d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pf tests: Use pft_set_rules everywhere

Browse Source 
We now have a utility function to set pf rules in the jail. Use it
whenever we need to set the pf rules in the test jail.
This commit is contained in:
kp 2017-10-16 15:05:32 +00:00
parent eb4416b626
commit df7329fbf7
3 changed files with 18 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tests/sys/netpfil/pf/forward.sh
View File

@ -35,21 +35,23 @@ v4_body()
--to 198.51.100.3 \
--recvif ${epair_recv}a
jexec alcatraz pfctl -e
# Forward with pf enabled
printf "block in\n" | jexec alcatraz pfctl -ef -
pft_set_rules alcatraz "block in"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
printf "block out\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block out"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recv ${epair_recv}a
# Allow ICMP
printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in" "pass in proto icmp"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \

10
tests/sys/netpfil/pf/pass_block.sh
View File

@ -28,11 +28,11 @@ v4_body()
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
# Block everything
printf "block in\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in"
atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
# Block everything but ICMP
printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in" "pass in proto icmp"
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
}
@ -67,15 +67,15 @@ v6_body()
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Block everything
printf "block in\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in"
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Block everything but ICMP
printf "block in\npass in proto icmp6\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in" "pass in proto icmp6"
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
# Allowing ICMPv4 does not allow ICMPv6
printf "block in\npass in proto icmp\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "block in" "pass in proto icmp"
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 2001:db8:42::2
}

15
tests/sys/netpfil/pf/set_tos.sh
View File

@ -29,8 +29,10 @@ v4_body()
jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
route add -net 198.51.100.0/24 192.0.2.2
jexec alcatraz pfctl -e
# No change is done if not requested
printf "scrub out proto icmp\n" | jexec alcatraz pfctl -ef -
pft_set_rules alcatraz "scrub out proto icmp"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
@ -38,7 +40,7 @@ v4_body()
--expect-tos 42
# The requested ToS is set
printf "scrub out proto icmp set-tos 42\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
@ -46,7 +48,7 @@ v4_body()
--expect-tos 42
# ToS is not changed if the scrub rule does not match
printf "scrub out proto tcp set-tos 42\n" | jexec alcatraz pfctl -f -
pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
@ -54,8 +56,8 @@ v4_body()
--expect-tos 42
# Multiple scrub rules match as expected
printf "scrub out proto tcp set-tos 13\nscrub out proto icmp set-tos 14\n" \
| jexec alcatraz pfctl -f -
pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
"scrub out proto icmp set-tos 14"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
@ -71,8 +73,7 @@ v4_body()
--expect-tos 14
# ToS values are unmolested if the packets do not match a scrub rule
printf "scrub out proto tcp set-tos 13\n" \
| jexec alcatraz pfctl -f -
pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \