aboutsummaryrefslogtreecommitdiff
path: root/tests/sys/netpfil/pf/src_track.sh
diff options
context:
space:
mode:
Diffstat (limited to 'tests/sys/netpfil/pf/src_track.sh')
-rwxr-xr-xtests/sys/netpfil/pf/src_track.sh38
1 files changed, 31 insertions, 7 deletions
diff --git a/tests/sys/netpfil/pf/src_track.sh b/tests/sys/netpfil/pf/src_track.sh
index 68e7e72f5018..d86b4ce6c466 100755
--- a/tests/sys/netpfil/pf/src_track.sh
+++ b/tests/sys/netpfil/pf/src_track.sh
@@ -523,11 +523,15 @@ mixed_af_body()
pft_set_rules router \
"set reassemble yes" \
"set state-policy if-bound" \
+ "block" \
+ "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
"pass in on ${epair_tester}b \
- route-to { (${epair_server1}a ${net_server1_4_host_server}) \
- } sticky-address \
- inet6 proto tcp from any to 64:ff9b::/96 \
- af-to inet from ${net_clients_4}.0/${net_clients_4_mask} round-robin sticky-address"
+ route-to { \
+ (${epair_server1}a ${net_server1_4_host_server}) \
+ (${epair_server2}a ${net_server2_6_host_server}) \
+ } prefer-ipv6-nexthop sticky-address \
+ inet6 proto tcp from any to 64:ff9b::/96 \
+ af-to inet from ${net_clients_4}.0/${net_clients_4_mask} round-robin sticky-address"
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_tester}a \
@@ -536,6 +540,20 @@ mixed_af_body()
--to 64:ff9b::192.0.2.100 \
--ping-type=tcp3way \
--send-sport=4201
+ atf_check -s exit:0 ${common_dir}/pft_ping.py \
+ --sendif ${epair_tester}a \
+ --replyif ${epair_tester}a \
+ --fromaddr 2001:db8:44::1 \
+ --to 64:ff9b::192.0.2.100 \
+ --ping-type=tcp3way \
+ --send-sport=4202
+ atf_check -s exit:0 ${common_dir}/pft_ping.py \
+ --sendif ${epair_tester}a \
+ --replyif ${epair_tester}a \
+ --fromaddr 2001:db8:44::2 \
+ --to 64:ff9b::192.0.2.100 \
+ --ping-type=tcp3way \
+ --send-sport=4203
states=$(mktemp) || exit 1
jexec router pfctl -qvvss | normalize_pfctl_s > $states
@@ -544,16 +562,22 @@ mixed_af_body()
# States are checked for proper route-to information.
# The route-to gateway is IPv4.
+ # FIXME: Sticky-address is broken for af-to pools!
+ # The SN is created but apparently not used, as seen in states.
for state_regexp in \
- "${epair_tester}b tcp 203.0.113.0:4201 \(2001:db8:44::1\[4201\]\) -> 192.0.2.100:9 \(64:ff9b::c000:264\[9\]\) .* route-to: 198.51.100.18@${epair_server1}a" \
+ "${epair_server2}a tcp 203.0.113.0:4201 \(2001:db8:44::1\[4201\]\) -> 192.0.2.100:9 \(64:ff9b::c000:264\[9\]\) .* route-to: 2001:db8:4202::2@${epair_server2}a origif: ${epair_tester}b" \
+ "${epair_server2}a tcp 203.0.113.1:4202 \(2001:db8:44::1\[4202\]\) -> 192.0.2.100:9 \(64:ff9b::c000:264\[9\]\) .* route-to: 2001:db8:4202::2@${epair_server2}a origif: ${epair_tester}b" \
+ "${epair_server1}a tcp 203.0.113.2:4203 \(2001:db8:44::2\[4203\]\) -> 192.0.2.100:9 \(64:ff9b::c000:264\[9\]\) .* route-to: 198.51.100.18@${epair_server1}a origif: ${epair_tester}b" \
; do
grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'"
done
# Source nodes map IPv6 source address onto IPv4 gateway and IPv4 SNAT address.
for node_regexp in \
- '2001:db8:44::1 -> 203.0.113.0 .* states 1, .* NAT/RDR sticky-address' \
- '2001:db8:44::1 -> 198.51.100.18 .* states 1, .* route sticky-address' \
+ '2001:db8:44::2 -> 203.0.113.2 .* states 1, .* NAT/RDR sticky-address' \
+ '2001:db8:44::2 -> 198.51.100.18 .* states 1, .* route sticky-address' \
+ '2001:db8:44::1 -> 203.0.113.0 .* states 2, .* NAT/RDR sticky-address' \
+ '2001:db8:44::1 -> 2001:db8:4202::2 .* states 2, .* route sticky-address' \
; do
grep -qE "${node_regexp}" $nodes || atf_fail "Source node not found for '${node_regexp}'"
done
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-19 08:51:16 +0000