Lines Matching +full:one +full:- +full:to +full:- +full:one
2 # SPDX-License-Identifier: BSD-2-Clause
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
52 vnet_mkjail one ${epair_one}a ${epair_sync}a
56 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
57 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
58 jexec one ifconfig pfsync0 \
72 jexec one pfctl -e
73 pft_set_rules one \
76 jexec two pfctl -e
81 hostid_one=$(jexec one pfctl -si -v | awk '/Hostid:/ { gsub(/0x/, "", $2); printf($2); }')
85 ping -c 1 -S 198.51.100.254 198.51.100.1
87 # Give pfsync time to do its thing
90 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
95 if ! jexec two pfctl -sc | grep ""${hostid_one}"";
97 jexec two pfctl -sc
98 atf_fail "HostID for host one not found on two"
145 jexec alcatraz arp -s 203.0.113.2 00:01:02:03:04:05
160 route add -net 203.0.113.0/24 198.51.100.1
164 jexec alcatraz pfctl -e
169 atf_check -s exit:0 env PYTHONPATH=${common_dir} \
171 --syncdev ${epair_sync}b \
172 --indev ${epair_in}b \
173 --outdev ${epair_out}b
176 jexec alcatraz ifconfig pfsync0 -defer
183 atf_check -s exit:3 env PYTHONPATH=${common_dir} \
185 --syncdev ${epair_sync}b \
186 --indev ${epair_in}b \
187 --outdev ${epair_out}b
210 vnet_mkjail one ${epair_one}a ${epair_sync}a
214 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
215 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
216 jexec one ifconfig pfsync0 \
224 jexec one pfctl -e
225 pft_set_rules one \
228 jexec two pfctl -e
235 # Create state prior to setting up pfsync
236 ping -c 1 -S 198.51.100.254 198.51.100.1
247 # Give pfsync time to do its thing
250 jexec two pfctl -s states
251 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
301 # from client to server.
333 if ! kldstat -q -m carp
443 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \
444 "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \
445 "block drop in quick to 224.0.0.18/32" \
447 …"pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/…
448 jexec gw_route_to_master pfctl -e
475 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \
476 "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \
477 "block drop in quick to 224.0.0.18/32" \
479 …"pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/…
480 jexec gw_route_to_backup pfctl -e
507 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \
508 "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \
509 "block drop in quick to 224.0.0.18/32" \
510 "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \
511 …"pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_p…
512 jexec gw_reply_to_master pfctl -e
538 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \
539 "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \
540 "block drop in quick to 224.0.0.18/32" \
541 "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \
542 …"pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_p…
543 jexec gw_reply_to_backup pfctl -e
548 # Waiting for platform to settle
557 while ! jexec client ping -c 10 198.18.2.1 | grep ', 0.0% packet loss'
563 …ute_to_master_checksum=$(jexec gw_route_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f …
564 …ute_to_backup_checksum=$(jexec gw_route_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f …
565 …ply_to_master_checksum=$(jexec gw_reply_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f …
566 …ply_to_backup_checksum=$(jexec gw_reply_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f …
577 (jexec client ping -c 10 198.18.2.1 >ping.stdout) &
587 while ! grep -q -e 'packet loss' ping.stdout
592 atf_check -s exit:0 -e ignore -o ignore grep ', 0.0% packet loss' ping.stdout
609 if ! sysctl -q kern.features.ipsec >/dev/null ; then
613 # Run the common test, to set up pfsync
617 jexec one ifconfig pfsync0 syncpeer 192.0.2.2
621 jexec one pfctl -Fs
622 jexec two pfctl -Fs
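624 # Now define an IPsec policy to run over the epair_sync interfaces. The ESP keys loaded into jail one and jail two differ on purpose at this point, so pfsync traffic between the peers should fail ESP authentication.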
627 spdadd 192.0.2.1/32 192.0.2.2/32 any -P out ipsec esp/transport//require;
628 spdadd 192.0.2.2/32 192.0.2.1/32 any -P in ipsec esp/transport//require;
629 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\";
630 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
631 | jexec one setkey -c
635 spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require;
636 spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require;
637 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567891\";
638 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567891\";" \
639 | jexec two setkey -c
642 ping -c 1 -S 198.51.100.254 198.51.100.1
644 # Give pfsync time to do its thing
647 if jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
653 jexec one pfctl -Fs
654 jexec two pfctl -Fs
656 # Fix the IPsec key on jail two to match the one loaded into jail one
659 spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require;
660 spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require;
661 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\";
662 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
663 | jexec two setkey -c
665 ping -c 1 -S 198.51.100.254 198.51.100.1
667 # Give pfsync time to do its thing
670 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
692 vnet_mkjail one
694 jexec one ifconfig lo0 127.0.0.1/8 up
695 jexec one ifconfig lo0 inet6 ::1/128 up
697 pft_set_rules one \
699 jexec one pfctl -e
700 jexec one ifconfig pfsync0 defer up
702 jexec one ping -c 1 ::1
703 jexec one ping -c 1 127.0.0.1
705 # Give pfsync_timeout() time to fire (a callout on a 1 second delay)
729 vnet_mkjail one ${epair_one}a ${epair_sync}a
733 jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up
734 jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up
735 jexec one ifconfig pfsync0 \
749 jexec one pfctl -e
750 pft_set_rules one \
753 jexec two pfctl -e
760 ping6 -c 1 -S fd2b::f0 fd2b::1
762 # Give pfsync time to do its thing
765 if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \
791 vnet_mkjail one ${epair_one}a ${epair_sync}a
795 jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up
796 jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up
797 jexec one ifconfig pfsync0 \
811 jexec one pfctl -e
812 pft_set_rules one \
815 jexec two pfctl -e
822 ping6 -c 1 -S fd2b::f0 fd2b::1
824 # Give pfsync time to do its thing
827 if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \
853 vnet_mkjail one ${epair_one}a ${epair_sync}a
857 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
858 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
859 jexec one ifconfig pfsync0 \
871 mac=$(jexec one ifconfig ${epair_one}a | awk '/ether/ { print($2); }')
875 jexec one /sbin/sysctl net.fibs=8
876 jexec one pfctl -e
877 pft_set_rules one \
881 jexec two pfctl -e
892 --sendif ${epair_one}b \
893 --fromaddr 198.51.100.254 \
894 --to 198.51.100.1 \
895 --recvif ${epair_one}b
898 jexec one pfctl -ss -vv
901 # Now try to use that state on jail two
904 --sendif ${epair_two}b \
905 --fromaddr 198.51.100.254 \
906 --to 198.51.100.1 \
907 --recvif ${epair_two}b
909 echo one
910 jexec one pfctl -ss -vv
911 jexec one pfctl -sr -vv
913 jexec two pfctl -ss -vv
914 jexec two pfctl -sr -vv
935 vnet_mkjail one ${epair_one}a ${epair_sync}a ${epair_out_one}a
939 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
940 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
941 jexec one ifconfig ${epair_out_one}a 203.0.113.1/24 up
942 jexec one ifconfig ${epair_out_one}a name outif
943 jexec one sysctl net.inet.ip.forwarding=1
944 jexec one arp -s 203.0.113.254 00:01:02:03:04:05
945 jexec one ifconfig pfsync0 \
956 jexec two arp -s 203.0.113.254 00:01:02:03:04:05
965 route add -net 203.0.113.0/24 198.51.100.1
973 atf_check -s exit:0 env PYTHONPATH=${common_dir} \
975 --sendif ${epair_one}b \
976 --fromaddr 198.51.100.254 \
977 --to 203.0.113.254 \
978 --recvif ${epair_out_one}b
985 jexec one pfctl -qvvss | normalize_pfctl_s > $states_one
986 jexec two pfctl -qvvss | normalize_pfctl_s > $states_two
992 atf_set descr 'Test route-to with pfsync version 13.1'
1001 jexec one pfctl -e
1002 pft_set_rules one \
1004 "pass out route-to (outif 203.0.113.254)"
1006 jexec two pfctl -e
1009 "pass out route-to (outif 203.0.113.254)"
1014 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif o…
1015 atf_fail "State missing on router one"
1018 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif' …
1032 atf_set descr 'Test route-to with pfsync version 13.1 and incompatible ruleset'
1041 jexec one pfctl -e
1042 pft_set_rules one \
1044 "pass out route-to (outif 203.0.113.254)"
1046 jexec two pfctl -e
1050 "pass out route-to (outif 203.0.113.254)" \
1053 atf_check -s exit:0 env PYTHONPATH=${common_dir} \
1055 --sendif ${epair_one}b \
1056 --fromaddr 198.51.100.254 \
1057 --to 203.0.113.254 \
1058 --recvif ${epair_out_one}b
1063 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif o…
1064 atf_fail "State missing on router one"
1068 grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&
1082 atf_set descr 'Test route-to with pfsync version 13.1 and different interface'
1091 jexec one pfctl -e
1092 pft_set_rules one \
1094 "pass out route-to { (outif 203.0.113.254) (outif 203.0.113.254) }"
1096 jexec two pfctl -e
1099 "pass out route-to { (outif 203.0.113.254) (outif 203.0.113.254) }"
1101 atf_check -s exit:0 env PYTHONPATH=${common_dir} \
1103 --sendif ${epair_one}b \
1104 --fromaddr 198.51.100.254 \
1105 --to 203.0.113.254 \
1106 --recvif ${epair_out_one}b
1111 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif o…
1112 atf_fail "State missing on router one"
1115 # pfsync will not attempt to recover the routing information from the rule.
1116 grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&
1130 atf_set descr 'Test route-to with pfsync version 14.0'
1139 jexec one pfctl -e
1140 pft_set_rules one \
1142 "pass out route-to (outif 203.0.113.254)"
1144 jexec two pfctl -e
1151 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif o…
1152 atf_fail "State missing on router one"
1156 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .* route-to: 203.0.113.254@outif' $states_two…
1170 atf_set descr 'Test route-to with pfsync version 14.0'
1179 jexec one pfctl -e
1180 pft_set_rules one \
1182 "pass out route-to (outif 203.0.113.254)"
1184 jexec two pfctl -e
1188 "pass out route-to (outif_new 203.0.113.254)"
1193 …grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif o…
1194 atf_fail "State missing on router one"
1197 # a state synced to a router with a different interface name is dropped.
1198 grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&