2 # SPDX-License-Identifier: BSD-2-Clause
4 # Copyright (c) 2020 Kristof Provost <kp@FreeBSD.org>
5 # Copyright (c) 2024 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
49 jexec alcatraz pfctl -e
51 "pass in keep state (source-track)" \
52 "pass out keep state (source-track)"
54 ping -c 3 192.0.2.1
55 atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
56 jexec alcatraz pfctl -sS
59 jexec alcatraz pfctl -FS
62 atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
63 jexec alcatraz pfctl -sS
66 atf_check -s exit:0 -o match:'all icmp 192.0.2.1:8 <- 192.0.2.2:.*' \
67 jexec alcatraz pfctl -ss
94 jexec alcatraz pfctl -e
96 "pass in keep state (source-track)" \
97 "pass out keep state (source-track)"
100 atf_check -s exit:0 -o ignore \
101 ping -c 1 -S 192.0.2.2 192.0.2.1
102 atf_check -s exit:0 -o ignore \
103 ping -c 1 -S 192.0.2.3 192.0.2.1
106 atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
107 jexec alcatraz pfctl -sS
108 atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
109 jexec alcatraz pfctl -sS
112 jexec alcatraz pfctl -sS
115 jexec alcatraz pfctl -K 192.0.2.2
118 atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
119 jexec alcatraz pfctl -sS
122 atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
123 jexec alcatraz pfctl -sS
145 jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
146 jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
150 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
151 …"pass in on ${epair_tester}b inet6 proto tcp keep state (max-src-conn 3 source-track rule overloa…
155 # finished the 3-way handshake. Once the handshake is done, the state
160 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201 --fromaddr 2001:db8:44::1
161 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4202 --fromaddr 2001:db8:44::1
162 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4203 --fromaddr 2001:db8:44::1
164 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4204 --fromaddr 2001:db8:44::1
166 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4205 --fromaddr 2001:db8:44::2
168 states=$(mktemp) || exit 1
169 jexec router pfctl -qss | normalize_pfctl_s | grep 'tcp 2001:db8:43::2\[9\] <-' > $states
171 …grep -qE '2001:db8:44::1\[4201\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4201…
172 …grep -qE '2001:db8:44::1\[4202\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4202…
173 …grep -qE '2001:db8:44::1\[4203\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4203…
174 …grep -qE '2001:db8:44::2\[4205\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4205…
177 grep -qE '2001:db8:44::1\[4204\] ' $states &&
178 ! grep -qE '2001:db8:44::1\[4204\] CLOSED:CLOSED' $states
183 …jexec router pfctl -T test -t bad_hosts 2001:db8:44::1 || atf_fail "Host not found in overload tab…
193 atf_set descr 'Max states per source per rule'
205 jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
206 jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
210 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
211 …epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track rule)…
212 …epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track rule)…
215 # The option max-src-states prevents even the initial SYN packet going
217 # bother checking created states.
220 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
221 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
222 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
223 ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
227 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
228 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4222 --fromaddr 2001:db8:44::1
229 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4223 --fromaddr 2001:db8:44::1
230 ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::1
234 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4224 --fromaddr 2001:db8:44::2
235 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4225 --fromaddr 2001:db8:44::2
236 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4226 --fromaddr 2001:db8:44::2
237 ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4227 --fromaddr 2001:db8:44::2
242 jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
244 …'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ b…
245 …'2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ b…
246 …'2001:db8:44::2 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts, [0-9]+ b…
248 grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
252 …jexec router pfctl -qvvsi | grep -qE 'max-src-states\s+3\s+' || atf_fail "max-src-states not set t…
262 atf_set descr 'Max states per source global'
274 jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
275 jexec server route add -6 2001:db8:44::0/64 2001:db8:43::1
279 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
280 …epair_tester}b inet6 proto tcp from port 4210:4219 keep state (max-src-states 3 source-track globa…
281 …epair_tester}b inet6 proto tcp from port 4220:4229 keep state (max-src-states 3 source-track globa…
285 # rules for each connecting source IP address and counts states created
286 # by all rules. Each rule has its own max-src-conn value checked against
290 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4211 --fromaddr 2001:db8:44::1
291 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4212 --fromaddr 2001:db8:44::1
292 ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4213 --fromaddr 2001:db8:44::1
294 ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4214 --fromaddr 2001:db8:44::1
296 ping_server_check_reply exit:1 --ping-type=tcp3way --send-sport=4221 --fromaddr 2001:db8:44::1
299 jexec router pfctl -qvsS | normalize_pfctl_s > $nodes
301 …de_regexp='2001:db8:44::1 -> :: \( states 3, connections 3, rate [0-9/\.]+s \) age [0-9:]+, 9 pkts…
302 grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output"
323 jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
325 # Additional gateways for route-to.
