pf: Basic automated test using VIMAGE

If VIMAGE is present we can start jails with their own pf instance. This
makes it fairly easy to run tests.
For example, this basic test verifies that drop/pass and icmp
classification works. It's a basic sanity test for pf, and hopefully an
example on how to write more pf tests.

The tests are skipped if VIMAGE is not enabled.

This work is inspired by the GSoC work of Panagiotes Mousikides.

Differential Revision:	https://reviews.freebsd.org/D12580
This commit is contained in:
kp 2017-10-06 20:43:14 +00:00
parent d48dcca311
commit 2646db1c87
6 changed files with 161 additions and 0 deletions

View File

@ -476,6 +476,10 @@
..
netinet
..
netpfil
pf
..
..
opencrypto
..
pjdfstest

View File

@ -13,6 +13,7 @@ TESTS_SUBDIRS+= kqueue
TESTS_SUBDIRS+= mac
TESTS_SUBDIRS+= mqueue
TESTS_SUBDIRS+= netinet
TESTS_SUBDIRS+= netpfil
TESTS_SUBDIRS+= opencrypto
TESTS_SUBDIRS+= posixshm
TESTS_SUBDIRS+= sys

View File

@ -0,0 +1,7 @@
# $FreeBSD$
TESTSDIR= ${TESTSBASE}/sys/netpfil
TESTS_SUBDIRS+= pf
.include <bsd.test.mk>

View File

@ -0,0 +1,11 @@
# $FreeBSD$
PACKAGE= tests
TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
ATF_TESTS_SH+= pass_block
${PACKAGE}FILES+= utils.subr
.include <bsd.test.mk>

View File

@ -0,0 +1,91 @@
# $FreeBSD$
. $(atf_get_srcdir)/utils.subr
atf_test_case "v4" "cleanup"
v4_head()
{
atf_set descr 'Basic pass/block test for IPv4'
atf_set require.user root
}
v4_body()
{
pft_init
epair=$(pft_mkepair)
ifconfig ${epair}a 192.0.2.1/24 up
# Set up a simple jail with one interface
pft_mkjail alcatraz ${epair}b
jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
# Trivial ping to the jail, without pf
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# pf without policy will let us ping
jexec alcatraz pfctl -e
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# Block everything
printf "block in\n" | jexec alcatraz pfctl -f -
atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
# Block everything but ICMP
printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
}
v4_cleanup()
{
pft_cleanup
}
atf_test_case "v6" "cleanup"
v6_head()
{
atf_set descr 'Basic pass/block test for IPv6'
atf_set require.user root
}
v6_body()
{
pft_init
epair=$(pft_mkepair)
ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
# Set up a simple jail with one interface
pft_mkjail alcatraz ${epair}b
jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad
# Trivial ping to the jail, without pf
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# pf without policy will let us ping
jexec alcatraz pfctl -e
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Block everything
printf "block in\n" | jexec alcatraz pfctl -f -
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Block everything but ICMP
printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f -
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Allowing ICMPv4 does not allow ICMPv6
printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
}
v6_cleanup()
{
pft_cleanup
}
atf_init_test_cases()
{
atf_add_test_case "v4"
atf_add_test_case "v6"
}

View File

@ -0,0 +1,47 @@
# $FreeBSD$
# Utility functions
##
pft_init()
{
if [ ! -c /dev/pf ]; then
atf_skip "This test requires pf"
fi
if [ "`sysctl -i -n kern.features.vimage`" != 1 ]; then
atf_skip "This test requires VIMAGE"
fi
}
pft_mkepair()
{
ifname=$(ifconfig epair create)
echo $ifname >> created_interfaces.lst
echo ${ifname%a}
}
pft_mkjail()
{
jailname=$1
ifname=$2
jail -c name=${jailname} persist vnet vnet.interface=${ifname}
echo $jailname >> created_jails.lst
}
pft_cleanup()
{
if [ -f created_interfaces.lst ]; then
for ifname in `cat created_interfaces.lst`
do
ifconfig ${ifname} destroy
done
fi
if [ -f created_jails.lst ]; then
for jailname in `cat created_jails.lst`
do
jail -r ${jailname}
done
fi
}