netpfil tests: Move pft_ping.py and sniffer.py to the common test directory
The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to the tests/sys/netpfil/common directory because they are to be used in common by all the firewalls. Submitted by: Ahsan Barkati Reviewed by: kp, thj Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276
parent
de567a4bef
commit
9531253098
@ -38,6 +38,9 @@
|
||||
# xargs -n1 | sort | uniq -d;
|
||||
# done
|
||||
|
||||
# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common
|
||||
OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py
|
||||
OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py
|
||||
# 20190816: dir.h removed from POSIX
|
||||
OLD_FILES+=usr/include/sys/dir.h
|
||||
# 20190729: gzip'ed a.out support removed
|
||||
|
@ -11,6 +11,10 @@ ATF_TESTS_SH+= \
|
||||
|
||||
${PACKAGE}FILES+= \
|
||||
utils.subr \
|
||||
runner.subr
|
||||
runner.subr \
|
||||
pft_ping.py \
|
||||
sniffer.py
|
||||
|
||||
${PACKAGE}FILESMODE_pft_ping.py= 0555
|
||||
|
||||
.include <bsd.test.mk>
|
||||
|
@ -21,12 +21,9 @@ ATF_TESTS_SH+= anchor \
|
||||
|
||||
${PACKAGE}FILES+= utils.subr \
|
||||
echo_inetd.conf \
|
||||
sniffer.py \
|
||||
pft_ping.py \
|
||||
CVE-2019-5597.py \
|
||||
CVE-2019-5598.py
|
||||
|
||||
${PACKAGE}FILESMODE_pft_ping.py= 0555
|
||||
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
|
||||
${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555
|
||||
|
||||
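Review bot: CVE-2019-5597.py and CVE-2019-5598.py are still installed from this directory while sniffer.py and pft_ping.py leave it, and nothing on this page shows those two scripts or the tests that call them being updated. If either script imports sniffer as a sibling module (their source is not visible here, so this needs confirming), it would fail at import after this change and the corresponding CVE regression test would no longer exercise pf. Confirm that both scripts still run from /usr/tests/sys/netpfil/pf. If they do depend on sniffer.py, have the calling test put the shared directory on the module search path rather than copying the file back.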
|
@ -2,6 +2,8 @@
|
||||
|
||||
. $(atf_get_srcdir)/utils.subr
|
||||
|
||||
common_dir=$(atf_get_srcdir)/../common
|
||||
|
||||
atf_test_case "v4" "cleanup"
|
||||
v4_head()
|
||||
{
|
||||
@ -43,20 +45,20 @@ v4_body()
|
||||
|
||||
# Forward with pf enabled
|
||||
pft_set_rules alcatraz "block in"
|
||||
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a
|
||||
|
||||
pft_set_rules alcatraz "block out"
|
||||
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recv ${epair_recv}a
|
||||
|
||||
# Allow ICMP
|
||||
pft_set_rules alcatraz "block in" "pass in proto icmp"
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a
|
||||
@ -98,7 +100,7 @@ v6_body()
|
||||
route add -6 2001:db8:43::/64 2001:db8:42::2
|
||||
|
||||
# Sanity check, can we forward ICMP echo requests without pf?
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--ip6 \
|
||||
--sendif ${epair_send}a \
|
||||
--to 2001:db8:43::3 \
|
||||
@ -109,7 +111,7 @@ v6_body()
|
||||
# Block incoming echo request packets
|
||||
pft_set_rules alcatraz \
|
||||
"block in inet6 proto icmp6 icmp6-type echoreq"
|
||||
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 ${common_dir}/pft_ping.py \
|
||||
--ip6 \
|
||||
--sendif ${epair_send}a \
|
||||
--to 2001:db8:43::3 \
|
||||
@ -118,7 +120,7 @@ v6_body()
|
||||
# Block outgoing echo request packets
|
||||
pft_set_rules alcatraz \
|
||||
"block out inet6 proto icmp6 icmp6-type echoreq"
|
||||
atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
|
||||
--ip6 \
|
||||
--sendif ${epair_send}a \
|
||||
--to 2001:db8:43::3 \
|
||||
@ -128,7 +130,7 @@ v6_body()
|
||||
pft_set_rules alcatraz \
|
||||
"block out" \
|
||||
"pass out inet6 proto icmp6"
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--ip6 \
|
||||
--sendif ${epair_send}a \
|
||||
--to 2001:db8:43::3 \
|
||||
@ -138,7 +140,7 @@ v6_body()
|
||||
pft_set_rules alcatraz \
|
||||
"block out inet6 proto icmp6 icmp6-type echoreq" \
|
||||
"pass in proto icmp"
|
||||
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 ${common_dir}/pft_ping.py \
|
||||
--ip6 \
|
||||
--sendif ${epair_send}a \
|
||||
--to 2001:db8:43::3 \
|
||||
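Review bot: `common_dir=$(atf_get_srcdir)/../common` is added at the top of this file and again, identically, in the first hunk of the next file, although both files source `utils.subr` on the line just above it. Defining it once in `utils.subr` (not shown on this page) would keep the two tests from drifting if the shared directory moves again, and a comment such as `# pft_ping.py and sniffer.py live in ../common, shared by all firewall tests` would explain the relative path. The blocked-traffic cases expect `exit:1`, and pft_ping.py's exit codes are not visible here. If the script can also exit 1 when it fails to start, a wrong path or broken import would look like a correctly blocked packet. It is worth confirming that each body, which starts outside these hunks, runs an `exit:0` sanity check before relying on `exit:1`.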
|
@ -2,6 +2,8 @@
|
||||
|
||||
. $(atf_get_srcdir)/utils.subr
|
||||
|
||||
common_dir=$(atf_get_srcdir)/../common
|
||||
|
||||
atf_test_case "v4" "cleanup"
|
||||
v4_head()
|
||||
{
|
||||
@ -37,7 +39,7 @@ v4_body()
|
||||
|
||||
# No change is done if not requested
|
||||
pft_set_rules alcatraz "scrub out proto icmp"
|
||||
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
@ -45,7 +47,7 @@ v4_body()
|
||||
|
||||
# The requested ToS is set
|
||||
pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
@ -53,7 +55,7 @@ v4_body()
|
||||
|
||||
# ToS is not changed if the scrub rule does not match
|
||||
pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
|
||||
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
@ -62,14 +64,14 @@ v4_body()
|
||||
# Multiple scrub rules match as expected
|
||||
pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
|
||||
"scrub out proto icmp set-tos 14"
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
--expect-tos 14
|
||||
|
||||
# And this works even if the packet already has ToS values set
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
@ -78,7 +80,7 @@ v4_body()
|
||||
|
||||
# ToS values are unmolested if the packets do not match a scrub rule
|
||||
pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
|
||||
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
|
||||
atf_check -s exit:0 ${common_dir}/pft_ping.py \
|
||||
--sendif ${epair_send}a \
|
||||
--to 198.51.100.3 \
|
||||
--recvif ${epair_recv}a \
|
||||
|