xref: /freebsd/tests/sys/netpfil/common/dummynet.sh (revision a46c121db4a50748eae0a32bed786f68349c95f5)

#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/utils.subr
. $(atf_get_srcdir)/runner.subr

interface_removal_head()
{
	atf_set descr 'Test removing interfaces with dummynet delayed traffic'
	atf_set require.user root
}

interface_removal_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2

	jexec alcatraz dnctl pipe 1 config delay 1500

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 pipe 1 ip from any to any" \
		"pf"	\
			"pass on ${epair}b dnpipe 1"

	# single ping succeeds just fine
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Send traffic that'll still be pending when we remove the interface
	ping -c 5 -s 1200 192.0.2.2 &
	sleep 1 # Give ping the chance to start.

	# Remove the interface, but keep the jail around for a bit
	ifconfig ${epair}a destroy

	sleep 3
}

interface_removal_cleanup()
{
	firewall_cleanup $1
}

pipe_head()
{
	atf_set descr 'Basic pipe test'
	atf_set require.user root
}

pipe_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2

	jexec alcatraz dnctl pipe 1 config bw 30Byte/s

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 pipe 1 ip from any to any" \
		"pf"	\
			"pass on ${epair}b dnpipe 1"

	# single ping succeeds just fine
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Saturate the link
	ping -i .1 -c 5 -s 1200 192.0.2.2

	# We should now be hitting the limits and get this packet dropped.
	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
}

pipe_cleanup()
{
	firewall_cleanup $1
}

pipe_v6_head()
{
	atf_set descr 'Basic IPv6 pipe test'
	atf_set require.user root
}

pipe_v6_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad
	jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 up no_dad

	# Sanity check
	atf_check -s exit:0 -o ignore ping6 -i .1 -c 3 -s 1200 2001:db8:42::2

	jexec alcatraz dnctl pipe 1 config bw 100Byte/s

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 pipe 1 ip6 from any to any" \
		"pf"	\
			"pass on ${epair}b dnpipe 1"

	# Single ping succeeds
	atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:42::2

	# Saturate the link
	ping6 -i .1 -c 5 -s 1200 2001:db8:42::2

	# We should now be hitting the limit and get this packet dropped.
	atf_check -s exit:2 -o ignore ping6 -c 1 -s 1200 2001:db8:42::2
}

pipe_v6_cleanup()
{
	firewall_cleanup $1
}

codel_head()
{
	atf_set descr 'FQ_CODEL basic test'
	atf_set require.user root
}

codel_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	# Sanity check
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2

	jexec alcatraz dnctl pipe 1 config  bw 10Mb queue 100 droptail
	jexec alcatraz dnctl sched 1 config pipe 1 type fq_codel target 0ms interval 0ms quantum 1514 limit 10240 flows 1024 ecn
	jexec alcatraz dnctl queue 1 config pipe 1 droptail

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 queue 1 ip from any to any" \
		"pf"	\
			"pass dnqueue 1"

	# single ping succeeds just fine
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
}

codel_cleanup()
{
	firewall_cleanup $1
}

wf2q_heap_head()
{
	atf_set descr 'Test WF2Q+, attempting to provoke use-after-free'
	atf_set require.user root
}

wf2q_heap_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

       j=dummynet_wf2q_heap_${fw}_

       epair=$(vnet_mkepair)
       epair_other=$(vnet_mkepair)
       vnet_mkjail ${j}a ${epair}a
       vnet_mkjail ${j}b ${epair}b ${epair_other}b

       jexec ${j}a ifconfig ${epair}a up mtu 9000
       va=$(jexec ${j}a ifconfig vlan create vlan 42 vlandev ${epair}a)
       jexec ${j}a ifconfig ${va} 192.0.2.1/24 up #mtu 8000

       jexec ${j}b ifconfig ${epair}b up mtu 9000
       vb=$(jexec ${j}b ifconfig vlan create vlan 42 vlandev ${epair}b)
       jexec ${j}b ifconfig ${vb} 192.0.2.2/24 up #mtu 8000
       jexec ${j}b ifconfig ${epair_other}b up

