1# $FreeBSD$ 2# 3# SPDX-License-Identifier: BSD-2-Clause 4# 5# Copyright (c) 2018 Orange Business Services 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 1. Redistributions of source code must retain the above copyright 11# notice, this list of conditions and the following disclaimer. 12# 2. Redistributions in binary form must reproduce the above copyright 13# notice, this list of conditions and the following disclaimer in the 14# documentation and/or other materials provided with the distribution. 15# 16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26# SUCH DAMAGE. 27 28. $(atf_get_srcdir)/utils.subr 29 30common_dir=$(atf_get_srcdir)/../common 31 32atf_test_case "basic" "cleanup" 33basic_head() 34{ 35 atf_set descr 'Basic pfsync test' 36 atf_set require.user root 37} 38 39basic_body() 40{ 41 common_body 42} 43 44common_body() 45{ 46 defer=$1 47 pfsynct_init 48 49 epair_sync=$(vnet_mkepair) 50 epair_one=$(vnet_mkepair) 51 epair_two=$(vnet_mkepair) 52 53 vnet_mkjail one ${epair_one}a ${epair_sync}a 54 vnet_mkjail two ${epair_two}a ${epair_sync}b 55 56 # pfsync interface 57 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up 58 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up 59 jexec one ifconfig pfsync0 \ 60 syncdev ${epair_sync}a \ 61 maxupd 1 \ 62 $defer \ 63 up 64 jexec two ifconfig ${epair_two}a 198.51.100.2/24 up 65 jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up 66 jexec two ifconfig pfsync0 \ 67 syncdev ${epair_sync}b \ 68 maxupd 1 \ 69 $defer \ 70 up 71 72 # Enable pf! 73 jexec one pfctl -e 74 pft_set_rules one \ 75 "set skip on ${epair_sync}a" \ 76 "pass out keep state" 77 jexec two pfctl -e 78 pft_set_rules two \ 79 "set skip on ${epair_sync}b" \ 80 "pass out keep state" 81 82 ifconfig ${epair_one}b 198.51.100.254/24 up 83 84 ping -c 1 -S 198.51.100.254 198.51.100.1 85 86 # Give pfsync time to do its thing 87 sleep 2 88 89 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ 90 grep 198.51.100.254 ; then 91 atf_fail "state not found on synced host" 92 fi 93} 94 95basic_cleanup() 96{ 97 pfsynct_cleanup 98} 99 100atf_test_case "basic_defer" "cleanup" 101basic_defer_head() 102{ 103 atf_set descr 'Basic defer mode pfsync test' 104 atf_set require.user root 105} 106 107basic_defer_body() 108{ 109 common_body defer 110} 111 112basic_defer_cleanup() 113{ 114 pfsynct_cleanup 115} 116 117atf_test_case "defer" "cleanup" 118defer_head() 119{ 120 atf_set descr 'Defer mode pfsync test' 121 atf_set require.user root 122} 123 124defer_body() 125{ 126 pfsynct_init 127 128 epair_sync=$(vnet_mkepair) 129 epair_in=$(vnet_mkepair) 130 epair_out=$(vnet_mkepair) 131 132 vnet_mkjail alcatraz ${epair_sync}a ${epair_in}a ${epair_out}a 133 134 jexec alcatraz ifconfig ${epair_sync}a 192.0.2.1/24 up 135 jexec alcatraz ifconfig ${epair_out}a 198.51.100.1/24 up 136 jexec alcatraz ifconfig ${epair_in}a 203.0.113.1/24 up 137 jexec alcatraz arp -s 203.0.113.2 00:01:02:03:04:05 138 jexec alcatraz sysctl net.inet.ip.forwarding=1 139 140 # Set a long defer delay 141 jexec alcatraz sysctl net.pfsync.defer_delay=2500 142 143 jexec alcatraz ifconfig pfsync0 \ 144 syncdev ${epair_sync}a \ 145 maxupd 1 \ 146 defer \ 147 up 148 149 ifconfig ${epair_sync}b 192.0.2.2/24 up 150 ifconfig ${epair_out}b 198.51.100.2/24 up 151 ifconfig ${epair_in}b up 152 route add -net 203.0.113.0/24 198.51.100.1 153 154 # Enable pf 155 jexec alcatraz sysctl net.pf.filter_local=0 156 jexec alcatraz pfctl -e 157 pft_set_rules alcatraz \ 158 "set skip on ${epair_sync}a" \ 159 "pass keep state" 160 161 atf_check -s exit:0 env PYTHONPATH=${common_dir} \ 162 $(atf_get_srcdir)/pfsync_defer.py \ 163 --syncdev ${epair_sync}b \ 164 --indev ${epair_in}b \ 165 --outdev ${epair_out}b 166 167 # Now disable defer mode and expect failure. 168 jexec alcatraz ifconfig pfsync0 -defer 169 170 # Flush state 171 pft_set_rules alcatraz \ 172 "set skip on ${epair_sync}a" \ 173 "pass keep state" 174 175 atf_check -s exit:3 env PYTHONPATH=${common_dir} \ 176 $(atf_get_srcdir)/pfsync_defer.py \ 177 --syncdev ${epair_sync}b \ 178 --indev ${epair_in}b \ 179 --outdev ${epair_out}b 180} 181 182defer_cleanup() 183{ 184 pfsynct_cleanup 185} 186 187atf_test_case "bulk" "cleanup" 188bulk_head() 189{ 190 atf_set descr 'Test bulk updates' 191 atf_set require.user root 192} 193 194bulk_body() 195{ 196 pfsynct_init 197 198 epair_sync=$(vnet_mkepair) 199 epair_one=$(vnet_mkepair) 200 epair_two=$(vnet_mkepair) 201 202 vnet_mkjail one ${epair_one}a ${epair_sync}a 203 vnet_mkjail two ${epair_two}a ${epair_sync}b 204 205 # pfsync interface 206 jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up 207 jexec one ifconfig ${epair_one}a 198.51.100.1/24 up 208 jexec one ifconfig pfsync0 \ 209 syncdev ${epair_sync}a \ 210 maxupd 1\ 211 up 212 jexec two ifconfig ${epair_two}a 198.51.100.2/24 up 213 jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up 214 215 # Enable pf 216 jexec one pfctl -e 217 pft_set_rules one \ 218 "set skip on ${epair_sync}a" \ 219 "pass keep state" 220 jexec two pfctl -e 221 pft_set_rules two \ 222 "set skip on ${epair_sync}b" \ 223 "pass keep state" 224 225 ifconfig ${epair_one}b 198.51.100.254/24 up 226 227 # Create state prior to setting up pfsync 228 ping -c 1 -S 198.51.100.254 198.51.100.1 229 230 # Wait before setting up pfsync on two, so we don't accidentally catch 231 # the update anyway. 232 sleep 1 233 234 # Now set up pfsync in jail two 235 jexec two ifconfig pfsync0 \ 236 syncdev ${epair_sync}b \ 237 up 238 239 # Give pfsync time to do its thing 240 sleep 2 241 242 jexec two pfctl -s states 243 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ 244 grep 198.51.100.2 ; then 245 atf_fail "state not found on synced host" 246 fi 247} 248 249bulk_cleanup() 250{ 251 pfsynct_cleanup 252} 253 254atf_test_case "pbr" "cleanup" 255pbr_head() 256{ 257 atf_set descr 'route_to and reply_to directives test' 258 atf_set require.user root 259 atf_set timeout '600' 260} 261 262pbr_body() 263{ 264 pbr_common_body 265} 266 267pbr_cleanup() 268{ 269 pbr_common_cleanup 270} 271 272atf_test_case "pfsync_pbr" "cleanup" 273pfsync_pbr_head() 274{ 275 atf_set descr 'route_to and reply_to directives pfsync test' 276 atf_set require.user root 277 atf_set timeout '600' 278} 279 280pfsync_pbr_body() 281{ 282 pbr_common_body backup_promotion 283} 284 285pfsync_pbr_cleanup() 286{ 287 pbr_common_cleanup 288} 289 290pbr_common_body() 291{ 292 # + builds bellow topology and initiate a single ping session 293 # from client to server. 