } cve_2019_5598_body() { pft_init epair_in=$(vnet_mkepair) epair_out=$(vnet_mkepair) ifconfig ${epair_in}a 192.0.2.1/24 up ifconfig ${epair_out}a up vnet_mkjail alcatraz ${epair_in}b ${epair_out}b jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 jexec alcatraz route add default 198.51.100.3 route add -net 198.51.100.0/24 192.0.2.2 jexec alcatraz pfctl -e pft_set_rules alcatraz "block all" \ "pass in proto udp to 198.51.100.3 port 53" \ "pass out proto udp to 198.51.100.3 port 53" atf_check -s exit:0 env PYTHONPATH=${common_dir} \ $(atf_get_srcdir)/CVE-2019-5598.py \ --sendif ${epair_in}a \ --recvif ${epair_out}a \ --src 192.0.2.1 \ --to 198.51.100.3 } cve_2019_5598_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "cve_2019_5598" } Index: head/tests/sys/netpfil/pf/names.sh =================================================================== --- head/tests/sys/netpfil/pf/names.sh (revision 354144) +++ head/tests/sys/netpfil/pf/names.sh (revision 354145) @@ -1,35 +1,60 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "names" "cleanup" names_head() { atf_set descr 'Test overlapping names' atf_set require.user root } names_body() { atf_skip "Kernel panics when flushing epair queue (bug238870)" pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b ifconfig ${epair}a name foo jexec alcatraz ifconfig ${epair}b name foo jail -r alcatraz ifconfig foo destroy } names_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "names" } Index: head/tests/sys/netpfil/pf/nat.sh =================================================================== --- head/tests/sys/netpfil/pf/nat.sh (revision 354144) +++ head/tests/sys/netpfil/pf/nat.sh (revision 354145) @@ -1,64 +1,89 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "exhaust" "cleanup" exhaust_head() { atf_set descr 'Test exhausting the NAT pool' atf_set require.user root } exhaust_body() { pft_init epair_nat=$(vnet_mkepair) epair_echo=$(vnet_mkepair) vnet_mkjail nat ${epair_nat}b ${epair_echo}a vnet_mkjail echo ${epair_echo}b ifconfig ${epair_nat}a 192.0.2.2/24 up route add -net 198.51.100.0/24 192.0.2.1 jexec nat ifconfig ${epair_nat}b 192.0.2.1/24 up jexec nat ifconfig ${epair_echo}a 198.51.100.1/24 up jexec nat sysctl net.inet.ip.forwarding=1 jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up jexec echo /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf # Enable pf! jexec nat pfctl -e pft_set_rules nat \ "nat pass on ${epair_echo}a inet from 192.0.2.0/24 to any -> (${epair_echo}a) port 30000:30001 sticky-address" # Sanity check atf_check -s exit:0 -o ignore ping -c 3 198.51.100.2 echo "foo" | nc -N 198.51.100.2 7 echo "foo" | nc -N 198.51.100.2 7 # This one will fail, but that's expected echo "foo" | nc -N 198.51.100.2 7 & sleep 1 # If the kernel is stuck in pf_get_sport() this will not succeed either. timeout 2 jexec nat pfctl -sa if [ $? -eq 124 ]; then # Timed out atf_fail "pfctl timeout" fi } exhaust_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "exhaust" } Index: head/tests/sys/netpfil/pf/pass_block.sh =================================================================== --- head/tests/sys/netpfil/pf/pass_block.sh (revision 354144) +++ head/tests/sys/netpfil/pf/pass_block.sh (revision 354145) @@ -1,173 +1,198 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic pass/block test for IPv4' atf_set require.user root } v4_body() { pft_init epair=$(vnet_mkepair) ifconfig ${epair}a 192.0.2.1/24 up # Set up a simple jail with one interface vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up # Trivial ping to the jail, without pf atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # pf without policy will let us ping jexec alcatraz pfctl -e atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything but ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic pass/block test for IPv6' atf_set require.user root } v6_body() { pft_init epair=$(vnet_mkepair) ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad # Set up a simple jail with one interface vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad # Trivial ping to the jail, without pf atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 # pf without policy will let us ping