xref: /freebsd/tests/sys/netpfil/pf/pfsync.sh (revision fe6060f10f634930ff71b7c50291ddc610da2475)
1# $FreeBSD$
2#
3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4#
5# Copyright (c) 2018 Orange Business Services
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27
28. $(atf_get_srcdir)/utils.subr
29
30atf_test_case "basic" "cleanup"
31basic_head()
32{
33	atf_set descr 'Basic pfsync test'
34	atf_set require.user root
35}
36
37basic_body()
38{
39	common_body
40}
41
42common_body()
43{
44	defer=$1
45	pfsynct_init
46
47	epair_sync=$(vnet_mkepair)
48	epair_one=$(vnet_mkepair)
49	epair_two=$(vnet_mkepair)
50
51	vnet_mkjail one ${epair_one}a ${epair_sync}a
52	vnet_mkjail two ${epair_two}a ${epair_sync}b
53
54	# pfsync interface
55	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
56	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
57	jexec one ifconfig pfsync0 \
58		syncdev ${epair_sync}a \
59		maxupd 1 \
60		$defer \
61		up
62	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
63	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
64	jexec two ifconfig pfsync0 \
65		syncdev ${epair_sync}b \
66		maxupd 1 \
67		$defer \
68		up
69
70	# Enable pf!
71	jexec one pfctl -e
72	pft_set_rules one \
73		"set skip on ${epair_sync}a" \
74		"pass keep state"
75	jexec two pfctl -e
76	pft_set_rules two \
77		"set skip on ${epair_sync}b" \
78		"pass keep state"
79
80	ifconfig ${epair_one}b 198.51.100.254/24 up
81
82	ping -c 1 -S 198.51.100.254 198.51.100.1
83
84	# Give pfsync time to do its thing
85	sleep 2
86
87	if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
88	    grep 198.51.100.2 ; then
89		atf_fail "state not found on synced host"
90	fi
91}
92
93basic_cleanup()
94{
95	pfsynct_cleanup
96}
97
98atf_test_case "defer" "cleanup"
99defer_head()
100{
101	atf_set descr 'Defer mode pfsync test'
102	atf_set require.user root
103}
104
105defer_body()
106{
107	common_body defer
108}
109
110defer_cleanup()
111{
112	pfsynct_cleanup
113}
114
115atf_test_case "bulk" "cleanup"
116bulk_head()
117{
118	atf_set descr 'Test bulk updates'
119	atf_set require.user root
120}
121
122bulk_body()
123{
124	pfsynct_init
125
126	epair_sync=$(vnet_mkepair)
127	epair_one=$(vnet_mkepair)
128	epair_two=$(vnet_mkepair)
129
130	vnet_mkjail one ${epair_one}a ${epair_sync}a
131	vnet_mkjail two ${epair_two}a ${epair_sync}b
132
133	# pfsync interface
134	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
135	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
136	jexec one ifconfig pfsync0 \
137		syncdev ${epair_sync}a \
138		maxupd 1\
139		up
140	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
141	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
142
143	# Enable pf
144	jexec one pfctl -e
145	pft_set_rules one \
146		"set skip on ${epair_sync}a" \
147		"pass keep state"
148	jexec two pfctl -e
149	pft_set_rules two \
150		"set skip on ${epair_sync}b" \
151		"pass keep state"
152
153	ifconfig ${epair_one}b 198.51.100.254/24 up
154
155	# Create state prior to setting up pfsync
156	ping -c 1 -S 198.51.100.254 198.51.100.1
157
158	# Wait before setting up pfsync on two, so we don't accidentally catch
159	# the update anyway.
160	sleep 1
161
162	# Now set up pfsync in jail two
163	jexec two ifconfig pfsync0 \
164		syncdev ${epair_sync}b \
165		up
166
167	# Give pfsync time to do its thing
168	sleep 2
169
170	jexec two pfctl -s states
171	if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
172	    grep 198.51.100.2 ; then
173		atf_fail "state not found on synced host"
174	fi
175}
176
177bulk_cleanup()
178{
179	pfsynct_cleanup
180}
181
182atf_init_test_cases()
183{
184	atf_add_test_case "basic"
185	atf_add_test_case "defer"
186	atf_add_test_case "bulk"
187}
188