294 # + gw* forward traffic through pbr not fib lookups. 295 # + if backup_promotion arg is given, a carp failover event occurs 296 # during the ping session on both gateways. 297 # ┌──────┐ 298 # │client│ 299 # └───┬──┘ 300 # │ 301 # ┌───┴───┐ 302 # │bridge0│ 303 # └┬─────┬┘ 304 # │ │ 305 # ┌────────────────┴─┐ ┌─┴────────────────┐ 306 # │gw_route_to_master├─┤gw_route_to_backup│ 307 # └────────────────┬─┘ └─┬────────────────┘ 308 # │ │ 309 # ┌┴─────┴┐ 310 # │bridge1│ 311 # └┬─────┬┘ 312 # │ │ 313 # ┌────────────────┴─┐ ┌─┴────────────────┐ 314 # │gw_reply_to_master├─┤gw_reply_to_backup│ 315 # └────────────────┬─┘ └─┬────────────────┘ 316 # │ │ 317 # ┌┴─────┴┐ 318 # │bridge2│ 319 # └───┬───┘ 320 # │ 321 # ┌───┴──┐ 322 # │server│ 323 # └──────┘ 324 325 if ! kldstat -q -m carp 326 then 327 atf_skip "This test requires carp" 328 fi 329 pfsynct_init 330 331 bridge0=$(vnet_mkbridge) 332 bridge1=$(vnet_mkbridge) 333 bridge2=$(vnet_mkbridge) 334 335 epair_sync_gw_route_to=$(vnet_mkepair) 336 epair_sync_gw_reply_to=$(vnet_mkepair) 337 epair_client_bridge0=$(vnet_mkepair) 338 339 epair_gw_route_to_master_bridge0=$(vnet_mkepair) 340 epair_gw_route_to_backup_bridge0=$(vnet_mkepair) 341 epair_gw_route_to_master_bridge1=$(vnet_mkepair) 342 epair_gw_route_to_backup_bridge1=$(vnet_mkepair) 343 344 epair_gw_reply_to_master_bridge1=$(vnet_mkepair) 345 epair_gw_reply_to_backup_bridge1=$(vnet_mkepair) 346 epair_gw_reply_to_master_bridge2=$(vnet_mkepair) 347 epair_gw_reply_to_backup_bridge2=$(vnet_mkepair) 348 349 epair_server_bridge2=$(vnet_mkepair) 350 351 ifconfig ${bridge0} up 352 ifconfig ${epair_client_bridge0}b up 353 ifconfig ${epair_gw_route_to_master_bridge0}b up 354 ifconfig ${epair_gw_route_to_backup_bridge0}b up 355 ifconfig ${bridge0} \ 356 addm ${epair_client_bridge0}b \ 357 addm ${epair_gw_route_to_master_bridge0}b \ 358 addm ${epair_gw_route_to_backup_bridge0}b 359 360 ifconfig ${bridge1} up 361 ifconfig ${epair_gw_route_to_master_bridge1}b up 362 ifconfig ${epair_gw_route_to_backup_bridge1}b up 363 ifconfig ${epair_gw_reply_to_master_bridge1}b up 364 ifconfig ${epair_gw_reply_to_backup_bridge1}b up 365 ifconfig ${bridge1} \ 366 addm ${epair_gw_route_to_master_bridge1}b \ 367 addm ${epair_gw_route_to_backup_bridge1}b \ 368 addm ${epair_gw_reply_to_master_bridge1}b \ 369 addm ${epair_gw_reply_to_backup_bridge1}b 370 371 ifconfig ${bridge2} up 372 ifconfig ${epair_gw_reply_to_master_bridge2}b up 373 ifconfig ${epair_gw_reply_to_backup_bridge2}b up 374 ifconfig ${epair_server_bridge2}b up 375 ifconfig ${bridge2} \ 376 addm ${epair_gw_reply_to_master_bridge2}b \ 377 addm ${epair_gw_reply_to_backup_bridge2}b \ 378 addm ${epair_server_bridge2}b 379 380 vnet_mkjail client ${epair_client_bridge0}a 381 jexec client hostname client 382 vnet_mkjail gw_route_to_master \ 383 ${epair_gw_route_to_master_bridge0}a \ 384 ${epair_gw_route_to_master_bridge1}a \ 385 ${epair_sync_gw_route_to}a 386 jexec gw_route_to_master hostname gw_route_to_master 387 vnet_mkjail gw_route_to_backup \ 388 ${epair_gw_route_to_backup_bridge0}a \ 389 ${epair_gw_route_to_backup_bridge1}a \ 390 ${epair_sync_gw_route_to}b 391 jexec gw_route_to_backup hostname gw_route_to_backup 392 vnet_mkjail gw_reply_to_master \ 393 ${epair_gw_reply_to_master_bridge1}a \ 394 ${epair_gw_reply_to_master_bridge2}a \ 395 ${epair_sync_gw_reply_to}a 396 jexec gw_reply_to_master hostname gw_reply_to_master 397 vnet_mkjail gw_reply_to_backup \ 398 ${epair_gw_reply_to_backup_bridge1}a \ 399 ${epair_gw_reply_to_backup_bridge2}a \ 400 ${epair_sync_gw_reply_to}b 401 jexec gw_reply_to_backup hostname gw_reply_to_backup 402 vnet_mkjail server ${epair_server_bridge2}a 403 jexec server hostname server 404 405 jexec client ifconfig ${epair_client_bridge0}a inet 198.18.0.1/24 up 406 jexec client route add 198.18.2.0/24 198.18.0.10 407 408 jexec gw_route_to_master ifconfig ${epair_sync_gw_route_to}a \ 409 inet 198.19.10.1/24 up 410 jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge0}a \ 411 inet 198.18.0.8/24 up 412 jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge0}a \ 413 alias 198.18.0.10/32 vhid 10 pass 3WjvVVw7 advskew 50 414 jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge1}a \ 415 inet 198.18.1.8/24 up 416 jexec gw_route_to_master ifconfig ${epair_gw_route_to_master_bridge1}a \ 417 alias 198.18.1.10/32 vhid 11 pass 3WjvVVw7 advskew 50 418 jexec gw_route_to_master sysctl net.inet.ip.forwarding=1 419 jexec gw_route_to_master sysctl net.inet.carp.preempt=1 420 421 vnet_ifrename_jail gw_route_to_master ${epair_sync_gw_route_to}a if_pfsync 422 vnet_ifrename_jail gw_route_to_master ${epair_gw_route_to_master_bridge0}a if_br0 423 vnet_ifrename_jail gw_route_to_master ${epair_gw_route_to_master_bridge1}a if_br1 424 425 jexec gw_route_to_master ifconfig pfsync0 \ 426 syncpeer 198.19.10.2 \ 427 syncdev if_pfsync \ 428 maxupd 1 \ 429 up 430 pft_set_rules gw_route_to_master \ 431 "keep_state = 'tag auth_packet keep state'" \ 432 "set timeout { icmp.first 120, icmp.error 60 }" \ 433 "block log all" \ 434 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 435 "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \ 436 "block drop in quick to 224.0.0.18/32" \ 437 "pass out quick tagged auth_packet keep state" \ 438 "pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 \$keep_state" 439 jexec gw_route_to_master pfctl -e 440 441 jexec gw_route_to_backup ifconfig ${epair_sync_gw_route_to}b \ 442 inet 198.19.10.2/24 up 443 jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge0}a \ 444 inet 198.18.0.9/24 up 445 jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge0}a \ 446 alias 198.18.0.10/32 vhid 10 pass 3WjvVVw7 advskew 100 447 jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge1}a \ 448 inet 198.18.1.9/24 up 449 jexec gw_route_to_backup ifconfig ${epair_gw_route_to_backup_bridge1}a \ 450 alias 198.18.1.10/32 vhid 11 pass 3WjvVVw7 advskew 100 451 jexec gw_route_to_backup sysctl net.inet.ip.forwarding=1 