jexec alcatraz pfctl -e atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 # Block everything pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 # Block everything but ICMP pft_set_rules alcatraz "block in" "pass in proto icmp6" atf_check -s exit:0 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 # Allowing ICMPv4 does not allow ICMPv6 pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:2 -o ignore ping6 -c 1 -W 1 2001:db8:42::2 } v6_cleanup() { pft_cleanup } atf_test_case "noalias" "cleanup" noalias_head() { atf_set descr 'Test the :0 noalias option' atf_set require.user root } noalias_body() { pft_init epair=$(vnet_mkepair) ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \ | grep %${epair}b \ | awk '{ print $2; }' \ | cut -d % -f 1) # Sanity check atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 2001:db8:42::2 atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a jexec alcatraz pfctl -e pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any" atf_check -s exit:2 -o ignore ping6 -c 3 -W 1 2001:db8:42::2 # We should still be able to ping the link-local address atf_check -s exit:0 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a pft_set_rules alcatraz "block out inet6 from (${epair}b) to any" # We cannot ping to the link-local address atf_check -s exit:2 -o ignore ping6 -c 3 -W 1 ${linklocaladdr}%${epair}a } noalias_cleanup() { pft_cleanup } atf_test_case "nested_inline" "cleanup" nested_inline_head() { atf_set descr "Test nested inline anchors, PR196314" atf_set require.user root } nested_inline_body() { pft_init epair=$(vnet_mkepair) ifconfig ${epair}a inet 192.0.2.1/24 up vnet_mkjail alcatraz ${epair}b jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz pfctl -e pft_set_rules alcatraz \ "block in" \ "anchor \"an1\" {" \ "pass in quick proto tcp to port time" \ "anchor \"an2\" {" \ "pass in quick proto icmp" \ "}" \ "}" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } nested_inline_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" atf_add_test_case "noalias" atf_add_test_case "nested_inline" } Index: head/tests/sys/netpfil/pf/pfsync.sh =================================================================== --- head/tests/sys/netpfil/pf/pfsync.sh (revision 354144) +++ head/tests/sys/netpfil/pf/pfsync.sh (revision 354145) @@ -1,94 +1,119 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Orange Business Services +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "basic" "cleanup" basic_head() { atf_set descr 'Basic pfsync test' atf_set require.user root } basic_body() { common_body } common_body() { defer=$1 pfsynct_init epair_sync=$(vnet_mkepair) epair_one=$(vnet_mkepair) epair_two=$(vnet_mkepair) vnet_mkjail one ${epair_one}a ${epair_sync}a vnet_mkjail two ${epair_two}a ${epair_sync}b # pfsync interface jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up jexec one ifconfig ${epair_one}a 198.51.100.1/24 up jexec one ifconfig pfsync0 \ syncdev ${epair_sync}a \ maxupd 1 \ $defer \ up jexec two ifconfig ${epair_two}a 198.51.100.2/24 up jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up jexec two ifconfig pfsync0 \ syncdev ${epair_sync}b \ maxupd 1 \ $defer \ up # Enable pf! jexec one pfctl -e pft_set_rules one \ "set skip on ${epair_sync}a" \ "pass keep state" jexec two pfctl -e pft_set_rules two \ "set skip on ${epair_sync}b" \ "pass keep state" ifconfig ${epair_one}b 198.51.100.254/24 up ping -c 1 -S 198.51.100.254 198.51.100.1 # Give pfsync time to do its thing sleep 2 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ grep 198.51.100.2 ; then atf_fail "state not found on synced host" fi } basic_cleanup() { pfsynct_cleanup } atf_test_case "defer" "cleanup" defer_head() { atf_set descr 'Defer mode pfsync test' atf_set require.user root } defer_body() { common_body defer } defer_cleanup() { pfsynct_cleanup } atf_init_test_cases() { atf_add_test_case "basic" atf_add_test_case "defer" } Index: head/tests/sys/netpfil/pf/rdr.sh =================================================================== --- head/tests/sys/netpfil/pf/rdr.sh (revision 354144) +++ head/tests/sys/netpfil/pf/rdr.sh (revision 354145) @@ -1,48 +1,73 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "basic" "cleanup" basic_head() { atf_set descr 'Basic rdr test' atf_set require.user root } basic_body() { pft_init epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b ifconfig ${epair}a 192.0.2.2/24 up route add -net 198.51.100.0/24 192.0.2.1 jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 # Enable pf! jexec alcatraz pfctl -e pft_set_rules alcatraz \ "rdr pass on ${epair}b proto tcp from any to 198.51.100.0/24 port 1234 -> 192.0.2.1 port 4321" echo "foo" | jexec alcatraz nc -N -l 4321 & sleep 1 result=$(nc -N -w 3 198.51.100.2 1234) if [ "$result" != "foo" ]; then atf_fail "Redirect failed" fi } basic_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "basic" } Index: head/tests/sys/netpfil/pf/route_to.sh =================================================================== --- head/tests/sys/netpfil/pf/route_to.sh (revision 354144) +++ head/tests/sys/netpfil/pf/route_to.sh (revision 354145) @@ -1,81 +1,106 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic route-to test' atf_set require.user root } v4_body() { pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_route=$(vnet_mkepair) ifconfig ${epair_route}a 203.0.113.1/24 up vnet_mkjail alcatraz ${epair_send}b ${epair_route}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_route}b 203.0.113.2/24 up jexec alcatraz route add -net 198.51.100.0/24 192.0.2.1 jexec alcatraz pfctl -e # Attempt to provoke PR 228782 pft_set_rules alcatraz "block all" "pass user 2" \ "pass out route-to (${epair_route}b 203.0.113.1) from 192.0.2.2 to 198.51.100.1 no state" jexec alcatraz nc -w 3 -s 192.0.2.2 198.51.100.1 22 # atf wants us to not return an error, but our netcat will fail true } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic route-to test (IPv6)' atf_set require.user root } v6_body() { pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled epair_route=$(vnet_mkepair) ifconfig ${epair_route}a inet6 2001:db8:43::1/64 up no_dad -ifdisabled vnet_mkjail alcatraz ${epair_send}b ${epair_route}b jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad jexec alcatraz ifconfig ${epair_route}b inet6 2001:db8:43::2/64 up no_dad jexec alcatraz route add -6 2001:db8:666::/64 2001:db8:42::2 jexec alcatraz pfctl -e # Attempt to provoke PR 228782 pft_set_rules alcatraz "block all" "pass user 2" \ "pass out route-to (${epair_route}b 2001:db8:43::1) from 2001:db8:42::2 to 2001:db8:666::1 no state" jexec alcatraz nc -6 -w 3 -s 2001:db8:42::2 2001:db8:666::1 22 # atf wants us to not return an error, but our netcat will fail true } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/set_skip.sh =================================================================== --- head/tests/sys/netpfil/pf/set_skip.sh (revision 354144) +++ head/tests/sys/netpfil/pf/set_skip.sh (revision 354145) @@ -1,67 +1,92 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "set_skip_group" "cleanup" set_skip_group_head() { atf_set descr 'Basic set skip test' atf_set require.user root } set_skip_group_body() { # See PR 229241 pft_init vnet_mkjail alcatraz jexec alcatraz ifconfig lo0 127.0.0.1/8 up jexec alcatraz ifconfig lo0 group foo jexec alcatraz pfctl -e pft_set_rules alcatraz "set skip on foo" \ "block in proto icmp" jexec alcatraz ifconfig atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 } set_skip_group_cleanup() { pft_cleanup } atf_test_case "set_skip_group_lo" "cleanup" set_skip_group_lo_head() { atf_set descr 'Basic set skip test, lo' atf_set require.user root } set_skip_group_lo_body() { # See PR 229241 pft_init vnet_mkjail alcatraz jexec alcatraz ifconfig lo0 127.0.0.1/8 up jexec alcatraz pfctl -e pft_set_rules alcatraz "set skip on lo" \ "block on lo0" atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 pft_set_rules noflush alcatraz "set skip on lo" \ "block on lo0" atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 jexec alcatraz pfctl -s rules } set_skip_group_lo_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "set_skip_group" atf_add_test_case "set_skip_group_lo" } Index: head/tests/sys/netpfil/pf/set_tos.sh =================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh (revision 354144) +++ head/tests/sys/netpfil/pf/set_tos.sh (revision 354145) @@ -1,99 +1,124 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr common_dir=$(atf_get_srcdir)/../common atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'set-tos test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { if [ `uname -p` = "i386" ]; then atf_skip "https://bugs.freebsd.org/239380" fi pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 jexec alcatraz pfctl -e # No change is done if not requested pft_set_rules alcatraz "scrub out proto icmp" atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # The requested ToS is set pft_set_rules alcatraz "scrub out proto icmp set-tos 42" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # ToS is not changed if the scrub rule does not match pft_set_rules alcatraz "scrub out proto tcp set-tos 42" atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # Multiple scrub rules match as expected pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ "scrub out proto icmp set-tos 14" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 14 # And this works even if the packet already has ToS values set atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 42 \ --expect-tos 14 # ToS values are unmolested if the packets do not match a scrub rule pft_set_rules alcatraz "scrub out proto tcp set-tos 13" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 42 \ --expect-tos 42 } v4_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" } Index: head/tests/sys/netpfil/pf/synproxy.sh =================================================================== --- head/tests/sys/netpfil/pf/synproxy.sh (revision 354144) +++ head/tests/sys/netpfil/pf/synproxy.sh (revision 354145) @@ -1,60 +1,85 @@ # $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2018 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/utils.subr atf_test_case "synproxy" "cleanup" synproxy_head() { atf_set descr 'Basic synproxy test' atf_set require.user root } synproxy_body() { atf_skip "Kernel panics when flushing epair queue (bug238870)" pft_init epair=$(vnet_mkepair) ifconfig ${epair}a 192.0.2.1/24 up route add -net 198.51.100.0/24 192.0.2.2 link=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b ${link}a jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up jexec alcatraz ifconfig ${link}a 198.51.100.1/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 vnet_mkjail singsing ${link}b jexec singsing ifconfig ${link}b 198.51.100.2/24 up jexec singsing route add default 198.51.100.1 jexec singsing /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf jexec alcatraz pfctl -e pft_set_rules alcatraz "set fail-policy return" \ "scrub in all fragment reassemble" \ "pass out quick on ${epair}b all no state allow-opts" \ "pass in quick on ${epair}b proto tcp from any to any port 7 synproxy state" \ "pass in quick on ${epair}b all no state" # Sanity check, can we ping singing atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2 # Check that we can talk to the singsing jail, after synproxying reply=$(echo ping | nc -N 198.51.100.2 7) if [ "${reply}" != "ping" ]; then atf_fail "echo failed" fi } synproxy_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "synproxy" } Index: head/tests/sys/netpfil/pf/utils.subr =================================================================== --- head/tests/sys/netpfil/pf/utils.subr (revision 354144) +++ head/tests/sys/netpfil/pf/utils.subr (revision 354145) @@ -1,57 +1,81 @@ # $FreeBSD$ # Utility functions ## +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2017 Kristof Provost +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. . $(atf_get_srcdir)/../../common/vnet.subr pft_init() { vnet_init if [ ! -c /dev/pf ]; then atf_skip "This test requires pf" fi } pfsynct_init() { pft_init if ! kldstat -q -m pfsync; then atf_skip "This test requires pfsync" fi } pft_set_rules() { jname=$1 shift if [ $jname == "noflush" ]; then jname=$1 shift else # Flush all states, rules, fragments, ... jexec ${jname} pfctl -F all fi while [ $# -gt 0 ]; do printf "$1\n" shift done | jexec ${jname} pfctl -f - if [ $? -ne 0 ]; then atf_fail "Failed to set PF rules in ${jname}" fi } pft_cleanup() { vnet_cleanup } pfsynct_cleanup() { pft_cleanup }