From: Kristof Provost
Date: Wed, 2 Mar 2022 16:00:46 GMT
Message-Id: <202203021600.222G0ksp091078@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: d6fc3ee2e76e - main - pf tests: MAC address filtering test
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d6fc3ee2e76ea7ed84f6d71d75d1821d52492529

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d6fc3ee2e76ea7ed84f6d71d75d1821d52492529

commit
d6fc3ee2e76ea7ed84f6d71d75d1821d52492529 Author: Kristof Provost AuthorDate: 2021-02-09 10:04:36 +0000 Commit: Kristof Provost CommitDate: 2022-03-02 16:00:04 +0000 pf tests: MAC address filtering test Test the MAC address filtering capability in the new 'ether' feature in pf. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31743 --- tests/sys/netpfil/pf/Makefile | 1 + tests/sys/netpfil/pf/ether.sh | 88 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index e3079c7c139d..6521d7fa6218 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -9,6 +9,7 @@ ATF_TESTS_SH+= altq \ anchor \ checksum \ dup \ + ether \ forward \ fragmentation \ get_state \ diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh new file mode 100644 index 000000000000..5724d6102505 --- /dev/null +++ b/tests/sys/netpfil/pf/ether.sh 
@@ -0,0 +1,88 @@ +# $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright © 2021. Rubicon Communications, LLC (Netgate). All Rights Reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "mac" "cleanup" +mac_head() +{ + atf_set descr 'Test MAC address filtering' + atf_set require.user root +} + +mac_body() +{ + pft_init + + epair=$(vnet_mkepair) + epair_a_mac=$(ifconfig ${epair}a ether | awk '/ether/ { print $2; }') + + ifconfig ${epair}a 192.0.2.1/24 up + + vnet_mkjail alcatraz ${epair}b + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + pft_set_rules alcatraz \ + "ether block from ${epair_a_mac}" + + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Now enable. 
Ping should fail. + jexec alcatraz pfctl -e + + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Should still fail for 'to' + pft_set_rules alcatraz \ + "ether block to ${epair_a_mac}" + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Succeeds if we block a different MAC address + pft_set_rules alcatraz \ + "ether block to 00:01:02:03:04:05" + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Now try this with an interface specified + pft_set_rules alcatraz \ + "ether block on ${epair}b from ${epair_a_mac}" + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Wrong interface should not match + pft_set_rules alcatraz \ + "ether block on ${epair}a from ${epair_a_mac}" + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 +} + +mac_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "mac" +}
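
Review bot: In mac_body in tests/sys/netpfil/pf/ether.sh, the `from` and `to` cases cannot be told apart by the checks used: both "ether block from ${epair_a_mac}" and "ether block to ${epair_a_mac}" expect `ping` to exit 2, and because ping needs both the request and the reply to get through, a matcher that compared the address against either field regardless of the keyword would pass every check here. A check that observes only one direction (for example, whether the echo request is seen inside alcatraz) would distinguish the two keywords. The non-matching address 00:01:02:03:04:05 is also only tried with `to`; the same case with `from` would complete the matrix. Separately, the "Wrong interface should not match" case uses ${epair}a, which is configured on the host and never moved into alcatraz (only ${epair}b is passed to vnet_mkjail), so it tests a name that is absent from the jail rather than a second interface that is present there; a comment stating that, or a second epair inside the jail, would make the intent clear.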