3 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
5 # Copyright (c) 2018 Kristof Provost <kp@FreeBSD.org>
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
10 # 1. Redistributions of source code must retain the above copyright
11 # notice, this list of conditions and the following disclaimer.
12 # 2. Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
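# Pull in the shared pf test helpers (pft_set_rules, vnet_mkjail, vnet_mkepair, ...
# used by the test bodies below are expected to come from this file).
# Quote the command substitution so a source directory containing whitespace
# cannot be word-split into several arguments of '.'.
. "$(atf_get_srcdir)/utils.subr"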
# Declare test case "v4" (IPv4 pass/block); the "cleanup" argument tells atf-sh to
# run a v4_cleanup routine after the body, in addition to v4_head/v4_body.
atf_test_case "v4" "cleanup"
33 atf_set descr 'Basic pass/block test for IPv4'
34 atf_set require.user root
42 ifconfig ${epair}a 192.0.2.1/24 up
44 # Set up a simple jail with one interface
45 vnet_mkjail alcatraz ${epair}b
46 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
48 # Trivial ping to the jail, without pf
49 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# pf enabled with an empty ruleset: nothing matches, the default action is pass, so ping still succeeds
52 jexec alcatraz pfctl -e
53 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
56 pft_set_rules alcatraz "block in"
57 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
# Block everything but ICMP; pf is last-match (no 'quick'), so the later 'pass in proto icmp' overrides 'block in' for ICMP only
60 pft_set_rules alcatraz "block in" "pass in proto icmp"
61 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# Declare test case "v6" (IPv6 pass/block); "cleanup" registers a v6_cleanup routine
# that atf-sh runs after v6_body.
atf_test_case "v6" "cleanup"
72 atf_set descr 'Basic pass/block test for IPv6'
73 atf_set require.user root
81 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
83 # Set up a simple jail with one interface
84 vnet_mkjail alcatraz ${epair}b
85 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
87 # Trivial ping to the jail, without pf
88 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# pf enabled with an empty ruleset: nothing matches, the default action is pass, so ping6 still succeeds
91 jexec alcatraz pfctl -e
92 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
95 pft_set_rules alcatraz "block in"
96 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Block everything but ICMPv6 ('proto icmp6'); by last-match semantics the later pass rule wins for ICMPv6 only
99 pft_set_rules alcatraz "block in" "pass in proto icmp6"
100 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Allowing ICMPv4 does not allow ICMPv6: 'proto icmp' (IP protocol 1) must not match ICMPv6 (protocol 58), so ping6 has to stay blocked
103 pft_set_rules alcatraz "block in" "pass in proto icmp"
104 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Declare test case "noalias" (the ':0' interface modifier); "cleanup" registers a
# noalias_cleanup routine. Note that this case is not added in atf_init_test_cases below.
atf_test_case "noalias" "cleanup"
115 atf_set descr 'Test the :0 noalias option'
116 atf_set require.user root
123 epair=$(vnet_mkepair)
124 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
126 vnet_mkjail alcatraz ${epair}b
127 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
129 linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \
131 | awk '{ print $2; }' \
135 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 2001:db8:42::2
136 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
138 jexec alcatraz pfctl -e
139 pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any"
141 atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 2001:db8:42::2
# With ':0' interface aliases are excluded from the expansion, so the link-local address is not covered by the block rule and must remain reachable
144 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
146 pft_set_rules alcatraz "block out inet6 from (${epair}b) to any"
# Without ':0' every address on the interface, including the link-local one, is expanded into the block rule, so this ping must fail
149 atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
# Declare test case "nested_inline" (nested inline anchors, PR196314); "cleanup"
# registers the nested_inline_cleanup routine defined further down.
atf_test_case "nested_inline" "cleanup"
160 atf_set descr "Test nested inline anchors, PR196314"
161 atf_set require.user root
168 epair=$(vnet_mkepair)
169 ifconfig ${epair}a inet 192.0.2.1/24 up
171 vnet_mkjail alcatraz ${epair}b
172 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
174 jexec alcatraz pfctl -e
175 pft_set_rules alcatraz \
178 "pass in quick proto tcp to port time" \
180 "pass in quick proto icmp" \
184 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
187 nested_inline_cleanup()
192 atf_init_test_cases()
194 atf_add_test_case "v4"
195 atf_add_test_case "v6"
#atf_add_test_case "noalias"	# XXX: the "noalias" case is defined above but never registered; the reason it is disabled is not recorded here
197 atf_add_test_case "nested_inline"