From owner-svn-src-all@freebsd.org Mon Oct 16 15:05:34 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1494DE3CC30; Mon, 16 Oct 2017 15:05:34 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E186D83F56; Mon, 16 Oct 2017 15:05:33 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v9GF5X4P065878; Mon, 16 Oct 2017 15:05:33 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v9GF5WRM065874; Mon, 16 Oct 2017 15:05:32 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201710161505.v9GF5WRM065874@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f 
From: Kristof Provost Date: Mon, 16 Oct 2017 15:05:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r324664 - head/tests/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/tests/sys/netpfil/pf X-SVN-Commit-Revision: 324664 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Oct 2017 15:05:34 -0000 Author: kp Date: Mon Oct 16 15:05:32 2017 New Revision: 324664 URL: https://svnweb.freebsd.org/changeset/base/324664 Log: pf tests: Use pft_set_rules everywhere We now have a utility function to set pf rules in the jail. Use it whenever we need to set the pf rules in the test jail. Modified: head/tests/sys/netpfil/pf/forward.sh head/tests/sys/netpfil/pf/pass_block.sh head/tests/sys/netpfil/pf/set_tos.sh Modified: head/tests/sys/netpfil/pf/forward.sh ============================================================================== --- head/tests/sys/netpfil/pf/forward.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/forward.sh Mon Oct 16 15:05:32 2017 (r324664) 
@@ -35,21 +35,23 @@ v4_body() --to 198.51.100.3 \ --recvif ${epair_recv}a + jexec alcatraz pfctl -e + # Forward with pf enabled - printf "block in\n" | jexec alcatraz pfctl -ef - + pft_set_rules alcatraz "block in" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recvif ${epair_recv}a - printf "block out\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block out" atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ --recv ${epair_recv}a # Allow ICMP - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ Modified: head/tests/sys/netpfil/pf/pass_block.sh ============================================================================== --- head/tests/sys/netpfil/pf/pass_block.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/pass_block.sh Mon Oct 16 15:05:32 2017 (r324664) @@ -28,11 +28,11 @@ v4_body() atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything - printf "block in\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 # Block everything but ICMP - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 } 
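Review bot: The added `jexec alcatraz pfctl -e` in forward.sh runs outside `atf_check`, so if pf cannot be enabled in the jail the test carries on and only fails later, at a ping check that points at the rules rather than at the enable step. Wrapping it makes the precondition explicit: `atf_check -s exit:0 -e ignore jexec alcatraz pfctl -e` (the `-e ignore` assumes pfctl prints its "pf enabled" notice on stderr, which should be confirmed). The same unchecked line is added in the set_tos.sh hunk at `@@ -29,8 +29,10 @@`, where the first check after it expects `exit:1` and would presumably also pass with pf disabled. `v4_body` starts and ends outside this hunk.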
@@ -67,15 +67,15 @@ v6_body() atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything - printf "block in\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Block everything but ICMP - printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp6" atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 # Allowing ICMPv4 does not allow ICMPv6 - printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "block in" "pass in proto icmp" atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2 } Modified: head/tests/sys/netpfil/pf/set_tos.sh ============================================================================== --- head/tests/sys/netpfil/pf/set_tos.sh Mon Oct 16 15:03:45 2017 (r324663) +++ head/tests/sys/netpfil/pf/set_tos.sh Mon Oct 16 15:05:32 2017 (r324664) @@ -29,8 +29,10 @@ v4_body() jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 route add -net 198.51.100.0/24 192.0.2.2 + jexec alcatraz pfctl -e + # No change is done if not requested - printf "scrub out proto icmp\n" | jexec alcatraz pfctl -ef - + pft_set_rules alcatraz "scrub out proto icmp" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -38,7 +40,7 @@ v4_body() --expect-tos 42 # The requested ToS is set - printf "scrub out proto icmp set-tos 42\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto icmp set-tos 42" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ 
@@ -46,7 +48,7 @@ v4_body() --expect-tos 42 # ToS is not changed if the scrub rule does not match - printf "scrub out proto tcp set-tos 42\n" | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 42" atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -54,8 +56,8 @@ v4_body() --expect-tos 42 # Multiple scrub rules match as expected - printf "scrub out proto tcp set-tos 13\nscrub out proto icmp set-tos 14\n" \ - | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \ + "scrub out proto icmp set-tos 14" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \ @@ -71,8 +73,7 @@ v4_body() --expect-tos 14 # ToS values are unmolested if the packets do not match a scrub rule - printf "scrub out proto tcp set-tos 13\n" \ - | jexec alcatraz pfctl -f - + pft_set_rules alcatraz "scrub out proto tcp set-tos 13" atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \ --sendif ${epair_send}a \ --to 198.51.100.3 \
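Review bot: After `pft_set_rules alcatraz "scrub out proto tcp set-tos 42"` the only assertion is a negative one (`atf_check -s exit:1 ... --expect-tos 42`), so a ruleset that failed to load may be indistinguishable from a scrub rule that correctly did not match. `pft_set_rules` is defined outside this diff, so whether it propagates pfctl's exit status cannot be confirmed from here. If it does, the call sites could fail fast with `pft_set_rules alcatraz "scrub out proto tcp set-tos 42" || atf_fail "loading pf rules failed"`. Otherwise the helper itself is the place to check the load. The same applies to the other `exit:1` and `exit:2` expectations in forward.sh and pass_block.sh that follow a `pft_set_rules` call.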