netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to
the tests/sys/netpfil/common directory because these tools are to be shared
by all the firewalls.

Submitted by:	Ahsan Barkati
Reviewed by:	kp, thj
Sponsored by:	Google, Inc. (GSoC 2019)
Differential Revision:	https://reviews.freebsd.org/D21276
Kristof Provost 2019-08-19 10:48:27 +00:00
parent de567a4bef
commit 9531253098
7 changed files with 26 additions and 18 deletions


@ -38,6 +38,9 @@
# xargs -n1 | sort | uniq -d;
# done
# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common
OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py
OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py
# 20190816: dir.h removed from POSIX
OLD_FILES+=usr/include/sys/dir.h
# 20190729: gzip'ed a.out support removed


@ -11,6 +11,10 @@ ATF_TESTS_SH+= \
${PACKAGE}FILES+= \
utils.subr \
runner.subr
runner.subr \
pft_ping.py \
sniffer.py
${PACKAGE}FILESMODE_pft_ping.py= 0555
.include <bsd.test.mk>
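Review bot: `sniffer.py` is added to `${PACKAGE}FILES` with no `FILESMODE` entry, while `pft_ping.py` gets 0555, and nothing here says why the two differ. That matches how the pf Makefile listed them before the move, so it is presumably intentional because sniffer.py is only imported by pft_ping.py; that import is not visible on this page. A one-line comment above the mode line would record it: `# sniffer.py is imported by pft_ping.py, not executed; it keeps the default mode`.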


@ -21,12 +21,9 @@ ATF_TESTS_SH+= anchor \
${PACKAGE}FILES+= utils.subr \
echo_inetd.conf \
sniffer.py \
pft_ping.py \
CVE-2019-5597.py \
CVE-2019-5598.py
${PACKAGE}FILESMODE_pft_ping.py= 0555
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555


@ -2,6 +2,8 @@
. $(atf_get_srcdir)/utils.subr
common_dir=$(atf_get_srcdir)/../common
atf_test_case "v4" "cleanup"
v4_head()
{
@ -43,20 +45,20 @@ v4_body()
# Forward with pf enabled
pft_set_rules alcatraz "block in"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
pft_set_rules alcatraz "block out"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recv ${epair_recv}a
# Allow ICMP
pft_set_rules alcatraz "block in" "pass in proto icmp"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
@ -98,7 +100,7 @@ v6_body()
route add -6 2001:db8:43::/64 2001:db8:42::2
# Sanity check, can we forward ICMP echo requests without pf?
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@ -109,7 +111,7 @@ v6_body()
# Block incoming echo request packets
pft_set_rules alcatraz \
"block in inet6 proto icmp6 icmp6-type echoreq"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@ -118,7 +120,7 @@ v6_body()
# Block outgoing echo request packets
pft_set_rules alcatraz \
"block out inet6 proto icmp6 icmp6-type echoreq"
atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@ -128,7 +130,7 @@ v6_body()
pft_set_rules alcatraz \
"block out" \
"pass out inet6 proto icmp6"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@ -138,7 +140,7 @@ v6_body()
pft_set_rules alcatraz \
"block out inet6 proto icmp6 icmp6-type echoreq" \
"pass in proto icmp"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
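Review bot: The `-s exit:1` checks in v4_body and v6_body now run the helper as `${common_dir}/pft_ping.py`, and they cannot tell a packet that pf blocked from a helper that failed to start, assuming an uncaught Python error (for instance a failed import after the move) also exits with status 1. The block-out check in v6_body additionally passes `-e ignore`, so a traceback from the helper would not be shown. Each body should keep an `exit:0` run ahead of its negative checks; v6_body shows its sanity check, but v4_body is only partly visible here. A comment at the assignment would record the new dependency: `# pft_ping.py and sniffer.py are installed by ../common; these tests need that directory`. The same applies to the `common_dir` calls in the file section that follows.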


@ -2,6 +2,8 @@
. $(atf_get_srcdir)/utils.subr
common_dir=$(atf_get_srcdir)/../common
atf_test_case "v4" "cleanup"
v4_head()
{
@ -37,7 +39,7 @@ v4_body()
# No change is done if not requested
pft_set_rules alcatraz "scrub out proto icmp"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@ -45,7 +47,7 @@ v4_body()
# The requested ToS is set
pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@ -53,7 +55,7 @@ v4_body()
# ToS is not changed if the scrub rule does not match
pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@ -62,14 +64,14 @@ v4_body()
# Multiple scrub rules match as expected
pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
"scrub out proto icmp set-tos 14"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
--expect-tos 14
# And this works even if the packet already has ToS values set
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@ -78,7 +80,7 @@ v4_body()
# ToS values are unmolested if the packets do not match a scrub rule
pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \