diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sys/fs/fusefs/pre-init.cc | 72 | ||||
| -rw-r--r-- | tests/sys/kern/ptrace_test.c | 2 | ||||
| -rwxr-xr-x | tests/sys/net/if_bridge_test.sh | 105 | ||||
| -rw-r--r-- | tests/sys/net/if_gif.sh | 154 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/Makefile | 1 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/frag4.py | 72 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/nat64.py | 6 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/nat64.sh | 182 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/sctp.py | 33 | ||||
| -rwxr-xr-x | tests/sys/netpfil/pf/src_track.sh | 2 | ||||
| -rw-r--r-- | tests/sys/netpfil/pf/table.sh | 42 |
11 files changed, 591 insertions, 80 deletions
diff --git a/tests/sys/fs/fusefs/pre-init.cc b/tests/sys/fs/fusefs/pre-init.cc index e990d3cafffa..2d3257500304 100644 --- a/tests/sys/fs/fusefs/pre-init.cc +++ b/tests/sys/fs/fusefs/pre-init.cc @@ -44,12 +44,26 @@ using namespace testing; /* Tests for behavior that happens before the server responds to FUSE_INIT */ class PreInit: public FuseTest { +public: void SetUp() { m_no_auto_init = true; FuseTest::SetUp(); } }; +/* + * Tests for behavior that happens before the server responds to FUSE_INIT, + * parameterized on default_permissions + */ +class PreInitP: public PreInit, + public WithParamInterface<bool> +{ +void SetUp() { + m_default_permissions = GetParam(); + PreInit::SetUp(); +} +}; + static void* unmount1(void* arg __unused) { ssize_t r; @@ -152,3 +166,61 @@ TEST_F(PreInit, signal_during_unmount_before_init) sem_post(&sem0); m_mock->join_daemon(); } + +/* + * If some process attempts VOP_GETATTR for the mountpoint before init is + * complete, fusefs should wait, just like it does for other VOPs. + * + * To verify that fuse_vnop_getattr does indeed wait for FUSE_INIT to complete, + * invoke the test like this: + * +> sudo cpuset -c -l 0 dtrace -i 'fbt:fusefs:fuse_internal_init_callback:' -i 'fbt:fusefs:fuse_vnop_getattr:' -c "./pre-init --gtest_filter=PI/PreInitP.getattr_before_init/0" +... +dtrace: pid 4224 has exited +CPU ID FUNCTION:NAME + 0 68670 fuse_vnop_getattr:entry + 0 68893 fuse_internal_init_callback:entry + 0 68894 fuse_internal_init_callback:return + 0 68671 fuse_vnop_getattr:return + * + * Note that fuse_vnop_getattr was entered first, but exitted last. + */ +TEST_P(PreInitP, getattr_before_init) +{ + struct stat sb; + nlink_t nlink = 12345; + + EXPECT_CALL(*m_mock, process( + ResultOf([=](auto in) { + return (in.header.opcode == FUSE_INIT); + }, Eq(true)), + _) + ).WillOnce(Invoke(ReturnImmediate([&](auto in, auto& out) { + SET_OUT_HEADER_LEN(out, init); + out.body.init.major = FUSE_KERNEL_VERSION; + out.body.init.minor = FUSE_KERNEL_MINOR_VERSION; + out.body.init.flags = in.body.init.flags & m_init_flags; + out.body.init.max_write = m_maxwrite; + out.body.init.max_readahead = m_maxreadahead; + out.body.init.time_gran = m_time_gran; + nap(); /* Allow stat() to run first */ + }))); + EXPECT_CALL(*m_mock, process( + ResultOf([=](auto in) { + return (in.header.opcode == FUSE_GETATTR && + in.header.nodeid == FUSE_ROOT_ID); + }, Eq(true)), + _) + ).WillOnce(Invoke(ReturnImmediate([=](auto& in, auto& out) { + SET_OUT_HEADER_LEN(out, attr); + out.body.attr.attr.ino = in.header.nodeid; + out.body.attr.attr.mode = S_IFDIR | 0644; + out.body.attr.attr.nlink = nlink; + out.body.attr.attr_valid = UINT64_MAX; + }))); + + EXPECT_EQ(0, stat("mountpoint", &sb)); + EXPECT_EQ(nlink, sb.st_nlink); +} + +INSTANTIATE_TEST_SUITE_P(PI, PreInitP, Bool()); diff --git a/tests/sys/kern/ptrace_test.c b/tests/sys/kern/ptrace_test.c index d36dfe951e20..fee0bd2ffa38 