452 jexec gw_route_to_backup sysctl net.inet.carp.preempt=1 453 454 vnet_ifrename_jail gw_route_to_backup ${epair_sync_gw_route_to}b if_pfsync 455 vnet_ifrename_jail gw_route_to_backup ${epair_gw_route_to_backup_bridge0}a if_br0 456 vnet_ifrename_jail gw_route_to_backup ${epair_gw_route_to_backup_bridge1}a if_br1 457 458 jexec gw_route_to_backup ifconfig pfsync0 \ 459 syncpeer 198.19.10.1 \ 460 syncdev if_pfsync \ 461 up 462 pft_set_rules gw_route_to_backup \ 463 "keep_state = 'tag auth_packet keep state'" \ 464 "set timeout { icmp.first 120, icmp.error 60 }" \ 465 "block log all" \ 466 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 467 "pass quick on { if_br0 if_br1 } proto carp keep state (no-sync)" \ 468 "block drop in quick to 224.0.0.18/32" \ 469 "pass out quick tagged auth_packet keep state" \ 470 "pass in quick log on if_br0 route-to (if_br1 198.18.1.20) proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 \$keep_state" 471 jexec gw_route_to_backup pfctl -e 472 473 jexec gw_reply_to_master ifconfig ${epair_sync_gw_reply_to}a \ 474 inet 198.19.20.1/24 up 475 jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge1}a \ 476 inet 198.18.1.18/24 up 477 jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge1}a \ 478 alias 198.18.1.20/32 vhid 21 pass 3WjvVVw7 advskew 50 479 jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge2}a \ 480 inet 198.18.2.18/24 up 481 jexec gw_reply_to_master ifconfig ${epair_gw_reply_to_master_bridge2}a \ 482 alias 198.18.2.20/32 vhid 22 pass 3WjvVVw7 advskew 50 483 jexec gw_reply_to_master sysctl net.inet.ip.forwarding=1 484 jexec gw_reply_to_master sysctl net.inet.carp.preempt=1 485 486 vnet_ifrename_jail gw_reply_to_master ${epair_sync_gw_reply_to}a if_pfsync 487 vnet_ifrename_jail gw_reply_to_master ${epair_gw_reply_to_master_bridge1}a if_br1 488 vnet_ifrename_jail gw_reply_to_master ${epair_gw_reply_to_master_bridge2}a if_br2 489 490 jexec gw_reply_to_master ifconfig pfsync0 \ 491 syncpeer 198.19.20.2 \ 492 syncdev if_pfsync \ 493 maxupd 1 \ 494 up 495 pft_set_rules gw_reply_to_master \ 496 "set timeout { icmp.first 120, icmp.error 60 }" \ 497 "block log all" \ 498 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 499 "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \ 500 "block drop in quick to 224.0.0.18/32" \ 501 "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \ 502 "pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_packet_reply_to keep state" 503 jexec gw_reply_to_master pfctl -e 504 505 jexec gw_reply_to_backup ifconfig ${epair_sync_gw_reply_to}b \ 506 inet 198.19.20.2/24 up 507 jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge1}a \ 508 inet 198.18.1.19/24 up 509 jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge1}a \ 510 alias 198.18.1.20/32 vhid 21 pass 3WjvVVw7 advskew 100 511 jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge2}a \ 512 inet 198.18.2.19/24 up 513 jexec gw_reply_to_backup ifconfig ${epair_gw_reply_to_backup_bridge2}a \ 514 alias 198.18.2.20/32 vhid 22 pass 3WjvVVw7 advskew 100 515 jexec gw_reply_to_backup sysctl net.inet.ip.forwarding=1 516 