Add common firewall test suite

Add a common test suite for the firewalls included in the base system. The test
suite allows common test infrastructure to test pf, ipfw and ipf firewalls from
test files containing the setup for all three firewalls.

Add the pass block test for pf, ipfw and ipf. The pass block test checks the
allow/deny functionality of the firewalls tested.

Submitted by:   Ahsan Barkati
Sponsored by:   Google, Inc. (GSoC 2019)
Reviewed by:    kp
Approved by:    bz (co-mentor)
MFC after:      2 weeks
Differential Revision: https://reviews.freebsd.org/D21065

etc/mtree/BSD.tests.dist

@@ -793,6 +793,8 @@
     netmap
     ..
         netpfil
+            common
+            ..
             pf
                 ioctl
                 ..

tests/sys/netpfil/Makefile

@@ -5,7 +5,8 @@
 TESTSDIR=		${TESTSBASE}/sys/netpfil
 
 .if ${MK_PF} != "no"
-TESTS_SUBDIRS+=		pf
+TESTS_SUBDIRS+=		pf \
+					common
 .endif
 
 .include <bsd.test.mk>

tests/sys/netpfil/common/Makefile

@@ -0,0 +1,13 @@
+# $FreeBSD$
+
+PACKAGE=	tests
+
+TESTSDIR=	${TESTSBASE}/sys/netpfil/common
+
+
+ATF_TESTS_SH+=	pass_block \
+
+${PACKAGE}FILES+=	utils.subr \
+					runner.subr
+
+.include <bsd.test.mk>

tests/sys/netpfil/common/pass_block.sh

@@ -0,0 +1,129 @@
+#-
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2019 Ahsan Barkati
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+. $(atf_get_srcdir)/utils.subr
+. $(atf_get_srcdir)/runner.subr
+
+v4_head()
+{
+	atf_set require.user root
+}
+
+v4_body()
+{   
+	firewall=$1
+	firewall_init $firewall
+	
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a 192.0.2.1/24 up
+	vnet_mkjail iron ${epair}b
+	jexec iron ifconfig ${epair}b 192.0.2.2/24 up
+	
+	# Block All
+	firewall_config "iron" ${firewall} \
+		"pf" \
+			"block in" \
+		"ipfw" \
+			"ipfw -q add 100 deny all from any to any" \
+		"ipf" \
+			"block in all"
+
+	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
+	
+	# Pass All
+	firewall_config "iron" ${firewall} \
+		"pf" \
+			"pass in" \
+		"ipfw" \
+			"ipfw -q add 100 allow all from any to any" \
+		"ipf" \
+			"pass in all"
+
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+}
+
+v4_cleanup()
+{
+	firewall=$1
+	firewall_cleanup $firewall
+}
+
+v6_head()
+{
+	atf_set require.user root
+}
+
+v6_body()
+{   
+	firewall=$1
+	firewall_init $firewall
+	
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a inet6 fd7a:803f:cc4b::1/64 up no_dad
+
+	vnet_mkjail iron ${epair}b
+	jexec iron ifconfig ${epair}b inet6 fd7a:803f:cc4b::2/64 up no_dad
+	
+	# Block All
+	firewall_config "iron" ${firewall} \
+		"pf" \
+			"block in" \
+		"ipfw" \
+			"ipfw -q add 100 deny all from any to any" \
+		"ipf" \
+			"block in all"
+
+	atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 fd7a:803f:cc4b::2
+	
+	# Pass All
+	firewall_config "iron" ${firewall} \
+		"pf" \
+			"pass in" \
+		"ipfw" \
+			"ipfw -q add 100 allow all from any to any" \
+		"ipf" \
+			"pass in all"
+
+	atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 fd7a:803f:cc4b::2
+}
+
+v6_cleanup()
+{
+	firewall=$1
+	firewall_cleanup $firewall
+}
+
+setup_tests "v4" \
+				"pf" \
+				"ipfw" \
+				"ipf" \
+			"v6" \
+				"pf" \
+				"ipfw" \
+				"ipf"

