3 . $(atf_get_srcdir)/utils.subr
5 atf_test_case "v4" "cleanup"
8 atf_set descr 'Basic pass/block test for IPv4'
9 atf_set require.user root
17 ifconfig ${epair}a 192.0.2.1/24 up
19 # Set up a simple jail with one interface
20 vnet_mkjail alcatraz ${epair}b
21 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
23 # Trivial ping to the jail, without pf
24 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
27 # pf enabled but with no rules loaded still lets us ping
27 jexec alcatraz pfctl -e
28 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
31 pft_set_rules alcatraz "block in"
32 atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
34 # Block everything but ICMP
35 pft_set_rules alcatraz "block in" "pass in proto icmp"
36 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
44 atf_test_case "v6" "cleanup"
47 atf_set descr 'Basic pass/block test for IPv6'
48 atf_set require.user root
56 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
58 # Set up a simple jail with one interface
59 vnet_mkjail alcatraz ${epair}b
60 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
62 # Trivial ping to the jail, without pf
63 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
66 # pf enabled but with no rules loaded still lets us ping
66 jexec alcatraz pfctl -e
67 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
70 pft_set_rules alcatraz "block in"
71 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
73 # Block everything but ICMP
74 pft_set_rules alcatraz "block in" "pass in proto icmp6"
75 atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
77 # Allowing ICMPv4 does not allow ICMPv6
78 pft_set_rules alcatraz "block in" "pass in proto icmp"
79 atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
87 atf_test_case "noalias" "cleanup"
90 atf_set descr 'Test the :0 noalias option'
91 atf_set require.user root
99 ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
101 vnet_mkjail alcatraz ${epair}b
102 jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
104 linklocaladdr=$(jexec alcatraz ifconfig ${epair}b inet6 \
106 | awk '{ print $2; }' \
110 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 2001:db8:42::2
111 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
113 jexec alcatraz pfctl -e
114 pft_set_rules alcatraz "block out inet6 from (${epair}b:0) to any"
116 atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 2001:db8:42::2
118 # We should still be able to ping the link-local address
119 atf_check -s exit:0 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
121 pft_set_rules alcatraz "block out inet6 from (${epair}b) to any"
123 # Without :0 the link-local address is matched too, so we cannot ping it
124 atf_check -s exit:2 -o ignore ping6 -c 3 -x 1 ${linklocaladdr}%${epair}a
132 atf_test_case "nested_inline" "cleanup"
135 atf_set descr "Test nested inline anchors, PR196314"
136 atf_set require.user root
143 epair=$(vnet_mkepair)
144 ifconfig ${epair}a inet 192.0.2.1/24 up
146 vnet_mkjail alcatraz ${epair}b
147 jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
149 jexec alcatraz pfctl -e
150 pft_set_rules alcatraz \
153 "pass in quick proto tcp to port time" \
155 "pass in quick proto icmp" \
159 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
162 nested_inline_cleanup()
167 atf_init_test_cases()
169 atf_add_test_case "v4"
170 atf_add_test_case "v6"
171 atf_add_test_case "noalias"
172 atf_add_test_case "nested_inline"