1#!/usr/bin/ksh 2 3# 4# This file and its contents are supplied under the terms of the 5# Common Development and Distribution License ("CDDL"), version 1.0. 6# You may only use this file in accordance with the terms of version 7# 1.0 of the CDDL. 8# 9# A full copy of the text of the CDDL should have accompanied this 10# source. A copy of the CDDL is also available via the Internet at 11# http://www.illumos.org/license/CDDL. 12# 13 14# 15# Copyright 2019 Joyent, Inc. 16# 17 18# 19# This test sprays many concurrent ACQUIRE messages and checks the 20# monitor. 21# 22# Note that it's not run by default, as the monitor is best-efforts and 23# therefore not reliable under this kind of load. 24# 25 26if [ `id -u` -ne 0 ]; then 27 echo "Need to be root or have effective UID of root." 28 exit 255 29fi 30 31if [[ `zonename` != "global" ]]; then 32 echo "Need to be the in the global zone for lock detection." 33 exit 254 34fi 35 36PREFIX=10.21.12.0/24 37MONITOR_LOG=/var/tmp/ipseckey-monitor.$$ 38 39# The program that sends an extended REGISTER to enable extended ACQUIREs. 40EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler 41 42$EACQ_PROG & 43eapid=$! 44 45# Tunnels will be preserved by using -f instead of -F. 46ipsecconf -qf 47 48# Simple one-type-of-ESP setup... 49echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \ 50 ipsecconf -qa - 51# ipsecconf -ln 52 53echo "Starting monitor, logging to $MONITOR_LOG" 54 55# Get monitoring PF_KEY for at least regular ACQUIREs. 56ipseckey -n monitor > $MONITOR_LOG & 57IPSECKEY_PID=$! 58 59# Flush out the SADB to make damned sure we don't have straggler acquire 60# records internally. 61ipseckey flush 62 63# wait for the monitor 64sleep 5 65 66echo "Starting pings" 67 68# Launch 254 pings to different addresses (each requiring an ACQUIRE). 69i=1 70while [ $i -le 254 ]; do 71 truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null & 72 i=$(($i + 1)) 73done 74 75# Unleash the pings in 10 seconds, Smithers. 76( sleep 10 ; prun `pgrep ping` ) & 77 78echo "Waiting for pings to finish" 79 80# wait for the pings; not so charming 81while :; do 82 pids="$(pgrep ping)" 83 [[ -n "$pids" ]] || break 84 pwait $pids 85done 86 87# wait for the monitor 88sleep 10 89 90kill $IPSECKEY_PID 91kill $eapid 92# Use SMF to restore anything that may have been there. "restart" on 93# a disabled service is a NOP, but an enabled one will get 94# /etc/inet/ipsecinit.conf reloaded. 95svcadm restart ipsec/policy 96 97# See if we have decent results. 98 99i=1 100while [ $i -le 254 ]; do 101 c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG) 102 if [[ "$c" -ne 2 ]]; then 103 echo "One or more log entries missing for 10.21.12.$i" >&2 104 exit 1 105 fi 106 i=$(($i + 1)) 107done 108 109rm -f $MONITOR_LOG 110exit 0 111