100644 --- a/tests/sys/kern/ptrace_test.c +++ b/tests/sys/kern/ptrace_test.c @@ -3239,7 +3239,7 @@ ATF_TC_BODY(ptrace__PT_REGSET, tc) ATF_REQUIRE(ptrace(PT_GETREGSET, wpid, (caddr_t)&vec, NT_ARM_ADDR_MASK) != -1); REQUIRE_EQ(addr_mask.code, addr_mask.data); - ATF_REQUIRE(addr_mask.code == 0 || + ATF_REQUIRE(addr_mask.code == 0xff00000000000000ul || addr_mask.code == 0xff7f000000000000UL); #endif diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh index 534144f46632..906f586d2483 100755 --- a/tests/sys/net/if_bridge_test.sh +++ b/tests/sys/net/if_bridge_test.sh @@ -922,15 +922,15 @@ vlan_pvid_body() ifconfig ${bridge} vlanfilter up ifconfig ${epone}a up ifconfig ${eptwo}a up - ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 - ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 20 + ifconfig ${bridge} addm ${epone}a untagged 20 + ifconfig ${bridge} addm ${eptwo}a untagged 20 # With VLAN filtering enabled, traffic should be passed. atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 # Removed the untagged VLAN on one port; traffic should not be passed. - ifconfig ${bridge} -untagged ${epone}a + ifconfig ${bridge} -ifuntagged ${epone}a atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 } @@ -966,10 +966,8 @@ vlan_pvid_filtered_body() atf_check -s exit:0 ifconfig ${bridge} vlanfilter up atf_check -s exit:0 ifconfig ${epone}a up atf_check -s exit:0 ifconfig ${eptwo}a up - atf_check -s exit:0 ifconfig ${bridge} \ - addm ${epone}a untagged ${epone}a 20 - atf_check -s exit:0 ifconfig ${bridge} \ - addm ${eptwo}a untagged ${eptwo}a 30 + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a untagged 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a untagged 30 atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 @@ -1011,10 +1009,8 @@ vlan_pvid_tagged_body() atf_check -s exit:0 ifconfig ${bridge} vlanfilter up atf_check -s exit:0 ifconfig ${epone}a up atf_check -s exit:0 ifconfig ${eptwo}a up - atf_check -s exit:0 ifconfig ${bridge} \ - addm ${epone}a untagged ${epone}a 20 - atf_check -s exit:0 ifconfig ${bridge} \ - addm ${eptwo}a untagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a untagged 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a untagged 20 # Tagged frames should not be passed. atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 @@ -1055,10 +1051,8 @@ vlan_pvid_1q_body() bridge=$(vnet_mkbridge) atf_check -s exit:0 ifconfig ${bridge} vlanfilter up - atf_check -s exit:0 ifconfig ${bridge} \ - addm ${epone}a untagged ${epone}a 20 - atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a \ - tagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a untagged 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a tagged 20 atf_check -s exit:0 ifconfig ${epone}a up atf_check -s exit:0 ifconfig ${eptwo}a up @@ -1116,25 +1110,25 @@ vlan_filtering_body() # Set the untagged vlan on both ports to 20 and make sure traffic is # still blocked. We intentionally do not pass tagged traffic for the # untagged vlan. - atf_check -s exit:0 ifconfig ${bridge} untagged ${epone}a 20 - atf_check -s exit:0 ifconfig ${bridge} untagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} ifuntagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} ifuntagged ${eptwo}a 20 atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 - atf_check -s exit:0 ifconfig ${bridge} -untagged ${epone}a - atf_check -s exit:0 ifconfig ${bridge} -untagged ${eptwo}a + atf_check -s exit:0 ifconfig ${bridge} -ifuntagged ${epone}a + atf_check -s exit:0 ifconfig ${bridge} -ifuntagged ${eptwo}a # Add VLANs 10-30 to the access list; now access should be allowed. - atf_check -s exit:0 ifconfig ${bridge} +tagged ${epone}a 10-30 - atf_check -s exit:0 ifconfig ${bridge} +tagged ${eptwo}a 10-30 + atf_check -s exit:0 ifconfig ${bridge} +iftagged ${epone}a 10-30 + atf_check -s exit:0 ifconfig ${bridge} +iftagged ${eptwo}a 10-30 atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 # Remove vlan 20 from the access list, now access should be blocked # again. - atf_check -s exit:0 ifconfig ${bridge} -tagged ${epone}a 20 - atf_check -s exit:0 ifconfig ${bridge} -tagged ${eptwo}a 20 + atf_check -s exit:0 ifconfig ${bridge} -iftagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} -iftagged ${eptwo}a 20 atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 } @@ -1145,16 +1139,16 @@ vlan_filtering_cleanup() } # -# Test the ifconfig 'tagged' option. +# Test the ifconfig 'iftagged' option. # -atf_test_case "vlan_ifconfig_tagged" "cleanup" -vlan_ifconfig_tagged_head() +atf_test_case "vlan_ifconfig_iftagged" "cleanup" +vlan_ifconfig_iftagged_head() { - atf_set descr 'test the ifconfig tagged option' + atf_set descr 'test the ifconfig iftagged option' atf_set require.user root } -vlan_ifconfig_tagged_body() +vlan_ifconfig_iftagged_body() { vnet_init vnet_init_bridge @@ -1170,34 +1164,34 @@ vlan_ifconfig_tagged_body() atf_check -s exit:0 -o not-match:"tagged" ifconfig ${bridge} # Add vlans 100-149. - atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a 100-149 + atf_check -s exit:0 ifconfig ${bridge} iftagged ${ep}a 100-149 atf_check -s exit:0 -o match:"tagged 100-149" ifconfig ${bridge} # Replace the vlan list with 139-199. - atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a 139-199 + atf_check -s exit:0 ifconfig ${bridge} iftagged ${ep}a 139-199 atf_check -s exit:0 -o match:"tagged 139-199" ifconfig ${bridge} # Add vlans 100-170. - atf_check -s exit:0 ifconfig ${bridge} +tagged ${ep}a 100-170 + atf_check -s exit:0 ifconfig ${bridge} +iftagged ${ep}a 100-170 atf_check -s exit:0 -o match:"tagged 100-199" ifconfig ${bridge} # Remove vlans 104, 105, and 150-159 - atf_check -s exit:0 ifconfig ${bridge} -tagged ${ep}a 104,105,150-159 + atf_check -s exit:0 ifconfig ${bridge} -iftagged ${ep}a 104,105,150-159 atf_check -s exit:0 -o match:"tagged 100-103,106-149,160-199" \ ifconfig ${bridge} # Remove the entire vlan list. - atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a none + atf_check -s exit:0 ifconfig ${bridge} iftagged ${ep}a none atf_check -s exit:0 -o not-match:"tagged" ifconfig ${bridge} # Test some invalid vlans sets. for bad_vlan in -1 0 4096 4097 foo 0-10 4000-5000 foo-40 40-foo; do atf_check -s exit:1 -e ignore \ - ifconfig ${bridge} tagged "$bad_vlan" + ifconfig ${bridge} iftagged "$bad_vlan" done } -vlan_ifconfig_tagged_cleanup() +vlan_ifconfig_iftagged_cleanup() { vnet_cleanup } @@ -1229,8 +1223,7 @@ vlan_svi_body() atf_check -s exit:0 ifconfig ${bridge} vlanfilter up atf_check -s exit:0 ifconfig ${epone}a up - atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a \ - tagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a tagged 20 svi=$(vnet_mkvlan) atf_check -s exit:0 ifconfig ${svi} vlan 20 vlandev ${bridge} @@ -1268,21 +1261,25 @@ vlan_qinq_body() # Create a QinQ trunk between the two jails. The outer (provider) tag # is 5, and the inner tag is 10. - jexec one ifconfig ${epone}b up - jexec one ifconfig ${epone}b.5 create vlanproto 802.1ad up - jexec one ifconfig ${epone}b.5.10 create inet 192.0.2.1/24 up + atf_check -s exit:0 jexec one ifconfig ${epone}b up + atf_check -s exit:0 jexec one \ + ifconfig ${epone}b.5 create vlanproto 802.1ad up + atf_check -s exit:0 jexec one \ + ifconfig ${epone}b.5.10 create inet 192.0.2.1/24 up - jexec two ifconfig ${eptwo}b