authorbluhm <bluhm@openbsd.org>2021-01-13 00:26:17 +0000
committerbluhm <bluhm@openbsd.org>2021-01-13 00:26:17 +0000
commite668bc1827bd107a56fab5ce62b3d94db16fead8 (patch)
tree23838b066e2549c1c03b178f416e16d53c60ee69 /regress/sys
parentTweak previous. (diff)
Add pflog(4) tests for IPv6.
Diffstat (limited to 'regress/sys')
-rw-r--r--regress/sys/net/pflog/Makefile70
-rw-r--r--regress/sys/net/pflog/pf.conf12
2 files changed, 74 insertions, 8 deletions
diff --git a/regress/sys/net/pflog/Makefile b/regress/sys/net/pflog/Makefile
index d0653310795..35f8f8fd3da 100644
--- a/regress/sys/net/pflog/Makefile
+++ b/regress/sys/net/pflog/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2021/01/12 00:15:02 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2021/01/13 00:26:17 bluhm Exp $
# Copyright (c) 2021 Alexander Bluhm <bluhm@openbsd.org>
#
@@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# Basic testing of the pflog(4) interface. Create special routing
-# doamin, load rules into pf(4) regress anchor, tcpdump on pflog,
+# domain, load rules into pf(4) regress anchor, tcpdump on pflog,
# send packets over lo(4), grep for expected result in tcpdump output.
# This test uses routing domain 11 and pflog interface number 11, 12, 13.
@@ -75,8 +75,10 @@ ifconfig: unconfig
.endfor
${SUDO} ifconfig lo$N rdomain $N
${SUDO} ifconfig lo$N inet 127.0.0.1/8
+ ${SUDO} ifconfig lo$N inet6 ::1/128
.for i in ${IPS:N1}
${SUDO} ifconfig lo$N inet 127.0.0.$i/32 alias
+ ${SUDO} ifconfig lo$N inet6 fe80::$i/128
.endfor
REGRESS_CLEANUP += unconfig
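Review bot: fe80::1 is never added explicitly in the ifconfig target, because the added `inet6 fe80::$i/128` line sits inside the `.for i in ${IPS:N1}` loop, yet the new tests ping and grep for fe80::1. Presumably the kernel assigns fe80::1 to the loopback interface once inet6 is configured on it. If that is the intent, say so next to the `::1/128` line, for example `# fe80::1 is assigned automatically on lo(4), only the other addresses are added here`. The ifconfig target starts above this hunk.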
@@ -84,7 +86,9 @@ unconfig: stamp-stop
# Destroy interfaces.
.for i in ${IPS}
-${SUDO} ifconfig lo$N inet 127.0.0.$i delete
+ -${SUDO} ifconfig lo$N inet6 fe80::$i%lo$N delete
.endfor
+ -${SUDO} ifconfig lo$N inet6 ::1 delete
.for n in ${NUMS}
-${SUDO} ifconfig pflog$n destroy
.endfor
@@ -136,14 +140,31 @@ REGRESS_TARGETS += run-ping-$i
run-ping-$i: stamp-bpf
ping -n -w 1 -c 1 -V $N 127.0.0.$i
+REGRESS_TARGETS += run-ping6-$i
+run-ping6-$i: stamp-bpf
+ ping6 -n -w 1 -c 1 -V $N fe80::$i%lo$N
+
REGRESS_TARGETS += run-udp-$i
run-udp-$i: stamp-bpf
- echo foo | nc -u -V $N 127.0.0.$i discard
+ echo foo | nc -u -w 1 -V $N 127.0.0.$i discard
+
+REGRESS_TARGETS += run-udp6-$i
+run-udp6-$i: stamp-bpf
+ echo foo | nc -u -w 1 -V $N fe80::$i%lo$N discard
.endfor
+REGRESS_TARGETS += run-ping6-0
+run-ping6-0: stamp-bpf
+ ping6 -n -w 1 -c 1 -V $N ::1
+
+REGRESS_TARGETS += run-udp6-0
+run-udp6-0: stamp-bpf
+ echo foo | nc -u -w 1 -V $N ::1 discard
+
.for n in ${NUMS}
REGRESS_TARGETS += run-bpf-$n
run-bpf-$n: stamp-stop
+ # show full logs
cat pflog$n.tcpdump
.endfor
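Review bot: The targets `run-ping6-0` and `run-udp6-0` use index 0 for ::1, which does not come from the `.for i in` loop that generates the other run targets and is not explained in the hunk. A comment above them, such as `# ::1 is tested as index 0, pf.conf uses it for the user rule`, would tie them to the pf.conf rule that switches to ::1 because of the scope lookup problem.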
@@ -159,18 +180,38 @@ run-bpf-everything: stamp-stop
grep 'regress\.1/.* > 127.0.0.$i:' pflog${N2}.tcpdump
.endfor
+REGRESS_TARGETS += run-bpf-everything6
+run-bpf-everything6: stamp-stop
+ # rule with pflog${N2} matches on every packet
+.for i in ${IPS}
+ grep 'regress\.1/.* > fe80::$i:' pflog${N2}.tcpdump
+.endfor
+
REGRESS_TARGETS += run-bpf-all
run-bpf-all: stamp-stop
# reply without keep state
grep 'regress\.3/.* > 127.0.0.1: icmp: echo request' pflog${N1}.tcpdump
- grep 'regress\.3/.* > 127.0.0.1: icmp: echo reply' pflog${N1}.tcpdump
+ grep 'regress\.3/.* 127.0.0.1 .*: icmp: echo reply' pflog${N1}.tcpdump
# no reply with keep state and without all
grep 'regress\.4/.* > 127.0.0.2: icmp: echo request' pflog${N1}.tcpdump
- ! grep 'regress\.4/.* > 127.0.0.2: icmp: echo reply' pflog${N1}.tcpdump
+ ! grep 'regress\.4/.* 127.0.0.2 .*: icmp: echo reply' pflog${N1}.tcpdump
# reply with keep state and with all
grep 'regress\.5/.* > 127.0.0.3: icmp: echo request' pflog${N1}.tcpdump
# XXX anchor name missing
- grep '/.* > 127.0.0.3: icmp: echo reply' pflog${N1}.tcpdump
+ grep '/.* 127.0.0.3 .*: icmp: echo reply' pflog${N1}.tcpdump
+
+REGRESS_TARGETS += run-bpf-all6
+run-bpf-all6: stamp-stop
+ # reply without keep state
+ grep 'regress\.11/.* > fe80::1: icmp6: echo request' pflog${N1}.tcpdump
+ grep 'regress\.11/.* fe80::1 .*: icmp6: echo reply' pflog${N1}.tcpdump
+ # no reply with keep state and without all
+ grep 'regress\.12/.* > fe80::2: icmp6: echo request' pflog${N1}.tcpdump
+ ! grep 'regress\.12/.* fe80::2 .*: icmp6: echo reply' pflog${N1}.tcpdump
+ # reply with keep state and with all
+ grep 'regress\.13/.* > fe80::3: icmp6: echo request' pflog${N1}.tcpdump
+ # XXX anchor name missing
+ grep '/.* fe80::3 .*: icmp6: echo reply' pflog${N1}.tcpdump
REGRESS_TARGETS += run-bpf-user
run-bpf-user: stamp-stop
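Review bot: run-bpf-everything6 only loops over `${IPS}`, so the ::1 traffic generated by run-ping6-0 and run-udp6-0 is never checked against the match-everything rule on pflog${N2}. Adding `grep 'regress\.1/.* > ::1:' pflog${N2}.tcpdump` after the loop would cover the echo request to ::1. The exact tcpdump form of that line should be confirmed against real output before relying on the pattern.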
@@ -187,7 +228,22 @@ run-bpf-user: stamp-stop
grep 'regress\.3/.* pass out on lo$N:\
127.* > 127.0.0.1.9:.* udp' pflog${N1}.tcpdump
-run-bpf-matches:
+REGRESS_TARGETS += run-bpf-user6
+run-bpf-user6: stamp-stop
+ # out rule creates log entry with uid
+ grep 'regress\.14/.* pass out on lo$N: \[uid ${UID}, pid [0-9]*\]\
+ ::1.* > ::1.9:.* udp' pflog${N1}.tcpdump
+ # in rule has no uid at log entry
+ grep 'regress\.14/.* pass in on lo$N:\
+ ::1.* > ::1.9:.* udp' pflog${N1}.tcpdump
+ # icmp has no uid at log entry
+ grep 'regress\.14/.* pass out on lo$N:\
+ ::1.* > ::1: icmp6: echo request' pflog${N1}.tcpdump
+ # rule without user has no uid in log entry
+ grep 'regress\.11/.* pass out on lo$N:\
+ fe80.* > fe80::1.9:.* udp' pflog${N1}.tcpdump
+
+run-bpf-matches run-bpf-matches6:
# XXX The log matches keyword seems to be totally broken.
# pf_log_matches() is never called. Investigate later.
@echo DISABLED
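Review bot: The port separator in the new run-bpf-user6 patterns is an unescaped dot, `::1.9:` and `fe80::1.9:`, while the rule number in the same expressions is escaped as `regress\.14`. Writing `::1\.9:` and `fe80::1\.9:` keeps the match literal, so the log checks cannot pass on different address or port text. The IPv4 patterns in run-bpf-user have the same form, and that target starts outside this hunk.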
diff --git a/regress/sys/net/pflog/pf.conf b/regress/sys/net/pflog/pf.conf
index 8e948974272..d5d06429de6 100644
--- a/regress/sys/net/pflog/pf.conf
+++ b/regress/sys/net/pflog/pf.conf
@@ -9,7 +9,7 @@ pass log (to $PFLOG_N3) on $LO no state
match log (to $PFLOG_N2) on $LO no state
# specific test to pflog N1
-pass log (to $PFLOG_N1) on $LO
+pass log (to $PFLOG_N1) on $LO inet
pass log (to $PFLOG_N1) on $LO to 127.0.0.1 no state
pass log (to $PFLOG_N1) on $LO to 127.0.0.2 keep state
pass log (all to $PFLOG_N1) on $LO to 127.0.0.3 keep state
@@ -17,3 +17,13 @@ pass log (user to $PFLOG_N1) on $LO to 127.0.0.4
pass on $LO to 127.0.0.5
pass log (matches to $PFLOG_N1) on $LO to 127.0.0.6
pass on $LO to 127.0.0.6
+
+pass log (to $PFLOG_N1) on $LO inet6
+pass log (to $PFLOG_N1) on $LO to fe80::1 no state
+pass log (to $PFLOG_N1) on $LO to fe80::2 keep state
+pass log (all to $PFLOG_N1) on $LO to fe80::3 keep state
+# XXX Socket lookup with embeded scope does not match. Use ::1 instead.
+pass log (user to $PFLOG_N1) on $LO to ::1
+pass on $LO to fe80::5
+pass log (matches to $PFLOG_N1) on $LO to fe80::6
+pass on $LO to fe80::6
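Review bot: The Makefile patterns `regress\.11` to `regress\.14` depend on the position of these new rules in the anchor, and nothing in pf.conf says so. A rule inserted or reordered above them would shift the numbers and make the log checks fail or match a different rule. A comment before the inet6 block, such as `# rule numbers are referenced by the Makefile, append new rules at the end`, would make the coupling visible.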