Index: head/tests/sys/netinet6/exthdr.sh
===================================================================
--- head/tests/sys/netinet6/exthdr.sh (revision 354552)
+++ head/tests/sys/netinet6/exthdr.sh (revision 354553)
@@ -1,129 +1,124 @@ # $FreeBSD$ #- # SPDX-License-Identifier: BSD-2-Clause # # Copyright (c) 2019 Netflix, Inc. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # . 
$(atf_get_srcdir)/../common/vnet.subr atf_test_case "exthdr" "cleanup" exthdr_head() { atf_set descr 'Test IPv6 extension header code paths' atf_set require.user root atf_set require.progs scapy } exthdr_body() { - if [ "$(atf_config_get ci false)" = "true" ] && \ - [ "$(uname -p)" = "i386" ]; then - atf_skip "https://bugs.freebsd.org/241493" - fi - ids=65533 id=`printf "%x" ${ids}` if [ $$ -gt 65535 ]; then xl=`printf "%x" $(($$ - 65535))` yl="1" else xl=`printf "%x" $$` yl="" fi vnet_init ip6a="2001:db8:6666:0000:${yl}:${id}:1:${xl}" ip6b="2001:db8:6666:0000:${yl}:${id}:2:${xl}" epair=$(vnet_mkepair) ifconfig ${epair}a up ifconfig ${epair}a inet6 ${ip6a}/64 jname="v6t-${id}-${yl}-${xl}" vnet_mkjail ${jname} ${epair}b jexec ${jname} ifconfig ${epair}b up jexec ${jname} ifconfig ${epair}b inet6 ${ip6b}/64 # Let IPv6 ND do its thing. #ping6 -q -c 1 ff02::1%${epair}a #ping6 -q -c 1 ${ip6b} sleep 3 # Clear statistics. jexec ${jname} netstat -z -s > /dev/null # Run extension header tests. pyname=$(atf_get ident) pyname=${pyname%*_[0-9]} atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --hbh atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --rh atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --frag6 atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --dest atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --hbh --dest atf_check -s exit:1 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} \ --dest --hbhbad } exthdr_cleanup() { vnet_cleanup } 
atf_init_test_cases() { atf_add_test_case "exthdr" } # end Index: head/tests/sys/netinet6/scapyi386.sh =================================================================== --- head/tests/sys/netinet6/scapyi386.sh (revision 354552) +++ head/tests/sys/netinet6/scapyi386.sh (revision 354553) 
@@ -1,94 +1,89 @@ # $FreeBSD$ #- # SPDX-License-Identifier: BSD-2-Clause # # Copyright (c) 2019 Netflix, Inc. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # . 
$(atf_get_srcdir)/../common/vnet.subr atf_test_case "scapyi386" "cleanup" scapyi386_head() { atf_set descr 'Test for correct Ethernet Destination MAC address' atf_set require.user root atf_set require.progs scapy } scapyi386_body() { - if [ "$(atf_config_get ci false)" = "true" ] && \ - [ "$(uname -p)" = "i386" ]; then - atf_skip "https://bugs.freebsd.org/239380" - fi - ids=65533 id=`printf "%x" ${ids}` if [ $$ -gt 65535 ]; then xl=`printf "%x" $(($$ - 65535))` yl="1" else xl=`printf "%x" $$` yl="" fi vnet_init ip6a="2001:db8:6666:0000:${yl}:${id}:1:${xl}" ip6b="2001:db8:6666:0000:${yl}:${id}:2:${xl}" epair=$(vnet_mkepair) ifconfig ${epair}a up ifconfig ${epair}a inet6 ${ip6a}/64 jname="v6t-${id}-${yl}-${xl}" vnet_mkjail ${jname} ${epair}b jexec ${jname} ifconfig ${epair}b up jexec ${jname} ifconfig ${epair}b inet6 ${ip6b}/64 # Let IPv6 ND do its thing. #ping6 -q -c 1 ff02::1%${epair}a #ping6 -q -c 1 ${ip6b} sleep 3 pyname=$(atf_get ident) pyname=${pyname%*_[0-9]} atf_check -s exit:0 $(atf_get_srcdir)/${pyname}.py \ --sendif ${epair}a --recvif ${epair}a \ --src ${ip6a} --to ${ip6b} } scapyi386_cleanup() { vnet_cleanup } atf_init_test_cases() { atf_add_test_case "scapyi386" } # end Index: head/tests/sys/netpfil/common/forward.sh =================================================================== --- head/tests/sys/netpfil/common/forward.sh (revision 354552) +++ head/tests/sys/netpfil/common/forward.sh (revision 354553) 
@@ -1,105 +1,101 @@ #- # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2019 Ahsan Barkati # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # . $(atf_get_srcdir)/utils.subr . 
