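# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2018 Orange Business Services
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# ATF test cases for pfsync(4): each case builds vnet jails joined by epair
# interfaces, enables pf in them and checks how firewall state is propagated
# over the pfsync link.
#
# pfsynct_init, pfsynct_cleanup, pft_set_rules, vnet_mkepair and vnet_mkjail
# are not defined in this file; they are expected to come from utils.subr.
# All addresses used below are from the RFC 5737 documentation ranges.
#
# The rulesets here are deliberately wide open ("pass keep state") and skip
# filtering on the sync interface.  That is fine on an epair private to the
# test; pfsync(4) itself carries no authentication, so a real deployment
# keeps the syncdev on a dedicated, trusted link (or protects it with IPsec).

. "$(atf_get_srcdir)/utils.subr"

common_dir="$(atf_get_srcdir)/../common"

# Succeed if jail $1 holds an ICMP state line mentioning both test addresses.
# Matching lines are printed, so they end up in the test log.  The exit
# status is that of the last grep in the pipeline.
#
# The addresses are matched as fixed strings (-F) so the dots are not treated
# as regex wildcards.
#
# NOTE(review): the ping that creates the state is sent from 198.51.100.254
# to 198.51.100.1, so "198.51.100.2" appears to match only as a prefix of
# 198.51.100.254 rather than as jail two's own address -- confirm whether the
# pattern should name 198.51.100.254 explicitly.
check_synced_state()
{
	jexec "$1" pfctl -s states | grep -F icmp | grep -F 198.51.100.1 | \
	    grep -F 198.51.100.2
}

atf_test_case "basic" "cleanup"
basic_head()
{
	atf_set descr 'Basic pfsync test'
	atf_set require.user root
}

basic_body()
{
	common_body
}

# Shared body for the "basic" and "basic_defer" cases.
#
# Arguments: $1 - optional extra ifconfig keyword for pfsync0 ("defer"), or
#                 nothing for the default mode.
#
# Creates jails "one" and "two" linked by a sync epair, pings jail one from
# the host and then expects the resulting state to show up in jail two.
common_body()
{
	defer=${1:-}
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one "${epair_one}a" "${epair_sync}a"
	vnet_mkjail two "${epair_two}a" "${epair_sync}b"

	# pfsync interface
	# $defer is intentionally left unquoted: when it is empty it must
	# disappear from the command line instead of becoming an empty argument.
	jexec one ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec one ifconfig "${epair_one}a" 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
	    syncdev "${epair_sync}a" \
	    maxupd 1 \
	    $defer \
	    up
	jexec two ifconfig "${epair_two}a" 198.51.100.2/24 up
	jexec two ifconfig "${epair_sync}b" 192.0.2.2/24 up
	jexec two ifconfig pfsync0 \
	    syncdev "${epair_sync}b" \
	    maxupd 1 \
	    $defer \
	    up

	# Enable pf!
	jexec one pfctl -e
	pft_set_rules one \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"
	jexec two pfctl -e
	pft_set_rules two \
	    "set skip on ${epair_sync}b" \
	    "pass keep state"

	ifconfig "${epair_one}b" 198.51.100.254/24 up

	# This ping only reaches jail one; jail two can learn about the state
	# through pfsync alone.
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Give pfsync time to do its thing
	sleep 2

	if ! check_synced_state two; then
		atf_fail "state not found on synced host"
	fi
}

basic_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "basic_defer" "cleanup"
basic_defer_head()
{
	atf_set descr 'Basic defer mode pfsync test'
	atf_set require.user root
}

basic_defer_body()
{
	common_body defer
}

basic_defer_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "defer" "cleanup"
defer_head()
{
	atf_set descr 'Defer mode pfsync test'
	atf_set require.user root
}

# Runs pfsync_defer.py against a forwarding jail twice: once with defer mode
# enabled on pfsync0 (the script must exit 0) and once after "-defer" (the
# script must exit 1).  What the script inspects on the three interfaces is
# not visible from this file.
defer_body()
{
	pfsynct_init

	# Skipped when the "ci" configuration variable is "true".
	if [ "$(atf_config_get ci false)" = "true" ]; then
		atf_skip "Skip know failing test (likely related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260460)"
	fi

	epair_sync=$(vnet_mkepair)
	epair_in=$(vnet_mkepair)
	epair_out=$(vnet_mkepair)

	vnet_mkjail alcatraz "${epair_sync}a" "${epair_in}a" "${epair_out}a"

	jexec alcatraz ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec alcatraz ifconfig "${epair_out}a" 198.51.100.1/24 up
	jexec alcatraz ifconfig "${epair_in}a" 203.0.113.1/24 up
	# Static ARP entry for a host that does not exist in this setup;
	# presumably so forwarded packets can leave ${epair_in}a without
	# anything answering ARP.
	jexec alcatraz arp -s 203.0.113.2 00:01:02:03:04:05
	jexec alcatraz sysctl net.inet.ip.forwarding=1

	jexec alcatraz ifconfig pfsync0 \
	    syncdev "${epair_sync}a" \
	    maxupd 1 \
	    defer \
	    up

	# Host side of the three epairs.  Note that the route below is added
	# in the host's own routing table, not inside the jail.
	ifconfig "${epair_sync}b" 192.0.2.2/24 up
	ifconfig "${epair_out}b" 198.51.100.2/24 up
	ifconfig "${epair_in}b" up
	route add -net 203.0.113.0/24 198.51.100.1

	# Enable pf
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"

	atf_check -s exit:0 env PYTHONPATH="${common_dir}" \
	    "$(atf_get_srcdir)/pfsync_defer.py" \
	    --syncdev "${epair_sync}b" \
	    --indev "${epair_in}b" \
	    --outdev "${epair_out}b"

	# Now disable defer mode and expect failure.
	jexec alcatraz ifconfig pfsync0 -defer

	# Flush state
	pft_set_rules alcatraz \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"

	atf_check -s exit:1 env PYTHONPATH="${common_dir}" \
	    "$(atf_get_srcdir)/pfsync_defer.py" \
	    --syncdev "${epair_sync}b" \
	    --indev "${epair_in}b" \
	    --outdev "${epair_out}b"
}

defer_cleanup()
{
	pfsynct_cleanup
}

atf_test_case "bulk" "cleanup"
bulk_head()
{
	atf_set descr 'Test bulk updates'
	atf_set require.user root
}

# Creates a state in jail one before pfsync0 exists in jail two, then brings
# pfsync0 up in jail two and expects the already existing state to appear
# there.
bulk_body()
{
	pfsynct_init

	epair_sync=$(vnet_mkepair)
	epair_one=$(vnet_mkepair)
	epair_two=$(vnet_mkepair)

	vnet_mkjail one "${epair_one}a" "${epair_sync}a"
	vnet_mkjail two "${epair_two}a" "${epair_sync}b"

	# pfsync interface
	jexec one ifconfig "${epair_sync}a" 192.0.2.1/24 up
	jexec one ifconfig "${epair_one}a" 198.51.100.1/24 up
	jexec one ifconfig pfsync0 \
	    syncdev "${epair_sync}a" \
	    maxupd 1 \
	    up
	jexec two ifconfig "${epair_two}a" 198.51.100.2/24 up
	jexec two ifconfig "${epair_sync}b" 192.0.2.2/24 up

	# Enable pf
	jexec one pfctl -e
	pft_set_rules one \
	    "set skip on ${epair_sync}a" \
	    "pass keep state"
	jexec two pfctl -e
	pft_set_rules two \
	    "set skip on ${epair_sync}b" \
	    "pass keep state"

	ifconfig "${epair_one}b" 198.51.100.254/24 up

	# Create state prior to setting up pfsync
	ping -c 1 -S 198.51.100.254 198.51.100.1

	# Wait before setting up pfsync on two, so we don't accidentally catch
	# the update anyway.
	sleep 1

	# Now set up pfsync in jail two
	jexec two ifconfig pfsync0 \
	    syncdev "${epair_sync}b" \
	    up

	# Give pfsync time to do its thing
	sleep 2

	# Dump the full state table into the test log before checking it.
	jexec two pfctl -s states
	if ! check_synced_state two; then
		atf_fail "state not found on synced host"
	fi
}

bulk_cleanup()
{
	pfsynct_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "basic"
	atf_add_test_case "basic_defer"
	atf_add_test_case "defer"
	atf_add_test_case "bulk"
}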