From owner-svn-src-head@freebsd.org Fri Oct 6 20:43:16 2017
Message-Id: <201710062043.v96KhFqZ057892@repo.freebsd.org>
From: Kristof Provost
Date: Fri, 6 Oct 2017 20:43:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r324375 - in head: etc/mtree tests/sys tests/sys/netpfil tests/sys/netpfil/pf

Author: kp
Date: Fri Oct  6 20:43:14 2017
New Revision: 324375
URL: https://svnweb.freebsd.org/changeset/base/324375

Log:
  pf: Basic automated test using VIMAGE

  If VIMAGE is present we can start jails with their own pf instance. This
  makes it fairly easy to run tests.

  For example, this basic test verifies that drop/pass and icmp
  classification works. It's a basic sanity test for pf, and hopefully an
  example on how to write more pf tests.

  The tests are skipped if VIMAGE is not enabled.

  This work is inspired by the GSoC work of Panagiotes Mousikides.
Differential Revision: https://reviews.freebsd.org/D12580 Added: head/tests/sys/netpfil/ head/tests/sys/netpfil/Makefile (contents, props changed) head/tests/sys/netpfil/pf/ head/tests/sys/netpfil/pf/Makefile (contents, props changed) head/tests/sys/netpfil/pf/pass_block.sh (contents, props changed) head/tests/sys/netpfil/pf/utils.subr (contents, props changed) Modified: head/etc/mtree/BSD.tests.dist head/tests/sys/Makefile Modified: head/etc/mtree/BSD.tests.dist ============================================================================== --- head/etc/mtree/BSD.tests.dist Fri Oct 6 20:33:40 2017 (r324374) +++ head/etc/mtree/BSD.tests.dist Fri Oct 6 20:43:14 2017 (r324375) @@ -476,6 +476,10 @@ .. netinet .. + netpfil + pf + .. + .. opencrypto .. pjdfstest Modified: head/tests/sys/Makefile ============================================================================== --- head/tests/sys/Makefile Fri Oct 6 20:33:40 2017 (r324374) +++ head/tests/sys/Makefile Fri Oct 6 20:43:14 2017 (r324375) @@ -13,6 +13,7 @@ TESTS_SUBDIRS+= kqueue TESTS_SUBDIRS+= mac TESTS_SUBDIRS+= mqueue TESTS_SUBDIRS+= netinet +TESTS_SUBDIRS+= netpfil TESTS_SUBDIRS+= opencrypto TESTS_SUBDIRS+= posixshm TESTS_SUBDIRS+= sys Added: head/tests/sys/netpfil/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/Makefile Fri Oct 6 20:43:14 2017 (r324375) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sys/netpfil + +TESTS_SUBDIRS+= pf + +.include Added: head/tests/sys/netpfil/pf/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/Makefile Fri Oct 6 20:43:14 2017 (r324375) 
@@ -0,0 +1,11 @@ +# $FreeBSD$ + +PACKAGE= tests + +TESTSDIR= ${TESTSBASE}/sys/netpfil/pf + +ATF_TESTS_SH+= pass_block + +${PACKAGE}FILES+= utils.subr + +.include Added: head/tests/sys/netpfil/pf/pass_block.sh ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/pass_block.sh Fri Oct 6 20:43:14 2017 (r324375) 
@@ -0,0 +1,91 @@ +# $FreeBSD$ + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "v4" "cleanup" +v4_head() +{ + atf_set descr 'Basic pass/block test for IPv4' + atf_set require.user root +} + +v4_body() +{ + pft_init + + epair=$(pft_mkepair) + ifconfig ${epair}a 192.0.2.1/24 up + + # Set up a simple jail with one interface + pft_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + # Trivial ping to the jail, without pf + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # pf without policy will let us ping + jexec alcatraz pfctl -e + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Block everything + printf "block in\n" | jexec alcatraz pfctl -f - + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Block everything but ICMP + printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 +} + +v4_cleanup() +{ + pft_cleanup +} + +atf_test_case "v6" "cleanup" +v6_head() +{ + atf_set descr 'Basic pass/block test for IPv6' + atf_set require.user root +} + +v6_body() +{ + pft_init + + epair=$(pft_mkepair) + ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad + + # Set up a simple jail with one interface + pft_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad + + # Trivial ping to the jail, without pf + atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 + + # pf without policy will let us ping + jexec alcatraz pfctl -e + atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 + + # Block everything + printf "block in\n" | jexec alcatraz pfctl -f - + atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 + + # Block everything but ICMP + printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f - + atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 + + # Allowing ICMPv4 does not allow ICMPv6 + printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + 
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 +} + +v6_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "v4" + atf_add_test_case "v6" +} Added: head/tests/sys/netpfil/pf/utils.subr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/utils.subr Fri Oct 6 20:43:14 2017 (r324375) @@ -0,0 +1,47 @@ +# $FreeBSD$ +# Utility functions +## + +pft_init() +{ + if [ ! -c /dev/pf ]; then + atf_skip "This test requires pf" + fi + + if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then + atf_skip "This test requires VIMAGE" + fi +} + +pft_mkepair() +{ + ifname=$(ifconfig epair create) + echo $ifname >> created_interfaces.lst + echo ${ifname%a} +} + +pft_mkjail() +{ + jailname=$1 + ifname=$2 + jail -c name=${jailname} persist vnet vnet.interface=${ifname} + + echo $jailname >> created_jails.lst +} + +pft_cleanup() +{ + if [ -f created_interfaces.lst ]; then + for ifname in `cat created_interfaces.lst` + do + ifconfig ${ifname} destroy + done + fi + + if [ -f created_jails.lst ]; then + for jailname in `cat created_jails.lst` + do + jail -r ${jailname} + done + fi +}
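Review bot: In the head/tests/sys/netpfil/pf/Makefile hunk (and likewise the head/tests/sys/netpfil/Makefile hunk) the last line is a bare `+.include` with no file argument, which is not a valid bmake directive as rendered. The angle-bracketed target (presumably `<bsd.test.mk>`) was most likely stripped by the mail rendering, but it is worth confirming that the committed files carry it.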
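Review bot: In the head/tests/sys/netpfil/pf/pass_block.sh hunk, the ruleset reloads via `jexec alcatraz pfctl -f -` replace rules but leave existing pf states in place, so each `block` step only proves what it claims because every `ping`/`ping6 -c 1` invocation is a fresh process with a fresh ICMP id that no earlier `pass in proto icmp`/`icmp6` state can match. The step labelled "Allowing ICMPv4 does not allow ICMPv6" in v6_body is the one most exposed to this; flushing states (`jexec alcatraz pfctl -F states`) before each ruleset change would make the block assertions independent of state left by the previous step. Both test cases also hard-code the jail name `alcatraz`, so a jail left behind by an aborted earlier run makes `jail -c` fail with a confusing error; deriving the name from the test case, or checking for and removing a stale jail in pft_init, would avoid that.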
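Review bot: In the head/tests/sys/netpfil/pf/utils.subr hunk, pft_cleanup destroys the recorded epair interfaces before it removes the jails, so at `ifconfig ${ifname} destroy` time the `b` end of each pair is still attached to the jail's vnet; removing the jails first (`jail -r`) returns the `vnet.interface` interfaces to the host and then destroying the `a` end tears down the pair cleanly. pft_mkjail also does not check the exit status of `jail -c name=${jailname} persist vnet vnet.interface=${ifname}`; wrapping it in `atf_check -s exit:0` (or `|| atf_fail`) would fail the test at the point of the real error instead of at the later `jexec`. Minor: the stray `##` line under `# Utility functions` looks like a leftover comment marker.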