jexec gw_reply_to_backup sysctl net.inet.carp.preempt=1 517 518 vnet_ifrename_jail gw_reply_to_backup ${epair_sync_gw_reply_to}b if_pfsync 519 vnet_ifrename_jail gw_reply_to_backup ${epair_gw_reply_to_backup_bridge1}a if_br1 520 vnet_ifrename_jail gw_reply_to_backup ${epair_gw_reply_to_backup_bridge2}a if_br2 521 522 jexec gw_reply_to_backup ifconfig pfsync0 \ 523 syncpeer 198.19.20.1 \ 524 syncdev if_pfsync \ 525 up 526 pft_set_rules gw_reply_to_backup \ 527 "set timeout { icmp.first 120, icmp.error 60 }" \ 528 "block log all" \ 529 "pass quick on if_pfsync proto pfsync keep state (no-sync)" \ 530 "pass quick on { if_br1 if_br2 } proto carp keep state (no-sync)" \ 531 "block drop in quick to 224.0.0.18/32" \ 532 "pass out quick on if_br2 reply-to (if_br1 198.18.1.10) tagged auth_packet_reply_to keep state" \ 533 "pass in quick log on if_br1 proto { icmp udp tcp } from 198.18.0.0/24 to 198.18.2.0/24 tag auth_packet_reply_to keep state" 534 jexec gw_reply_to_backup pfctl -e 535 536 jexec server ifconfig ${epair_server_bridge2}a inet 198.18.2.1/24 up 537 jexec server route add 198.18.0.0/24 198.18.2.20 538 539 # Waiting for platform to settle 540 while ! jexec gw_route_to_backup ifconfig | grep 'carp: BACKUP' 541 do 542 sleep 1 543 done 544 while ! jexec gw_reply_to_backup ifconfig | grep 'carp: BACKUP' 545 do 546 sleep 1 547 done 548 while ! jexec client ping -c 10 198.18.2.1 | grep ', 0.0% packet loss' 549 do 550 sleep 1 551 done 552 553 # Checking cluster members pf.conf checksums match 554 gw_route_to_master_checksum=$(jexec gw_route_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 555 gw_route_to_backup_checksum=$(jexec gw_route_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 556 gw_reply_to_master_checksum=$(jexec gw_reply_to_master pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 557 gw_reply_to_backup_checksum=$(jexec gw_reply_to_backup pfctl -si -v | grep 'Checksum:' | cut -d ' ' -f 2) 558 if [ "$gw_route_to_master_checksum" != "$gw_route_to_backup_checksum" ] 559 then 560 atf_fail "gw_route_to cluster members pf.conf do not match each others" 561 fi 562 if [ "$gw_reply_to_master_checksum" != "$gw_reply_to_backup_checksum" ] 563 then 564 atf_fail "gw_reply_to cluster members pf.conf do not match each others" 565 fi 566 567 # Creating state entries 568 (jexec client ping -c 10 198.18.2.1 >ping.stdout) & 569 570 if [ "$1" = "backup_promotion" ] 571 then 572 sleep 1 573 jexec gw_route_to_backup ifconfig if_br0 vhid 10 advskew 0 574 jexec gw_route_to_backup ifconfig if_br1 vhid 11 advskew 0 575 jexec gw_reply_to_backup ifconfig if_br1 vhid 21 advskew 0 576 jexec gw_reply_to_backup ifconfig if_br2 vhid 22 advskew 0 577 fi 578 while ! grep -q -e 'packet loss' ping.stdout 579 do 580 sleep 1 581 done 582 583 atf_check -s exit:0 -e ignore -o ignore grep ', 0.0% packet loss' ping.stdout 584} 585 586pbr_common_cleanup() 587{ 588 pft_cleanup 589} 590 591atf_test_case "ipsec" "cleanup" 592ipsec_head() 593{ 594 atf_set descr 'Transport pfsync over IPSec' 595 atf_set require.user root 596} 597 598ipsec_body() 599{ 600 if ! sysctl -q kern.features.ipsec >/dev/null ; then 601 atf_skip "This test requires ipsec" 602 fi 603 604 # Run the common test, to set up pfsync 605 common_body 606 607 # But we want unicast pfsync 608 jexec one ifconfig pfsync0 syncpeer 192.0.2.2 609 jexec two ifconfig pfsync0 syncpeer 192.0.2.1 610 611 # Flush existing states 612 jexec one pfctl -Fs 613 jexec two pfctl -Fs 614 615 # Now define an ipsec policy to run over the epair_sync interfaces 616 echo "flush; 617 spdflush; 618 spdadd 192.0.2.1/32 192.0.2.2/32 any -P out ipsec esp/transport//require; 619 spdadd 192.0.2.2/32 192.0.2.1/32 any -P in ipsec esp/transport//require; 620 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\"; 621 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \ 622 | jexec one setkey -c 623 624 echo "flush; 625 spdflush; 626 spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require; 627 spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require; 628 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567891\"; 629 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567891\";" \ 630 | jexec two setkey -c 631 632 # We've set incompatible keys, so pfsync will be broken. 633 ping -c 1 -S 198.51.100.254 198.51.100.1 634 635 # Give pfsync time to do its thing 636 sleep 2 637 638 if jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ 639 grep 198.51.100.2 ; then 640 atf_fail "state synced although IPSec should have prevented it" 641 fi 642 643 # Flush existing states 644 jexec one pfctl -Fs 645 jexec two pfctl -Fs 646 647 # Fix the IPSec key to match 648 echo "flush; 649 spdflush; 650 spdadd 192.0.2.2/32 192.0.2.1/32 any -P out ipsec esp/transport//require; 651 spdadd 192.0.2.1/32 192.0.2.2/32 any -P in ipsec esp/transport//require; 652 add 192.0.2.1 192.0.2.2 esp 0x1000 -E aes-gcm-16 \"12345678901234567890\"; 653 add 192.0.2.2 192.0.2.1 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \ 654 | jexec two setkey -c 655 656 ping -c 1 -S 198.51.100.254 198.51.100.1 657 658 # Give pfsync time to do its thing 659 sleep 2 660 661 if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ 662 grep 198.51.100.2 ; then 663 atf_fail "state not found on synced host" 664 fi 665} 666 667ipsec_cleanup() 668{ 669 pft_cleanup 670} 671 672atf_test_case "timeout" "cleanup" 673timeout_head() 674{ 675 atf_set descr 'Trigger pfsync_timeout()' 676 atf_set require.user root 677} 678 679timeout_body() 680{ 681 pft_init 682 683 vnet_mkjail one 684 685 jexec one ifconfig lo0 127.0.0.1/8 up 686 jexec one ifconfig lo0 inet6 ::1/128 up 687 688 pft_set_rules one \ 689 "pass all" 690 jexec one pfctl -e 691 jexec one ifconfig pfsync0 defer up 692 693 jexec one ping -c 1 ::1 694 jexec one ping -c 1 127.0.0.1 695 696 # Give pfsync_timeout() time to fire (a callout on a 1 second delay) 697 sleep 2 698} 699 700timeout_cleanup() 701{ 702 pft_cleanup 703} 704 705atf_test_case "basic_ipv6_unicast" "cleanup" 706basic_ipv6_unicast_head() 707{ 708 atf_set descr 'Basic pfsync test (IPv6)' 709 atf_set require.user root 710} 711 712basic_ipv6_unicast_body() 713{ 714 pfsynct_init 715 716 epair_sync=$(vnet_mkepair) 717 epair_one=$(vnet_mkepair) 