-rw-r--r-- | regress/sys/net/Makefile | 4 | ||||
-rw-r--r-- | regress/sys/net/pflog/Makefile | 204 | ||||
-rw-r--r-- | regress/sys/net/pflog/pf.conf | 19 |
3 files changed, 225 insertions, 2 deletions
diff --git a/regress/sys/net/Makefile b/regress/sys/net/Makefile
index 6cc1d55e04f..3f43845dc04 100644
--- a/regress/sys/net/Makefile
+++ b/regress/sys/net/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.15 2020/12/17 12:44:21 bluhm Exp $
+# $OpenBSD: Makefile,v 1.16 2021/01/11 12:02:53 bluhm Exp $

 SUBDIR += etherip gif loop
 SUBDIR += pf_divert pf_forward pf_fragment pf_print pf_state pf_table
-SUBDIR += pflow rdomains rtable vxlan wg
+SUBDIR += pflog pflow rdomains rtable vxlan wg

 .include <bsd.subdir.mk>
diff --git a/regress/sys/net/pflog/Makefile b/regress/sys/net/pflog/Makefile
new file mode 100644
index 00000000000..6b2b381b108
--- /dev/null
+++ b/regress/sys/net/pflog/Makefile
@@ -0,0 +1,204 @@
+# $OpenBSD: Makefile,v 1.1 2021/01/11 12:02:53 bluhm Exp $
+
+# Copyright (c) 2021 Alexander Bluhm <bluhm@openbsd.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Basic testing of the pflog(4) interface. Create special routing
+# doamin, load rules into pf(4) regress anchor, tcpdump on pflog,
+# send packets over lo(4), grep for expected result in tcpdump output.
+
+# This test uses routing domain 11 and pflog interface number 11, 12, 13.
+# Adjust it here, if you want to use something else.
+N1 = 11
+N2 = 12
+N3 = 13
+N = ${N1}
+NUMS = ${N1} ${N2} ${N3}
+IPS = 1 2 3 4 5 6
+
+UID !!= id -u
+
+.include <bsd.own.mk>
+
+.if ! (make(clean) || make(cleandir) || make(obj))
+
+PF_STATUS != ${SUDO} pfctl -si | sed -n 's/^Status: \([^ ]*\) .*/\1/p'
+.if empty(PF_STATUS:MEnabled)
+regress:
+ @echo pf status: "${PF_STATUS}"
+ @echo Enable pf to run this regress.
+ @echo SKIPPED
+.endif
+
+PF_SKIP != ${SUDO} pfctl -sI -v | sed -n 's/ (skip)//p'
+.if ! empty(PF_SKIP:Mlo*:Nlo0)
+regress:
+ @echo pf skip: "${PF_SKIP}"
+ @echo Do not set skip on interface lo or lo$N.
+ @echo SKIPPED
+.endif
+
+PF_ANCHOR != ${SUDO} pfctl -sr | sed -n 's/^anchor "\([^"]*\)" all$$/\1/p'
+.if empty(PF_ANCHOR:Mregress)
+regress:
+ @echo pf anchor: "${PF_ANCHOR}"
+ @echo Need anchor '"regress"' in pf.conf to load additional rules.
+ @echo SKIPPED
+.endif
+
+.endif
+
+.PHONY: busy-rdomains ifconfig unconfig pfctl
+
+REGRESS_SETUP_ONCE += busy-rdomains
+busy-rdomains:
+ # Check if rdomains are busy.
+ @if /sbin/ifconfig | grep -v '^lo$N:' | grep ' rdomain $N '; then\
+ echo routing domain $N is already used >&2; exit 1; fi
+
+REGRESS_SETUP_ONCE += ifconfig
+ifconfig: unconfig
+ # Create and configure pflog and loopback interfaces.
+.for n in ${NUMS}
+ ${SUDO} ifconfig pflog$n create
+.endfor
+ ${SUDO} ifconfig lo$N rdomain $N
+ ${SUDO} ifconfig lo$N inet 127.0.0.1/8
+.for i in ${IPS:N1}
+ ${SUDO} ifconfig lo$N inet 127.0.0.$i/32 alias
+.endfor
+
+REGRESS_CLEANUP += unconfig
+unconfig: stamp-stop
+ # Destroy interfaces.
+.for i in ${IPS}
+ -${SUDO} ifconfig lo$N inet 127.0.0.$i delete
+.endfor
+.for n in ${NUMS}
+ -${SUDO} ifconfig pflog$n destroy
+.endfor
+ rm -f stamp-ifconfig
+
+addr.py: Makefile
+ # Create python include file containing the addresses.
+ rm -f $@ $@.tmp
+ echo 'N="$N"' >>$@.tmp
+ echo 'LO="lo$N"' >>$@.tmp
+.for var in N1 N2 N3
+ echo '${var}="${${var}}"' >>$@.tmp
+ echo 'PFLOG_${var}="pflog${${var}}"' >>$@.tmp
+.endfor
+ mv $@.tmp $@
+
+REGRESS_SETUP_ONCE += pfctl
+pfctl: addr.py pf.conf
+ # Load the pf rules into the kernel.
+ cat addr.py ${.CURDIR}/pf.conf | /sbin/pfctl -n -f -
+ cat addr.py ${.CURDIR}/pf.conf | ${SUDO} pfctl -a regress -f -
+
+# Run tcpdump on pflog devices.
+DUMPCMD = /usr/sbin/tcpdump -l -e -vvv -s 2048 -ni
+
+stamp-bpf: stamp-bpf-${N1} stamp-bpf-${N2} stamp-bpf-${N3}
+ sleep 2 # XXX
+ @date >$@
+
+.for n in ${NUMS}
+
+stamp-bpf-$n: stamp-ifconfig
+ rm -f pflog$n.tcpdump
+ ${SUDO} pkill -f '^${DUMPCMD} pflog$n' || true
+ ${SUDO} ${DUMPCMD} pflog$n >pflog$n.tcpdump &
+ rm -f stamp-stop
+ @date >$@
+
+.endfor
+
+stamp-stop:
+ sleep 2 # XXX
+ -${SUDO} pkill -f '^${DUMPCMD}'
+ rm -f stamp-bpf*
+ @date >$@
+
+.for i in ${IPS}
+REGRESS_TARGETS += run-ping-$i
+run-ping-$i: stamp-bpf
+ ping -n -w 1 -c 1 -V $N 127.0.0.$i
+
+REGRESS_TARGETS += run-udp-$i
+run-udp-$i: stamp-bpf
+ echo foo | nc -u -V $N 127.0.0.$i discard
+.endfor
+
+.for n in ${NUMS}
+REGRESS_TARGETS += run-bpf-$n
+run-bpf-$n: stamp-stop
+ cat pflog$n.tcpdump
+.endfor
+
+REGRESS_TARGETS += run-bpf-nothing
+run-bpf-nothing: stamp-stop
+ # rule with pflog${N3} is never used
+ ! grep . pflog${N3}.tcpdump
+
+REGRESS_TARGETS += run-bpf-everything
+run-bpf-everything: stamp-stop
+ # rule with pflog${N2} matches on every packet
+.for i in ${IPS}
+ grep 'regress\.1/.* > 127.0.0.$i:' pflog${N2}.tcpdump
+.endfor
+
+REGRESS_TARGETS += run-bpf-all
+run-bpf-all: stamp-stop
+ # reply without keep state
+ grep 'regress\.3/.* > 127.0.0.1: icmp: echo request' pflog${N1}.tcpdump
+ grep 'regress\.3/.* > 127.0.0.1: icmp: echo reply' pflog${N1}.tcpdump
+ # no reply with keep state and without all
+ grep 'regress\.4/.* > 127.0.0.2: icmp: echo request' pflog${N1}.tcpdump
+ ! grep 'regress\.4/.* > 127.0.0.2: icmp: echo reply' pflog${N1}.tcpdump
+ # reply with keep state and with all
+ grep 'regress\.5/.* > 127.0.0.3: icmp: echo request' pflog${N1}.tcpdump
+ # XXX anchor name missing
+ grep '/.* > 127.0.0.3: icmp: echo reply' pflog${N1}.tcpdump
+
+REGRESS_TARGETS += run-bpf-user
+run-bpf-user: stamp-stop
+ # out rule creates log entry with uid
+ grep 'regress\.6/.* pass out on lo$N: \[uid ${UID}, pid [0-9]*\]\
+ 127.* > 127.0.0.4.9:.* udp' pflog${N1}.tcpdump
+ # in rule has no uid at log entry
+ grep 'regress\.6/.* pass in on lo$N:\
+ 127.* > 127.0.0.4.9:.* udp' pflog${N1}.tcpdump
+ # icmp has no uid at log entry
+ grep 'regress\.6/.* pass out on lo$N:\
+ 127.* > 127.0.0.4: icmp: echo request' pflog${N1}.tcpdump
+ # XXX rule without user sometimes has uid in log entry
+ #grep 'regress\.3/.* pass out on lo$N:\
+ 127.* > 127.0.0.1.9:.* udp' pflog${N1}.tcpdump
+ @echo DISABLED
+
+run-bpf-matches:
+ # XXX The log matches keyword seems to be totally broken.
+ # pf_log_matches() is never called. Investigate later.
+ @echo DISABLED
+
+REGRESS_TARGETS += run-bpf-matches
+run-bpf-matches: stamp-stop
+ grep 'regress\.9/.* > 127.0.0.6: icmp: echo request' pflog${N1}.tcpdump
+ ! grep 'regress\.8/.* icmp: echo request' pflog${N1}.tcpdump
+ ! grep 'regress\.7/.* icmp: echo request' pflog${N1}.tcpdump
+
+CLEANFILES += addr.py *.pyc *.tcpdump *.log stamp-*
+
+.include <bsd.regress.mk>
diff --git a/regress/sys/net/pflog/pf.conf b/regress/sys/net/pflog/pf.conf
new file mode 100644
index 00000000000..8e948974272
--- /dev/null
+++ b/regress/sys/net/pflog/pf.conf
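Review bot: The `stamp-stop` recipe runs `-${SUDO} pkill -f '^${DUMPCMD}'` as root, and that pattern matches every process on the host whose command line starts with `/usr/sbin/tcpdump -l -e -vvv -s 2048 -ni`, not only the three captures started in `stamp-bpf-$n` — a concurrent regress run in another directory or an administrator's own capture with the same flags would be killed as collateral. The start recipe already narrows its pkill to `pflog$n`; the stop recipe should do the same, replacing the single pkill with `.for n in ${NUMS}` / `-${SUDO} pkill -f '^${DUMPCMD} pflog$n'` / `.endfor`. The two `sleep 2 # XXX` lines are the only thing ensuring tcpdump has attached to the bpf device before `run-ping-$i` sends traffic and has flushed its line-buffered (`-l`) output before the greps read the files, so a slow machine turns into a spurious grep failure rather than a clear setup error; a comment at `stamp-bpf` naming that assumption would help whoever debugs it. `run-bpf-matches` is also given two recipes; if this intentionally relies on make keeping the first (`@echo DISABLED`) and ignoring the second, a comment saying so would save the next reader from wondering which greps actually run.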
@@ -0,0 +1,19 @@
+# pf must have these rules in the regress anchor
+
+set ruleset-optimization none
+
+# nothing to pflog N3, will be overridden by later rule
+pass log (to $PFLOG_N3) on $LO no state
+
+# everything to pflog N2
+match log (to $PFLOG_N2) on $LO no state
+
+# specific test to pflog N1
+pass log (to $PFLOG_N1) on $LO
+pass log (to $PFLOG_N1) on $LO to 127.0.0.1 no state
+pass log (to $PFLOG_N1) on $LO to 127.0.0.2 keep state
+pass log (all to $PFLOG_N1) on $LO to 127.0.0.3 keep state
+pass log (user to $PFLOG_N1) on $LO to 127.0.0.4
+pass on $LO to 127.0.0.5
+pass log (matches to $PFLOG_N1) on $LO to 127.0.0.6
+pass on $LO to 127.0.0.6 |
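Review bot: The macros `$LO`, `$PFLOG_N1`, `$PFLOG_N2` and `$PFLOG_N3` are used throughout this file but defined nowhere in it; they come from the generated `addr.py` that the Makefile's `pfctl` target concatenates in front of this file before piping it to `pfctl -a regress -f -`, so anyone loading `pf.conf` on its own should expect pfctl to reject it for undefined macros. I would extend the header comment with `# Macros LO and PFLOG_N1..N3 come from addr.py, which the Makefile generates` / `# and prepends to this file; it is not loadable on its own.` The comment "will be overridden by later rule" on the `$PFLOG_N3` rule could also name the rule that does it — the unqualified `pass log (to $PFLOG_N1) on $LO` — since the intervening `match` rule does not replace a pass rule's last-match decision.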