1#	$OpenBSD: Makefile,v 1.10 2020/01/15 20:47:13 bluhm Exp $
2
3# Copyright (c) 2016-2020 Alexander Bluhm <bluhm@openbsd.org>
4#
5# Permission to use, copy, modify, and distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
17# The following ports must be installed:
18#
19# scapy               powerful interactive packet manipulation in python
20
21.include <bsd.own.mk>
22
# Prerequisite checks, evaluated while make parses this file.  They are
# skipped entirely when the requested target is clean, cleandir or obj.
.if ! (make(clean) || make(cleandir) || make(obj))

# Without /usr/local/bin/scapy, regress only prints a notice and SKIPPED.
.if ! exists(/usr/local/bin/scapy)
regress:
	@echo Install scapy package to run this regress.
	@echo SKIPPED
.endif

# NOTE(review): both pfctl queries below run through ${SUDO} at parse time,
# i.e. on every make invocation that is not clean, cleandir or obj.
# PF_STATUS receives the word that follows "Status: " in the pfctl -si
# output; PF_ANCHOR receives the names of all rules that read exactly
#	anchor "NAME" all
PF_STATUS !=	${SUDO} pfctl -si | sed -n 's/^Status: \([^ ]*\) .*/\1/p'
PF_ANCHOR !=	${SUDO} pfctl -sr | sed -n 's/^anchor "\([^"]*\)" all$$/\1/p'
# Skip when pf is enabled locally but the ruleset has no "regress" anchor
# into which the test could load its stateless pass rule.
.if ! empty(PF_STATUS:MEnabled) && empty(PF_ANCHOR:Mregress)
regress:
	@echo pf status: "${PF_STATUS}"
	@echo pf anchor: "${PF_ANCHOR}"
	@echo This test cannot run with pf filtering packets on localhost.
	@echo Either disable pf or add a line 'anchor "regress"' to pf.conf.
	@echo There the test will add a stateless rule that passes all packets.
	@echo SKIPPED
.endif

.endif
44
# This test needs a manual setup of two machines
# Set up machines: LOCAL REMOTE
# LOCAL is the machine where this makefile is running.
# REMOTE is running OpenBSD with echo server to test PMTU
# FAKE is a non-existing machine in a non-existing network.
# REMOTE_SSH is the hostname to log in on the REMOTE machine.

# Configure Addresses on the machines.
# Adapt interface and address variables to your local setup.
#
# NOTE(review): these values are pasted unescaped into shell command lines,
# into addr.py and into the pf rules that are loaded through ${SUDO} on both
# machines.  Keep them to plain interface names, host names and addresses
# without quotes or shell metacharacters.
LOCAL_IF ?=
REMOTE_SSH ?=

LOCAL_ADDR ?=
REMOTE_ADDR ?=
FAKE_NET ?=
FAKE_NET_ADDR ?=

# If any of the six variables is empty, regress only explains which ones
# are needed and prints SKIPPED.  A .BEGIN that runs nothing but "true" is
# defined here as well; presumably it keeps the sudo and ssh probing .BEGIN
# further down from running in that case (TODO confirm against make's
# handling of a second command list for the same target).
.if empty (LOCAL_IF) || empty (REMOTE_SSH) || \
    empty (LOCAL_ADDR) || \
    empty (REMOTE_ADDR) || \
    empty (FAKE_NET) || \
    empty (FAKE_NET_ADDR)
.BEGIN:
	@true
regress:
	@echo This tests needs a remote machine to operate on
	@echo LOCAL_IF REMOTE_SSH LOCAL_ADDR REMOTE_ADDR FAKE_NET FAKE_NET_ADDR
	@echo are empty.  Fill out these variables for additional tests.
	@echo SKIPPED
.endif
76
# Default target when make is called without arguments.
.MAIN: all