up - jexec two ifconfig ${eptwo}b.5 create vlanproto 802.1ad up - jexec two ifconfig ${eptwo}b.5.10 create inet 192.0.2.2/24 up + atf_check -s exit:0 jexec two ifconfig ${eptwo}b up + atf_check -s exit:0 jexec two ifconfig \ + ${eptwo}b.5 create vlanproto 802.1ad up + atf_check -s exit:0 jexec two ifconfig \ + ${eptwo}b.5.10 create inet 192.0.2.2/24 up bridge=$(vnet_mkbridge) - ifconfig ${bridge} up - ifconfig ${epone}a up - ifconfig ${eptwo}a up - ifconfig ${bridge} addm ${epone}a vlanfilter ${epone}a - ifconfig ${bridge} addm ${eptwo}a vlanfilter ${eptwo}a + atf_check -s exit:0 ifconfig ${bridge} vlanfilter defqinq up + atf_check -s exit:0 ifconfig ${epone}a up + atf_check -s exit:0 ifconfig ${eptwo}a up + atf_check -s exit:0 ifconfig ${bridge} addm ${epone}a + atf_check -s exit:0 ifconfig ${bridge} addm ${eptwo}a # Right now there are no VLANs on the access list, so everything # should be blocked. @@ -1290,10 +1287,16 @@ vlan_qinq_body() atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 # Add the provider tag to the access list; now traffic should be passed. - ifconfig ${bridge} +tagged ${epone}a 5 - ifconfig ${bridge} +tagged ${eptwo}a 5 + atf_check -s exit:0 ifconfig ${bridge} +iftagged ${epone}a 5 + atf_check -s exit:0 ifconfig ${bridge} +iftagged ${eptwo}a 5 atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + # Remove the qinq flag from one of the interfaces; traffic should + # be blocked again. + atf_check -s exit:0 ifconfig ${bridge} -qinq ${epone}a + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 } vlan_qinq_cleanup() @@ -1401,7 +1404,7 @@ atf_init_test_cases() atf_add_test_case "vlan_pvid_filtered" atf_add_test_case "vlan_pvid_tagged" atf_add_test_case "vlan_filtering" - atf_add_test_case "vlan_ifconfig_tagged" + atf_add_test_case "vlan_ifconfig_iftagged" atf_add_test_case "vlan_svi" atf_add_test_case "vlan_qinq" atf_add_test_case "vlan_defuntagged" diff --git a/tests/sys/net/if_gif.sh b/tests/sys/net/if_gif.sh index 5c7278d17e8f..bff88f9e75b6 100644 --- a/tests/sys/net/if_gif.sh +++ b/tests/sys/net/if_gif.sh @@ -202,10 +202,164 @@ atf_test_case "6in6" "cleanup" vnet_cleanup } +atf_test_case "etherip" "cleanup" +etherip_head() +{ + atf_set descr 'EtherIP regression' + atf_set require.user root +} + +etherip_body() +{ + vnet_init + vnet_init_bridge + + if ! kldstat -q -m if_gif; then + atf_skip "This test requires if_gif" + fi + + epair=$(vnet_mkepair) + + vnet_mkjail one ${epair}a + gone=$(jexec one ifconfig gif create) + jexec one ifconfig ${epair}a 192.0.2.1/24 up + jexec one ifconfig $gone tunnel 192.0.2.1 192.0.2.2 + jexec one ifconfig $gone 198.51.100.1/24 198.51.100.2 up + jexec one ifconfig $gone inet6 no_dad 2001:db8:1::1/64 + + bone=$(jexec one ifconfig bridge create) + jexec one ifconfig $bone addm $gone + jexec one ifconfig $bone 192.168.169.253/24 up + jexec one ifconfig $bone inet6 no_dad 2001:db8:2::1/64 + + vnet_mkjail two ${epair}b + gtwo=$(jexec two ifconfig gif create) + jexec two ifconfig ${epair}b 192.0.2.2/24 up + jexec two ifconfig $gtwo tunnel 192.0.2.2 192.0.2.1 + jexec two ifconfig $gtwo 198.51.100.2/24 198.51.100.1 up + jexec two ifconfig $gtwo inet6 no_dad 2001:db8:1::2/64 + + btwo=$(jexec two ifconfig bridge create) + jexec two ifconfig $btwo addm $gtwo + jexec two ifconfig $btwo 192.168.169.254/24 up + jexec two ifconfig $btwo inet6 no_dad 2001:db8:2::2/64 + + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec one ping -c 1 192.0.2.2 + + # EtherIP tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -c 1 192.168.169.254 + atf_check -s exit:0 -o ignore \ + jexec one ping -6 -c 1 2001:db8:2::2 + atf_check -s exit:0 -o ignore \ + jexec two ping -c 1 192.168.169.253 + atf_check -s exit:0 -o ignore \ + jexec two ping -6 -c 1 2001:db8:2::1 + + # EtherIP should not affect normal IPv[46] over IPv4 tunnel + # See bugzilla PR 227450 + # IPv4 in IPv4 Tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore \ + jexec two ping -c 1 198.51.100.1 + + # IPv6 in IPv4 tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -6 -c 1 2001:db8:1::2 + atf_check -s exit:0 -o ignore \ + jexec two ping -6 -c 1 2001:db8:1::1 +} + +etherip_cleanup() +{ + vnet_cleanup +} + +atf_test_case "etherip6" "cleanup" +etherip6_head() +{ + atf_set descr 'EtherIP over IPv6 regression' + atf_set require.user root +} + +etherip6_body() +{ + vnet_init + vnet_init_bridge + + if ! kldstat -q -m if_gif; then + atf_skip "This test requires if_gif" + fi + + epair=$(vnet_mkepair) + + vnet_mkjail one ${epair}a + gone=$(jexec one ifconfig gif create) + jexec one ifconfig ${epair}a inet6 no_dad 2001:db8::1/64 up + jexec one ifconfig $gone inet6 tunnel 2001:db8::1 2001:db8::2 + jexec one ifconfig $gone 198.51.100.1/24 198.51.100.2 up + jexec one ifconfig $gone inet6 no_dad 2001:db8:1::1/64 + + bone=$(jexec one ifconfig bridge create) + jexec one ifconfig $bone addm $gone + jexec one ifconfig $bone 192.168.169.253/24 up + jexec one ifconfig $bone inet6 no_dad 2001:db8:2::1/64 + + vnet_mkjail two ${epair}b + gtwo=$(jexec two ifconfig gif create) + jexec two ifconfig ${epair}b inet6 no_dad 2001:db8::2/64 up + jexec two ifconfig $gtwo inet6 tunnel 2001:db8::2 2001:db8::1 + jexec two ifconfig $gtwo 198.51.100.2/24 198.51.100.1 up + jexec two ifconfig $gtwo inet6 no_dad 2001:db8:1::2/64 + + btwo=$(jexec two ifconfig bridge create) + jexec two ifconfig $btwo addm $gtwo + jexec two ifconfig $btwo 192.168.169.254/24 up + jexec two ifconfig $btwo inet6 no_dad 2001:db8:2::2/64 + + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec one ping -6 -c 1 2001:db8::2 + + # EtherIP tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -c 1 192.168.169.254 + atf_check -s exit:0 -o ignore \ + jexec one ping -6 -c 1 2001:db8:2::2 + atf_check -s exit:0 -o ignore \ + jexec two ping -c 1 192.168.169.253 + atf_check -s exit:0 -o ignore \ + jexec two ping -6 -c 1 2001:db8:2::1 + + # EtherIP should not affect normal IPv[46] over IPv6 tunnel + # See bugzilla PR 227450 + # IPv4 in IPv6 Tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore \ + jexec two ping -c 1 198.51.100.1 + + # IPv6 in IPv6 tunnel test + atf_check -s exit:0 -o ignore \ + jexec one ping -6 -c 1 2001:db8:1::2 + atf_check -s exit:0 -o ignore \ + jexec two ping -6 -c 1 2001:db8:1::1 +} + +etherip6_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "4in4" atf_add_test_case "6in4" atf_add_test_case "4in6" atf_add_test_case "6in6" + atf_add_test_case "etherip" + atf_add_test_case "etherip6" } diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile index 404d5adfb07a..616ffe560b3a 100644 --- a/tests/sys/netpfil/pf/Makefile +++ b/tests/sys/netpfil/pf/Makefile @@ -55,6 +55,7 @@ ATF_TESTS_SH+= altq \ tcp \ tos +ATF_TESTS_PYTEST+= frag4.py ATF_TESTS_PYTEST+= frag6.py ATF_TESTS_PYTEST+= header.py ATF_TESTS_PYTEST+= icmp.py diff --git a/tests/sys/netpfil/pf/frag4.py b/tests/sys/netpfil/pf/frag4.py new file mode 100644 index 000000000000..3303d2ee7780 --- /dev/null +++ b/tests/sys/netpfil/pf/frag4.py @@ -0,0 +1,72 @@ +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright (c) 2025 Rubicon Communications, LLC (Netgate) +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +import pytest +from utils import DelayedSend +from atf_python.sys.net.tools import ToolsHelper +from atf_python.sys.net.vnet import VnetTestTemplate + +class