3 . $(atf_get_srcdir)/utils.subr
# Declares the "v4" test case; the "cleanup" argument tells atf-sh that the
# case has a cleanup routine (its definition is not part of this listing).
5 atf_test_case "v4" "cleanup"
# NOTE(review): listing lines 6-7 are absent; the atf_set calls below
# presumably sit inside the test case's head function.
8 atf_set descr 'Basic forwarding test'
# Root is needed because the body creates interfaces and a jail, changes
# sysctls, edits the ARP and routing tables and loads pf rules.
9 atf_set require.user root
11 # We need scapy to be installed for our test scripts to work
12 atf_set require.progs scapy
# IPv4 forwarding test: the jail "alcatraz" is the router/firewall under test.
# Topology (addresses come from the RFC 5737 documentation ranges):
#   host ${epair_send}a 192.0.2.1  <->  ${epair_send}b 192.0.2.2   (jail)
#   jail ${epair_recv}b 198.51.100.2  <->  ${epair_recv}a           (host, no address)
# The host injects probes on the send side and watches the receive side.
# NOTE(review): the gutter numbers skip lines (13-18, 35, 44, 50-53, 57, ...),
# so the function header and some continuation lines of the atf_check calls
# (presumably the --to destination) are not visible in this listing.
19 epair_send=$(pft_mkepair)
20 ifconfig ${epair_send}a 192.0.2.1/24 up
22 epair_recv=$(pft_mkepair)
23 ifconfig ${epair_recv}a up
# Both "b" ends are moved into the jail, so traffic between the two host-side
# interfaces has to be forwarded by the jail.
25 pft_mkjail alcatraz ${epair_send}b ${epair_recv}b
26 jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
27 jexec alcatraz ifconfig ${epair_recv}b 198.51.100.2/24 up
# Forwarding is switched on inside the jail only.
28 jexec alcatraz sysctl net.inet.ip.forwarding=1
# Static ARP entry for 198.51.100.3. No interface in this listing owns that
# address, so presumably it lets the jail emit forwarded packets without
# waiting for ARP resolution -- TODO confirm against pft_ping.py.
29 jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
# Host route: reach the receive-side network through the jail.
30 route add -net 198.51.100.0/24 192.0.2.2
# Baseline with pf disabled. It makes the later exit:1 expectations meaningful:
# a broken setup fails here instead of being mistaken for a working block rule.
# Only -s is given, so atf_check's default stdout/stderr expectations apply too.
32 # Sanity check, can we forward ICMP echo requests without pf?
33 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
34 --sendif ${epair_send}a \
36 --recvif ${epair_recv}a
# Enable pf inside the jail.
38 jexec alcatraz pfctl -e
40 # Forward with pf enabled
# "block in": the probe should be dropped when it enters the jail.
# NOTE(review): exit:1 is taken to mean "no packet seen on recvif"; verify that
# pft_ping.py does not return 1 for unrelated failures as well, otherwise a
# block test could pass for the wrong reason.
41 pft_set_rules alcatraz "block in"
42 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
43 --sendif ${epair_send}a \
45 --recvif ${epair_recv}a
# "block out": forwarded packets must also be filtered on the way out of the jail.
47 pft_set_rules alcatraz "block out"
48 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
49 --sendif ${epair_send}a \
# pf applies the last matching rule (no "quick" is used), so the ICMP pass rule
# overrides the preceding "block in" -- assuming pft_set_rules loads the rules
# in the order given.
54 pft_set_rules alcatraz "block in" "pass in proto icmp"
55 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
56 --sendif ${epair_send}a \
58 --recvif ${epair_recv}a
# Declares the "v6" test case; the "cleanup" argument tells atf-sh that the
# case has a cleanup routine (its definition is not part of this listing).
66 atf_test_case "v6" "cleanup"
# NOTE(review): listing lines 67-68 are absent; the atf_set calls below
# presumably sit inside the test case's head function.
69 atf_set descr 'Basic IPv6 forwarding test'
