diff --git a/sbin/pfctl/tests/Makefile b/sbin/pfctl/tests/Makefile
index 21eae016f4d1..9ba132de9244 100644
--- a/sbin/pfctl/tests/Makefile
+++ b/sbin/pfctl/tests/Makefile
@@ -2,9 +2,11 @@
 PACKAGE= tests
-ATF_TESTS_SH= pfctl_test \
- macro
+ATF_TESTS_C= pfctl_test
+ATF_TESTS_SH= macro
+LIBADD+= sbuf
 SUBDIR+= files
+WARNS=6
 .include
diff --git a/sbin/pfctl/tests/files/Makefile b/sbin/pfctl/tests/files/Makefile
index af0d4bbf0bfb..aa066c0ff2ac 100644
--- a/sbin/pfctl/tests/files/Makefile
+++ b/sbin/pfctl/tests/files/Makefile
@@ -7,6 +7,5 @@ BINDIR= ${TESTSDIR}
 # We use ${.CURDIR} as workaround so that the glob patterns work.
 FILES!= echo ${.CURDIR}/pf????.in ${.CURDIR}/pf????.include ${.CURDIR}/pf????.ok
-FILES+= ${.CURDIR}/pfctl_test_descr.sh
 .include
diff --git a/sbin/pfctl/tests/files/pfctl_test_descr.sh b/sbin/pfctl/tests/files/pfctl_test_descr.sh
deleted file mode 100755
index 1f164c8c2596..000000000000
--- a/sbin/pfctl/tests/files/pfctl_test_descr.sh
+++ /dev/null
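Review bot: `WARNS=6` is the one assignment in this hunk written without the separator the neighbouring lines use (`PACKAGE= tests`, `ATF_TESTS_C= pfctl_test`, `LIBADD+= sbuf`); writing it as `WARNS=	6` keeps the file's layout consistent. Nothing else in the hunk looks off: `LIBADD+= sbuf` matches the sbuf_* calls the new C test makes, and moving pfctl_test from ATF_TESTS_SH to ATF_TESTS_C is consistent with the deleted pfctl_test.sh further down.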
@@ -1,82 +0,0 @@
-# $FreeBSD$
-# atf-sh, to be sourced by run.sh
-
-pf0001_descr () { echo "Pass with labels" ; }
-pf0002_descr () { echo "Block/pass" ; }
-pf0003_descr () { echo "Block/pass with flags" ; }
-pf0004_descr () { echo "Block" ; }
-pf0005_descr () { echo "Block with variables" ; }
-pf0006_descr () { echo "Variables" ; }
-pf0007_descr () { echo "Block/pass with return" ; }
-pf0008_descr () { echo "Block with address list" ; }
-pf0009_descr () { echo "Block with interface list" ; }
-pf0010_descr () { echo "Block/pass with return" ; }
-pf0011_descr () { echo "Block/pass ICMP" ; }
-pf0012_descr () { echo "Pass to subnets" ; }
-pf0013_descr () { echo "Pass quick" ; }
-pf0014_descr () { echo "Pass quick IPv6" ; }
-pf0016_descr () { echo "Pass with no state" ; }
-pf0018_descr () { echo "Address lists" ; }
-pf0019_descr () { echo "Lists" ; }
-pf0020_descr () { echo "Lists" ; }
-pf0022_descr () { echo "Set options" ; }
-pf0023_descr () { echo "Block on negated interface" ; }
-pf0024_descr () { echo "Variable concatenation" ; }
-pf0025_descr () { echo "Antispoof" ; }
-pf0026_descr () { echo "Block from negated interface" ; }
-pf0028_descr () { echo "Block with log and quick" ; }
-pf0030_descr () { echo "Line continuation" ; }
-pf0031_descr () { echo "Block policy" ; }
-pf0032_descr () { echo "Pass to any" ; }
-pf0034_descr () { echo "Pass with probability" ; }
-pf0035_descr () { echo "Matching on TOS" ; }
-pf0038_descr () { echo "Pass with user" ; }
-pf0039_descr () { echo "Ordered opts" ; }
-pf0040_descr () { echo "Block/pass" ; }
-pf0041_descr () { echo "Anchors" ; }
-pf0047_descr () { echo "Pass with labels" ; }
-pf0048_descr () { echo "Tables" ; }
-pf0049_descr () { echo "Broadcast and network modifiers" ; }
-pf0050_descr () { echo "Double macro set" ; }
-pf0052_descr () { echo "Set optimization" ; }
-pf0053_descr () { echo "Pass with labels" ; }
-pf0055_descr () { echo "Set options" ; }
-pf0056_descr () { echo "State opts" ; }
-pf0057_descr () { echo 
"Variables" ; }
-pf0060_descr () { echo "Pass from multicast" ; }
-pf0061_descr () { echo "Dynaddr with netmask" ; }
-pf0065_descr () { echo "Antispoof with labels" ; }
-pf0067_descr () { echo "Tags" ; }
-pf0069_descr () { echo "Tags" ; }
-pf0070_descr () { echo "Tags" ; }
-pf0071_descr () { echo "Tags" ; }
-pf0072_descr () { echo "Tags" ; }
-pf0074_descr () { echo "Synproxy" ; }
-pf0075_descr () { echo "Block quick with tags" ; }
-pf0077_descr () { echo "Dynaddr with netmask" ; }
-pf0078_descr () { echo "Table with label" ; }
-pf0079_descr () { echo "No-route with label" ; }
-pf0081_descr () { echo "Address list and table list with no-route" ; }
-pf0082_descr () { echo "Pass with interface, table and no-route" ; }
-pf0084_descr () { echo "Source track" ; }
-pf0085_descr () { echo "Tag macro expansion" ; }
-pf0087_descr () { echo "Optimization rule reordering" ; }
-pf0088_descr () { echo "Optimization duplicate rules handling" ; }
-pf0089_descr () { echo "TCP connection tracking" ; }
-pf0090_descr () { echo "Log opts" ; }
-pf0091_descr () { echo "Nested anchors" ; }
-pf0092_descr () { echo "Comments" ; }
-pf0094_descr () { echo "Address ranges" ; }
-pf0095_descr () { echo "Include" ; }
-pf0096_descr () { echo "Variables" ; }
-pf0097_descr () { echo "Divert-to" ; }
-pf0098_descr () { echo "Pass" ; }
-pf0100_descr () { echo "Anchor with multiple path components" ; }
-pf0101_descr () { echo "Prio" ; }
-pf0102_descr () { echo "Address lists with mixed address family" ; }
-pf0104_descr () { echo "Divert-to with localhost" ; }
-pf1001_descr () { echo "Binat" ; }
-pf1002_descr () { echo "Set timeout interval" ; }
-pf1003_descr () { echo "ALTQ" ; }
-pf1004_descr () { echo "ALTQ with Codel" ; }
-pf1005_descr () { echo "PR 231323" ; }
diff --git a/sbin/pfctl/tests/pfctl_test.c b/sbin/pfctl/tests/pfctl_test.c
new file mode 100644
index 000000000000..a95cbc73bbaa
--- /dev/null
+++ b/sbin/pfctl/tests/pfctl_test.c
@@ -0,0 +1,230 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright 2020 Alex Richardson
+ *
+ * This software was developed by SRI International and the University of
+ * Cambridge Computer Laboratory (Department of Computer Science and
+ * Technology) under DARPA contract HR0011-18-C-0016 ("ECATS"), as part of the
+ * DARPA SSITH research programme.
+ *
+ * This work was supported by Innovate UK project 105694, "Digital Security by
+ * Design (DSbD) Technology Platform Prototype".
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include
+__FBSDID("$FreeBSD$");
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+/*
+ * Tests 0001-0999 are copied from OpenBSD's regress/sbin/pfctl.
+ * Tests 1001-1999 are ours (FreeBSD's own).
+ *
+ * pf: Run pfctl -nv on pfNNNN.in and check that the output matches pfNNNN.ok.
+ * Copied from OpenBSD. Main differences are some things not working
+ * in FreeBSD:
+ * * The action 'match'
+ * * The command 'set reassemble'
+ * * The 'from'/'to' options together with 'route-to'
+ * * The option 'scrub' (it is an action in FreeBSD)
+ * * Accepting undefined routing tables in actions (??: see pf0093.in)
+ * * The 'route' option
+ * * The 'set queue def' option
+ * selfpf: Feed pfctl output through pfctl again and verify it stays the same.
+ * Copied from OpenBSD.
+ */
+
+static bool
+check_pf_module_available()
+{
+ int modid;
+ struct module_stat stat;
+
+ if ((modid = modfind("pf")) < 0) {
+ warn("pf module not found");
+ return false;
+ }
+ stat.version = sizeof(struct module_stat);
+ if (modstat(modid, &stat) < 0) {
+ warn("can't stat pf module id %d", modid);
+ return false;
+ }
+ return (true);
+}
+
+extern char **environ;
+
+static struct sbuf *
+read_fd(int fd, size_t sizehint)
+{
+ struct sbuf *sb;
+ ssize_t count;
+ char buffer[MAXBSIZE];
+
+ sb = sbuf_new(NULL, NULL, sizehint, SBUF_AUTOEXTEND);
+ errno = 0;
+ while ((count = read(fd, buffer, sizeof(buffer) - 1)) > 0) {
+ sbuf_bcat(sb, buffer, count);
+ }
+ ATF_REQUIRE_ERRNO(0, count == 0 && "Should have reached EOF");
+ sbuf_finish(sb); /* Ensure NULL-termination */
+ return (sb);
+}
+
+static struct sbuf *
+read_file(const char *filename)
+{
+ struct stat s;
+ struct sbuf *result;
+ int fd;
+
+ errno = 0;
+ ATF_REQUIRE_EQ_MSG(stat(filename, &s), 0, "cannot stat %s", filename);
+ fd = open(filename, O_RDONLY);
+ ATF_REQUIRE_ERRNO(0, fd > 0);
+ result = read_fd(fd, s.st_size);
+ ATF_REQUIRE_ERRNO(0, 
close(fd) == 0);
+ return (result);
+}
+
+static void
+run_pfctl_test(const char *input_path, const char *expected_path,
+ const atf_tc_t *tc)
+{
+ int status;
+ pid_t pid;
+ int pipefds[2];
+ char input_files_path[PATH_MAX];
+ struct sbuf *expected_output;
+ struct sbuf *real_output;
+ posix_spawn_file_actions_t action;
+
+ if (!check_pf_module_available())
+ atf_tc_skip("pf(4) is not loaded");
+
+ /* The test inputs need to be able to use relative includes. */
+ snprintf(input_files_path, sizeof(input_files_path), "%s/files",
+ atf_tc_get_config_var(tc, "srcdir"));
+ ATF_REQUIRE_ERRNO(0, chdir(input_files_path) == 0);
+
+ ATF_REQUIRE_ERRNO(0, pipe(pipefds) == 0);
+ expected_output = read_file(expected_path);
+
+ posix_spawn_file_actions_init(&action);
+ posix_spawn_file_actions_addclose(&action, STDIN_FILENO);
+ posix_spawn_file_actions_addclose(&action, pipefds[1]);
+ posix_spawn_file_actions_adddup2(&action, pipefds[0], STDOUT_FILENO);
+ posix_spawn_file_actions_adddup2(&action, pipefds[0], STDERR_FILENO);
+
+ const char *argv[] = { "pfctl", "-o", "none", "-nvf", input_path,
+ NULL };
+ printf("Running %s %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3],
+ argv[4]);
+ status = posix_spawnp(
+ &pid, "pfctl", &action, NULL, __DECONST(char **, argv), environ);
+ ATF_REQUIRE_EQ_MSG(
+ status, 0, "posix_spawn failed: %s", strerror(errno));
+ posix_spawn_file_actions_destroy(&action);
+ close(pipefds[0]);
+
+ real_output = read_fd(pipefds[1], 0);
+ printf("---\n%s---\n", sbuf_data(real_output));
+ ATF_REQUIRE_EQ(waitpid(pid, &status, 0), pid);
+ ATF_REQUIRE_MSG(WIFEXITED(status),
+ "pfctl returned non-zero! 
Output:\n %s", sbuf_data(real_output));
+
+ ATF_CHECK_STREQ(sbuf_data(expected_output), sbuf_data(real_output));
+ sbuf_delete(expected_output);
+ sbuf_delete(real_output);
+ close(pipefds[1]);
+}
+
+static void
+do_pf_test(const char *number, const atf_tc_t *tc)
+{
+ char *input_path;
+ char *expected_path;
+ asprintf(&input_path, "%s/files/pf%s.in",
+ atf_tc_get_config_var(tc, "srcdir"), number);
+ asprintf(&expected_path, "%s/files/pf%s.ok",
+ atf_tc_get_config_var(tc, "srcdir"), number);
+ run_pfctl_test(input_path, expected_path, tc);
+ free(input_path);
+ free(expected_path);
+}
+
+static void
+do_selfpf_test(const char *number, const atf_tc_t *tc)
+{
+ char *expected_path;
+ asprintf(&expected_path, "%s/files/pf%s.ok",
+ atf_tc_get_config_var(tc, "srcdir"), number);
+ run_pfctl_test(expected_path, expected_path, tc);
+ free(expected_path);
+}
+
+#define PFCTL_TEST(number, descr) \
+ ATF_TC(pf##number); \
+ ATF_TC_HEAD(pf##number, tc) \
+ { \
+ atf_tc_set_md_var(tc, "descr", descr); \
+ } \
+ ATF_TC_BODY(pf##number, tc) \
+ { \
+ do_pf_test(#number, tc); \
+ } \
+ ATF_TC(selfpf##number); \
+ ATF_TC_HEAD(selfpf##number, tc) \
+ { \
+ atf_tc_set_md_var(tc, "descr", "Self " descr); \
+ } \
+ ATF_TC_BODY(selfpf##number, tc) \
+ { \
+ do_selfpf_test(#number, tc); \
+ }
+#include "pfctl_test_list.inc"
+#undef PFCTL_TEST
+
+ATF_TP_ADD_TCS(tp)
+{
+#define PFCTL_TEST(number, descr) \
+ ATF_TP_ADD_TC(tp, pf##number); \
+ ATF_TP_ADD_TC(tp, selfpf##number);
+#include "pfctl_test_list.inc"
+#undef PFCTL_TEST
+
+ return atf_no_error();
+}
diff --git a/sbin/pfctl/tests/pfctl_test.sh b/sbin/pfctl/tests/pfctl_test.sh
deleted file mode 100755
index 60a8db67e42d..000000000000
--- a/sbin/pfctl/tests/pfctl_test.sh
+++ /dev/null
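Review bot: `ATF_REQUIRE_MSG(WIFEXITED(status), "pfctl returned non-zero! ...")` in run_pfctl_test only checks that pfctl was not killed by a signal, so a run that exits with a non-zero status passes that check and the message is misleading; the shell test being removed let atf_check demand exit status 0, so the condition should be `WIFEXITED(status) && WEXITSTATUS(status) == 0`. The pipe ends also appear swapped: the child gets `pipefds[0]` dup'd onto stdout and stderr while the parent reads `pipefds[1]`, which presumably only works because FreeBSD pipes are bidirectional; dup'ing `pipefds[1]` in the child, closing `pipefds[0]` there, and reading `pipefds[0]` in the parent is the portable form and makes the surrounding addclose/close calls read as intended. In read_file, `ATF_REQUIRE_ERRNO(0, fd > 0)` would reject descriptor 0, which open(2) can legitimately return once stdin is closed; `fd >= 0` is the right test. The asprintf() calls in do_pf_test and do_selfpf_test never check their return value, so an allocation failure hands run_pfctl_test indeterminate pointers; wrapping each in `ATF_REQUIRE(asprintf(...) != -1)` covers that. Finally, `check_pf_module_available()` is defined with empty parentheses, which with the WARNS=6 this commit sets is likely to trip the strict-prototypes warning; `(void)` avoids it.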
@@ -1,49 +0,0 @@ -# $FreeBSD$ -# Make will add a #! line at the top of this file. - -# Tests 0001-0999 are copied from OpenBSD's regress/sbin/pfctl. -# Tests 1001-1999 are ours (FreeBSD's own). - -# pf: Run pfctl -nv on pfNNNN.in and check that the output matches pfNNNN.ok. -# Copied from OpenBSD. Main differences are some things not working -# in FreeBSD: -# * The action 'match' -# * The command 'set reassemble' -# * The 'from'/'to' options together with 'route-to' -# * The option 'scrub' (it is an action in FreeBSD) -# * Accepting undefined routing tables in actions (??: see pf0093.in) -# * The 'route' option -# * The 'set queue def' option -# selfpf: Feed pfctl output through pfctl again and verify it stays the same. -# Copied from OpenBSD. - -pftests="0001 0002 0003 0004 0005 0006 0007 0008 0009 0010 0011 0012 -0013 0014 0016 0018 0019 0020 0022 0023 0024 0025 0026 0028 0030 0031 -0032 0034 0035 0038 0039 0040 0041 0047 0048 0049 0050 0052 0053 0055 -0056 0057 0060 0061 0065 0067 0069 0070 0071 0072 0074 0075 0077 0078 -0079 0081 0082 0084 0085 0087 0088 0089 0090 0091 0092 0094 0095 0096 -0097 0098 0100 0101 0102 0104 1001 1002 1003 1004 1005" - -atf_srcdir=$(atf_get_srcdir) -. "${atf_srcdir}/files/pfctl_test_descr.sh" - -for i in ${pftests} ; do - atf_test_case "pf${i}" - eval "pf${i}_head () { atf_set descr \"$(pf${i}_descr)\" ; }" - eval "pf${i}_body () { \ - kldstat -m pf || atf_skip \"pf(4) is not loaded\" && \ - cd ${atf_srcdir}/files && \ - atf_check -o file:pf${i}.ok \ - pfctl -o none -nvf - < pf${i}.in ; }" - - atf_test_case "selfpf${i}" - eval "selfpf${i}_head () { atf_set descr \"self$(pf${i}_descr)\" ; }" - eval "selfpf${i}_body () { \ - cd ${atf_srcdir}/files && \ - atf_check -o file:pf${i}.ok \ - pfctl -o none -nvf - < pf${i}.ok ; }" -done - -atf_init_test_cases () { - for i in ${pftests} ; do atf_add_test_case "pf${i}" - atf_add_test_case "selfpf${i}" ; done ; } 
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc
new file mode 100644
index 000000000000..337dff640f42
--- /dev/null
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -0,0 +1,118 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright 2020 Alex Richardson
+ *
+ * This software was developed by SRI International and the University of
+ * Cambridge Computer Laboratory (Department of Computer Science and
+ * Technology) under DARPA contract HR0011-18-C-0016 ("ECATS"), as part of the
+ * DARPA SSITH research programme.
+ *
+ * This work was supported by Innovate UK project 105694, "Digital Security by
+ * Design (DSbD) Technology Platform Prototype".
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * No include guards since this file is included multiple times by pfctl_test
+ * to avoid duplicating code. 
+ */
+PFCTL_TEST(0001, "Pass with labels")
+PFCTL_TEST(0002, "Block/pass")
+PFCTL_TEST(0003, "Block/pass with flags")
+PFCTL_TEST(0004, "Block")
+PFCTL_TEST(0005, "Block with variables")
+PFCTL_TEST(0006, "Variables")
+PFCTL_TEST(0007, "Block/pass with return")
+PFCTL_TEST(0008, "Block with address list")
+PFCTL_TEST(0009, "Block with interface list")
+PFCTL_TEST(0010, "Block/pass with return")
+PFCTL_TEST(0011, "Block/pass ICMP")
+PFCTL_TEST(0012, "Pass to subnets")
+PFCTL_TEST(0013, "Pass quick")
+PFCTL_TEST(0014, "Pass quick IPv6")
+PFCTL_TEST(0016, "Pass with no state")
+PFCTL_TEST(0018, "Address lists")
+PFCTL_TEST(0019, "Lists")
+PFCTL_TEST(0020, "Lists")
+PFCTL_TEST(0022, "Set options")
+PFCTL_TEST(0023, "Block on negated interface")
+PFCTL_TEST(0024, "Variable concatenation")
+PFCTL_TEST(0025, "Antispoof")
+PFCTL_TEST(0026, "Block from negated interface")
+PFCTL_TEST(0028, "Block with log and quick")
+PFCTL_TEST(0030, "Line continuation")
+PFCTL_TEST(0031, "Block policy")
+PFCTL_TEST(0032, "Pass to any")
+PFCTL_TEST(0034, "Pass with probability")
+PFCTL_TEST(0035, "Matching on TOS")
+PFCTL_TEST(0038, "Pass with user")
+PFCTL_TEST(0039, "Ordered opts")
+PFCTL_TEST(0040, "Block/pass")
+PFCTL_TEST(0041, "Anchors")
+PFCTL_TEST(0047, "Pass with labels")
+PFCTL_TEST(0048, "Tables")
+PFCTL_TEST(0049, "Broadcast and network modifiers")
+PFCTL_TEST(0050, "Double macro set")
+PFCTL_TEST(0052, "Set optimization")
+PFCTL_TEST(0053, "Pass with labels")
+PFCTL_TEST(0055, "Set options")
+PFCTL_TEST(0056, "State opts")
+PFCTL_TEST(0057, "Variables")
+PFCTL_TEST(0060, "Pass from multicast")
+PFCTL_TEST(0061, "Dynaddr with netmask")
+PFCTL_TEST(0065, "Antispoof with labels")
+PFCTL_TEST(0067, "Tags")
+PFCTL_TEST(0069, "Tags")
+PFCTL_TEST(0070, "Tags")
+PFCTL_TEST(0071, "Tags")
+PFCTL_TEST(0072, "Tags")
+PFCTL_TEST(0074, "Synproxy")
+PFCTL_TEST(0075, "Block quick with tags")
+PFCTL_TEST(0077, "Dynaddr with netmask")
+PFCTL_TEST(0078, "Table with label")
+PFCTL_TEST(0079, 
"No-route with label")
+PFCTL_TEST(0081, "Address list and table list with no-route")
+PFCTL_TEST(0082, "Pass with interface, table and no-route")
+PFCTL_TEST(0084, "Source track")
+PFCTL_TEST(0085, "Tag macro expansion")
+PFCTL_TEST(0087, "Optimization rule reordering")
+PFCTL_TEST(0088, "Optimization duplicate rules handling")
+PFCTL_TEST(0089, "TCP connection tracking")
+PFCTL_TEST(0090, "Log opts")
+PFCTL_TEST(0091, "Nested anchors")
+PFCTL_TEST(0092, "Comments")
+PFCTL_TEST(0094, "Address ranges")
+PFCTL_TEST(0095, "Include")
+PFCTL_TEST(0096, "Variables")
+PFCTL_TEST(0097, "Divert-to")
+PFCTL_TEST(0098, "Pass")
+PFCTL_TEST(0100, "Anchor with multiple path components")
+PFCTL_TEST(0101, "Prio")
+PFCTL_TEST(0102, "Address lists with mixed address family")
+PFCTL_TEST(0104, "Divert-to with localhost")
+PFCTL_TEST(1001, "Binat")
+PFCTL_TEST(1002, "Set timeout interval")
+PFCTL_TEST(1003, "ALTQ")
+PFCTL_TEST(1004, "ALTQ with Codel")
+PFCTL_TEST(1005, "PR 231323")
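Review bot: The header comment explains why the file has no include guards but not the contract an includer must satisfy; since pfctl_test.c stringifies the first argument with `#number` and concatenates the second with `"Self " descr`, a line such as `/* The includer must define PFCTL_TEST(number, descr) before including this file: number is the bare pfNNNN test id and descr a string literal. */` would make that explicit. Several entries share a description (`"Tags"` for 0067 through 0072, `"Variables"` for 0006, 0057 and 0096), carried over verbatim from the deleted pfctl_test_descr.sh; the generated test names stay distinct, so this is only a readability point.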