       # Sanity check
       atf_check -s exit:0 -o ignore \
           jexec ${j}b ping -c 1 192.0.2.1

       jexec ${j}b dnctl pipe 1 config bw 10Mb queue 100 delay 500 droptail
       jexec ${j}b dnctl sched 1 config pipe 1 type wf2q+
       jexec ${j}b dnctl queue 1 config pipe 1 droptail

       firewall_config ${j}b ${fw} \
               "pf"    \
                       "pass dnqueue 1"

       jexec ${j}a ping -f 192.0.2.2 &
       sleep 1

       jexec ${j}b ifconfig ${vb} destroy

       sleep 2
}

wf2q_heap_cleanup()
{
	firewall_cleanup $1
}

queue_head()
{
	atf_set descr 'Basic queue test'
	atf_set require.user root
}

queue_body()
{
	fw=$1

	if [ $fw = "ipfw" ] && [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "https://bugs.freebsd.org/264805"
	fi

	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
	jexec alcatraz /usr/sbin/inetd -p ${PWD}/inetd-alcatraz.pid \
	    $(atf_get_srcdir)/../pf/echo_inetd.conf

	# Sanity check
	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2
	reply=$(echo "foo" | nc -N 192.0.2.2 7)
	if [ "$reply" != "foo" ];
	then
		atf_fail "Echo sanity check failed"
	fi

	jexec alcatraz dnctl pipe 1 config bw 1MByte/s
	jexec alcatraz dnctl sched 1 config pipe 1 type wf2q+
	jexec alcatraz dnctl queue 100 config sched 1 weight 99 mask all
	jexec alcatraz dnctl queue 200 config sched 1 weight 1 mask all

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 queue 100 tcp from 192.0.2.2 to any out" \
			"ipfw add 1001 queue 200 icmp from 192.0.2.2 to any out" \
			"ipfw add 1002 allow ip from any to any" \
		"pf"	\
			"pass in proto tcp dnqueue (0, 100)" \
			"pass in proto icmp dnqueue (0, 200)"

	# Single ping succeeds
	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

	# Unsaturated TCP succeeds
	reply=$(echo "foo" | nc -w 5 -N 192.0.2.2 7)
	if [ "$reply" != "foo" ];
	then
		atf_fail "Unsaturated echo failed"
	fi

	# Saturate the link
	ping -f -s 1300 192.0.2.2 &

	# Allow this to fill the queue
	sleep 1

	# TCP should still just pass
	fails=0
	for i in `seq 1 5`
	do
		result=$(dd if=/dev/zero bs=1024 count=2000 | timeout 3 nc -w 5 -N 192.0.2.2 7 | wc -c)
		if [ $result -ne 2048000 ];
		then
			echo "Failed to prioritise TCP traffic. Got only $result bytes"
			fails=$(( ${fails} + 1 ))
		fi
	done
	if [ ${fails} -gt 2 ];
	then
		atf_fail "We failed prioritisation ${fails} times"
	fi

	# This will fail if we reverse the pola^W priority
	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 queue 200 tcp from 192.0.2.2 to any out" \
			"ipfw add 1001 queue 100 icmp from 192.0.2.2 to any out" \
			"ipfw add 1002 allow ip from any to any" \
		"pf"	\
			"pass in proto tcp dnqueue (0, 200)" \
			"pass in proto icmp dnqueue (0, 100)"

	jexec alcatraz ping -f -s 1300 192.0.2.1 &
	sleep 1

	fails=0
	for i in `seq 1 5`
	do
		result=$(dd if=/dev/zero bs=1024 count=2000 | timeout 3 nc -w 5 -N 192.0.2.2 7 | wc -c)
		if [ $result -ne 2048000 ];
		then
			echo "Failed to prioritise TCP traffic. Got only $result bytes"
			fails=$(( ${fails} + 1 ))
		fi
	done
	if [ ${fails} -lt 3 ];
	then
		atf_fail "We failed reversed prioritisation only ${fails} times."
	fi
}

