# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2018 Orange Business Services
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

28. $(atf_get_srcdir)/utils.subr
29
30common_dir=$(atf_get_srcdir)/../common
31
# Test case "basic"; the cleanup flag declares that basic_cleanup exists.
atf_test_case basic cleanup
basic_head()
{
	# Description shown by the ATF runner.
	atf_set "descr" "Basic pfsync test"
	# Creating vnet jails and epair interfaces requires root.
	atf_set "require.user" "root"
}

basic_body()
{
	# Run the shared scenario without any extra pfsync0 option
	# (common_body's $1 is unset, so no "defer" keyword is passed).
	common_body
}

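#
# Shared scenario for "basic" and "basic_defer": two jails linked by a
# pfsync network, a state created on jail one must show up on jail two.
# $1 - optional extra keyword for pfsync0 (e.g. "defer"), may be absent.
#
common_body()
{
	# Forwarded verbatim to ifconfig(8).  Deliberately left unquoted at
	# the call sites: when the caller passes nothing it must vanish
	# instead of becoming an empty argument.
	defer=$1
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	# Each jail gets one data interface plus one end of the sync link.
	vnet_mkjail one "${epair_one}a" "${epair_sync}a"
	vnet_mkjail two "${epair_two}a" "${epair_sync}b"

	# pfsync interface: 192.0.2.0/24 is the sync network; maxupd 1 is
	# the pfsync update-batching knob, see ifconfig(8).
	jexec one ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec one ifconfig "${epair_one}a" 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
		syncdev "${epair_sync}a" \
		maxupd 1 \
		$defer \
		up
	jexec two ifconfig "${epair_two}a" 198.51.100.2/24 up
	jexec two ifconfig "${epair_sync}b" 192.0.2.2/24 up
	jexec two ifconfig pfsync0 \
		syncdev "${epair_sync}b" \
		maxupd 1 \
		$defer \
		up

	# Enable pf!  The sync link is skipped so pfsync traffic itself is
	# not filtered; all other traffic creates state.
	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass keep state"
	jexec two pfctl -e
	pft_set_rules two \
		"set skip on ${epair_sync}b" \
		"pass keep state"

	# Host side of jail one's data link.
	ifconfig "${epair_one}b" 198.51.100.254/24 up

	# A single ping creates an ICMP state in jail one ...
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# ... give pfsync time to replicate it to jail two.
	sleep 2

	# Fixed-string matches so the dotted addresses are not read as
	# regexes.  NOTE(review): 198.51.100.2 is unanchored and also
	# matches 198.51.100.254 — confirm which address is meant here.
	if ! jexec two pfctl -s states | grep -F icmp | grep -F 198.51.100.1 | \
	    grep -F 198.51.100.2 ; then
		atf_fail "state not found on synced host"
	fi
}
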
basic_cleanup()
{
	# Tear down what common_body created (helper presumably from
	# utils.subr).
	pfsynct_cleanup
}

# Test case "basic_defer"; the cleanup flag declares basic_defer_cleanup.
atf_test_case basic_defer cleanup
basic_defer_head()
{
	# Description shown by the ATF runner.
	atf_set "descr" "Basic defer mode pfsync test"
	# Creating vnet jails and epair interfaces requires root.
	atf_set "require.user" "root"
}

basic_defer_body()
{
	# Same scenario as "basic", but pfsync0 is configured with "defer".
	common_body defer
}

basic_defer_cleanup()
{
	# Tear down what common_body created (helper presumably from
	# utils.subr).
	pfsynct_cleanup
}

# Test case "defer"; the cleanup flag declares defer_cleanup.
atf_test_case defer cleanup
defer_head()
{
	# Description shown by the ATF runner.
	atf_set "descr" "Defer mode pfsync test"
	# Creating vnet jails and epair interfaces requires root.
	atf_set "require.user" "root"
}

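#
# Defer mode: a single forwarding jail syncs to the host, where
# pfsync_defer.py observes the sync traffic.  The helper must succeed
# with "defer" enabled and fail once it is disabled.
#
defer_body()
{
	pfsynct_init

	# Known-failing in CI; the PR is linked in the skip message.
	if [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "Skip know failing test (likely related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260460)"
	fi

	epair_sync=$(vnet_mkepair)
	epair_in=$(vnet_mkepair)
	epair_out=$(vnet_mkepair)

	# The jail holds the "a" end of all three links; the host keeps
	# the "b" ends.
	vnet_mkjail alcatraz "${epair_sync}a" "${epair_in}a" "${epair_out}a"

	jexec alcatraz ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair_out}a" 198.51.100.1/24 up
	jexec alcatraz ifconfig "${epair_in}a" 203.0.113.1/24 up
	# Static ARP entry for 203.0.113.2: nothing on the host side of
	# epair_in is configured to answer ARP (presumably the address
	# pfsync_defer.py targets — see that script).
	jexec alcatraz arp -s 203.0.113.2 00:01:02:03:04:05
	jexec alcatraz sysctl net.inet.ip.forwarding=1

	jexec alcatraz ifconfig pfsync0 \
		syncdev "${epair_sync}a" \
		maxupd 1 \
		defer \
		up

	ifconfig "${epair_sync}b" 192.0.2.2/24 up
	ifconfig "${epair_out}b" 198.51.100.2/24 up
	ifconfig "${epair_in}b" up
	# Route 203.0.113.0/24 via the jail so it is forwarded through pf.
	route add -net 203.0.113.0/24 198.51.100.1

	# Enable pf
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
		"set skip on ${epair_sync}a" \
		"pass keep state"

	# Defer enabled: helper must exit 0.
	atf_check -s exit:0 env PYTHONPATH="${common_dir}" \
		"$(atf_get_srcdir)/pfsync_defer.py" \
		--syncdev "${epair_sync}b" \
		--indev "${epair_in}b" \
		--outdev "${epair_out}b"

	# Now disable defer mode and expect failure.
	jexec alcatraz ifconfig pfsync0 -defer

	# Flush state by reloading the same ruleset (presumably
	# pft_set_rules flushes states — verify in utils.subr).
	pft_set_rules alcatraz \
		"set skip on ${epair_sync}a" \
		"pass keep state"

	# Defer disabled: helper must exit 1.
	atf_check -s exit:1 env PYTHONPATH="${common_dir}" \
		"$(atf_get_srcdir)/pfsync_defer.py" \
		--syncdev "${epair_sync}b" \
		--indev "${epair_in}b" \
		--outdev "${epair_out}b"
}
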
defer_cleanup()
{
	# Tear down what defer_body created (helper presumably from
	# utils.subr).
	pfsynct_cleanup
}

# Test case "bulk"; the cleanup flag declares bulk_cleanup.
atf_test_case bulk cleanup
bulk_head()
{
	# Description shown by the ATF runner.
	atf_set "descr" "Test bulk updates"
	# Creating vnet jails and epair interfaces requires root.
	atf_set "require.user" "root"
}

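#
# Bulk update: a state that already exists on jail one before jail two
# brings up pfsync0 must still be transferred to jail two.
#
bulk_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one "${epair_one}a" "${epair_sync}a"
	vnet_mkjail two "${epair_two}a" "${epair_sync}b"

	# pfsync interface on jail one only; jail two is attached later.
	# (The original had "maxupd 1\" with no space before the
	# continuation, which still parsed but was easy to misread.)
	jexec one ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec one ifconfig "${epair_one}a" 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
		syncdev "${epair_sync}a" \
		maxupd 1 \
		up
	jexec two ifconfig "${epair_two}a" 198.51.100.2/24 up
	jexec two ifconfig "${epair_sync}b" 192.0.2.2/24 up

	# Enable pf
	jexec one pfctl -e
	pft_set_rules one \
		"set skip on ${epair_sync}a" \
		"pass keep state"
	jexec two pfctl -e
	pft_set_rules two \
		"set skip on ${epair_sync}b" \
		"pass keep state"

	ifconfig "${epair_one}b" 198.51.100.254/24 up

	# Create state prior to setting up pfsync
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Wait before setting up pfsync on two, so we don't accidentally catch
	# the update anyway.
	sleep 1

	# Now set up pfsync in jail two
	jexec two ifconfig pfsync0 \
		syncdev "${epair_sync}b" \
		up

	# Give pfsync time to do its thing
	sleep 2

	# Dump the table for the test log, then check it.  Fixed-string
	# matches so the dotted addresses are not read as regexes.
	# NOTE(review): 198.51.100.2 is unanchored and also matches
	# 198.51.100.254 — confirm which address is meant here.
	jexec two pfctl -s states
	if ! jexec two pfctl -s states | grep -F icmp | grep -F 198.51.100.1 | \
	    grep -F 198.51.100.2 ; then
		atf_fail "state not found on synced host"
	fi
}
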
bulk_cleanup()
{
	# Tear down what bulk_body created (helper presumably from
	# utils.subr).
	pfsynct_cleanup
}

# Register the test cases; order here is the order ATF lists them.
atf_init_test_cases()
{
	atf_add_test_case basic
	atf_add_test_case basic_defer
	atf_add_test_case defer
	atf_add_test_case bulk
}
