Diffstat (limited to 'tests/sys/netpfil/pf/match.sh')
-rw-r--r--tests/sys/netpfil/pf/match.sh112
1 files changed, 112 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/match.sh b/tests/sys/netpfil/pf/match.sh
index bb088c5bf47c..58c1e021310a 100644
--- a/tests/sys/netpfil/pf/match.sh
+++ b/tests/sys/netpfil/pf/match.sh
@@ -26,6 +26,8 @@
. $(atf_get_srcdir)/utils.subr
+common_dir=$(atf_get_srcdir)/../common
+
atf_test_case "dummynet" "cleanup"
dummynet_head()
{
@@ -67,7 +69,117 @@ dummynet_cleanup()
pft_cleanup
}
+atf_test_case "quick" "cleanup"
+quick_head()
+{
+ atf_set descr 'Test quick on match rules'
+ atf_set require.user root
+}
+
+quick_body()
+{
+ pft_init
+
+ epair=$(vnet_mkepair)
+ vnet_mkjail alcatraz ${epair}b
+
+ ifconfig ${epair}a 192.0.2.1/24 up
+ jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore \
+ ping -c 1 192.0.2.2
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz \
+ "pass" \
+ "match in quick proto icmp" \
+ "block"
+
+ # 'match quick' should retain the previous pass/block state
+ atf_check -s exit:0 -o ignore \
+ ping -c 1 192.0.2.2
+
+ pft_set_rules alcatraz \
+ "block" \
+ "match in quick proto icmp" \
+ "pass"
+
+ atf_check -s exit:2 -o ignore \
+ ping -c 1 192.0.2.2
+}
+
+quick_cleanup()
+{
+ pft_cleanup
+}
+
+atf_test_case "allow_opts" "cleanup"
+allow_opts_head()
+{
+ atf_set descr 'Test allowing IP options via match'
+ atf_set require.user root
+ atf_set require.progs python3 scapy
+}
+
+allow_opts_body()
+{
+ pft_init
+
+ epair=$(vnet_mkepair)
+
+ ifconfig ${epair}b 192.0.2.2/24 up
+
+ vnet_mkjail alcatraz ${epair}a
+ jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
+
+ jexec alcatraz pfctl -e
+ jexec alcatraz pfctl -x loud
+ pft_set_rules alcatraz \
+ "match proto icmp allow-opts" \
+ "pass"
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore \
+ ping -c 1 192.0.2.1
+
+ atf_check -s exit:0 -o ignore \
+ ${common_dir}/pft_ping.py \
+ --sendif ${epair}b \
+ --to 192.0.2.1 \
+ --send-nop \
+ --replyif ${epair}b
+
+ # This doesn't work without 'allow-opts'
+ pft_set_rules alcatraz \
+ "match proto icmp" \
+ "pass"
+ atf_check -s exit:1 -o ignore \
+ ${common_dir}/pft_ping.py \
+ --sendif ${epair}b \
+ --to 192.0.2.1 \
+ --send-nop \
+ --replyif ${epair}b
+
+ # Setting it on a pass rule still works.
+ pft_set_rules alcatraz \
+ "pass allow-opts"
+ atf_check -s exit:0 -o ignore \
+ ${common_dir}/pft_ping.py \
+ --sendif ${epair}b \
+ --to 192.0.2.1 \
+ --send-nop \
+ --replyif ${epair}b
+}
+
+allow_opts_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "dummynet"
+ atf_add_test_case "quick"
+ atf_add_test_case "allow_opts"
}
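Review bot: The five-line `pft_ping.py` invocation in allow_opts_body is repeated verbatim three times (after the sanity check, after the rule reload without `allow-opts`, and after the `pass allow-opts` reload), so the three cases differ only in the expected exit status while the reader has to diff the argument lists by eye to confirm they are the same probe. Hoisting the arguments into one variable once the interface and jail are configured keeps each check to a single line and makes it explicit that the same NOP-option packet is sent each time; a plain variable rather than a shell function is used because `atf_check` runs its command in a child process, not in this shell. The first hunk only introduces `common_dir` and needs no change. The enclosing functions quick_body, allow_opts_body and atf_init_test_cases are entirely within this hunk.
```shell
allow_opts_body()
{
	# … unchanged: pft_init, epair/jail setup, pfctl -e / -x loud, initial rules …

	# ICMP echo carrying a NOP IP option, sent from the host side of the epair.
	ping_nop="${common_dir}/pft_ping.py \
		--sendif ${epair}b \
		--to 192.0.2.1 \
		--send-nop \
		--replyif ${epair}b"

	atf_check -s exit:0 -o ignore ${ping_nop}

	# … unchanged: rule reload without 'allow-opts' …
	atf_check -s exit:1 -o ignore ${ping_nop}

	# … unchanged: 'pass allow-opts' rule reload …
	atf_check -s exit:0 -o ignore ${ping_nop}
}
```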