tests/sys/netpfil/common/runner.subr

@@ -0,0 +1,67 @@
+#-
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2019 Ahsan Barkati
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+. $(atf_get_srcdir)/utils.subr
+
+setup_tests()
+{   
+	tests=""
+	while [ $# -gt 0 ]; do
+		if [ $(is_firewall $1) -eq  1 ]; then
+			fw=$1
+			shift
+			if [ -z "${testcase}" ]; then
+				echo "no testcase passed to setup_test"
+				return
+			fi
+			atf_test_case "${fw}_${testcase}" "cleanup"
+			eval "${fw}_${testcase}_head(){ ${testcase}_head; }"
+			eval "${fw}_${testcase}_body(){ ${testcase}_body $fw; }"
+			eval "${fw}_${testcase}_cleanup(){ ${testcase}_cleanup $fw; }"
+			tests="$tests ${fw}_${testcase}"
+		else
+			testcase=$1
+			shift
+		fi
+	done
+	init_testcases "$tests"
+}
+
+
+init_testcases()
+{
+	args="$@"
+	atf_init_test_cases()
+	{
+		for testcase in $args;
+		do 
+			atf_add_test_case "$testcase"
+		done
+	}
+}

tests/sys/netpfil/common/utils.subr

@@ -0,0 +1,113 @@
+#-
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2019 Ahsan Barkati
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+. $(atf_get_srcdir)/../../common/vnet.subr
+
+firewall_config()
+{
+	jname=$1
+	shift
+	fw=$1
+	shift
+
+	while [ $# -gt 0 ]; do
+		if [ $(is_firewall $fw) -eq  1 ]; then
+			current_fw="$1"
+			shift
+			filename=${current_fw}.rule
+			cwd=$(pwd)
+			if [ -f ${current_fw}.rule ]; then
+				rm ${current_fw}.rule
+			fi
+		fi
+		rule=$1
+		echo $rule >> $filename
+		shift
+	done
+
+	if [ ${fw} == "ipfw" ]; then
+		jexec ${jname} ipfw -q -f flush
+		jexec ${jname} /bin/sh $cwd/ipfw.rule
+	elif [ ${fw} == "pf" ]; then
+		jexec ${jname} pfctl -e
+		jexec ${jname} pfctl -F all
+		jexec ${jname} pfctl -f $cwd/pf.rule
+	elif [ ${fw} == "ipf" ]; then
+		jexec ${jname} ipf -E
+		jexec ${jname} ipf -Fa -f $cwd/ipf.rule
+	elif [ ${fw} == "ipfnat" ]; then
+		jexec ${jname} service ipfilter start
+		jexec ${jname} ipnat -CF -f $cwd/ipfnat.rule
+	else
+		atf_fail "$fw is not a valid firewall to configure"
+	fi
+}
+
+firewall_cleanup()
+{
+	firewall=$1
+	echo "Cleaning $firewall"
+	vnet_cleanup
+}
+
+firewall_init()
+{
+	firewall=$1
+	vnet_init
+
+	if [ ${firewall} == "ipfw" ]; then
+		if ! kldstat -q -m ipfw; then
+			atf_skip "This test requires ipfw"
+		fi
+	elif [ ${firewall} == "pf" ]; then
+		if [ ! -c /dev/pf ]; then
+			atf_skip "This test requires pf"
+		fi
+	elif [ ${firewall} == "ipf" ]; then
+		if ! kldstat -q -m ipfilter; then
+			atf_skip "This test requires ipf"
+		fi
+	elif [ ${firewall} == "ipfnat" ]; then
+		if ! kldstat -q -m ipfw_nat; then
+			atf_skip "This test requires ipfw_nat"
+		fi
+	else
+		atf_fail "$fw is not a valid firewall to initialize"
+	fi
+
+}
+
+is_firewall()
+{
+	if [ "$1" = "pf" -o "$1" = "ipfw" -o "$1" = "ipf" -o "$1" = "ipfnat" ]; then
+		echo 1
+	else
+		echo 0
+	fi
+}