$(atf_get_srcdir)/runner.subr v4_head() { atf_set descr 'Basic forwarding test' atf_set require.user root atf_set require.progs scapy } v4_body() { firewall=$1 - if [ "$(atf_config_get ci false)" = "true" ] && \ - [ "$(uname -p)" = "i386" ] && [ "${firewall}" = "pf" ]; then - atf_skip "https://bugs.freebsd.org/240085" - fi firewall_init $firewall epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail iron ${epair_send}b ${epair_recv}b jexec iron ifconfig ${epair_send}b 192.0.2.2/24 up jexec iron ifconfig ${epair_recv}b 198.51.100.2/24 up jexec iron sysctl net.inet.ip.forwarding=1 jexec iron arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a firewall_config "iron" ${firewall} \ "pf" \ "block in" \ "ipfw" \ "ipfw -q add 100 deny all from any to any in" \ "ipf" \ "block in all" \ atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a firewall_config "iron" ${firewall} \ "pf" \ "block out" \ "ipfw" \ "ipfw -q add 100 deny all from any to any out" \ "ipf" \ "block out all" \ atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a } v4_cleanup() { firewall=$1 firewall_cleanup $firewall } setup_tests \ v4 \ pf \ ipfw \ ipf Index: head/tests/sys/netpfil/common/tos.sh =================================================================== --- head/tests/sys/netpfil/common/tos.sh (revision 354552) +++ head/tests/sys/netpfil/common/tos.sh (revision 354553) 
@@ -1,122 +1,118 @@ #- # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2019 Ahsan Barkati # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # . $(atf_get_srcdir)/utils.subr . 
$(atf_get_srcdir)/runner.subr tos_head() { atf_set descr 'set-tos test' atf_set require.user root atf_set require.progs scapy } tos_body() { firewall=$1 - if [ "$(atf_config_get ci false)" = "true" ] && \ - [ "$(uname -p)" = "i386" ] && [ "${firewall}" = "pf" ]; then - atf_skip "https://bugs.freebsd.org/240086" - fi firewall_init $firewall epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail iron ${epair_send}b ${epair_recv}b jexec iron ifconfig ${epair_send}b 192.0.2.2/24 up jexec iron ifconfig ${epair_recv}b 198.51.100.2/24 up jexec iron sysctl net.inet.ip.forwarding=1 jexec iron arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 # Check if the firewall is able to set the ToS bits firewall_config "iron" ${firewall} \ "pf" \ "scrub out proto icmp set-tos 36" \ "ipfw" \ "ipfw -q add 100 setdscp 9 ip from any to any" # dscp is set to 9 because last two bits are for # EN and hence tos would be 36 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 36 # Check if the firewall is able to set the ToS bits # and persists the EN bits (if already set) firewall_config "iron" ${firewall} \ "pf" \ "scrub out proto icmp set-tos 36" \ "ipfw" \ "ipfw -q add 100 setdscp 9 ip from any to any" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 3 \ --expect-tos 39 # Check if the firewall is able to filter the # packets based on the ToS value firewall_config "iron" ${firewall} \ "pf" \ "block all tos 36" \ "ipfw" \ "ipfw -q add 100 deny all from any to any dscp 9" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 36 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif 
${epair_recv}a \ --send-tos 32 } tos_cleanup() { firewall=$1 firewall_cleanup $firewall } setup_tests \ "tos" \ "pf" \ "ipfw" Index: head/tests/sys/netpfil/pf/forward.sh =================================================================== --- head/tests/sys/netpfil/pf/forward.sh (revision 354552) +++ head/tests/sys/netpfil/pf/forward.sh (revision 354553) 
@@ -1,184 +1,176 @@ # $FreeBSD$ # # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2017 Kristof Provost # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. . 
