diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2021-09-30 15:09:57 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-03-02 16:00:07 +0000 |
| commit | 87a89d6e14ac5730572d454ec12a3a30d492816e (patch) | |
| tree | bfe45eebf11f2d3fa65d3a4c43e39dd48785579d /tests | |
| parent | ab1868a7d18293cfb8a104da955b99485e64e95c (diff) | |
| download | src-87a89d6e14ac5730572d454ec12a3a30d492816e.tar.gz src-87a89d6e14ac5730572d454ec12a3a30d492816e.zip | |
pfctl: support lists of mac addresses
Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to
the lists of interfaces or IP addresses we already supported for layer 3
filtering.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sys/netpfil/pf/ether.sh | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh index a7e23779396f..8ca8d3fbf0c8 100644 --- a/tests/sys/netpfil/pf/ether.sh +++ b/tests/sys/netpfil/pf/ether.sh @@ -66,6 +66,11 @@ mac_body() "ether block to 00:01:02:03:04:05" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + # Should still fail for 'to', even if it's in a list + pft_set_rules alcatraz \ + "ether block to { ${epair_a_mac}, 00:01:02:0:04:05 }" + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 + # Now try this with an interface specified pft_set_rules alcatraz \ "ether block on ${epair}b from ${epair_a_mac}" @@ -84,6 +89,16 @@ mac_body() pft_set_rules alcatraz \ "ether block out on ${epair}b to ! ${epair_a_mac}" atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Block everything not us + pft_set_rules alcatraz \ + "ether block out on ${epair}b to { ! ${epair_a_mac} }" + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2 + + # Block us now + pft_set_rules alcatraz \ + "ether block out on ${epair}b to { ! 00:01:02:03:04:05 }" + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2 } mac_cleanup() |