3 . $(atf_get_srcdir)/utils.subr
# Test case "v4": basic pf pass/block behaviour over IPv4. The second argument
# declares that the case has a cleanup routine (not shown in this listing).
5 atf_test_case "v4" "cleanup"
8 atf_set descr 'Basic pass/block test for IPv4'
# Root is required: the body configures interfaces, enters a jail and runs pfctl.
9 atf_set require.user root
# NOTE(review): ${epair} is assigned on a line this listing omits.
# 192.0.2.0/24 is the RFC 5737 documentation range, so the addresses used here
# cannot collide with real hosts.
17 ifconfig ${epair}a 192.0.2.1/24 up
19 # Set up a simple jail with one interface
# pft_mkjail comes from utils.subr; presumably it creates the jail "alcatraz"
# and hands it ${epair}b -- confirm against the helper.
20 pft_mkjail alcatraz ${epair}b
21 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
23 # Trivial ping to the jail, without pf
# Connectivity baseline: if this fails, the later results say nothing about pf.
# -c 1 sends a single echo request, -t 1 gives up after one second.
24 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
26 # pf without policy will let us ping
# Enabling pf with no ruleset loaded filters nothing: the implicit default is
# to pass, which is what this check pins down.
27 jexec alcatraz pfctl -e
28 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# Load a ruleset that blocks all inbound traffic (pft_set_rules is a helper
# from utils.subr; presumably it replaces the jail's ruleset -- confirm).
# exit:2 is ping's "sent, but no reply received" status, so the check does not
# pass merely because ping failed for an unrelated reason.
31 pft_set_rules alcatraz "block in"
32 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
34 # Block everything but ICMP
# pf applies the last matching rule (neither rule uses "quick"), so the later
# pass rule overrides "block in" for ICMP only.
35 pft_set_rules alcatraz "block in" "pass in proto icmp"
36 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# Test case "v6": the same pass/block sequence over IPv6, plus a check that an
# IPv4 ICMP rule does not admit ICMPv6. The second argument declares a cleanup
# routine (not shown in this listing).
44 atf_test_case "v6" "cleanup"
47 atf_set descr 'Basic pass/block test for IPv6'
# Root is required: the body configures interfaces, enters a jail and runs pfctl.
48 atf_set require.user root
# NOTE(review): ${epair} is assigned on a line this listing omits.
# 2001:db8::/32 is the RFC 3849 documentation prefix. no_dad turns off
# duplicate address detection, presumably so the address is usable at once.
56 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
58 # Set up a simple jail with one interface
# pft_mkjail comes from utils.subr; presumably it creates the jail "alcatraz"
# and hands it ${epair}b -- confirm against the helper.
59 pft_mkjail alcatraz ${epair}b
60 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
62 # Trivial ping to the jail, without pf
# Connectivity baseline: if this fails, the later results say nothing about pf.
63 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
65 # pf without policy will let us ping
# Enabling pf with no ruleset loaded filters nothing: the implicit default is
# to pass, which is what this check pins down.
66 jexec alcatraz pfctl -e
67 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Load a ruleset that blocks all inbound traffic (pft_set_rules is a helper
# from utils.subr; presumably it replaces the jail's ruleset -- confirm).
# The check expects exit status 2 exactly, not just any failure.
70 pft_set_rules alcatraz "block in"
71 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
73 # Block everything but ICMP
# pf applies the last matching rule (neither rule uses "quick"), so the later
# pass rule overrides "block in" for ICMPv6 only. Neighbour discovery is also
# ICMPv6, so this rule admits it along with the echo request.
74 pft_set_rules alcatraz "block in" "pass in proto icmp6"
75 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
77 # Allowing ICMPv4 does not allow ICMPv6
# "proto icmp" and "proto icmp6" are distinct protocols to pf; a dual-stack
# ruleset has to name both, and this check guards against one implying the other.
78 pft_set_rules alcatraz "block in" "pass in proto icmp"
79 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Register both test cases with the ATF runner. This is normally done inside
# atf_init_test_cases, whose header this listing does not show.
89 atf_add_test_case "v4"
90 atf_add_test_case "v6"