From 87a89d6e14ac5730572d454ec12a3a30d492816e Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Thu, 30 Sep 2021 17:09:57 +0200
Subject: pfctl: support lists of mac addresses

Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to the lists of interfaces or IP addresses we already supported for layer 3 filtering.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481
---
 tests/sys/netpfil/pf/ether.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'tests')

diff --git a/tests/sys/netpfil/pf/ether.sh b/tests/sys/netpfil/pf/ether.sh
index a7e23779396f..8ca8d3fbf0c8 100644
--- a/tests/sys/netpfil/pf/ether.sh
+++ b/tests/sys/netpfil/pf/ether.sh
@@ -66,6 +66,11 @@ mac_body()
 "ether block to 00:01:02:03:04:05"
 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
 
+ # Should still fail for 'to', even if it's in a list
+ pft_set_rules alcatraz \
+ "ether block to { ${epair_a_mac}, 00:01:02:0:04:05 }"
+ atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
+
 # Now try this with an interface specified
 pft_set_rules alcatraz \
 "ether block on ${epair}b from ${epair_a_mac}"
@@ -84,6 +89,16 @@ mac_body()
 pft_set_rules alcatraz \
 "ether block out on ${epair}b to ! ${epair_a_mac}"
 atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+ # Block everything not us
+ pft_set_rules alcatraz \
+ "ether block out on ${epair}b to { ! ${epair_a_mac} }"
+ atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.2
+
+ # Block us now
+ pft_set_rules alcatraz \
+ "ether block out on ${epair}b to { ! 00:01:02:03:04:05 }"
+ atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
 }
 
 mac_cleanup()
-- 
cgit v1.2.3
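Review bot: The new list cases only ever match on the first list element (`{ ${epair_a_mac}, 00:01:02:0:04:05 }` in the first hunk, single-element negated lists in the second), so a pfctl that expanded only the first entry of a `{ ... }` list would still pass every added check; a case where `${epair_a_mac}` is the second element would pin down that every element is expanded into a rule. The second entry `00:01:02:0:04:05` also differs from the `00:01:02:03:04:05` used in the surrounding context lines, which looks like a dropped digit — if a one-digit octet is intended to exercise the parser, a comment saying so would keep the next reader from "fixing" it. mac_body() opens before both hunks; only the second hunk reaches its closing brace.
```shell
	# Match on the second element, so expansion of the whole list is exercised
	pft_set_rules alcatraz \
	    "ether block to { 00:01:02:03:04:05, ${epair_a_mac} }"
	atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.2
```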