svn commit: r324375 - in head: etc/mtree tests/sys tests/sys/netpfil tests/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Fri Oct 6 20:43:16 UTC 2017 

Author: kp
Date: Fri Oct  6 20:43:14 2017
New Revision: 324375
URL: https://svnweb.freebsd.org/changeset/base/324375

Log:
  pf: Basic automated test using VIMAGE
  
  If VIMAGE is present we can start jails with their own pf instance. This
  makes it fairly easy to run tests.
  For example, this basic test verifies that drop/pass and icmp
  classification works. It's a basic sanity test for pf, and hopefully an
  example on how to write more pf tests.
  
  The tests are skipped if VIMAGE is not enabled.
  
  This work is inspired by the GSoC work of Panagiotes Mousikides.
  
  Differential Revision:	https://reviews.freebsd.org/D12580

Added:
  head/tests/sys/netpfil/
  head/tests/sys/netpfil/Makefile   (contents, props changed)
  head/tests/sys/netpfil/pf/
  head/tests/sys/netpfil/pf/Makefile   (contents, props changed)
  head/tests/sys/netpfil/pf/pass_block.sh   (contents, props changed)
  head/tests/sys/netpfil/pf/utils.subr   (contents, props changed)
Modified:
  head/etc/mtree/BSD.tests.dist
  head/tests/sys/Makefile

Modified: head/etc/mtree/BSD.tests.dist
==============================================================================
--- head/etc/mtree/BSD.tests.dist	Fri Oct  6 20:33:40 2017	(r324374)
+++ head/etc/mtree/BSD.tests.dist	Fri Oct  6 20:43:14 2017	(r324375)
@@ -476,6 +476,10 @@
         ..
         netinet
         ..
+        netpfil
+            pf
+            ..
+        ..
         opencrypto
         ..
         pjdfstest

Modified: head/tests/sys/Makefile
==============================================================================
--- head/tests/sys/Makefile	Fri Oct  6 20:33:40 2017	(r324374)
+++ head/tests/sys/Makefile	Fri Oct  6 20:43:14 2017	(r324375)
@@ -13,6 +13,7 @@ TESTS_SUBDIRS+=		kqueue
 TESTS_SUBDIRS+=		mac
 TESTS_SUBDIRS+=		mqueue
 TESTS_SUBDIRS+=		netinet
+TESTS_SUBDIRS+=		netpfil
 TESTS_SUBDIRS+=		opencrypto
 TESTS_SUBDIRS+=		posixshm
 TESTS_SUBDIRS+=		sys

Added: head/tests/sys/netpfil/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tests/sys/netpfil/Makefile	Fri Oct  6 20:43:14 2017	(r324375)
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR=		${TESTSBASE}/sys/netpfil
+
+TESTS_SUBDIRS+=		pf
+
+.include <bsd.test.mk>

Added: head/tests/sys/netpfil/pf/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/Makefile	Fri Oct  6 20:43:14 2017	(r324375)
@@ -0,0 +1,11 @@
+# $FreeBSD$
+
+PACKAGE=	tests
+
+TESTSDIR=       ${TESTSBASE}/sys/netpfil/pf
+
+ATF_TESTS_SH+=	pass_block
+
+${PACKAGE}FILES+=	utils.subr
+
+.include <bsd.test.mk>

Added: head/tests/sys/netpfil/pf/pass_block.sh
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/pass_block.sh	Fri Oct  6 20:43:14 2017	(r324375)
@@ -0,0 +1,91 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'Basic pass/block test for IPv4'
+	atf_set require.user root
+}
+
+v4_body()
+{
+	pft_init
+
+	epair=$(pft_mkepair)
+	ifconfig ${epair}a 192.0.2.1/24 up
+
+	# Set up a simple jail with one interface
+	pft_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+
+	# Trivial ping to the jail, without pf
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+	# pf without policy will let us ping
+	jexec alcatraz pfctl -e
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+	# Block everything
+	printf "block in\n" | jexec alcatraz pfctl -f -
+	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
+
+	# Block everything but ICMP
+	printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+}
+
+v4_cleanup()
+{
+	pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'Basic pass/block test for IPv6'
+	atf_set require.user root
+}
+
+v6_body()
+{
+	pft_init
+
+	epair=$(pft_mkepair)
+	ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
+
+	# Set up a simple jail with one interface
+	pft_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
+
+	# Trivial ping to the jail, without pf
+	atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+	# pf without policy will let us ping
+	jexec alcatraz pfctl -e
+	atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+	# Block everything
+	printf "block in\n" | jexec alcatraz pfctl -f -
+	atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+	# Block everything but ICMP
+	printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f -
+	atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+
+	# Allowing ICMPv4 does not allow ICMPv6
+	printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
+	atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
+}
+
+v6_cleanup()
+{
+	pft_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

Added: head/tests/sys/netpfil/pf/utils.subr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/utils.subr	Fri Oct  6 20:43:14 2017	(r324375)
@@ -0,0 +1,47 @@
+# $FreeBSD$
+# Utility functions
+##
+
+pft_init()
+{
+	if [ ! -c /dev/pf ]; then
+		atf_skip "This test requires pf"
+	fi
+
+	if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then
+		atf_skip "This test requires VIMAGE"
+	fi
+}
+
+pft_mkepair()
+{
+	ifname=$(ifconfig epair create)
+	echo $ifname >> created_interfaces.lst
+	echo ${ifname%a}
+}
+
+pft_mkjail()
+{
+	jailname=$1
+	ifname=$2
+	jail -c name=${jailname} persist vnet vnet.interface=${ifname}
+
+	echo $jailname >> created_jails.lst
+}
+
+pft_cleanup()
+{
+	if [ -f created_interfaces.lst ]; then
+		for ifname in `cat created_interfaces.lst`
+		do
+			ifconfig ${ifname} destroy
+		done
+	fi
+
+	if [ -f created_jails.lst ]; then
+		for jailname in `cat created_jails.lst`
+		do
+			jail -r ${jailname}
+		done
+	fi
+}

More information about the svn-src-all mailing list