327 jexec router ndp -s ${rtgw} 00:01:02:03:04:05
330 # max-src-states -> PF_SN_LIMIT
331 # sticky-address -> PF_SN_NAT
332 # route-to -> PF_SN_ROUTE
339 …}b inet6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 -> <rdrgws> port 4242 sticky-address…
341 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
342 …"pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 pro…
343 …"pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 pro…
344 …pair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 proto tcp from port 4213 k…
345 …pair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 k…
351 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --…
352 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --…
353 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --…
354 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --…
356 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --…
357 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --…
358 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --…
359 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --…
361 states=$(mktemp) || exit 1
362 jexec router pfctl -qvss | normalize_pfctl_s > $states
364 jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes
366 # Order of states in output is not guaranteed, find each one separately.
368 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3$' \
369 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, route stic…
370 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit sour…
371 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit sour…
372 …45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 3, …
373 …\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 4, NAT/RDR sti…
374 …2\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 5, limit sour…
375 …db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 6, limit source-track, N…
377 grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
382 …2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
383 …'2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, fi…
384 …'2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts,…
385 …'2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, fi…
386 …'2001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
387 …'2001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
388 …001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
389 …'2001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
390 …'2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, f…
391 …'2001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
392 …2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts,…
393 …'2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, f…
395 grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
398 ! grep -q 'filter rule 3' $nodes || atf_fail "Source node found for rule 3"
419 jexec router route add -6 2001:db8:44::0/64 2001:db8:42::2
421 # Additional gateways for route-to.
423 jexec router ndp -s ${rtgw} 00:01:02:03:04:05
426 # max-src-states -> PF_SN_LIMIT
427 # sticky-address -> PF_SN_NAT
428 # route-to -> PF_SN_ROUTE
436 "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
437 …net6 proto tcp from 2001:db8:44::10/124 to 2001:db8:45::1 rdr-to <rdrgws> port 4242 sticky-address…
438 …"pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 prot…
439 …"pass in quick on ${epair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 prot…
440 …pair_tester}b route-to ( ${epair_server}a <rtgws>) inet6 proto tcp from port 4213 k…
441 …pair_tester}b route-to ( ${epair_server}a <rtgws>) sticky-address inet6 proto tcp from port 4214 k…
447 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::01 --…
448 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::02 --…
449 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::03 --…
450 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::04 --…
452 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4211 --fromaddr 2001:db8:44::11 --…
453 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4212 --fromaddr 2001:db8:44::12 --…
454 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4213 --fromaddr 2001:db8:44::13 --…
455 …ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4214 --fromaddr 2001:db8:44::14 --…
457 states=$(mktemp) || exit 1
458 jexec router pfctl -qvss | normalize_pfctl_s > $states
460 jexec router pfctl -qvvsS | normalize_pfctl_s > $nodes
462 echo " === states ==="
463 cat $states
468 # Order of states in output is not guaranteed, find each one separately.
470 'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::1\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4$' \
471 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::2\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, route stic…
472 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::3\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit sour…
473 …'all tcp 2001:db8:45::1\[9\] <- 2001:db8:44::4\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit sour…
474 …45::1\[4242\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::11\[4211\] .* 1:0 pkts, 76:0 bytes, rule 4, …
475 …\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::12\[4212\] .* 1:0 pkts, 76:0 bytes, rule 5, NAT/RDR sti…
476 …2\] \(2001:db8:45::1\[9\]\) <- 2001:db8:44::13\[4213\] .* 1:0 pkts, 76:0 bytes, rule 6, limit sour…
477 …db8:45::1\[9\]\) <- 2001:db8:44::14\[4214\] .* 1:0 pkts, 76:0 bytes, rule 7, limit source-track, N…
479 grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
484 …2001:db8:44::2 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
485 …'2001:db8:44::3 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, fi…
486 …'2001:db8:44::4 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts,…
487 …'2001:db8:44::4 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, fi…
488 …001:db8:44::11 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 7…
489 …001:db8:44::12 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 7…
490 …001:db8:44::12 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts,…
491 …001:db8:44::13 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 7…
492 …'2001:db8:44::13 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, f…
493 …001:db8:44::14 -> 2001:db8:45::1 \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 7…
494 …2001:db8:44::14 -> 2001:db8:43::2:1 \( states 1, connections 0, rate 0.0/0s ) age [0-9:]+, 1 pkts,…
495 …'2001:db8:44::14 -> :: \( states 1, connections 0, rate 0.0/0s \) age [0-9:]+, 1 pkts, 76 bytes, f…
497 grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"