diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2021-03-15 13:10:55 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2021-03-31 13:09:08 +0000 |
| commit | e99aa5c2cf6b0eadcc29c62243d51de0eb36937c (patch) | |
| tree | 2bd021677934a4117da63626d89fdf5f0f54231a | |
| parent | 343fee4cd023da0f7ed64e19f3d2351083fe963c (diff) | |
pf tests: pfsync bulk update test
Test that pfsync works as expected with bulk updates. That is, create
some state before setting up the second firewall. Let that firewall
request a bulk update so it can catch up, and check that it got the
state which was created before it enable pfsync.
PR: 254236
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D29272
(cherry picked from commit 8ad7d25dfc808ca00300f7553a9b28dfc0e99c18)
| -rw-r--r-- | tests/sys/netpfil/pf/pfsync.sh | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh index d8cb0a13efb7..a6fc7ec9f7e9 100644 --- a/tests/sys/netpfil/pf/pfsync.sh +++ b/tests/sys/netpfil/pf/pfsync.sh @@ -112,8 +112,76 @@ defer_cleanup() pfsynct_cleanup } +atf_test_case "bulk" "cleanup" +bulk_head() +{ + atf_set descr 'Test bulk updates' + atf_set require.user root +} + +bulk_body() +{ + pfsynct_init + + epair_sync=$(vnet_mkepair) + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + + vnet_mkjail one ${epair_one}a ${epair_sync}a + vnet_mkjail two ${epair_two}a ${epair_sync}b + + # pfsync interface + jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up + jexec one ifconfig ${epair_one}a 198.51.100.1/24 up + jexec one ifconfig pfsync0 \ + syncdev ${epair_sync}a \ + maxupd 1\ + up + jexec two ifconfig ${epair_two}a 198.51.100.2/24 up + jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up + + # Enable pf + jexec one pfctl -e + pft_set_rules one \ + "set skip on ${epair_sync}a" \ + "pass keep state" + jexec two pfctl -e + pft_set_rules two \ + "set skip on ${epair_sync}b" \ + "pass keep state" + + ifconfig ${epair_one}b 198.51.100.254/24 up + + # Create state prior to setting up pfsync + ping -c 1 -S 198.51.100.254 198.51.100.1 + + # Wait before setting up pfsync on two, so we don't accidentally catch + # the update anyway. + sleep 1 + + # Now set up pfsync in jail two + jexec two ifconfig pfsync0 \ + syncdev ${epair_sync}b \ + up + + # Give pfsync time to do its thing + sleep 2 + + jexec two pfctl -s states + if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \ + grep 198.51.100.2 ; then + atf_fail "state not found on synced host" + fi +} + +bulk_cleanup() +{ + pfsynct_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" atf_add_test_case "defer" + atf_add_test_case "bulk" } |