# For a regress or all run, before anything else is made:
# - run "true" through ${SUDO} locally and, via ssh, on REMOTE; presumably
#   this makes any password prompt appear up front (ssh -t requests a
#   terminal for the remote command),
# - remove stamp-pfctl so that the pf rules are loaded again by this run.
.if make (regress) || make (all)
.BEGIN:
	@echo
	${SUDO} true
	ssh -t ${REMOTE_SSH} ${SUDO} true
	rm -f stamp-pfctl
.endif
86
# Write the interface, address and network settings to addr.py as a list of
# NAME = "value" lines for the python test scripts.  The stamp-pfctl rule
# also places this file in front of pf.conf when it feeds the rules to pfctl.
# The file is assembled in $@.tmp and renamed at the end, so a failed run
# does not leave a partial addr.py behind.
#
# NOTE(review): the values are written between double quotes without any
# escaping, and the result is read by a script started through ${SUDO} and
# by pfctl.  A quote character in one of the variables would change the
# meaning of the generated line.
# NOTE(review): Makefile is the only prerequisite.  Changing the variables
# from the environment or the command line does not regenerate an existing
# addr.py; remove the file first in that case.
addr.py: Makefile
	rm -f $@ $@.tmp
	echo 'LOCAL_IF = "${LOCAL_IF}"' >>$@.tmp
	echo 'LOCAL_ADDR = "${LOCAL_ADDR}"' >>$@.tmp
	echo 'REMOTE_ADDR = "${REMOTE_ADDR}"' >>$@.tmp
	echo 'FAKE_NET_ADDR = "${FAKE_NET_ADDR}"' >>$@.tmp
	echo 'FAKE_NET = "${FAKE_NET}"' >>$@.tmp
	mv $@.tmp $@
96
# load the pf rules into the kernel of the REMOTE and LOCAL machine
#
# 1. Parse addr.py followed by pf.conf locally with pfctl -n, which only
#    checks the rules and loads nothing.  This step runs without ${SUDO}.
# 2. Send the same text over ssh and load it with ${SUDO} into the
#    "regress" anchor on REMOTE.
# 3. Only if the local ruleset has a "regress" anchor: load the single rule
#    "pass on LOCAL_IF no state" into that local anchor.
# The stamp file stores the date of the last successful load.
#
# NOTE(review): nothing in this file flushes the "regress" anchor on REMOTE
# again; the cleanup target only touches the local anchor.  Rules loaded in
# step 2 stay active on REMOTE until they are replaced or flushed by hand.
REGRESS_SETUP +=	stamp-pfctl
stamp-pfctl: addr.py pf.conf
	cat addr.py ${.CURDIR}/pf.conf | /sbin/pfctl -n -f -
	cat addr.py ${.CURDIR}/pf.conf | \
	    ssh ${REMOTE_SSH} ${SUDO} pfctl -a regress -f -
.if ! empty(PF_ANCHOR:Mregress)
	echo 'pass on ${LOCAL_IF} no state' | ${SUDO} pfctl -a regress -f -
.endif
	@date >$@
107
# PYTHON is the command prefix for the test scripts.  It ends with the
# directory of the scripts, so the script name is appended without a space.
# With a separate obj directory the scripts are addressed through .CURDIR
# and PYTHONPATH points at .OBJDIR; without one the short form "./" keeps
# the echoed command lines brief.
#
# NOTE(review): the interpreter is pinned to python2.7, which no longer
# receives upstream fixes.  Whether the scripts also run under python3 is
# not visible from this file.
.if ${.CURDIR} != ${.OBJDIR}
PYTHON =	PYTHONPATH=${.OBJDIR} python2.7 -u ${.CURDIR}/
.else
PYTHON =	python2.7 -u ./
.endif
115
# Register and run the challenge ACK test.  challenge_ack.py is started
# through ${SUDO} with the interpreter prefix from PYTHON.  addr.py is a
# prerequisite so that the generated settings exist before the script
# starts (presumably the script imports them; it is not shown here).
REGRESS_TARGETS +=	run-challenge-ack
run-challenge-ack: challenge_ack.py addr.py
	@echo '\n======== $@ ========'
	${SUDO} ${PYTHON}challenge_ack.py
120
# Registered as a cleanup step only when the local ruleset has a "regress"
# anchor: flush the rules of that local anchor (pfctl -Fr) and remove the
# stamp so that the next run loads the rules again.
# NOTE(review): the "regress" anchor on REMOTE is not flushed here, and no
# cleanup at all is registered when the local anchor is missing.
.if ! empty(PF_ANCHOR:Mregress)
REGRESS_CLEANUP +=	cleanup
cleanup:
	@echo '\n======== $@ ========'
	${SUDO} pfctl -a regress -Fr
	rm -f stamp-pfctl
.endif

