mirror of
https://git.FreeBSD.org/src.git
synced 2024-11-27 08:00:11 +00:00
Add common firewall test suite
Add a common test suite for the firewalls included in the base system. The test suite allows common test infrastructure to test pf, ipfw and ipf firewalls from test files containing the setup for all three firewalls. Add the pass block test for pf, ipfw and ipf. The pass block test checks the allow/deny functionality of the firewalls tested. Submitted by: Ahsan Barkati Sponsored by: Google, Inc. (GSoC 2019) Reviewed by: kp Approved by: bz (co-mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D21065
This commit is contained in:
parent
9cb1a47af2
commit
f97a8a3615
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=350586
@ -793,6 +793,8 @@
|
||||
netmap
|
||||
..
|
||||
netpfil
|
||||
common
|
||||
..
|
||||
pf
|
||||
ioctl
|
||||
..
|
||||
|
@ -5,7 +5,8 @@
|
||||
TESTSDIR= ${TESTSBASE}/sys/netpfil
|
||||
|
||||
.if ${MK_PF} != "no"
|
||||
TESTS_SUBDIRS+= pf
|
||||
TESTS_SUBDIRS+= pf \
|
||||
common
|
||||
.endif
|
||||
|
||||
.include <bsd.test.mk>
|
||||
|
13
tests/sys/netpfil/common/Makefile
Normal file
13
tests/sys/netpfil/common/Makefile
Normal file
@ -0,0 +1,13 @@
|
||||
# $FreeBSD$
|
||||
|
||||
PACKAGE= tests
|
||||
|
||||
TESTSDIR= ${TESTSBASE}/sys/netpfil/common
|
||||
|
||||
|
||||
ATF_TESTS_SH+= pass_block \
|
||||
|
||||
${PACKAGE}FILES+= utils.subr \
|
||||
runner.subr
|
||||
|
||||
.include <bsd.test.mk>
|
129
tests/sys/netpfil/common/pass_block.sh
Normal file
129
tests/sys/netpfil/common/pass_block.sh
Normal file
@ -0,0 +1,129 @@
|
||||
#-
|
||||
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
|
||||
#
|
||||
# Copyright (c) 2019 Ahsan Barkati
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
. $(atf_get_srcdir)/utils.subr
|
||||
. $(atf_get_srcdir)/runner.subr
|
||||
|
||||
v4_head()
|
||||
{
|
||||
atf_set require.user root
|
||||
}
|
||||
|
||||
v4_body()
|
||||
{
|
||||
firewall=$1
|
||||
firewall_init $firewall
|
||||
|
||||
epair=$(vnet_mkepair)
|
||||
ifconfig ${epair}a 192.0.2.1/24 up
|
||||
vnet_mkjail iron ${epair}b
|
||||
jexec iron ifconfig ${epair}b 192.0.2.2/24 up
|
||||
|
||||
# Block All
|
||||
firewall_config "iron" ${firewall} \
|
||||
"pf" \
|
||||
"block in" \
|
||||
"ipfw" \
|
||||
"ipfw -q add 100 deny all from any to any" \
|
||||
"ipf" \
|
||||
"block in all"
|
||||
|
||||
atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
|
||||
|
||||
# Pass All
|
||||
firewall_config "iron" ${firewall} \
|
||||
"pf" \
|
||||
"pass in" \
|
||||
"ipfw" \
|
||||
"ipfw -q add 100 allow all from any to any" \
|
||||
"ipf" \
|
||||
"pass in all"
|
||||
|
||||
atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
|
||||
}
|
||||
|
||||
v4_cleanup()
|
||||
{
|
||||
firewall=$1
|
||||
firewall_cleanup $firewall
|
||||
}
|
||||
|
||||
v6_head()
|
||||
{
|
||||
atf_set require.user root
|
||||
}
|
||||
|
||||
v6_body()
|
||||
{
|
||||
firewall=$1
|
||||
firewall_init $firewall
|
||||
|
||||
epair=$(vnet_mkepair)
|
||||
ifconfig ${epair}a inet6 fd7a:803f:cc4b::1/64 up no_dad
|
||||
|
||||
vnet_mkjail iron ${epair}b
|
||||
jexec iron ifconfig ${epair}b inet6 fd7a:803f:cc4b::2/64 up no_dad
|
||||
|
||||
# Block All
|
||||
firewall_config "iron" ${firewall} \
|
||||
"pf" \
|
||||
"block in" \
|
||||
"ipfw" \
|
||||
"ipfw -q add 100 deny all from any to any" \
|
||||
"ipf" \
|
||||
"block in all"
|
||||
|
||||
atf_check -s exit:2 -o ignore ping6 -c 1 -x 1 fd7a:803f:cc4b::2
|
||||
|
||||
# Pass All
|
||||
firewall_config "iron" ${firewall} \
|
||||
"pf" \
|
||||
"pass in" \
|
||||
"ipfw" \
|
||||
"ipfw -q add 100 allow all from any to any" \
|
||||
"ipf" \
|
||||
"pass in all"
|
||||
|
||||
atf_check -s exit:0 -o ignore ping6 -c 1 -x 1 fd7a:803f:cc4b::2
|
||||
}
|
||||
|
||||
v6_cleanup()
|
||||
{
|
||||
firewall=$1
|
||||