# Root is needed because the body creates interfaces and a jail, changes
# sysctls, edits the NDP and routing tables and loads pf rules.
70 atf_set require.user root
# scapy is required by the pft_ping.py probe script the body runs.
71 atf_set require.progs scapy
# IPv6 forwarding test: the jail "alcatraz" is the router/firewall under test.
# Topology (addresses come from the 2001:db8::/32 documentation prefix):
#   host ${epair_send}a 2001:db8:42::1  <->  ${epair_send}b 2001:db8:42::2  (jail)
#   jail ${epair_recv}b 2001:db8:43::2  <->  ${epair_recv}a                  (host, no address)
# NOTE(review): the gutter numbers skip lines (72-77, 94, 105, 121, 132, ...),
# so the function header, some atf_check continuation lines and at least two
# rule strings are not visible in this listing.
78 epair_send=$(pft_mkepair)
79 epair_recv=$(pft_mkepair)
# no_dad skips duplicate address detection so the address is usable at once;
# -ifdisabled clears the flag that would keep IPv6 disabled on the interface.
81 ifconfig ${epair_send}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
82 ifconfig ${epair_recv}a up
# Both "b" ends are moved into the jail, so traffic between the two host-side
# interfaces has to be forwarded by the jail.
84 pft_mkjail alcatraz ${epair_send}b ${epair_recv}b
86 jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 up no_dad
87 jexec alcatraz ifconfig ${epair_recv}b inet6 2001:db8:43::2/64 up no_dad
# Forwarding is switched on inside the jail only.
88 jexec alcatraz sysctl net.inet6.ip6.forwarding=1
# Static neighbour entry for the probe destination 2001:db8:43::3. No interface
# in this listing owns that address, so presumably it lets the jail forward
# without neighbour discovery -- TODO confirm against pft_ping.py.
89 jexec alcatraz ndp -s 2001:db8:43::3 00:01:02:03:04:05
# Host route: reach the receive-side prefix through the jail.
90 route add -6 2001:db8:43::/64 2001:db8:42::2
# Baseline with pf disabled. It makes the later exit:1 expectations meaningful:
# a broken setup fails here instead of being mistaken for a working block rule.
92 # Sanity check, can we forward ICMP echo requests without pf?
93 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
95 --sendif ${epair_send}a \
97 --recvif ${epair_recv}a
# Enable pf inside the jail.
99 jexec alcatraz pfctl -e
# NOTE(review): exit:1 is taken to mean "no packet seen on recvif"; verify that
# pft_ping.py does not return 1 for unrelated failures as well, otherwise a
# block test could pass for the wrong reason.
101 # Block incoming echo request packets
102 pft_set_rules alcatraz \
103 "block in inet6 proto icmp6 icmp6-type echoreq"
104 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
106 --sendif ${epair_send}a \
107 --to 2001:db8:43::3 \
108 --recvif ${epair_recv}a
# Same probe, filtered on the way out of the jail. This is the only check that
# passes "-e ignore", i.e. stderr output from the script is tolerated here.
110 # Block outgoing echo request packets
111 pft_set_rules alcatraz \
112 "block out inet6 proto icmp6 icmp6-type echoreq"
113 atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
115 --sendif ${epair_send}a \
116 --to 2001:db8:43::3 \
117 --recvif ${epair_recv}a
119 # Allow ICMPv6 but nothing else
# NOTE(review): only the pass rule is visible; listing line 121 is absent, so
# the rule that enforces "nothing else" (presumably a block) is not shown.
120 pft_set_rules alcatraz \
122 "pass out inet6 proto icmp6"
123 atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
125 --sendif ${epair_send}a \
126 --to 2001:db8:43::3 \
127 --recvif ${epair_recv}a
129 # Allowing ICMPv4 does not allow ICMPv6
# NOTE(review): the visible rule blocks ICMPv6 echo requests and ends in a line
# continuation; listing line 132 is absent, so the IPv4 ICMP pass rule that the
# comment above refers to is presumably on the missing line.
130 pft_set_rules alcatraz \
131 "block out inet6 proto icmp6 icmp6-type echoreq" \
133 atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
135 --sendif ${epair_send}a \
136 --to 2001:db8:43::3 \
137 --recvif ${epair_recv}a
# Registration hook that atf-sh calls to learn which test cases this file provides.
# NOTE(review): the braces around the body (listing lines 146 and 149) are not
# shown in this listing.
145 atf_init_test_cases()
# Registers both the IPv4 and the IPv6 forwarding cases declared in this file.
147 atf_add_test_case "v4"
148 atf_add_test_case "v6"