queue_cleanup()
{
	firewall_cleanup $1
}

queue_v6_head()
{
	atf_set descr 'Basic queue test'
	atf_set require.user root
}

queue_v6_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a inet6 2001:db8:42::1/64 no_dad up
	jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2 no_dad up
	jexec alcatraz /usr/sbin/inetd -p ${PWD}/inetd-alcatraz.pid \
	    $(atf_get_srcdir)/../pf/echo_inetd.conf
	jexec alcatraz sysctl net.inet6.icmp6.errppslimit=0

	# Sanity check
	atf_check -s exit:0 -o ignore ping6 -i .1 -c 3 -s 1200 2001:db8:42::2
	reply=$(echo "foo" | nc -N 2001:db8:42::2 7)
	if [ "$reply" != "foo" ];
	then
		atf_fail "Echo sanity check failed"
	fi

	jexec alcatraz dnctl pipe 1 config bw 1MByte/s
	jexec alcatraz dnctl sched 1 config pipe 1 type wf2q+
	jexec alcatraz dnctl queue 100 config sched 1 weight 99 mask all
	jexec alcatraz dnctl queue 200 config sched 1 weight 1 mask all

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1001 queue 100 tcp from 2001:db8:42::2 to any out" \
			"ipfw add 1000 queue 200 ipv6-icmp from 2001:db8:42::2 to any out" \
			"ipfw add 1002 allow ip6 from any to any" \
		"pf" \
			"pass in proto tcp dnqueue (0, 100)"	\
			"pass in proto icmp6 dnqueue (0, 200)"

	# Single ping succeeds
	atf_check -s exit:0 -o ignore ping6 -c 1 2001:db8:42::2

	# Unsaturated TCP succeeds
	reply=$(echo "foo" | nc -w 5 -N 2001:db8:42::2 7)
	if [ "$reply" != "foo" ];
	then
		atf_fail "Unsaturated echo failed"
	fi

	# Saturate the link
	ping6 -f -s 1200 2001:db8:42::2 &

	# Allow this to fill the queue
	sleep 1

	# TCP should still just pass
	fails=0
	for i in `seq 1 5`
	do
		result=$(dd if=/dev/zero bs=1024 count=1000 | timeout 3 nc -w 5 -N 2001:db8:42::2 7 | wc -c)
		if [ $result -ne 1024000 ];
		then
			echo "Failed to prioritise TCP traffic. Got only $result bytes"
			fails=$(( ${fails} + 1 ))
		fi
	done
	if [ ${fails} -gt 2 ];
	then
		atf_fail "We failed prioritisation ${fails} times"
	fi

	# What happens if we prioritise ICMP over TCP?
	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1001 queue 200 tcp from 2001:db8:42::2 to any out" \
			"ipfw add 1000 queue 100 ipv6-icmp from 2001:db8:42::2 to any out" \
			"ipfw add 1002 allow ip6 from any to any" \
		"pf" \
			"pass in proto tcp dnqueue (0, 200)"	\
			"pass in proto icmp6 dnqueue (0, 100)"

	fails=0
	for i in `seq 1 5`
	do
		result=$(dd if=/dev/zero bs=1024 count=1000 | timeout 3 nc -w 5 -N 2001:db8:42::2 7 | wc -c)
		if [ $result -ne 1024000 ];
		then
			echo "Failed to prioritise TCP traffic. Got only $result bytes"
			fails=$(( ${fails} + 1 ))
		fi
	done
	if [ ${fails} -lt 3 ];
	then
		atf_fail "We failed reversed prioritisation only ${fails} times."
	fi
}

queue_v6_cleanup()
{
	firewall_cleanup $1
}

nat_head()
{
	atf_set descr 'Basic dummynet + NAT test'
	atf_set require.user root
}

