#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2018 Orange Business Services
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
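. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

# pfsync_has_state jail proto addr_a addr_b
#
# Succeed (exit 0) when the pf state table of the given jail holds an
# entry mentioning proto and both addresses.  -F makes the dots in the
# addresses literal instead of regex wildcards, and -w requires a whole
# token match, so 198.51.100.1 no longer matches 198.51.100.10 and
# 198.51.100.2 no longer matches 198.51.100.254 by prefix.
pfsync_has_state()
{
	_jail=$1
	_proto=$2
	_addr_a=$3
	_addr_b=$4

	jexec ${_jail} pfctl -s states | grep -F -- "${_proto}" | \
	    grep -Fw -- "${_addr_a}" | grep -Fw -- "${_addr_b}" >/dev/null
}

atf_test_case "basic" "cleanup"
basic_head()
{
	atf_set descr 'Basic pfsync test'
	atf_set require.user root
}

basic_body()
{
	# Shared two-node scenario, without defer mode.
	common_body
}

# common_body [defer]
#
# Two jails, "one" and "two", share a dedicated epair that carries only
# pfsync; each also has an epair towards the host.  A single ping into
# jail one creates a state there which must show up on jail two, and
# two's creator list (pfctl -sc) must contain one's hostid.  The optional
# first argument (e.g. "defer") is appended verbatim to both pfsync0
# configurations.
common_body()
{
	# Used unquoted on purpose below: an empty $1 has to expand to no
	# word at all, not to an empty argument for ifconfig to reject.
	defer=$1
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one ${epair_one}a ${epair_sync}a
	vnet_mkjail two ${epair_two}a ${epair_sync}b

	# pfsync interface.  pfsync messages are neither authenticated nor
	# encrypted, so the sync link is a point-to-point epair that only
	# the two jails can reach; the "ipsec" test case in this file
	# covers transporting pfsync over a protected path instead.
	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
	    syncdev ${epair_sync}a \
	    maxupd 1 \
	    $defer \
	    up
	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
	jexec two ifconfig pfsync0 \
	    syncdev ${epair_sync}b \
	    maxupd 1 \
	    $defer \
	    up

	# Enable pf!  Filtering is skipped on the sync link so the pfsync
	# traffic itself neither needs nor creates pf state.
	jexec one pfctl -e
	pft_set_rules one \
	    "set skip on ${epair_sync}a" \
	    "pass out keep state"
	jexec two pfctl -e
	pft_set_rules two \
	    "set skip on ${epair_sync}b" \
	    "pass out keep state"

	# pfctl -si -v prints "Hostid: 0x...", while pfctl -sc lists the
	# creators without the 0x prefix, so strip it.  An empty hostid must
	# fail here: grep with an empty pattern matches every line and would
	# turn the creator check below into a guaranteed pass.
	hostid_one=$(jexec one pfctl -si -v | \
	    awk '/Hostid:/ { sub(/^0x/, "", $2); printf("%s", $2); }')
	if [ -z "${hostid_one}" ]; then
		jexec one pfctl -si -v
		atf_fail "could not determine the pf hostid of host one"
	fi

	ifconfig ${epair_one}b 198.51.100.254/24 up

	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Give pfsync time to do its thing
	sleep 2

	if ! pfsync_has_state two icmp 198.51.100.1 198.51.100.254; then
		jexec two pfctl -s states
		atf_fail "state not found on synced host"
	fi

	if ! jexec two pfctl -sc | grep -F -- "${hostid_one}"; then
		jexec two pfctl -sc
		atf_fail "HostID for host one not found on two"
	fi
}

basic_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "basic_defer" "cleanup"
basic_defer_head()
{
	atf_set descr 'Basic defer mode pfsync test'
	atf_set require.user root
}

basic_defer_body()
{
	# Same scenario as "basic", with defer enabled on both pfsync0.
	common_body defer
}

basic_defer_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "defer" "cleanup"
defer_head()
{
	atf_set descr 'Defer mode pfsync test'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# defer_body
#
# One forwarding jail ("alcatraz") with pfsync in defer mode and a long
# defer delay.  pfsync_defer.py (not shown here) plays the pfsync peer on
# the host side and is expected to succeed while defer is on; after defer
# is switched off the same script must exit with status 3.
defer_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_in=$(vnet_mkepair)
	epair_out=$(vnet_mkepair)

	vnet_mkjail alcatraz ${epair_sync}a ${epair_in}a ${epair_out}a

	jexec alcatraz ifconfig ${epair_sync}a 192.0.2.1/24 up
	jexec alcatraz ifconfig ${epair_out}a 198.51.100.1/24 up
	jexec alcatraz ifconfig ${epair_in}a 203.0.113.1/24 up
	# Static ARP entry for the next hop, so forwarding never waits on
	# address resolution for a host that does not exist.
	jexec alcatraz arp -s 203.0.113.2 00:01:02:03:04:05
	jexec alcatraz sysctl net.inet.ip.forwarding=1

	# Set a long defer delay
	jexec alcatraz sysctl net.pfsync.defer_delay=2500

	jexec alcatraz ifconfig pfsync0 \
	    syncdev ${epair_sync}a \
	    maxupd 1 \
	    defer \
	    up

	ifconfig ${epair_sync}b 192.0.2.2/24 up
	ifconfig ${epair_out}b 198.51.100.2/24 up
	ifconfig ${epair_in}b up
	route add -net 203.0.113.0/24 198.51.100.1

	# Enable pf
	jexec alcatraz sysctl net.pf.filter_local=0
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"

	atf_check -s exit:0 env PYTHONPATH=${common_dir} \
	    $(atf_get_srcdir)/pfsync_defer.py \
	    --syncdev ${epair_sync}b \
	    --indev ${epair_in}b \
	    --outdev ${epair_out}b

	# Now disable defer mode and expect failure.
	jexec alcatraz ifconfig pfsync0 -defer

	# Flush state
	pft_set_rules alcatraz \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"

	atf_check -s exit:3 env PYTHONPATH=${common_dir} \
	    $(atf_get_srcdir)/pfsync_defer.py \
	    --syncdev ${epair_sync}b \
	    --indev ${epair_in}b \
	    --outdev ${epair_out}b
}

defer_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "bulk" "cleanup"
bulk_head()
{
	atf_set descr 'Test bulk updates'
	atf_set require.user root
}

# bulk_body
#
# Create a state on jail one while jail two has no pfsync0 yet, then
# bring two's pfsync0 up.  The pre-existing state can only reach two once
# it joins, which is the bulk update the test name refers to.
bulk_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one ${epair_one}a ${epair_sync}a
	vnet_mkjail two ${epair_two}a ${epair_sync}b

	# pfsync interface
	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
	    syncdev ${epair_sync}a \
	    maxupd 1 \
	    up
	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up

	# Enable pf
	jexec one pfctl -e
	pft_set_rules one \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"
	jexec two pfctl -e
	pft_set_rules two \
	    "set skip on ${epair_sync}b" \
	    "pass keep state"

	ifconfig ${epair_one}b 198.51.100.254/24 up

	# Create state prior to setting up pfsync
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Wait before setting up pfsync on two, so we don't accidentally catch
	# the update anyway.
	sleep 1

	# Now set up pfsync in jail two
	jexec two ifconfig pfsync0 \
	    syncdev ${epair_sync}b \
	    up

	# Give pfsync time to do its thing
	sleep 2

	jexec two pfctl -s states
	# The state was created by the ping from 198.51.100.254, so check
	# for that full address: a 198.51.100.2 prefix would also be
	# satisfied by any other 198.51.100.2xx host.
	if ! pfsync_has_state two icmp 198.51.100.1 198.51.100.254; then
		atf_fail "state not found on synced host"
	fi
}

bulk_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "pbr" "cleanup"
pbr_head()
{
	atf_set descr 'route_to and reply_to directives test'
	atf_set require.user root
	atf_set timeout '600'
}

pbr_body()
{
	# Policy-based routing through the CARP pairs, no failover.
	pbr_common_body
}

pbr_cleanup()
{
	pbr_common_cleanup
}

atf_test_case "pfsync_pbr" "cleanup"
pfsync_pbr_head()
{
	atf_set descr 'route_to and reply_to directives pfsync test'
	atf_set require.user root
	atf_set timeout '600'
}

pfsync_pbr_body()
{
	# Same topology, with a CARP failover forced mid-session so the
	# backups must carry on from the synced states.
	pbr_common_body backup_promotion
}

pfsync_pbr_cleanup()
{
	pbr_common_cleanup
}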
298536e1da1SThomas Pasqualinipbr_common_body() 299536e1da1SThomas Pasqualini{ 300536e1da1SThomas Pasqualini # + builds bellow topology and initiate a single ping session 301536e1da1SThomas Pasqualini # from client to server. 302536e1da1SThomas Pasqualini # + gw* forward traffic through pbr not fib lookups. 303536e1da1SThomas Pasqualini # + if backup_promotion arg is given, a carp failover event occurs 304536e1da1SThomas Pasqualini # during the ping session on both gateways. 305536e1da1SThomas Pasqualini # ┌──────┐ 306536e1da1SThomas Pasqualini # │client│ 307536e1da1SThomas Pasqualini # └───┬──┘ 308536e1da1SThomas Pasqualini # │ 309536e1da1SThomas Pasqualini # ┌───┴───┐ 310536e1da1SThomas Pasqualini # │bridge0│ 311536e1da1SThomas Pasqualini # └┬─────┬┘ 312536e1da1SThomas Pasqualini # │ │ 313536e1da1SThomas Pasqualini # ┌────────────────┴─┐ ┌─┴────────────────┐ 314536e1da1SThomas Pasqualini # │gw_route_to_master├─┤gw_route_to_backup│ 315536e1da1SThomas Pasqualini # └────────────────┬─┘ └─┬────────────────┘ 316536e1da1SThomas Pasqualini # │ │ 317536e1da1SThomas Pasqualini # ┌┴─────┴┐ 318536e1da1SThomas Pasqualini # │bridge1│ 319536e1da1SThomas Pasqualini # └┬─────┬┘ 320536e1da1SThomas Pasqualini # │ │ 321536e1da1SThomas Pasqualini # ┌────────────────┴─┐ ┌─┴────────────────┐ 322536e1da1SThomas Pasqualini # │gw_reply_to_master├─┤gw_reply_to_backup│ 323536e1da1SThomas Pasqualini # └────────────────┬─┘ └─┬────────────────┘ 324536e1da1SThomas Pasqualini # │ │ 325536e1da1SThomas Pasqualini # ┌┴─────┴┐ 326536e1da1SThomas Pasqualini # │bridge2│ 327536e1da1SThomas Pasqualini # └───┬───┘ 328536e1da1SThomas Pasqualini # │ 329536e1da1SThomas Pasqualini # ┌───┴──┐ 330536e1da1SThomas Pasqualini # │server│ 331536e1da1SThomas Pasqualini # └──────┘ 332536e1da1SThomas Pasqualini 333536e1da1SThomas Pasqualini if ! 
kldstat -q -m carp 334536e1da1SThomas Pasqualini then 335536e1da1SThomas Pasqualini atf_skip "This test requires carp" 336536e1da1SThomas Pasqualini fi 337536e1da1SThomas Pasqualini pfsynct_init 338480ad405SKristof Provost vnet_init_bridge 339536e1da1SThomas Pasqualini 340536e1da1SThomas Pasqualini bridge0=$(vnet_mkbridge) 341536e1da1SThomas Pasqualini bridge1=$(vnet_mkbridge) 342536e1da1SThomas Pasqualini bridge2=$(vnet_mkbridge) 343536e1da1SThomas Pasqualini 344536e1da1SThomas Pasqualini epair_sync_gw_route_to=$(vnet_mkepair) 345536e1da1SThomas Pasqualini epair_sync_gw_reply_to=$(vnet_mkepair) 346536e1da1SThomas Pasqualini epair_client_bridge0=$(vnet_mkepair) 347536e1da1SThomas Pasqualini 348536e1da1SThomas Pasqualini epair_gw_route_to_master_bridge0=$(vnet_mkepair) 349536e1da1SThomas Pasqualini epair_gw_route_to_backup_bridge0=$(vnet_mkepair) 350536e1da1SThomas Pasqualini epair_gw_route_to_master_bridge1=$(vnet_mkepair) 351536e1da1SThomas Pasqualini epair_gw_route_to_backup_bridge1=$(vnet_mkepair) 352536e1da1SThomas Pasqualini 353536e1da1SThomas Pasqualini epair_gw_reply_to_master_bridge1=$(vnet_mkepair) 354536e1da1SThomas Pasqualini epair_gw_reply_to_backup_bridge1=$(vnet_mkepair) 355536e1da1SThomas Pasqualini epair_gw_reply_to_master_bridge2=$(vnet_mkepair) 356536e1da1SThomas Pasqualini epair_gw_reply_to_backup_bridge2=$(vnet_mkepair) 357536e1da1SThomas Pasqualini 358536e1da1SThomas Pasqualini epair_server_bridge2=$(vnet_mkepair) 359536e1da1SThomas Pasqualini 360536e1da1SThomas Pasqualini ifconfig ${bridge0} up 361536e1da1SThomas Pasqualini ifconfig ${epair_client_bridge0}b up 362536e1da1SThomas Pasqualini ifconfig ${epair_gw_route_to_master_bridge0}b up 363536e1da1SThomas Pasqualini ifconfig ${epair_gw_route_to_backup_bridge0}b up 364536e1da1SThomas Pasqualini ifconfig ${bridge0} \ 365536e1da1SThomas Pasqualini addm ${epair_client_bridge0}b \ 366536e1da1SThomas Pasqualini addm ${epair_gw_route_to_master_bridge0}b \ 367536e1da1SThomas Pasqualini addm 
${epair_gw_route_to_backup_bridge0}b 368536e1da1SThomas Pasqualini 369536e1da1SThomas Pasqualini ifconfig ${bridge1} up 370536e1da1SThomas Pasqualini ifconfig ${epair_gw_route_to_master_bridge1}b up 371536e1da1SThomas Pasqualini ifconfig ${epair_gw_route_to_backup_bridge1}b up 372536e1da1SThomas Pasqualini ifconfig ${epair_gw_reply_to_master_bridge1}b up 373536e1da1SThomas Pasqualini ifconfig ${epair_gw_reply_to_backup_bridge1}b up 374536e1da1SThomas Pasqualini ifconfig ${bridge1} \ 375536e1da1SThomas Pasqualini addm ${epair_gw_route_to_master_bridge1}b \ 376536e1da1SThomas Pasqualini addm ${epair_gw_route_to_backup_bridge1}b \ 377536e1da1SThomas Pasqualini addm ${epair_gw_reply_to_master_bridge1}b \ 378536e1da1SThomas Pasqualini addm ${epair_gw_reply_to_backup_bridge1}b 379536e1da1SThomas Pasqualini 380536e1da1SThomas Pasqualini ifconfig ${bridge2} up 381536e1da1SThomas Pasqualini ifconfig ${epair_gw_reply_to_master_bridge2}b up 382536e1da1SThomas Pasqualini ifconfig ${epair_gw_reply_to_backup_bridge2}b up 383536e1da1SThomas Pasqualini ifconfig ${epair_server_bridge2}b up 384536e1da1SThomas Pasqualini ifconfig ${bridge2} \ 385536e1da1SThomas Pasqualini addm ${epair_gw_reply_to_master_bridge2}b \ 386536e1da1SThomas Pasqualini addm ${epair_gw_reply_to_backup_bridge2}b \ 387536e1da1SThomas Pasqualini addm ${epair_server_bridge2}b 388536e1da1SThomas Pasqualini 389536e1da1SThomas Pasqualini vnet_mkjail client ${epair_client_bridge0}a 390536e1da1SThomas Pasqualini jexec client hostname client 391536e1da1SThomas Pasqualini vnet_mkjail gw_route_to_master \ 392536e1da1SThomas Pasqualini ${epair_gw_route_to_master_bridge0}a \ 393536e1da1SThomas Pasqualini ${epair_gw_route_to_master_bridge1}a \ 394536e1da1SThomas Pasqualini ${epair_sync_gw_route_to}a 395536e1da1SThomas Pasqualini jexec gw_route_to_master hostname gw_route_to_master 396536e1da1SThomas Pasqualini vnet_mkjail gw_route_to_backup \ 397536e1da1SThomas Pasqualini ${epair_gw_route_to_backup_bridge0}a \ 
398536e1da1SThomas Pasqualini ${epair_gw_route_to_backup_bridge1}a \ 399536e1da1SThomas Pasqualini ${epair_sync_gw_route_to}b 400536e1da1SThomas Pasqualini jexec gw_route_to_backup hostname gw_route_to_backup 401536e1da1SThomas Pasqualini vnet_mkjail gw_reply_to_master \ 402536e1da1SThomas Pasqualini ${epair_gw_reply_to_master_bridge1}a \ 403536e1da1SThomas Pasqualini ${epair_gw_reply_to_master_bridge2}a \ 404536e1da1SThomas Pasqualini ${epair_sync_gw_reply_to}a 405536e1da1SThomas Pasqualini jexec gw_reply_to_master hostname gw_reply_to_master 406536e1da1SThomas Pasqualini vnet_mkjail gw_reply_to_backup \ 407536e1da1SThomas Pasqualini ${epair_gw_reply_to_backup_bridge1}a \ 408536e1da1SThomas Pasqualini ${epair_gw_reply_to_backup_bridge2}a \ 409536e1da1SThomas Pasqualini ${epair_sync_gw_reply_to}b 410536e1da1SThomas Pasqualini jexec gw_reply_to_backup hostname gw_reply_to_backup 411536e1da1SThomas Pasqualini vnet_mkjail server ${epair_server_bridge2}a 412536e1da1SThomas Pasqualini jexec server hostname server 413536e1da1SThomas Pasqualini 414536e1da1SThomas Pasqualini jexec client ifconfig ${epair_client_bridge0}a inet 198.18.0.1/24 up 415536e1da1SThomas Pasqualini jexec client route add 198.18.2.0/24 198.18.0.10 416536e1da1SThomas Pasqualini 417536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig ${epair_sync_gw_route_to}a \ 418536e1da1SThomas Pasqualini inet 198.19.10.1/24 up 419536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge0}a \ 420536e1da1SThomas Pasqualini inet 198.18.0.8/24 up 421536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge0}a \ 422536e1da1SThomas Pasqualini alias 198.18.0.10/32 vhid 10 pass 3WjvVVw7 advskew 50 423536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge1}a \ 424536e1da1SThomas Pasqualini inet 198.18.1.8/24 up 425536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig 
${epair_gw_route_to_master_bridge1}a \ 426536e1da1SThomas Pasqualini alias 198.18.1.10/32 vhid 11 pass 3WjvVVw7 advskew 50 427536e1da1SThomas Pasqualini jexec gw_route_to_master sysctl net.inet.ip.forwarding=1 428536e1da1SThomas Pasqualini jexec gw_route_to_master sysctl net.inet.carp.preempt=1 429ddcdb534SKajetan Staszkiewicz 430ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_master ${epair_sync_gw_route_to}a if_pfsync 431ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_master ${epair_gw_route_to_master_bridge0}a if_br0 432ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_master ${epair_gw_route_to_master_bridge1}a if_br1 433ddcdb534SKajetan Staszkiewicz 434536e1da1SThomas Pasqualini jexec gw_route_to_master ifconfig pfsync0 \ 435536e1da1SThomas Pasqualini syncpeer 198.19.10.2 \ 436536e1da1SThomas Pasqualini syncdev if_pfsync \ 437536e1da1SThomas Pasqualini maxupd 1 \ 438536e1da1SThomas Pasqualini up 439536e1da1SThomas Pasqualini pft_set_rules gw_route_to_master \ 440536e1da1SThomas Pasqualini "keep_state = 'tag auth_packet keep state'" \ 441536e1da1SThomas Pasqualini "set timeout { icmp.first 120, icmp.error 60 }" \ 442536e1da1SThomas Pasqualini "block log all" \ 443536e1da1SThomas Pasqualini "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 444536e1da1SThomas Pasqualini "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \ 445536e1da1SThomas Pasqualini "block drop in quick to 224.0.0.18/32" \ 446536e1da1SThomas Pasqualini "pass out quick tagged auth_packet keep state" \ 447536e1da1SThomas Pasqualini "pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 \$keep_state" 448536e1da1SThomas Pasqualini jexec gw_route_to_master pfctl -e 449536e1da1SThomas Pasqualini 450536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig ${epair_sync_gw_route_to}b \ 451536e1da1SThomas Pasqualini inet 198.19.10.2/24 up 452536e1da1SThomas Pasqualini jexec 
gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge0}a \ 453536e1da1SThomas Pasqualini inet 198.18.0.9/24 up 454536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge0}a \ 455536e1da1SThomas Pasqualini alias 198.18.0.10/32 vhid 10 pass 3WjvVVw7 advskew 100 456536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge1}a \ 457536e1da1SThomas Pasqualini inet 198.18.1.9/24 up 458536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge1}a \ 459536e1da1SThomas Pasqualini alias 198.18.1.10/32 vhid 11 pass 3WjvVVw7 advskew 100 460536e1da1SThomas Pasqualini jexec gw_route_to_backup sysctl net.inet.ip.forwarding=1 461536e1da1SThomas Pasqualini jexec gw_route_to_backup sysctl net.inet.carp.preempt=1 462ddcdb534SKajetan Staszkiewicz 463ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_backup ${epair_sync_gw_route_to}b if_pfsync 464ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_backup ${epair_gw_route_to_backup_bridge0}a if_br0 465ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_route_to_backup ${epair_gw_route_to_backup_bridge1}a if_br1 466ddcdb534SKajetan Staszkiewicz 467536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig pfsync0 \ 468536e1da1SThomas Pasqualini syncpeer 198.19.10.1 \ 469536e1da1SThomas Pasqualini syncdev if_pfsync \ 470536e1da1SThomas Pasqualini up 471536e1da1SThomas Pasqualini pft_set_rules gw_route_to_backup \ 472536e1da1SThomas Pasqualini "keep_state = 'tag auth_packet keep state'" \ 473536e1da1SThomas Pasqualini "set timeout { icmp.first 120, icmp.error 60 }" \ 474536e1da1SThomas Pasqualini "block log all" \ 475536e1da1SThomas Pasqualini "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 476536e1da1SThomas Pasqualini "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \ 477536e1da1SThomas Pasqualini "block drop in quick to 224.0.0.18/32" \ 478536e1da1SThomas Pasqualini 
"pass out quick tagged auth_packet keep state" \ 479536e1da1SThomas Pasqualini "pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 \$keep_state" 480536e1da1SThomas Pasqualini jexec gw_route_to_backup pfctl -e 481536e1da1SThomas Pasqualini 482536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig ${epair_sync_gw_reply_to}a \ 483536e1da1SThomas Pasqualini inet 198.19.20.1/24 up 484536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge1}a \ 485536e1da1SThomas Pasqualini inet 198.18.1.18/24 up 486536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge1}a \ 487536e1da1SThomas Pasqualini alias 198.18.1.20/32 vhid 21 pass 3WjvVVw7 advskew 50 488536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge2}a \ 489536e1da1SThomas Pasqualini inet 198.18.2.18/24 up 490536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge2}a \ 491536e1da1SThomas Pasqualini alias 198.18.2.20/32 vhid 22 pass 3WjvVVw7 advskew 50 492536e1da1SThomas Pasqualini jexec gw_reply_to_master sysctl net.inet.ip.forwarding=1 493536e1da1SThomas Pasqualini jexec gw_reply_to_master sysctl net.inet.carp.preempt=1 494ddcdb534SKajetan Staszkiewicz 495ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_reply_to_master ${epair_sync_gw_reply_to}a if_pfsync 496ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_reply_to_master ${epair_gw_reply_to_master_bridge1}a if_br1 497ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_reply_to_master ${epair_gw_reply_to_master_bridge2}a if_br2 498ddcdb534SKajetan Staszkiewicz 499536e1da1SThomas Pasqualini jexec gw_reply_to_master ifconfig pfsync0 \ 500536e1da1SThomas Pasqualini syncpeer 198.19.20.2 \ 501536e1da1SThomas Pasqualini syncdev if_pfsync \ 502536e1da1SThomas Pasqualini maxupd 1 \ 503536e1da1SThomas Pasqualini up 504536e1da1SThomas Pasqualini 
pft_set_rules gw_reply_to_master \ 505536e1da1SThomas Pasqualini "set timeout { icmp.first 120, icmp.error 60 }" \ 506536e1da1SThomas Pasqualini "block log all" \ 507536e1da1SThomas Pasqualini "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 508536e1da1SThomas Pasqualini "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \ 509536e1da1SThomas Pasqualini "block drop in quick to 224.0.0.18/32" \ 510536e1da1SThomas Pasqualini "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \ 511536e1da1SThomas Pasqualini "pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_packet_reply_to keep state" 512536e1da1SThomas Pasqualini jexec gw_reply_to_master pfctl -e 513536e1da1SThomas Pasqualini 514536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig ${epair_sync_gw_reply_to}b \ 515536e1da1SThomas Pasqualini inet 198.19.20.2/24 up 516536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge1}a \ 517536e1da1SThomas Pasqualini inet 198.18.1.19/24 up 518536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge1}a \ 519536e1da1SThomas Pasqualini alias 198.18.1.20/32 vhid 21 pass 3WjvVVw7 advskew 100 520536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge2}a \ 521536e1da1SThomas Pasqualini inet 198.18.2.19/24 up 522536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge2}a \ 523536e1da1SThomas Pasqualini alias 198.18.2.20/32 vhid 22 pass 3WjvVVw7 advskew 100 524536e1da1SThomas Pasqualini jexec gw_reply_to_backup sysctl net.inet.ip.forwarding=1 525536e1da1SThomas Pasqualini jexec gw_reply_to_backup sysctl net.inet.carp.preempt=1 526ddcdb534SKajetan Staszkiewicz 527ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_reply_to_backup ${epair_sync_gw_reply_to}b if_pfsync 528ddcdb534SKajetan Staszkiewicz 
vnet_ifrename_jail gw_reply_to_backup ${epair_gw_reply_to_backup_bridge1}a if_br1 529ddcdb534SKajetan Staszkiewicz vnet_ifrename_jail gw_reply_to_backup ${epair_gw_reply_to_backup_bridge2}a if_br2 530ddcdb534SKajetan Staszkiewicz 531536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig pfsync0 \ 532536e1da1SThomas Pasqualini syncpeer 198.19.20.1 \ 533536e1da1SThomas Pasqualini syncdev if_pfsync \ 534536e1da1SThomas Pasqualini up 535536e1da1SThomas Pasqualini pft_set_rules gw_reply_to_backup \ 536536e1da1SThomas Pasqualini "set timeout { icmp.first 120, icmp.error 60 }" \ 537536e1da1SThomas Pasqualini "block log all" \ 538536e1da1SThomas Pasqualini "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 539536e1da1SThomas Pasqualini "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \ 540536e1da1SThomas Pasqualini "block drop in quick to 224.0.0.18/32" \ 541536e1da1SThomas Pasqualini "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \ 542536e1da1SThomas Pasqualini "pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_packet_reply_to keep state" 543536e1da1SThomas Pasqualini jexec gw_reply_to_backup pfctl -e 544536e1da1SThomas Pasqualini 545536e1da1SThomas Pasqualini jexec server ifconfig ${epair_server_bridge2}a inet 198.18.2.1/24 up 546536e1da1SThomas Pasqualini jexec server route add 198.18.0.0/24 198.18.2.20 547536e1da1SThomas Pasqualini 548536e1da1SThomas Pasqualini # Waiting for platform to settle 549536e1da1SThomas Pasqualini while ! jexec gw_route_to_backup ifconfig | grep 'carp: BACKUP' 550536e1da1SThomas Pasqualini do 551536e1da1SThomas Pasqualini sleep 1 552536e1da1SThomas Pasqualini done 553536e1da1SThomas Pasqualini while ! jexec gw_reply_to_backup ifconfig | grep 'carp: BACKUP' 554536e1da1SThomas Pasqualini do 555536e1da1SThomas Pasqualini sleep 1 556536e1da1SThomas Pasqualini done 557536e1da1SThomas Pasqualini while ! 
jexec client ping -c 10 198.18.2.1 | grep ', 0.0% packet loss' 558536e1da1SThomas Pasqualini do 559536e1da1SThomas Pasqualini sleep 1 560536e1da1SThomas Pasqualini done 561536e1da1SThomas Pasqualini 562536e1da1SThomas Pasqualini # Checking cluster members pf.conf checksums match 563536e1da1SThomas Pasqualini gw_route_to_master_checksum=$(jexec gw_route_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 564536e1da1SThomas Pasqualini gw_route_to_backup_checksum=$(jexec gw_route_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 565536e1da1SThomas Pasqualini gw_reply_to_master_checksum=$(jexec gw_reply_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 566536e1da1SThomas Pasqualini gw_reply_to_backup_checksum=$(jexec gw_reply_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 567536e1da1SThomas Pasqualini if [ "$gw_route_to_master_checksum" != "$gw_route_to_backup_checksum" ] 568536e1da1SThomas Pasqualini then 569536e1da1SThomas Pasqualini atf_fail "gw_route_to cluster members pf.conf do not match each others" 570536e1da1SThomas Pasqualini fi 571536e1da1SThomas Pasqualini if [ "$gw_reply_to_master_checksum" != "$gw_reply_to_backup_checksum" ] 572536e1da1SThomas Pasqualini then 573536e1da1SThomas Pasqualini atf_fail "gw_reply_to cluster members pf.conf do not match each others" 574536e1da1SThomas Pasqualini fi 575536e1da1SThomas Pasqualini 576536e1da1SThomas Pasqualini # Creating state entries 577536e1da1SThomas Pasqualini (jexec client ping -c 10 198.18.2.1 >ping.stdout) & 578536e1da1SThomas Pasqualini 579536e1da1SThomas Pasqualini if [ "$1" = "backup_promotion" ] 580536e1da1SThomas Pasqualini then 581536e1da1SThomas Pasqualini sleep 1 582536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig if_br0 vhid 10 advskew 0 583536e1da1SThomas Pasqualini jexec gw_route_to_backup ifconfig if_br1 vhid 11 advskew 0 584536e1da1SThomas Pasqualini jexec gw_reply_to_backup ifconfig if_br1 vhid 21 advskew 0 585536e1da1SThomas Pasqualini 
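jexec gw_reply_to_backup ifconfig if_br2 vhid 22 advskew 0
fi
while ! grep -q -e 'packet loss' ping.stdout
do
	sleep 1
done

atf_check -s exit:0 -e ignore -o ignore grep ', 0.0% packet loss' ping.stdout
}

# Shared cleanup for the pbr / pfsync_pbr test cases.
pbr_common_cleanup()
{
	pft_cleanup
}

atf_test_case "ipsec" "cleanup"
ipsec_head()
{
	atf_set descr 'Transport pfsync over IPSec'
	atf_set require.user root
}

# Run pfsync between the two jails under an IPsec transport-mode policy on
# the sync link.  First the peers are given mismatched ESP keys and no state
# may reach jail two; then jail two is re-keyed to match and sync must work.
ipsec_body()
{
	if ! sysctl -q kern.features.ipsec >/dev/null ; then
		atf_skip "This test requires ipsec"
	fi

	# Run the common test, to set up pfsync
	common_body

	# But we want unicast pfsync: the policies below only cover the two
	# sync-link addresses, so the traffic has to be addressed to the peer.
	jexec one ifconfig pfsync0 syncpeer 192.0.2.2
	jexec two ifconfig pfsync0 syncpeer 192.0.2.1

	# Flush existing states
	jexec one pfctl -Fs
	jexec two pfctl -Fs

	# Now define an ipsec policy to run over the epair_sync interfaces.
	# 'require' means matching traffic is never sent in the clear when no
	# usable SA exists.  The 20-byte aes-gcm-16 key is a 128-bit key plus
	# the 4-byte salt; it is a fixed test value, not a secret.
	echo "flush;
	spdflush;
	spdadd 192.0.2.1/32 192.0.2.2/32 any -P out ipsec esp/transport//require;
	spdadd 192.0.2.2/32 192.0.2.1/32 any -P in ipsec esp/transport//require;
	add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\";
	add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
	    | jexec one setkey -c

	# Jail two gets a different key for both SPIs, so neither direction
	# can be decrypted by its peer.
	echo "flush;
	spdflush;
	spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require;
	spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require;
	add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567891\";
	add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567891\";" \
	    | jexec two setkey -c

	# We've set incompatible keys, so pfsync will be broken.
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Give pfsync time to do its thing
	sleep 2

	if jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
	    grep 198.51.100.2 ; then
		atf_fail "state synced although IPSec should have prevented it"
	fi

	# Flush existing states
	jexec one pfctl -Fs
	jexec two pfctl -Fs

	# Fix the IPSec key to match; only jail two is re-keyed, jail one
	# keeps the SAs installed above.
	echo "flush;
	spdflush;
	spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require;
	spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require;
	add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\";
	add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
	    | jexec two setkey -c

	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Give pfsync time to do its thing
	sleep 2

	if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
	    grep 198.51.100.2 ; then
		atf_fail "state not found on synced host"
	fi
}

ipsec_cleanup()
{
	pft_cleanup
}

atf_test_case "timeout" "cleanup"
timeout_head()
{
	atf_set descr 'Trigger pfsync_timeout()'
	atf_set require.user root
}

# Single-jail smoke test: create states on lo0 with pfsync in 'defer' mode
# (no syncdev) and wait for the deferred-packet callout to fire.  There is
# no assertion beyond the test not crashing or hanging.
timeout_body()
{
	pft_init

	vnet_mkjail one

	jexec one ifconfig lo0 127.0.0.1/8 up
	jexec one ifconfig lo0 inet6 ::1/128 up

	pft_set_rules one \
		"pass all"
	jexec one pfctl -e
	jexec one ifconfig pfsync0 defer up

	# One IPv4 and one IPv6 state, both deferred.
	jexec one ping -c 1 ::1
	jexec one ping -c 1 127.0.0.1

	# Give pfsync_timeout() time to fire (a callout on a 1 second delay)
	sleep 2
}

timeout_cleanup()
{
	pft_cleanup
}

atf_test_case "basic_ipv6_unicast" "cleanup"
basic_ipv6_unicast_head()
{
	atf_set descr 'Basic pfsync test (IPv6, unicast syncpeer)'
	atf_set require.user root
}

# Same topology as basic_ipv6, but pfsync is pointed at the peer's
# link-local-free ULA address (syncpeer fd2c::1/2) instead of multicast.
basic_ipv6_unicast_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one ${epair_one}a ${epair_sync}a
	vnet_mkjail two ${epair_two}a ${epair_sync}b

	# pfsync interface
	jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up
	jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up
	jexec one ifconfig pfsync0 \
		syncdev ${epair_sync}a \
		syncpeer fd2c::2 \
		maxupd 1 \
		up
	jexec two ifconfig ${epair_two}a inet6 fd2b::2/64 no_dad up
	jexec two ifconfig ${epair_sync}b inet6 fd2c::2/64 no_dad up
	jexec two ifconfig pfsync0 \
		syncdev ${epair_sync}b \
		syncpeer fd2c::1 \
		maxupd 1 \
		up

	# Enable pf!  IPv4 is blocked on the sync link, so only the IPv6
	# pfsync traffic configured above can cross it.
	jexec one pfctl -e
	pft_set_rules one \
		"block on ${epair_sync}a inet" \
		"pass out keep state"
	jexec two pfctl -e
	pft_set_rules two \
		"block on ${epair_sync}b inet" \
		"pass out keep state"

	ifconfig ${epair_one}b inet6 fd2b::f0/64 no_dad up

	ping6 -c 1 -S fd2b::f0 fd2b::1

	# Give pfsync time to do its thing
	sleep 2

	if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \
	    grep fd2b::f0 ; then
		atf_fail "state not found on synced host"
	fi
}

basic_ipv6_unicast_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "basic_ipv6" "cleanup"
basic_ipv6_head()
{
	atf_set descr 'Basic pfsync test (IPv6)'
	atf_set require.user root
}

# IPv6 variant of the basic test: pfsync runs over the fd2c::/64 sync
# link towards the multicast group ff12::f0 on both jails.
basic_ipv6_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one ${epair_one}a ${epair_sync}a
	vnet_mkjail two ${epair_two}a ${epair_sync}b

	# pfsync interface
	jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up
	jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up
	jexec one ifconfig pfsync0 \
		syncdev ${epair_sync}a \
		syncpeer ff12::f0 \
		maxupd 1 \
		up
	jexec two ifconfig ${epair_two}a inet6 fd2b::2/64 no_dad up
	jexec two ifconfig ${epair_sync}b inet6 fd2c::2/64 no_dad up
	jexec two ifconfig pfsync0 \
		syncdev ${epair_sync}b \
		syncpeer ff12::f0 \
		maxupd 1 \
		up

	# Enable pf!  IPv4 is blocked on the sync link, so only the IPv6
	# pfsync traffic configured above can cross it.
	jexec one pfctl -e
	pft_set_rules one \
		"block on ${epair_sync}a inet" \
		"pass out keep state"
	jexec two pfctl -e
	pft_set_rules two \
		"block on ${epair_sync}b inet" \
		"pass out keep state"

	ifconfig ${epair_one}b inet6 fd2b::f0/64 no_dad up

	ping6 -c 1 -S fd2b::f0 fd2b::1

	# Give pfsync time to do its thing
	sleep 2

	if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \
	    grep fd2b::f0 ; then
		atf_fail "state not found on synced host"
	fi
}

basic_ipv6_cleanup()
{
	pfsynct_cleanup
}

# Build the two-router topology shared by the route_to_* test cases.
#
# $1 is the pfsync protocol version (1301 or 1400) handed to
# 'ifconfig pfsync0 version'; any further arguments are ignored.
# Sets the globals epair_sync, epair_one, epair_two, epair_out_one and
# epair_out_two for the callers.  Rulesets are left to the caller.
route_to_common_head()
{
	pfsync_version=$1
	shift

	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)
	epair_out_one=$(vnet_mkepair)
	epair_out_two=$(vnet_mkepair)

	vnet_mkjail one ${epair_one}a ${epair_sync}a ${epair_out_one}a
	vnet_mkjail two ${epair_two}a ${epair_sync}b ${epair_out_two}a

	# pfsync interface
	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
	jexec one ifconfig ${epair_out_one}a 203.0.113.1/24 up
	# Both routers name their egress 'outif' so the route-to rules and
	# the synced state's interface name are identical on each side.
	jexec one ifconfig ${epair_out_one}a name outif
	jexec one sysctl net.inet.ip.forwarding=1
	# Static ARP entry: nothing answers for the route-to gateway
	# 203.0.113.254, the b side of the out epair only has to be up.
	jexec one arp -s 203.0.113.254 00:01:02:03:04:05
	jexec one ifconfig pfsync0 \
		syncdev ${epair_sync}a \
		maxupd 1 \
		version $pfsync_version \
		up

	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
	jexec two ifconfig ${epair_out_two}a 203.0.113.2/24 up
	jexec two ifconfig ${epair_out_two}a name outif
	jexec two sysctl net.inet.ip.forwarding=1
	jexec two arp -s 203.0.113.254 00:01:02:03:04:05
	jexec two ifconfig pfsync0 \
		syncdev ${epair_sync}b \
		maxupd 1 \
		version $pfsync_version \
		up

	ifconfig ${epair_one}b 198.51.100.254/24 up
	ifconfig ${epair_two}b 198.51.100.253/24 up
	route add -net 203.0.113.0/24 198.51.100.1
	ifconfig ${epair_two}b up
	ifconfig ${epair_out_one}b up
	ifconfig ${epair_out_two}b up
}

# Send one ICMP echo through router one, wait for sync and capture the
# normalised state tables of both routers into the globals states_one and
# states_two (temporary files) for the caller's grep checks.
route_to_common_tail()
{
	atf_check -s exit:0 env PYTHONPATH=${common_dir} \
	    ${common_dir}/pft_ping.py \
	    --sendif ${epair_one}b \
	    --fromaddr 198.51.100.254 \
	    --to 203.0.113.254 \
	    --recvif ${epair_out_one}b

	# Allow time for sync
	sleep 2

	# The files are not removed here; removal is left to the test
	# work-directory teardown (presumably where mktemp places them).
	states_one=$(mktemp)
	states_two=$(mktemp)
	jexec one pfctl -qvvss | normalize_pfctl_s > $states_one
	jexec two pfctl -qvvss | normalize_pfctl_s > $states_two
}

# The registered name must match the *_head/*_body/*_cleanup functions
# and the atf_add_test_case entry below ("route_to_1301").
atf_test_case "route_to_1301" "cleanup"
route_to_1301_head()
{
	atf_set descr 'Test route-to with pfsync version 13.1'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# pfsync 13.1 with an identical ruleset on both routers: the receiving
# side recovers the route-to information from the matching rule.
route_to_1301_body()
{
	route_to_common_head 1301

	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass out route-to (outif 203.0.113.254)"

	jexec two pfctl -e
	pft_set_rules two \
		"set skip on ${epair_sync}b" \
		"pass out route-to (outif 203.0.113.254)"

	route_to_common_tail

	# Sanity check
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif origif: outif' $states_one ||
		atf_fail "State missing on router one"

	# With identical ruleset the routing information is recovered from the matching rule.
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif' $states_two ||
		atf_fail "State missing on router two"

	# Leave the body with exit status 0 regardless of the last grep.
	true
}

route_to_1301_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "route_to_1301_bad_ruleset" "cleanup"
route_to_1301_bad_ruleset_head()
{
	atf_set descr 'Test route-to with pfsync version 13.1 and incompatible ruleset'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# pfsync 13.1 with differing rulesets: rule-based recovery is impossible,
# so the state must not appear on router two.
route_to_1301_bad_ruleset_body()
{
	route_to_common_head 1301

	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass out route-to (outif 203.0.113.254)"

	jexec two pfctl -e
	pft_set_rules two \
		"set debug loud" \
		"set skip on ${epair_sync}b" \
		"pass out route-to (outif 203.0.113.254)" \
		"pass out proto tcp"

	# route_to_common_tail sends the same ping again; this first one is
	# kept as-is, the second does not change the outcome.
	atf_check -s exit:0 env PYTHONPATH=${common_dir} \
	    ${common_dir}/pft_ping.py \
	    --sendif ${epair_one}b \
	    --fromaddr 198.51.100.254 \
	    --to 203.0.113.254 \
	    --recvif ${epair_out_one}b

	route_to_common_tail

	# Sanity check
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif origif: outif' $states_one ||
		atf_fail "State missing on router one"

	# Different ruleset on each router means the routing information recovery
	# from rule is impossible. The state is not synced.
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&
		atf_fail "State present on router two"

	# The '&&' above leaves $? = 1 when grep (correctly) finds nothing.
	true
}

route_to_1301_bad_ruleset_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "route_to_1301_bad_rpool" "cleanup"
route_to_1301_bad_rpool_head()
{
	atf_set descr 'Test route-to with pfsync version 13.1 and different interface'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# pfsync 13.1 with an identical ruleset whose route-to pool holds more
# than one entry: no recovery is attempted, the state must not sync.
route_to_1301_bad_rpool_body()
{
	route_to_common_head 1301

	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass out route-to { (outif 203.0.113.254) (outif 203.0.113.254) }"

	jexec two pfctl -e
	pft_set_rules two \
		"set skip on ${epair_sync}b" \
		"pass out route-to { (outif 203.0.113.254) (outif 203.0.113.254) }"

	# route_to_common_tail sends the same ping again; this first one is
	# kept as-is, the second does not change the outcome.
	atf_check -s exit:0 env PYTHONPATH=${common_dir} \
	    ${common_dir}/pft_ping.py \
	    --sendif ${epair_one}b \
	    --fromaddr 198.51.100.254 \
	    --to 203.0.113.254 \
	    --recvif ${epair_out_one}b

	route_to_common_tail

	# Sanity check
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif origif: outif' $states_one ||
		atf_fail "State missing on router one"

	# The ruleset is identical but since the redirection pool contains multiple interfaces
	# pfsync will not attempt to recover the routing information from the rule.
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&
		atf_fail "State present on router two"

	# The '&&' above leaves $? = 1 when grep (correctly) finds nothing.
	true
}

route_to_1301_bad_rpool_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "route_to_1400_bad_ruleset" "cleanup"
route_to_1400_bad_ruleset_head()
{
	atf_set descr 'Test route-to with pfsync version 14.0 and incompatible ruleset'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# pfsync 14.0 carries the routing information in the packet itself, so a
# differing ruleset on router two does not prevent the sync.
route_to_1400_bad_ruleset_body()
{
	route_to_common_head 1400

	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass out route-to (outif 203.0.113.254)"

	jexec two pfctl -e
	pft_set_rules two \
		"set skip on ${epair_sync}b"

	route_to_common_tail

	# Sanity check
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif origif: outif' $states_one ||
		atf_fail "State missing on router one"

	# Even with a different ruleset FreeBSD 14 syncs the state just fine.
	# There's no recovery involved, the pfsync packet contains the routing information.
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .* route-to: 203.0.113.254@outif' $states_two ||
		atf_fail "State missing on router two"

	# Leave the body with exit status 0 regardless of the last grep.
	true
}

route_to_1400_bad_ruleset_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "route_to_1400_bad_ifname" "cleanup"
route_to_1400_bad_ifname_head()
{
	atf_set descr 'Test route-to with pfsync version 14.0 and different interface name'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

# pfsync 14.0 with the egress interface renamed on router two: the synced
# state names an interface that does not exist there and is dropped.
route_to_1400_bad_ifname_body()
{
	route_to_common_head 1400

	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass out route-to (outif 203.0.113.254)"

	jexec two pfctl -e
	jexec two ifconfig outif name outif_new
	pft_set_rules two \
		"set skip on ${epair_sync}b" \
		"pass out route-to (outif_new 203.0.113.254)"

	route_to_common_tail

	# Sanity check
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*, rule 0 .* route-to: 203.0.113.254@outif origif: outif' $states_one ||
		atf_fail "State missing on router one"

	# Since FreeBSD 14 never attempts recovery of missing routing information
	# a state synced to a router with a different interface name is dropped.
	grep -qE 'all icmp 198.51.100.254 -> 203.0.113.254:8 .*' $states_two &&
		atf_fail "State present on router two"

	# The '&&' above leaves $? = 1 when grep (correctly) finds nothing.
	true
}

route_to_1400_bad_ifname_cleanup()
{
	pfsynct_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "basic"
	atf_add_test_case "basic_defer"
	atf_add_test_case "defer"
	atf_add_test_case "bulk"
	atf_add_test_case "pbr"
	atf_add_test_case "pfsync_pbr"
	atf_add_test_case "ipsec"
	atf_add_test_case "timeout"
	atf_add_test_case "basic_ipv6_unicast"
	atf_add_test_case "basic_ipv6"
	atf_add_test_case "route_to_1301"
	atf_add_test_case "route_to_1301_bad_ruleset"
	atf_add_test_case "route_to_1301_bad_rpool"
	atf_add_test_case "route_to_1400_bad_ruleset"
	atf_add_test_case "route_to_1400_bad_ifname"
}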