Date: Mon, 16 Oct 2017 15:05:32 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r324664 - head/tests/sys/netpfil/pf Message-ID: <201710161505.v9GF5WRM065874@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Mon Oct 16 15:05:32 2017 New Revision: 324664 URL: https://svnweb.freebsd.org/changeset/base/324664 Log: pf tests: Use pft_set_rules everywhere We now have a utility function to set pf rules in the jail. Use it whenever we need to set the pf rules in the test jail. Modified: head/tests/sys/netpfil/pf/forward.sh head/tests/sys/netpfil/pf/pass_block.sh head/tests/sys/netpfil/pf/set_tos.sh Modified: head/tests/sys/netpfil/pf/forward.sh ============================================================================== --- head/tests/sys/netpfil/pf/forward.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/forward.sh Mon Oct 16 15:05:32 2017 (r324664) @@ -35,21 +35,23 @@ v4_body() --to 198.51.100.3 \ --recvif ${epair_recv}a + jexec alcatraz pfctl -e + # Forward with pf enabled - printf "block in\n" | jexec alcatraz pfctl -ef - + pft_set_rules alcatraz "block in" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a - printf "block out\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block out" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ Modified: head/tests/sys/netpfil/pf/pass_block.sh ============================================================================== --- head/tests/sys/netpfil/pf/pass_block.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/pass_block.sh Mon Oct 16 15:05:32 2017 (r324664) @@ -28,11 +28,11 @@ v4_body() atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything - printf "block in\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything but ICMP - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } @@ -67,15 +67,15 @@ v6_body() atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything - printf "block in\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything but ICMP - printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp6" atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Allowing ICMPv4 does not allow ICMPv6 - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 } Modified: head/tests/sys/netpfil/pf/set_tos.sh ============================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/set_tos.sh Mon Oct 16 15:05:32 2017 (r324664) @@ -29,8 +29,10 @@ v4_body() jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 + jexec alcatraz pfctl -e + # No change is done if not requested - printf "scrub out proto icmp\n" | jexec alcatraz pfctl -ef - + pft_set_rules alcatraz "scrub out proto icmp" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -38,7 +40,7 @@ v4_body() --expect-tos 42 # The requested ToS is set - printf "scrub out proto icmp set-tos 42\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto icmp set-tos 42" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -46,7 +48,7 @@ v4_body() --expect-tos 42 # ToS is not changed if the scrub rule does not match - printf "scrub out proto tcp set-tos 42\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 42" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -54,8 +56,8 @@ v4_body() --expect-tos 42 # Multiple scrub rules match as expected - printf "scrub out proto tcp set-tos 13\nscrub out proto icmp set-tos 14\n" \ - | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ + "scrub out proto icmp set-tos 14" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -71,8 +73,7 @@ v4_body() --expect-tos 14 # ToS values are unmolested if the packets do not match a scrub rule - printf "scrub out proto tcp set-tos 13\n" \ - | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 13" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710161505.v9GF5WRM065874>