nat_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw
	nat_init $fw

	epair=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	ifconfig ${epair}a 192.0.2.2/24 up
	route add -net 198.51.100.0/24 192.0.2.1

	vnet_mkjail gw ${epair}b ${epair_two}a
	jexec gw ifconfig ${epair}b 192.0.2.1/24 up
	jexec gw ifconfig ${epair_two}a 198.51.100.1/24 up
	jexec gw sysctl net.inet.ip.forwarding=1

	vnet_mkjail srv ${epair_two}b
	jexec srv ifconfig ${epair_two}b 198.51.100.2/24 up

	jexec gw dnctl pipe 1 config bw 300Byte/s

	firewall_config gw $fw \
		"pf"	\
			"nat on ${epair_two}a inet from 192.0.2.0/24 to any -> (${epair_two}a)" \
			"pass dnpipe 1"

	# We've deliberately not set a route to 192.0.2.0/24 on srv, so the
	# only way it can respond to this is if NAT is applied correctly.
	atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2
}

nat_cleanup()
{
	firewall_cleanup $1
}

pls_basic_head()
{
	atf_set descr 'Basic dummynet packet loss rate test'
	atf_set require.user root
}

pls_basic_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 65432 ip from any to any" \
		"pf"	\
			"pass on ${epair}b"

	# Sanity check
	atf_check -s exit:0 -o match:'100 packets transmitted, 100 packets received' ping -i .1 -c 100 192.0.2.2

	jexec alcatraz dnctl pipe 1 config plr 0.1

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 pipe 1 ip from 192.0.2.1 to 192.0.2.2" \
		"pf"	\
			"pass on ${epair}b dnpipe 1"

	# check if the expected number of pings
	# are dropped (84 - 96 responses).
	# repeat up to 6 times if the initial
	# checks fail
	atf_check -s exit:0 -o match:'100 packets transmitted, (8[4-9]|9[0-6]) packets received' -r 20:10 ping -i 0.010 -c 100 192.0.2.2
}

pls_basic_cleanup()
{
	firewall_cleanup $1
}

pls_gilbert_head()
{
	atf_set descr 'dummynet Gilbert-Elliott packet loss model test'
	atf_set require.user root
}

pls_gilbert_body()
{
	fw=$1
	firewall_init $fw
	dummynet_init $fw

	epair=$(vnet_mkepair)
	vnet_mkjail alcatraz ${epair}b

	ifconfig ${epair}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 65432 ip from any to any" \
		"pf"	\
			"pass on ${epair}b"

	# Sanity check
	atf_check -s exit:0 -o match:'100 packets transmitted, 100 packets received' ping -i .1 -c 100 192.0.2.2

	jexec alcatraz dnctl pipe 1 config plr 0.01,0.1,0.8,0.2

	firewall_config alcatraz ${fw} \
		"ipfw"	\
			"ipfw add 1000 pipe 1 ip from 192.0.2.1 to 192.0.2.2" \
		"pf"	\
			"pass on ${epair}b dnpipe 1"

	# check if the expected number of pings
	# are dropped (70 - 85 responses).
	# repeat up to 6 times if the initial
	# checks fail
	atf_check -s exit:0 -o match:'100 packets transmitted, (7[0-9]|8[0-5]) packets received' -r 20:10 ping -i 0.010 -c 100 192.0.2.2
}

pls_gilbert_cleanup()
{
	firewall_cleanup $1
}



setup_tests		\
	interface_removal	\
		ipfw	\
		pf	\
	pipe		\
		ipfw	\
		pf	\
	pipe_v6		\
		ipfw	\
		pf	\
	codel		\
		ipfw	\
		pf	\
	wf2q_heap	\
		pf	\
	queue		\
		ipfw	\
		pf	\
	queue_v6	\
		ipfw	\
		pf	\
	nat		\
		pf	\
	pls_basic	\
		ipfw	\
		pf	\
	pls_gilbert	\
		ipfw	\
		pf