b9daf172a0
GSoC 2008 project. These were originally inside the kernel subdirectory but I think they belong in their own top-level directory because ipf consists of more components than just the kernel-level packet filter.
# $NetBSD: t_ipf.in,v 1.1 2009/02/20 21:42:59 jmmv Exp $
|
|
#
|
|
# Copyright (c) 2008 The NetBSD Foundation, Inc.
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
#
|
|
# (C)opyright 1993-1996 by Darren Reed.
|
|
#
|
|
# See the IPFILTER.LICENCE file for details on licencing.
|
|
#
|
|
|
|
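# Copy the fixtures of test case $1 from the source directory into the
# current directory under fixed names:
#   input/$1    -> in
#   regress/$1  -> reg
#   expected/$1 -> exp
# A fixture that does not exist is skipped without a message.
#
# Every expansion is quoted so that a source directory or test name that
# contains whitespace or glob characters reaches test(1) and cp(1) as a
# single word instead of being split.
#
# The return status is that of the last list, so it is non-zero when
# expected/$1 is missing; the callers in this file do not check it.
h_copydata()
{
	test -f "$(atf_get_srcdir)/input/$1" && \
	    cp "$(atf_get_srcdir)/input/$1" in
	test -f "$(atf_get_srcdir)/regress/$1" && \
	    cp "$(atf_get_srcdir)/regress/$1" reg
	test -f "$(atf_get_srcdir)/expected/$1" && \
	    cp "$(atf_get_srcdir)/expected/$1" exp
}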
|
|
|
|
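# Run a filter-rule test one rule at a time and compare the collected
# output with the expected file.
#   $1  test name; selects the fixtures copied by h_copydata
#   $2  value handed to ipftest -F
#   $4  extra ipftest arguments (may be empty; split on whitespace)
# $3 is not used by this helper.
#
# For every line of reg, ipftest is run with that line as its only rule
# (-r - reads the rules from standard input) against the packets in "in".
# Its output and a separator line are appended to "out", which must end up
# identical to "exp".
h_dotest()
{
	h_copydata "$1"

	{ while read rule; do
		# atf_check -x passes its argument to a shell.  The rule is
		# therefore written to a file and redirected in, rather than
		# being pasted into that command string, where a quote, '$'
		# or backquote in the rule text would be re-interpreted by
		# the shell before ipftest ever saw it.  $2 and $4 stay in
		# the string: they come from the test-case table and $4
		# relies on word splitting.
		# read is used without -r, so backslashes in reg are still
		# treated as escapes, as before.
		printf '%s\n' "$rule" >rule
		atf_check -x "ipftest -F $2 -Rbr - -i in $4 <rule >>out"
		echo "--------" >>out
	done; } <reg

	diff -u exp out || atf_fail "results differ"
}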
|
|
|
|
# Run a filter-rule test with the whole rule file loaded at once.
#   $1  test name; selects the fixtures copied by h_copydata
#   $2  value handed to ipftest -F
# ipftest reads all rules from reg and the packets from "in"; its standard
# output is saved to "out", one separator line is appended, and the result
# must be identical to "exp".
h_mtest()
{
	h_copydata $1

	atf_check -o save:out ipftest -F $2 -Rbr reg -i in
	printf '%s\n' "--------" >>out

	if ! diff -u exp out; then
		atf_fail "results differ"
	fi
}
|
|
|
|
# Check that the rules in reg are parsed and printed back as listed in exp.
#   $1  test name; selects the fixtures copied by h_copydata
#   $3  program that does the parsing: "ipf" or "ipftest"
# ipf is run with -n (no-change), so the rules are only parsed and printed
# and are not loaded into the running filter; its standard error is ignored.
# NOTE(review): any other value of $3 runs no check at all and the test
# case passes vacuously -- confirm that is intended.
h_itest()
{
	h_copydata $1

	if [ "$3" = ipf ]; then
		atf_check -o file:exp -e ignore ipf -Rnvf reg
	elif [ "$3" = ipftest ]; then
		atf_check -o file:exp ipftest -D -r reg -i /dev/null
	fi
}
|
|
|
|
# Variant of h_itest for test i19, whose expected output depends on which
# syslog facilities the host's <sys/syslog.h> mentions.  The distributed
# expectation (expected/i19.dist) is rewritten step by step through the
# scratch files i19.p1 and i19.p2, the result is installed as "exp", and
# h_itest is then called with the original arguments.
#
# Facility names are replaced with "!!!" when the matching LOG_* name is not
# found in the header; "security" becomes "audit" when only LOG_AUDIT is
# found; "cron" becomes "cron2" when a line matches 'LOG_CRON.*15'.
#
# NOTE(review): grep's standard error is captured together with its output
# (2>&1), so an unreadable or missing /usr/include/sys/syslog.h yields a
# non-empty string and is handled exactly like a match.  On a host without
# the header every facility is taken as present and the cron substitution
# is applied -- confirm whether the test should be skipped in that case.
h_itest_i19()
{
	cp "$(atf_get_srcdir)/expected/i19.dist" .

	# security / audit
	if [ -n "$(grep LOG_SECURITY /usr/include/sys/syslog.h 2>&1)" ]; then
		cp i19.dist i19.p1
	elif [ -n "$(grep LOG_AUDIT /usr/include/sys/syslog.h 2>&1)" ]; then
		sed -e 's/security/audit/g' i19.dist > i19.p1
	else
		sed -e 's/security/!!!/g' i19.dist > i19.p1
	fi

	# authpriv
	if [ -n "$(grep LOG_AUTHPRIV /usr/include/sys/syslog.h 2>&1)" ]; then
		cp i19.p1 i19.p2
	else
		sed -e 's/authpriv/!!!/g' i19.p1 > i19.p2
	fi

	# logalert
	if [ -n "$(grep LOG_LOGALERT /usr/include/sys/syslog.h 2>&1)" ]; then
		cp i19.p2 i19.p1
	else
		sed -e 's/logalert/!!!/g' i19.p2 > i19.p1
	fi

	# ftp
	if [ -n "$(grep LOG_FTP /usr/include/sys/syslog.h 2>&1)" ]; then
		cp i19.p1 i19.p2
	else
		sed -e 's/ftp/!!!/g' i19.p1 > i19.p2
	fi

	# cron / cron2
	if [ -z "$(egrep 'LOG_CRON.*15' /usr/include/sys/syslog.h 2>&1)" ]; then
		cp i19.p2 i19
	else
		sed -e 's/cron/cron2/g' i19.p2 > i19
	fi

	# Drop the scratch files and install the adjusted expectation.
	/bin/rm i19.p?
	mv i19 exp

	h_itest "$@"
}
|
|
|
|
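# Run a NAT test one rule at a time and compare the collected output with
# the expected file.
#   $1  test name; selects the fixtures copied by h_copydata
#   $2  value handed to ipftest -F
#   $3  "hex" adds -x to the format options; anything else does not
#   $4  extra ipftest arguments placed before the format options (may be
#       empty; split on whitespace)
# For every line of reg, ipftest is run with that line as its only NAT rule
# (-N - reads them from standard input) against the packets in "in".  Its
# output and a separator line are appended to "out", which must end up
# identical to "exp".
h_nattest()
{
	h_copydata "$1"

	# $3 is quoted so that an empty value is a plain mismatch rather
	# than a test(1) syntax error.
	if [ "$3" = hex ] ; then
		format="-xF $2"
	else
		format="-F $2"
	fi

	format="$4 $format"

	{ while read rule; do
		# atf_check -x passes its argument to a shell, so the rule is
		# supplied through a file instead of being pasted into the
		# command string, where a quote, '$' or backquote in the rule
		# text would be re-interpreted by the shell.  $format stays in
		# the string because it relies on word splitting.
		printf '%s\n' "$rule" >rule
		atf_check -o save:save -x \
		    "ipftest $format -RbN - -i in <rule"
		cat save >>out
		echo "-------------------------------" >>out
	done; } <reg

	diff -u exp out || atf_fail "results differ"
}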
|
|
|
|
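# Run a combined NAT + filter test and compare the collected output with
# the expected file.
#   $1  test name; selects the fixtures copied by h_copydata as well as
#       regress/$1.nat (copied to "nat") and regress/$1.ipf (copied to "ipf")
#   $2  "single": run ipftest once per line of nat;
#       "multi":  run ipftest once with the whole nat file
#   $3  value handed to ipftest -F
#   $4  "hex" adds -x to the format options; anything else does not
#   $5  extra ipftest arguments (may be empty; split on whitespace)
# The filter rules always come from "ipf" and the packets from "in".  The
# output plus separator lines in "out" must end up identical to "exp".
# NOTE(review): a value of $2 other than "single" or "multi" runs nothing,
# so "out" is never created and the final diff reports a failure.
h_natipftest()
{
	h_copydata "$1"
	cp "$(atf_get_srcdir)/regress/$1.nat" nat
	cp "$(atf_get_srcdir)/regress/$1.ipf" ipf

	# $4 is quoted so that an empty value is a plain mismatch rather
	# than a test(1) syntax error.
	if [ "$4" = hex ] ; then
		format="-xF $3"
	else
		format="-F $3"
	fi

	case $2 in
	single)
		{ while read rule; do
			# atf_check -x passes its argument to a shell, so the
			# NAT rule is supplied through a file instead of being
			# pasted into the command string, where a quote, '$'
			# or backquote in the rule text would be re-interpreted
			# by the shell.  $5 and $format stay in the string
			# because they rely on word splitting.
			printf '%s\n' "$rule" >rule
			atf_check -o save:save -x \
			    "ipftest -R $5 $format -b -r ipf -N - -i in <rule"
			cat save >>out
			echo "-------------------------------" >>out
		done; } <nat
		;;
	multi)
		atf_check -o save:out ipftest -R $5 \
		    $format -b -r ipf -N nat -i in
		echo "-------------------------------" >>out
		;;
	esac

	diff -u exp out || atf_fail "results differ"
}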
|
|
|
|
# Check that the NAT rules in reg are parsed and printed back as listed in
# exp.
#   $1  test name; selects the fixtures copied by h_copydata
# ipnat is run with -n (no-change), so the rules are only parsed and printed
# and are not loaded; its standard error is ignored.
h_intest()
{
	h_copydata $1

	atf_check -o file:exp -e ignore ipnat -Rnvf reg
}
|
|
|
|
# Check that the pool definitions in reg are parsed and printed back as
# listed in exp.
#   $1  test name; selects the fixtures copied by h_copydata
# input/ip2.data is copied into a local input/ directory for every test
# case, whatever $1 is (presumably because a pool definition refers to it
# by that relative path -- confirm against the regress files).
# ippool is run with -n (no-change); its standard error is ignored.
h_iptest()
{
	h_copydata $1

	# Recreate the relative path of the data file inside the work
	# directory.
	mkdir input
	cp $(atf_get_srcdir)/input/ip2.data input/

	atf_check -o file:exp -e ignore ippool -f reg -nRv
}
|
|
|
|
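# Run the logging test: produce a log with ipftest, render it with ipmon,
# and compare both renderings with their expected files.
#   $1  test name; selects the fixtures copied by h_copydata and
#       expected/$1.b (copied to "exp.b")
#   $2  value handed to ipftest -F
# The log is produced and rendered once per line of reg and then once more
# with the whole of reg.  Each time ipmon is run twice on "logout", without
# and with -b; the first rendering is appended to "out", the second to
# "out.b".  "out" must match "exp" and "out.b" must match "exp.b".
#
# ipmon runs with TZ set from $GMT, presumably so that the rendered
# timestamps do not depend on the host's time zone.
h_logtest()
{
	h_copydata "$1"
	cp "$(atf_get_srcdir)/expected/$1.b" exp.b

	case $(uname -s) in
	OSF1)
		GMT=:
		;;
	*)
		GMT=GMT
		;;
	esac

	{ while read rule; do
		# atf_check -x passes its argument to a shell.  The rule is
		# written to a file once and fed to ipftest by redirection
		# instead of being pasted, unquoted, into that command
		# string, where characters such as '>', ';', '$' or a
		# backquote in the rule text would be parsed as shell syntax.
		# The unquoted expansion is kept so that the text recorded in
		# "out" is exactly what it was before.
		echo $rule >rule
		cat rule >>out
		atf_check -o ignore -x \
		    "ipftest -br - -F $2 -i in -l logout <rule"

		# -x is needed here only to set TZ for the command.
		atf_check -o save:save -x "TZ=$GMT ipmon -P /dev/null -f logout"
		cat save >>out
		echo "--------" >>out

		atf_check -o save:save -x "TZ=$GMT ipmon -P /dev/null -bf logout"
		cat save >>out.b
		echo "--------" >>out.b
	done; } <reg

	# Same again with every rule of reg loaded together.
	atf_check -o ignore ipftest -br reg -F $2 -i in -l logout

	atf_check -o save:save -x "TZ=$GMT ipmon -P /dev/null -f logout"
	cat save >>out
	echo "--------" >>out

	atf_check -o save:save -x "TZ=$GMT ipmon -P /dev/null -bf logout"
	cat save >>out.b
	echo "--------" >>out.b

	diff -u exp out || atf_fail "results differ"
	diff -u exp.b out.b || atf_fail "results differ"
}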
|
|
|
|
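# IPv6 counterpart of h_dotest: run a filter-rule test one rule at a time
# with ipftest -6 and compare the collected output with the expected file.
#   $1  test name; every '_' is turned into '.' to find the fixtures
#   $2  value handed to ipftest -F
# The test case is skipped when a trial run of "ipftest -6" on empty input
# fails.
h_dotest6()
{
	h_copydata "$(echo "$1" | tr _ .)"

	ipftest -6 -r /dev/null -i /dev/null >/dev/null 2>&1 \
	    || atf_skip "skipping IPv6 tests"

	{ while read rule; do
		# atf_check -x passes its argument to a shell, so the rule is
		# supplied through a file instead of being pasted into the
		# command string, where a quote, '$' or backquote in the rule
		# text would be re-interpreted by the shell.
		printf '%s\n' "$rule" >rule
		atf_check -o save:save -x \
		    "ipftest -F $2 -6br - -i in <rule"
		cat save >>out
		echo "--------" >>out
	done; } <reg

	diff -u exp out || atf_fail "results differ"
}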
|
|
|
|
# Run a pool test: load the filter rules from "ipf" (and the pool
# definitions from "pool" when the test has them) and feed the packets in
# "in" to ipftest.
#   $1  test name; selects the fixtures copied by h_copydata as well as
#       regress/$1.pool (optional, copied to "pool") and regress/$1.ipf
#       (copied to "ipf")
# NOTE(review): the output is saved to "out" and a separator is appended,
# but unlike the other helpers in this file nothing compares "out" with
# "exp" here, so only ipftest's exit status is verified -- confirm whether
# the comparison was left out on purpose.
h_ptest()
{
	h_copydata $1
	# The pool file is optional, hence the discarded error output.
	cp $(atf_get_srcdir)/regress/$1.pool pool 2>/dev/null
	cp $(atf_get_srcdir)/regress/$1.ipf ipf

	if test ! -f pool; then
		atf_check -o save:out ipftest -RD -b -r ipf -i in
	else
		atf_check -o save:out ipftest -RD -b -P pool -r ipf -i in
	fi

	printf '%s\n' "-------------------------------" >>out
}
|
|
|
|
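# Run a BPF filter-rule test one rule at a time and compare the collected
# output with the expected file.
#   $1  test name; every '_' is turned into '.' to find the regress and
#       expected fixtures, while the packet input is input/<name with the
#       "bpf_" part removed>
# For every line of reg, ipftest is run with that line as its only rule
# against the packets in "in".  Its output and a separator line are
# appended to "out", which must end up identical to "exp".
h_bpftest()
{
	h_copydata "$(echo "$1" | tr _ .)"
	cp "$(atf_get_srcdir)/input/$(echo "$1" | sed s,bpf_,,)" in

	{ while read rule; do
		# atf_check -x passes its argument to a shell, so the rule is
		# supplied through a file instead of being pasted between
		# single quotes in the command string, where a single quote
		# in the rule text would end the quoting and let the rest be
		# parsed as shell syntax.
		printf '%s\n' "$rule" >rule
		atf_check -o save:save -x "ipftest -Rbr - -i in <rule"
		cat save >>out
		echo "--------" >>out
	done; } <reg

	diff -u exp out || atf_fail "results differ"
}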
|
|
|
|
tc_desc:desc_f:Checks filter rules
|
|
tc:f1:dotest:desc_f:text:text
|
|
tc:f2:dotest:desc_f:text:text
|
|
tc:f3:dotest:desc_f:text:text
|
|
tc:f4:dotest:desc_f:text:text
|
|
tc:f5:dotest:desc_f:text:text
|
|
tc:f6:dotest:desc_f:text:text
|
|
tc:f7:dotest:desc_f:text:text
|
|
tc:f8:dotest:desc_f:text:text
|
|
tc:f9:dotest:desc_f:text:text
|
|
tc:f10:dotest:desc_f:text:text
|
|
tc:f11:dotest:desc_f:text:text:-D
|
|
tc:f12:dotest:desc_f:hex:hex
|
|
tc:f13:dotest:desc_f:hex:hex
|
|
tc:f14:dotest:desc_f:text:text
|
|
tc:f15:mtest:desc_f:text:text
|
|
tc:f16:mtest:desc_f:text:text
|
|
tc:f17:mtest:desc_f:hex:hex
|
|
tc:f18:mtest:desc_f:text:text
|
|
tc:f19:dotest:desc_f:text:text:-T fr_statemax=3
|
|
tc:f20:mtest:desc_f:text:text
|
|
tc:f24:mtest:desc_f:hex:text
|
|
|
|
tc_desc:desc_i:Checks parsing and printing of ipf rules
|
|
tc:i1:itest:desc_i:text:ipf
|
|
tc:i2:itest:desc_i:text:ipf
|
|
tc:i3:itest:desc_i:text:ipf
|
|
tc:i4:itest:desc_i:text:ipf
|
|
tc:i5:itest:desc_i:text:ipf
|
|
tc:i6:itest:desc_i:text:ipf
|
|
tc:i7:itest:desc_i:text:ipf
|
|
tc:i8:itest:desc_i:text:ipf
|
|
tc:i9:itest:desc_i:text:ipf
|
|
tc:i10:itest:desc_i:text:ipf
|
|
tc:i11:itest:desc_i:text:ipf
|
|
tc:i12:itest:desc_i:text:ipf
|
|
tc:i13:itest:desc_i:text:ipf
|
|
tc:i14:itest:desc_i:text:ipf
|
|
tc:i15:itest:desc_i:text:ipf
|
|
tc:i16:itest:desc_i:text:ipf
|
|
tc:i17:itest:desc_i:text:ipftest
|
|
tc:i18:itest:desc_i:text:ipf
|
|
tc:i19:itest_i19:desc_i:text:ipf
|
|
tc:i20:itest:desc_i:text:ipf
|
|
tc:i21:itest:desc_i:text:ipf
|
|
|
|
tc_desc:desc_n:Checks NAT
|
|
tc:n1:nattest:desc_n:text:text
|
|
tc:n2:nattest:desc_n:text:text
|
|
tc:n3:nattest:desc_n:text:text
|
|
tc:n4:nattest:desc_n:text:text
|
|
tc:n5:nattest:desc_n:text:text
|
|
tc:n6:nattest:desc_n:text:text
|
|
tc:n7:nattest:desc_n:text:text
|
|
tc:n8:nattest:desc_n:hex:hex:-T fr_update_ipid=0
|
|
tc:n9:nattest:desc_n:hex:hex:-T fr_update_ipid=0
|
|
tc:n10:nattest:desc_n:hex:hex:-T fr_update_ipid=0
|
|
tc:n11:nattest:desc_n:text:text
|
|
tc:n12:nattest:desc_n:hex:hex:-T fr_update_ipid=0
|
|
tc:n13:nattest:desc_n:text:text
|
|
tc:n14:nattest:desc_n:text:text
|
|
tc:n16:nattest:desc_n:hex:hex:-D
|
|
tc:n17:nattest:desc_n:hex:hex:-D
|
|
|
|
tc_desc:desc_ni:Checks combined NAT and IPF
|
|
tc:ni1:natipftest:desc_ni:multi:hex:hex:-T fr_update_ipid=1
|
|
tc:ni2:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni3:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni4:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni5:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni6:natipftest:desc_ni:multi:hex:hex:-T fr_update_ipid=1
|
|
tc:ni7:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni8:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni9:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni10:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni11:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni12:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni13:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni14:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni15:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni16:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=1
|
|
tc:ni19:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=0
|
|
tc:ni20:natipftest:desc_ni:single:hex:hex:-T fr_update_ipid=0
|
|
tc:ni21:natipftest:desc_ni:multi:text:text
|
|
tc:ni23:natipftest:desc_ni:multi:text:text:-D
|
|
|
|
tc_desc:desc_in:Checks parsing and printing of ipnat rules
|
|
tc:in1:intest:desc_in:text:text
|
|
tc:in2:intest:desc_in:text:text
|
|
tc:in3:intest:desc_in:text:text
|
|
tc:in4:intest:desc_in:text:text
|
|
tc:in5:intest:desc_in:text:text
|
|
tc:in6:intest:desc_in:text:text
|
|
|
|
tc_desc:desc_p:Checks pools
|
|
tc:p1:ptest:desc_p:text:text
|
|
tc:p2:ptest:desc_p:text:text
|
|
tc:p3:ptest:desc_p:text:text
|
|
tc:p5:ptest:desc_p:text:text
|
|
|
|
tc_desc:desc_ip:Checks pools
|
|
tc:ip1:iptest:desc_ip:text:text
|
|
tc:ip2:iptest:desc_ip:text:text
|
|
|
|
tc_desc:desc_log:Checks logging
|
|
tc:l1:logtest:desc_log:hex:hex
|
|
|
|
tc_desc:desc_ipv6:Checks ipv6 filter rules
|
|
tc:ipv6_1:dotest6:desc_ipv6:hex:hex
|
|
tc:ipv6_2:dotest6:desc_ipv6:hex:hex
|
|
tc:ipv6_3:dotest6:desc_ipv6:hex:hex
|
|
tc:ipv6_5:dotest6:desc_ipv6:hex:hex
|
|
tc:ipv6_6:dotest6:desc_ipv6:hex:text
|
|
|
|
tc_desc:desc_bpf:Checks BPF
|
|
tc:bpf1:itest:desc_bpf:text:ipf
|
|
tc:bpf_f1:bpftest:desc_bpf:text:text
|
|
|
|
# Entry point that ATF calls to register the test cases of this program.
# The single command in the body is not defined anywhere in this file;
# presumably it is filled in from the test-case table above when this .in
# template is processed (confirm against the build rules).
atf_init_test_cases()
{
	tc_list
}
|