# Pull in the shared test helpers. The pft_* and vnet_* functions called below
# are not defined in this listing, so they presumably come from utils.subr.
3 . $(atf_get_srcdir)/utils.subr
# Directory the pft_ping.py helper is run from: ../common relative to this
# test's own source directory.
5 common_dir=$(atf_get_srcdir)/../common
# IPv4 test case, declared with a cleanup part. The listing skips several
# gutter numbers here (8-9, 15-20), so the function header and brace lines are
# not visible; the atf_set calls below are presumably the head of the case.
7 atf_test_case "v4" "cleanup"
10 atf_set descr 'Basic forwarding test'
# Root is required: the case configures interfaces, a sysctl, a route and pf.
11 atf_set require.user root
13 # We need scapy to be installed for our test scripts to work
14 atf_set require.progs scapy
# Topology: the host sends on ${epair_send}a, the jail "alcatraz" holds the two
# "b" ends and acts as the router, and the host listens on ${epair_recv}a.
# Every address is taken from the documentation ranges 192.0.2.0/24 and
# 198.51.100.0/24 (RFC 5737), so the test cannot collide with real networks.
21 epair_send=$(vnet_mkepair)
22 ifconfig ${epair_send}a 192.0.2.1/24 up
# The host's receive end is only brought up and gets no address here.
24 epair_recv=$(vnet_mkepair)
25 ifconfig ${epair_recv}a up
27 vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
28 jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
29 jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
# Forwarding is switched on inside the jail only.
30 jexec alcatraz sysctl net.inet.ip.forwarding=1
# Static ARP entry for 198.51.100.3 so the jail can emit the forwarded frame
# without resolving the address. No visible line assigns 198.51.100.3 to an
# interface; presumably nothing would answer ARP for it (confirm).
31 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
# Host route: reach 198.51.100.0/24 through the jail's send-side address.
32 route add -net 198.51.100.0/24 192.0.2.2
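# Baseline before pf is enabled: the echo request must be forwarded (exit:0).
# Without this baseline, the exit:1 expectations further down could be met by
# a broken setup rather than by the firewall.
# The helper is called through ${common_dir}, like every other pft_ping.py
# call in this file; this one call pointed at $(atf_get_srcdir) instead.
# The listing omits the line with gutter number 37 inside this command.
34 # Sanity check, can we forward ICMP echo requests without pf?
35 atf_check -s exit:0 ${common_dir}/pft_ping.py \
36 --sendif ${epair_send}a \
38 --recvif ${epair_recv}a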
# Enable pf inside the jail. Each step below loads a rule set with
# pft_set_rules and repeats the same ping with a new expected exit status.
40 jexec alcatraz pfctl -e
# A forwarded packet is filtered inbound on the send-side interface and
# outbound on the receive-side one, so "block in" alone and "block out" alone
# are each expected to stop it (exit:1).
# NOTE(review): exit:1 only shows that pft_ping.py failed. Its exit codes are
# not visible here, so confirm that an unrelated script error cannot also
# return 1 and satisfy these negative checks.
42 # Forward with pf enabled
43 pft_set_rules alcatraz "block in"
44 atf_check -s exit:1 ${common_dir}/pft_ping.py \
45 --sendif ${epair_send}a \
47 --recvif ${epair_recv}a
# The listing omits the last lines of the next check (gutter 52-53), so its
# remaining arguments are not visible.
49 pft_set_rules alcatraz "block out"
50 atf_check -s exit:1 ${common_dir}/pft_ping.py \
51 --sendif ${epair_send}a \
# Without "quick", pf applies the last matching rule, so the later
# "pass in proto icmp" overrides "block in" for ICMP and the ping is expected
# to succeed (exit:0).
56 pft_set_rules alcatraz "block in" "pass in proto icmp"
57 atf_check -s exit:0 ${common_dir}/pft_ping.py \
58 --sendif ${epair_send}a \
60 --recvif ${epair_recv}a
# IPv6 test case, declared with a cleanup part. The listing skips gutter
# numbers 69-70 and 74-79, so the function header and brace lines are not
# visible; the atf_set calls are presumably the head of the case.
68 atf_test_case "v6" "cleanup"
71 atf_set descr 'Basic IPv6 forwarding test'
# Same requirements as the IPv4 case: root and scapy.
72 atf_set require.user root
73 atf_set require.progs scapy
# Same topology as the IPv4 case, with addresses from the IPv6 documentation
# prefix 2001:db8::/32 (RFC 3849).
80 epair_send=$(vnet_mkepair)
81 epair_recv=$(vnet_mkepair)
# no_dad skips duplicate address detection on the interface; -ifdisabled
# clears the flag that keeps IPv6 disabled on it.
83 ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
84 ifconfig ${epair_recv}a up
86 vnet_mkjail alcatraz ${epair_send}b ${epair_recv}b
88 jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
89 jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
# IPv6 forwarding is switched on inside the jail only.
90 jexec alcatraz sysctl net.inet6.ip6.forwarding=1
# Static neighbour entry for the destination, so the jail can forward to
# 2001:db8:43::3 without neighbour discovery.
91 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
# Host route: reach 2001:db8:43::/64 through the jail's send-side address.
92 route add -6 2001:db8:43::/64 2001:db8:42::2
# Baseline before pf is enabled: the echo request must be forwarded (exit:0).
# Several atf_check commands in this run have a gutter gap between their
# visible lines (96, 98, 107, 116, 126, 136), so one argument line of each
# is not visible.
94 # Sanity check, can we forward ICMP echo requests without pf?
95 atf_check -s exit:0 ${common_dir}/pft_ping.py \
97 --sendif ${epair_send}a \
99 --recvif ${epair_recv}a
# Enable pf inside the jail; the checks below swap rule sets and repeat the
# same ping.
101 jexec alcatraz pfctl -e
# These rules match ICMPv6 echo requests only and leave other ICMPv6 types
# alone.
# NOTE(review): as in the IPv4 case, exit:1 only shows that pft_ping.py
# failed; confirm that an unrelated script error cannot also return 1.
103 # Block incoming echo request packets
104 pft_set_rules alcatraz \
105 "block in inet6 proto icmp6 icmp6-type echoreq"
106 atf_check -s exit:1 ${common_dir}/pft_ping.py \
108 --sendif ${epair_send}a \
109 --to 2001:db8:43::3 \
110 --recvif ${epair_recv}a
112 # Block outgoing echo request packets
113 pft_set_rules alcatraz \
114 "block out inet6 proto icmp6 icmp6-type echoreq"
# "-e ignore" leaves stderr unchecked for this one call; no other check in
# this file passes it.
115 atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
117 --sendif ${epair_send}a \
118 --to 2001:db8:43::3 \
119 --recvif ${epair_recv}a
# Only the pass rule of this rule set is visible; the line with gutter number
# 123 is omitted. It presumably holds the rule that makes this "nothing else".
121 # Allow ICMPv6 but nothing else
122 pft_set_rules alcatraz \
124 "pass out inet6 proto icmp6"
125 atf_check -s exit:0 ${common_dir}/pft_ping.py \
127 --sendif ${epair_send}a \
128 --to 2001:db8:43::3 \
129 --recvif ${epair_recv}a
# pf treats icmp and icmp6 as different protocols, so a rule for one does not
# match the other. The visible rule ends in a continuation onto the omitted
# line with gutter number 134, presumably the ICMPv4 pass rule the comment
# refers to (confirm).
131 # Allowing ICMPv4 does not allow ICMPv6
132 pft_set_rules alcatraz \
133 "block out inet6 proto icmp6 icmp6-type echoreq" \
135 atf_check -s exit:1 ${common_dir}/pft_ping.py \
137 --sendif ${epair_send}a \
138 --to 2001:db8:43::3 \
139 --recvif ${epair_recv}a
# Registers the "v4" and "v6" test cases with ATF. The listing omits the
# brace lines around the two calls (gutter numbers 148 and 151 are skipped).
147 atf_init_test_cases()
149 atf_add_test_case "v4"
150 atf_add_test_case "v6"