# Generated files: the address file, compiled python files, logs and stamps.
CLEANFILES +=		addr.py *.pyc *.log stamp-*
130
.PHONY: check-setup check-setup-local check-setup-remote

# Check whether the address, route and remote setup is correct.
# check-setup runs the local checks and the checks on REMOTE.
check-setup: check-setup-local check-setup-remote

# Local checks, in this order:
# - LOCAL_ADDR answers a ping and its route carries the LOCAL flag,
# - REMOTE_ADDR answers a ping and is routed through LOCAL_IF,
# - FAKE_NET_ADDR does not answer a ping within one second,
# - the routes to FAKE_NET and FAKE_NET_ADDR carry the BLACKHOLE flag.
# The trailing shell comment on each line names the variables it uses.
check-setup-local:
	@echo '\n======== $@ ========'
	ping -n -c 1 ${LOCAL_ADDR}  # LOCAL_ADDR
	route -n get -inet ${LOCAL_ADDR} | grep -q 'flags: .*LOCAL'  # LOCAL_ADDR
	ping -n -c 1 ${REMOTE_ADDR}  # REMOTE_ADDR
	route -n get -inet ${REMOTE_ADDR} | fgrep -q 'interface: ${LOCAL_IF}'  # REMOTE_ADDR LOCAL_IF
	! ping -n -c 1 -w 1 ${FAKE_NET_ADDR}  # FAKE_NET_ADDR
	route -n get -inet ${FAKE_NET} | grep -q 'flags: .*BLACKHOLE'  # FAKE_NET
	route -n get -inet ${FAKE_NET_ADDR} | grep -q 'flags: .*BLACKHOLE'  # FAKE_NET_ADDR
146
# Checks executed on REMOTE over ssh.  In the piped lines only the command
# before the pipe runs on REMOTE; grep and fgrep filter its output locally.
# - REMOTE_ADDR answers a ping and its route carries the LOCAL flag,
# - LOCAL_ADDR answers a ping from REMOTE,
# - FAKE_NET and FAKE_NET_ADDR are routed with LOCAL_ADDR as gateway,
# - netstat lists a TCP socket on port 7 (the echo server),
# - the pf ruleset contains the line: anchor "regress" all
# - pf reports "Status: Enabled".
# The two pfctl queries run through ${SUDO} on REMOTE.
check-setup-remote:
	@echo '\n======== $@ ========'
	ssh ${REMOTE_SSH} ping -n -c 1 ${REMOTE_ADDR}  # REMOTE_ADDR
	ssh ${REMOTE_SSH} route -n get -inet ${REMOTE_ADDR} | grep -q 'flags: .*LOCAL'  # REMOTE_ADDR
	ssh ${REMOTE_SSH} ping -n -c 1 ${LOCAL_ADDR}  # LOCAL_ADDR
	ssh ${REMOTE_SSH} route -n get -inet ${FAKE_NET} | fgrep -q 'gateway: ${LOCAL_ADDR}'  # FAKE_NET LOCAL_ADDR
	ssh ${REMOTE_SSH} route -n get -inet ${FAKE_NET_ADDR} | fgrep -q 'gateway: ${LOCAL_ADDR}'  # FAKE_NET_ADDR LOCAL_ADDR
	ssh ${REMOTE_SSH} netstat -na -f inet -p tcp | fgrep ' *.7 '
	ssh ${REMOTE_SSH} ${SUDO} pfctl -sr | grep '^anchor "regress" all$$'
	ssh ${REMOTE_SSH} ${SUDO} pfctl -si | grep '^Status: Enabled '
158
159.include <bsd.regress.mk>
160