718 epair_two=$(vnet_mkepair) 719 720 vnet_mkjail one ${epair_one}a ${epair_sync}a 721 vnet_mkjail two ${epair_two}a ${epair_sync}b 722 723 # pfsync interface 724 jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up 725 jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up 726 jexec one ifconfig pfsync0 \ 727 syncdev ${epair_sync}a \ 728 syncpeer fd2c::2 \ 729 maxupd 1 \ 730 up 731 jexec two ifconfig ${epair_two}a inet6 fd2b::2/64 no_dad up 732 jexec two ifconfig ${epair_sync}b inet6 fd2c::2/64 no_dad up 733 jexec two ifconfig pfsync0 \ 734 syncdev ${epair_sync}b \ 735 syncpeer fd2c::1 \ 736 maxupd 1 \ 737 up 738 739 # Enable pf! 740 jexec one pfctl -e 741 pft_set_rules one \ 742 "block on ${epair_sync}a inet" \ 743 "pass out keep state" 744 jexec two pfctl -e 745 pft_set_rules two \ 746 "block on ${epair_sync}b inet" \ 747 "pass out keep state" 748 749 ifconfig ${epair_one}b inet6 fd2b::f0/64 no_dad up 750 751 ping6 -c 1 -S fd2b::f0 fd2b::1 752 753 # Give pfsync time to do its thing 754 sleep 2 755 756 if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \ 757 grep fd2b::f0 ; then 758 atf_fail "state not found on synced host" 759 fi 760} 761 762basic_ipv6_unicast_cleanup() 763{ 764 pfsynct_cleanup 765} 766 767atf_test_case "basic_ipv6" "cleanup" 768basic_ipv6_head() 769{ 770 atf_set descr 'Basic pfsync test (IPv6)' 771 atf_set require.user root 772} 773 774basic_ipv6_body() 775{ 776 pfsynct_init 777 778 epair_sync=$(vnet_mkepair) 779 epair_one=$(vnet_mkepair) 780 epair_two=$(vnet_mkepair) 781 782 vnet_mkjail one ${epair_one}a ${epair_sync}a 783 vnet_mkjail two ${epair_two}a ${epair_sync}b 784 785 # pfsync interface 786 jexec one ifconfig ${epair_sync}a inet6 fd2c::1/64 no_dad up 787 jexec one ifconfig ${epair_one}a inet6 fd2b::1/64 no_dad up 788 jexec one ifconfig pfsync0 \ 789 syncdev ${epair_sync}a \ 790 syncpeer ff12::f0 \ 791 maxupd 1 \ 792 up 793 jexec two ifconfig ${epair_two}a inet6 fd2b::2/64 no_dad up 794 jexec two ifconfig ${epair_sync}b inet6 fd2c::2/64 no_dad up 795 jexec two ifconfig pfsync0 \ 796 syncdev ${epair_sync}b \ 797 syncpeer ff12::f0 \ 798 maxupd 1 \ 799 up 800 801 # Enable pf! 802 jexec one pfctl -e 803 pft_set_rules one \ 804 "block on ${epair_sync}a inet" \ 805 "pass out keep state" 806 jexec two pfctl -e 807 pft_set_rules two \ 808 "block on ${epair_sync}b inet" \ 809 "pass out keep state" 810 811 ifconfig ${epair_one}b inet6 fd2b::f0/64 no_dad up 812 813 ping6 -c 1 -S fd2b::f0 fd2b::1 814 815 # Give pfsync time to do its thing 816 sleep 2 817 818 if ! jexec two pfctl -s states | grep icmp | grep fd2b::1 | \ 819 grep fd2b::f0 ; then 820 atf_fail "state not found on synced host" 821 fi 822} 823 824basic_ipv6_cleanup() 825{ 826 pfsynct_cleanup 827} 828 829atf_init_test_cases() 830{ 831 atf_add_test_case "basic" 832 atf_add_test_case "basic_defer" 833 atf_add_test_case "defer" 834 atf_add_test_case "bulk" 835 atf_add_test_case "pbr" 836 atf_add_test_case "pfsync_pbr" 837 atf_add_test_case "ipsec" 838 atf_add_test_case "timeout" 839 atf_add_test_case "basic_ipv6_unicast" 840 atf_add_test_case "basic_ipv6" 841} 842