$(atf_get_srcdir)/utils.subr common_dir=$(atf_get_srcdir)/../common atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'Basic forwarding test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { - if [ `uname -p` = "i386" ]; then - atf_skip "https://bugs.freebsd.org/239380" - fi - pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Forward with pf enabled pft_set_rules alcatraz "block in" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a pft_set_rules alcatraz "block out" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a } v4_cleanup() { pft_cleanup } atf_test_case "v6" "cleanup" v6_head() { atf_set descr 'Basic IPv6 forwarding test' atf_set require.user root atf_set require.progs scapy } v6_body() { - if [ `uname -p` = "i386" ]; then - atf_skip "https://bugs.freebsd.org/239380" - fi - pft_init epair_send=$(vnet_mkepair) epair_recv=$(vnet_mkepair) ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b 
jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad jexec alcatraz sysctl net.inet6.ip6.forwarding=1 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05 route add -6 2001:db8:43::/64 2001:db8:42::2 # Sanity check, can we forward ICMP echo requests without pf? atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a jexec alcatraz pfctl -e # Block incoming echo request packets pft_set_rules alcatraz \ "block in inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Block outgoing echo request packets pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allow ICMPv6 but nothing else pft_set_rules alcatraz \ "block out" \ "pass out inet6 proto icmp6" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a # Allowing ICMPv4 does not allow ICMPv6 pft_set_rules alcatraz \ "block out inet6 proto icmp6 icmp6-type echoreq" \ "pass in proto icmp" atf_check -s exit:1 ${common_dir}/pft_ping.py \ --ip6 \ --sendif ${epair_send}a \ --to 2001:db8:43::3 \ --recvif ${epair_recv}a } v6_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" atf_add_test_case "v6" } Index: head/tests/sys/netpfil/pf/set_tos.sh =================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh (revision 354552) +++ head/tests/sys/netpfil/pf/set_tos.sh (revision 354553) 
@@ -1,124 +1,120 @@ # $FreeBSD$ # # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2017 Kristof Provost # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. . 
$(atf_get_srcdir)/utils.subr common_dir=$(atf_get_srcdir)/../common atf_test_case "v4" "cleanup" v4_head() { atf_set descr 'set-tos test' atf_set require.user root # We need scapy to be installed for out test scripts to work atf_set require.progs scapy } v4_body() { - if [ `uname -p` = "i386" ]; then - atf_skip "https://bugs.freebsd.org/239380" - fi - pft_init epair_send=$(vnet_mkepair) ifconfig ${epair_send}a 192.0.2.1/24 up epair_recv=$(vnet_mkepair) ifconfig ${epair_recv}a up vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up jexec alcatraz sysctl net.inet.ip.forwarding=1 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 jexec alcatraz pfctl -e # No change is done if not requested pft_set_rules alcatraz "scrub out proto icmp" atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # The requested ToS is set pft_set_rules alcatraz "scrub out proto icmp set-tos 42" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # ToS is not changed if the scrub rule does not match pft_set_rules alcatraz "scrub out proto tcp set-tos 42" atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 42 # Multiple scrub rules match as expected pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ "scrub out proto icmp set-tos 14" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --expect-tos 14 # And this works even if the packet already has ToS values set atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 42 \ --expect-tos 
14 # ToS values are unmolested if the packets do not match a scrub rule pft_set_rules alcatraz "scrub out proto tcp set-tos 13" atf_check -s exit:0 ${common_dir}/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a \ --send-tos 42 \ --expect-tos 42 } v4_cleanup() { pft_cleanup } atf_init_test_cases() { atf_add_test_case "v4" }