From 44f1544a0749abac845e541cd856c4ec059c4742 Mon Sep 17 00:00:00 2001
From: sashan
Date: Mon, 9 Jan 2023 10:21:40 +0000
Subject: [PATCH] yet another set of regression tests for pf(4).

Unlike tests found in pf_forward the tests in pf_policy use local bound traffic to provide simple testing of various pf features. The initial commit brings few tests using icmp echo to test anchor rules.

anton@ helped a lot to improve pf_policy/Makefile

OK anton@
---
 regress/sys/net/Makefile | 6 +-
 regress/sys/net/pf_policy/Makefile | 85 ++++++++++++++++++++
 regress/sys/net/pf_policy/absolute.conf | 14 ++++
 regress/sys/net/pf_policy/list.conf | 11 +++
 regress/sys/net/pf_policy/loop-relative.conf | 11 +++
 regress/sys/net/pf_policy/loop.conf | 11 +++
 regress/sys/net/pf_policy/nesting-once.conf | 13 +++
 regress/sys/net/pf_policy/nesting.conf | 10 +++
 regress/sys/net/pf_policy/once.conf | 7 ++
 regress/sys/net/pf_policy/quick.conf | 11 +++
 regress/sys/net/pf_policy/relative.conf | 14 ++++
 regress/sys/net/pf_policy/simple.conf | 8 ++
 12 files changed, 198 insertions(+), 3 deletions(-)
 create mode 100644 regress/sys/net/pf_policy/Makefile
 create mode 100644 regress/sys/net/pf_policy/absolute.conf
 create mode 100644 regress/sys/net/pf_policy/list.conf
 create mode 100644 regress/sys/net/pf_policy/loop-relative.conf
 create mode 100644 regress/sys/net/pf_policy/loop.conf
 create mode 100644 regress/sys/net/pf_policy/nesting-once.conf
 create mode 100644 regress/sys/net/pf_policy/nesting.conf
 create mode 100644 regress/sys/net/pf_policy/once.conf
 create mode 100644 regress/sys/net/pf_policy/quick.conf
 create mode 100644 regress/sys/net/pf_policy/relative.conf
 create mode 100644 regress/sys/net/pf_policy/simple.conf

diff --git a/regress/sys/net/Makefile b/regress/sys/net/Makefile
index 7680f3f3bf5..c7b0873fd0d 100644
--- a/regress/sys/net/Makefile
+++ b/regress/sys/net/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.18 2022/04/29 17:27:37 bluhm Exp $
+# $OpenBSD: Makefile,v 1.19 2023/01/09 10:21:40 sashan Exp $
 SUBDIR += etherip gif loop
-SUBDIR += pf_divert pf_forward pf_fragment pf_opts pf_print pf_state
-SUBDIR += pf_table
+SUBDIR += pf_divert pf_forward pf_fragment pf_opts pf_policy pf_print
+SUBDIR += pf_state pf_table
 SUBDIR += pair pflog pflow rdomains rtable vxlan wg
 .include
diff --git a/regress/sys/net/pf_policy/Makefile b/regress/sys/net/pf_policy/Makefile
new file mode 100644
index 00000000000..1797cc15387
--- /dev/null
+++ b/regress/sys/net/pf_policy/Makefile
@@ -0,0 +1,85 @@
+# $OpenBSD: Makefile,v 1.1 2023/01/09 10:21:40 sashan Exp $
+
+# Copyright (c) 2022 Alexandr Nedvedicky
+
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+#
+# PROBE_HOST use any remote host which is
+# reachable for ping(8)
+#
+PROBE_HOST ?= 10.188.210.50
+
+TESTS_PASS = absolute \
+ quick \
+ relative
+
+TESTS_BLOCK = list \
+ loop-relative \
+ loop \
+ nesting \
+ simple
+
+TESTS_ONCE = nesting-once \
+ once
+
+REGRESS_SETUP_ONCE = enable-pf
+enable-pf:
+ ${SUDO} pfctl -e || true
+
+REACHABLE != ping -c 1 -w 1 ${PROBE_HOST} > /dev/null 2>&1 && echo yes || :
+.if empty(REACHABLE)
+regress:
+ @echo Cannot reach ${PROBE_HOST}
+ @echo SKIPPED
+.endif
+
+REGRESS_TARGETS += check-probe-host
+
+check-probe-host:
+ ping -c 1 -w 1 ${PROBE_HOST}
+
+.for rules in ${TESTS_PASS}
+REGRESS_TARGETS += run-pass-${rules}
+run-pass-${rules}:
+ ${SUDO} pfctl -a "regress/*" -Fa
+ ${SUDO} pfctl -a "regress" -f ${.CURDIR}/${rules}.conf
+ ping -c 1 -w 1 ${PROBE_HOST}
+.endfor
+
+.for rules in ${TESTS_BLOCK}
+REGRESS_TARGETS += run-block-${rules}
+run-block-${rules}:
+ ${SUDO} pfctl -a "regress/*" -Fa
+ ping -c 1 -w 1 ${PROBE_HOST}
+ ${SUDO} pfctl -a "regress" -f ${.CURDIR}/${rules}.conf
+ ping -c 1 -w 1 ${PROBE_HOST} || true
+.endfor
+
+.for rules in ${TESTS_ONCE}
+REGRESS_TARGETS += run-once-${rules}
+run-once-${rules}:
+ ${SUDO} pfctl -a "regress/*" -Fa
+ ${SUDO} pfctl -a "regress" -f ${.CURDIR}/${rules}.conf
+ ping -c 1 -w 1 ${PROBE_HOST}
+ ping -c 1 -w 1 ${PROBE_HOST} || true
+.endfor
+
+REGRESS_CLEANUP += clean
+
+clean:
+ ${SUDO} pfctl -a "regress/*" -Fa
+ ${SUDO} pfctl -d
+
+.include
diff --git a/regress/sys/net/pf_policy/absolute.conf b/regress/sys/net/pf_policy/absolute.conf
new file mode 100644
index 00000000000..6c930bd7123
--- /dev/null
+++ b/regress/sys/net/pf_policy/absolute.conf
@@ -0,0 +1,14 @@
+# $OpenBSD: absolute.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping succeeds
+#
+anchor "first" {
+ anchor "../second"
+ block proto {icmp,icmp6} all
+}
+
+anchor "second" {
+ pass quick proto {icmp,icmp6} all
+}
+
+block proto {icmp,icmp6} all
diff --git a/regress/sys/net/pf_policy/list.conf b/regress/sys/net/pf_policy/list.conf
new file mode 100644
index 00000000000..505f45de914
--- /dev/null
+++ b/regress/sys/net/pf_policy/list.conf
@@ -0,0 +1,11 @@
+# $OpenBSD: list.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping fails
+#
+anchor "first" {
+ pass proto { icmp, icmp6 } all
+}
+
+anchor "second" {
+ block proto { icmp, icmp6 } all
+}
diff --git a/regress/sys/net/pf_policy/loop-relative.conf b/regress/sys/net/pf_policy/loop-relative.conf
new file mode 100644
index 00000000000..abb6c21abba
--- /dev/null
+++ b/regress/sys/net/pf_policy/loop-relative.conf
@@ -0,0 +1,11 @@
+# $OpenBSD: loop-relative.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping fails
+#
+anchor "first" {
+ anchor "../second"
+}
+
+anchor "second" {
+ anchor "../first"
+}
diff --git a/regress/sys/net/pf_policy/loop.conf b/regress/sys/net/pf_policy/loop.conf
new file mode 100644
index 00000000000..a3db64200a6
--- /dev/null
+++ b/regress/sys/net/pf_policy/loop.conf
@@ -0,0 +1,11 @@
+# $OpenBSD: loop.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping fails
+
+anchor "first" {
+ anchor "/second"
+}
+
+anchor "second" {
+ anchor "/first"
+}
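Review bot: The trailing `ping -c 1 -w 1 ${PROBE_HOST} || true` in run-block-${rules} and again in run-once-${rules} makes the negative half of these tests vacuous: when the loaded rules have no effect and the ping succeeds, the target still passes, so the `ping fails` expectations written in the .conf files are never enforced; those two lines should read `! ping -c 1 -w 1 ${PROBE_HOST}` so that a successful ping fails the target. The clean target runs `${SUDO} pfctl -d` unconditionally while enable-pf only does `pfctl -e || true`, so on a host where pf was already enabled before the run the cleanup leaves the packet filter switched off and whatever ruleset was in place no longer enforced; record whether pf was enabled beforehand (for example from `pfctl -si` output) and only disable it in clean when enable-pf actually turned it on. The pass targets cannot distinguish a ruleset that passed the packet from one that was never evaluated, since ping also succeeds with nothing loaded into the anchor, which deserves a comment above TESTS_PASS noting that only the block targets prove the `regress` anchor is in effect. PROBE_HOST defaults to one fixed private address that will rarely exist outside the author's network, so most runs will take the SKIPPED branch; the comment above it should say it is expected to be overridden on the make command line.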
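Review bot: absolute.conf is identical to relative.conf further down in this patch apart from the RCS id: both reach the sibling anchor with `anchor "../second"`, so neither file exercises an absolute anchor path and run-pass-absolute merely repeats run-pass-relative. Presumably this file was meant to name the anchor by its full path the way loop.conf does with `anchor "/second"`; confirm which path pf resolves from inside the `regress` anchor and change the reference here accordingly, or drop one of the two files together with its TESTS_PASS entry.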
diff --git a/regress/sys/net/pf_policy/nesting-once.conf b/regress/sys/net/pf_policy/nesting-once.conf
new file mode 100644
index 00000000000..a055dfbf2b0
--- /dev/null
+++ b/regress/sys/net/pf_policy/nesting-once.conf
@@ -0,0 +1,13 @@
+# $OpenBSD: nesting-once.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping succeeds
+#
+anchor "first" {
+ anchor "second" {
+ pass proto { icmp, icmp6 } all
+ anchor "third" {
+ pass quick proto {icmp, icmp6} once
+ }
+ }
+ block proto { icmp, icmp6 } all
+}
diff --git a/regress/sys/net/pf_policy/nesting.conf b/regress/sys/net/pf_policy/nesting.conf
new file mode 100644
index 00000000000..462fd865aa7
--- /dev/null
+++ b/regress/sys/net/pf_policy/nesting.conf
@@ -0,0 +1,10 @@
+# $OpenBSD: nesting.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping fails
+#
+anchor "first" {
+ anchor "second" {
+ pass proto { icmp, icmp6 } all
+ }
+ block proto { icmp, icmp6 } all
+}
diff --git a/regress/sys/net/pf_policy/once.conf b/regress/sys/net/pf_policy/once.conf
new file mode 100644
index 00000000000..2015e6faefa
--- /dev/null
+++ b/regress/sys/net/pf_policy/once.conf
@@ -0,0 +1,7 @@
+# $OpenBSD: once.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# first ping succeeds
+# following ping fails
+#
+pass quick proto {icmp, icmp6} all once
+block proto {icmp, icmp6}
diff --git a/regress/sys/net/pf_policy/quick.conf b/regress/sys/net/pf_policy/quick.conf
new file mode 100644
index 00000000000..200b9606fac
--- /dev/null
+++ b/regress/sys/net/pf_policy/quick.conf
@@ -0,0 +1,11 @@
+# $OpenBSD: quick.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping succeeds
+#
+anchor "first" {
+ pass quick proto {icmp, icmp6} all
+}
+
+anchor "second" {
+ block proto {icmp, icmp6} all
+}
diff --git a/regress/sys/net/pf_policy/relative.conf b/regress/sys/net/pf_policy/relative.conf
new file mode 100644
index 00000000000..8ceb68b9345
--- /dev/null
+++ b/regress/sys/net/pf_policy/relative.conf
@@ -0,0 +1,14 @@
+# $OpenBSD: relative.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping succeeds
+#
+anchor "first" {
+ anchor "../second"
+ block proto {icmp,icmp6} all
+}
+
+anchor "second" {
+ pass quick proto {icmp,icmp6} all
+}
+
+block proto {icmp,icmp6} all
diff --git a/regress/sys/net/pf_policy/simple.conf b/regress/sys/net/pf_policy/simple.conf
new file mode 100644
index 00000000000..78efee9dee2
--- /dev/null
+++ b/regress/sys/net/pf_policy/simple.conf
@@ -0,0 +1,8 @@
+# $OpenBSD: simple.conf,v 1.1 2023/01/09 10:21:40 sashan Exp $
+#
+# ping fails
+#
+anchor "test" {
+ pass proto {icmp, icmp6} all
+}
+block proto {icmp, icmp6} all
-- 
2.20.1