firewall_cleanup $firewall
|
||||
}
|
||||
|
||||
setup_tests "v4" \
|
||||
"pf" \
|
||||
"ipfw" \
|
||||
"ipf" \
|
||||
"v6" \
|
||||
"pf" \
|
||||
"ipfw" \
|
||||
"ipf"
|
67
tests/sys/netpfil/common/runner.subr
Normal file
67
tests/sys/netpfil/common/runner.subr
Normal file
@ -0,0 +1,67 @@
|
||||
#-
|
||||
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
|
||||
#
|
||||
# Copyright (c) 2019 Ahsan Barkati
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
. $(atf_get_srcdir)/utils.subr
|
||||
|
||||
setup_tests()
|
||||
{
|
||||
tests=""
|
||||
while [ $# -gt 0 ]; do
|
||||
if [ $(is_firewall $1) -eq 1 ]; then
|
||||
fw=$1
|
||||
shift
|
||||
if [ -z "${testcase}" ]; then
|
||||
echo "no testcase passed to setup_test"
|
||||
return
|
||||
fi
|
||||
atf_test_case "${fw}_${testcase}" "cleanup"
|
||||
eval "${fw}_${testcase}_head(){ ${testcase}_head; }"
|
||||
eval "${fw}_${testcase}_body(){ ${testcase}_body $fw; }"
|
||||
eval "${fw}_${testcase}_cleanup(){ ${testcase}_cleanup $fw; }"
|
||||
tests="$tests ${fw}_${testcase}"
|
||||
else
|
||||
testcase=$1
|
||||
shift
|
||||
fi
|
||||
done
|
||||
init_testcases "$tests"
|
||||
}
|
||||
|
||||
|
||||
init_testcases()
|
||||
{
|
||||
args="$@"
|
||||
atf_init_test_cases()
|
||||
{
|
||||
for testcase in $args;
|
||||
do
|
||||
atf_add_test_case "$testcase"
|
||||
done
|
||||
}
|
||||
}
|
113
tests/sys/netpfil/common/utils.subr
Normal file
113
tests/sys/netpfil/common/utils.subr
Normal file
@ -0,0 +1,113 @@
|
||||
#-
|
||||
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
|
||||
#
|
||||
# Copyright (c) 2019 Ahsan Barkati
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
. $(atf_get_srcdir)/../../common/vnet.subr
|
||||
|
||||
firewall_config()
|
||||
{
|
||||
jname=$1
|
||||
shift
|
||||
fw=$1
|
||||
shift
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
if [ $(is_firewall $fw) -eq 1 ]; then
|
||||
current_fw="$1"
|
||||
shift
|
||||
filename=${current_fw}.rule
|
||||
cwd=$(pwd)
|
||||
if [ -f ${current_fw}.rule ]; then
|
||||
rm ${current_fw}.rule
|
||||
fi
|
||||
fi
|
||||
rule=$1
|
||||
echo $rule >> $filename
|
||||
shift
|
||||
done
|
||||
|
||||
if [ ${fw} == "ipfw" ]; then
|
||||
jexec ${jname} ipfw -q -f flush
|
||||
jexec ${jname} /bin/sh $cwd/ipfw.rule
|
||||
elif [ ${fw} == "pf" ]; then
|
||||
jexec ${jname} pfctl -e
|
||||
jexec ${jname} pfctl -F all
|
||||
jexec ${jname} pfctl -f $cwd/pf.rule
|
||||
elif [ ${fw} == "ipf" ]; then
|
||||
jexec ${jname} ipf -E
|
||||
jexec ${jname} ipf -Fa -f $cwd/ipf.rule
|
||||
elif [ ${fw} == "ipfnat" ]; then
|
||||
jexec ${jname} service ipfilter start
|
||||
jexec ${jname} ipnat -CF -f $cwd/ipfnat.rule
|
||||
else
|
||||
atf_fail "$fw is not a valid firewall to configure"
|
||||
fi
|
||||
}
|
||||
|
||||
firewall_cleanup()
|
||||
{
|
||||
firewall=$1
|
||||
echo "Cleaning $firewall"
|
||||
vnet_cleanup
|
||||
}
|
||||
|
||||
firewall_init()
|
||||
{
|
||||
firewall=$1
|
||||
vnet_init
|
||||
|
||||
if [ ${firewall} == "ipfw" ]; then
|
||||
if ! kldstat -q -m ipfw; then
|
||||
atf_skip "This test requires ipfw"
|
||||
fi
|
||||
elif [ ${firewall} == "pf" ]; then
|
||||
if [ ! -c /dev/pf ]; then
|
||||
atf_skip "This test requires pf"
|
||||
fi
|
||||
elif [ ${firewall} == "ipf" ]; then
|
||||
if ! kldstat -q -m ipfilter; then
|
||||
atf_skip "This test requires ipf"
|
||||
fi
|
||||
elif [ ${firewall} == "ipfnat" ]; then
|
||||
if ! kldstat -q -m ipfw_nat; then
|
||||
atf_skip "This test requires ipfw_nat"
|
||||
fi
|
||||
else
|
||||
atf_fail "$fw is not a valid firewall to initialize"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
is_firewall()
|
||||
{
|
||||
if [ "$1" = "pf" -o "$1" = "ipfw" -o "$1" = "ipf" -o "$1" = "ipfnat" ]; then
|
||||
echo 1
|
||||
else
|
||||
echo 0
|
||||
fi
|
||||
}
|
Loading…
Reference in New Issue
Block a user