TestFrag4_NoReassemble(VnetTestTemplate): + REQUIRED_MODULES = [ "pf" ] + TOPOLOGY = { + "vnet1": {"ifaces": ["if1"]}, + "vnet2": {"ifaces": ["if1", "if2"]}, + "vnet3": {"ifaces": ["if2"]}, + "if1": {"prefixes4": [("192.0.2.1/24", "192.0.2.2/24")]}, + "if2": {"prefixes4": [("198.51.100.1/24", "198.51.100.2/24")]}, + } + + def vnet2_handler(self, vnet): + outifname = vnet.iface_alias_map["if2"].name + + ToolsHelper.print_output("/sbin/pfctl -e") + ToolsHelper.pf_rules([ + "set reassemble no", + "nat on %s from 192.0.2.0/24 to any -> (%s)" % (outifname, outifname), + "pass out" + ]) + + ToolsHelper.print_output("/sbin/sysctl net.inet.ip.forwarding=1") + + def vnet3_handler(self, vnet): + # We deliberately don't set the default gateway here, so if we get a + # reply from this we know we did NAT in vnet2 + pass + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_udp_frag(self): + ToolsHelper.print_output("/sbin/route add default 192.0.2.2") + ToolsHelper.print_output("/sbin/ping -c 3 198.51.100.2") + + # Import in the correct vnet, so at to not confuse Scapy + import scapy.all as sp + + pkt = sp.IP(dst="198.51.100.2", frag=123) \ + / sp.UDP(dport=12345, sport=54321) + reply = sp.sr1(pkt, timeout=3) + # We don't expect a reply + assert not reply diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py index 0908c90c34a0..705de72f5bc4 100644 --- a/tests/sys/netpfil/pf/nat64.py +++ b/tests/sys/netpfil/pf/nat64.py @@ -96,8 +96,10 @@ class TestNAT64(VnetTestTemplate): ToolsHelper.print_output("/sbin/route add default 192.0.2.2") ToolsHelper.print_output("/sbin/pfctl -e") ToolsHelper.pf_rules([ - "pass inet6 proto icmp6", - "pass in on %s inet6 af-to inet from 192.0.2.1" % ifname]) + "block", + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }", + "pass in on %s inet6 af-to inet from 192.0.2.1" % ifname, + ]) vnet.pipe.send(socket.if_nametoindex("pflog0")) diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh index da95a7bf9893..4438ad6abb85 100644 --- a/tests/sys/netpfil/pf/nat64.sh +++ b/tests/sys/netpfil/pf/nat64.sh @@ -55,15 +55,19 @@ nat64_setup_base() nat64_setup_in() { + state_policy="${1:-if-bound}" nat64_setup_base pft_set_rules rtr \ "set reassemble yes" \ - "set state-policy if-bound" \ + "set state-policy ${state_policy}" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" } nat64_setup_out() { + state_policy="${1:-if-bound}" nat64_setup_base jexec rtr sysctl net.inet6.ip6.forwarding=1 # AF translation happens post-routing, traffic must be directed @@ -72,11 +76,11 @@ nat64_setup_out() jexec rtr route add -inet6 64:ff9b::/96 -iface ${epair_link}a; pft_set_rules rtr \ "set reassemble yes" \ - "set state-policy if-bound" \ - "pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ - "pass in quick on ${epair}b from any to 64:ff9b::/96" \ - "pass out quick on ${epair_link}a from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" \ - "block" + "set state-policy ${state_policy}" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair}b from any to 64:ff9b::/96" \ + "pass out on ${epair_link}a from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" } atf_test_case "icmp_echo_in" "cleanup" @@ -185,14 +189,14 @@ fragmentation_out_cleanup() pft_cleanup } -atf_test_case "tcp_in" "cleanup" -tcp_in_head() +atf_test_case "tcp_in_if_bound" "cleanup" +tcp_in_if_bound_head() { - atf_set descr 'TCP NAT64 test on inbound interface' + atf_set descr 'TCP NAT64 test on inbound interface, if-bound states' atf_set require.user root } -tcp_in_body() +tcp_in_if_bound_body() { nat64_setup_in @@ -200,7 +204,7 @@ tcp_in_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -208,21 +212,32 @@ tcp_in_body() echo "rcv=${rcv}" atf_fail "Failed to connect to TCP server" fi + + # Interfaces of the state are reversed when doing inbound NAT64! + # FIXME: Packets counters seem wrong! + states=$(mktemp) || exit 1 + jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + for state_regexp in \ + "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + ; do + grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" + done + [ $(cat $states | grep tcp | wc -l) -eq 1 ] || atf_fail "Not exactly 1 state found!" } -tcp_in_cleanup() +tcp_in_if_bound_cleanup() { pft_cleanup } -atf_test_case "tcp_out" "cleanup" -tcp_out_head() +atf_test_case "tcp_out_if_bound" "cleanup" +tcp_out_if_bound_head() { - atf_set descr 'TCP NAT64 test on outbound interface' + atf_set descr 'TCP NAT64 test on outbound interface, if-bound states' atf_set require.user root } -tcp_out_body() +tcp_out_if_bound_body() { nat64_setup_out @@ -230,7 +245,7 @@ tcp_out_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -238,9 +253,102 @@ tcp_out_body() echo "rcv=${rcv}" atf_fail "Failed to connect to TCP server" fi + + # Origif is not printed when identical as if. + states=$(mktemp) || exit 1 + jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + for state_regexp in \ + "${epair}b tcp 64:ff9b::c000:202\[1234\] <- 2001:db8::2\[[0-9]+\] .* 5:4 pkts.* rule 3 .*creatorid" \ + "${epair_link}a tcp 192.0.2.1:[0-9]+ \(64:ff9b::c000:202\[1234\]\) -> 192.0.2.2:1234 \(2001:db8::2\[[0-9]+\]\).* 5:4 pkts.* rule 4 .*creatorid" \ + ; do + grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" + done + [ $(cat $states | grep tcp | wc -l) -eq 2 ] || atf_fail "Not exactly 2 states found!" } -tcp_out_cleanup() +tcp_out_if_bound_cleanup() +{ + pft_cleanup +} + +atf_test_case "tcp_in_floating" "cleanup" +tcp_in_floating_head() +{ + atf_set descr 'TCP NAT64 test on inbound interface, floating states' + atf_set require.user root +} + +tcp_in_floating_body() +{ + nat64_setup_in "floating" + + echo "foo" | jexec dst nc -l 1234 & + + # Sanity check & delay for nc startup + atf_check -s exit:0 -o ignore \ + ping6 -c 3 64:ff9b::192.0.2.2 + + rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234) + if [ "${rcv}" != "foo" ]; + then + echo "rcv=${rcv}" + atf_fail "Failed to connect to TCP server" + fi + + # Interfaces of the state are reversed when doing inbound NAT64! + # FIXME: Packets counters seem wrong! + states=$(mktemp) || exit 1 + jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + for state_regexp in \ + "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + ; do + grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" + done + [ $(cat $states | grep tcp | wc -l) -eq 1 ] || atf_fail "Not exactly 1 state found!" +} + +tcp_in_floating_cleanup() +{ + pft_cleanup +} + +atf_test_case "tcp_out_floating" "cleanup" +tcp_out_floating_head() +{ + atf_set descr 'TCP NAT64 test on outbound interface, floating states' + atf_set require.user root +} + +tcp_out_floating_body() +{ + nat64_setup_out "floating" + + echo "foo" | jexec dst nc -l 1234 & + + # Sanity check & delay for nc startup + atf_check -s exit:0 -o ignore \ + ping6 -c 3 64:ff9b::192.0.2.2 + + rcv=$(nc -w 3 -6 64:ff9b::c000:202 1234) + if [ "${rcv}" != "foo" ]; + then + echo "rcv=${rcv}" + atf_fail "Failed to connect to TCP server" + fi + + # Origif is not printed when identical as if. + states=$(mktemp) || exit 1 + jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + for state_regexp in \ + "all tcp 64:ff9b::c000:202\[1234\] <- 2001:db8::2\[[0-9]+\] .* 5:4 pkts,.* rule 3 .*creatorid"\ + "all tcp 192.0.2.1:[0-9]+ \(64:ff9b::c000:202\[1234\]\) -> 192.0.2.2:1234 \(2001:db8::2\[[0-9]+\]\) .* 5:4 pkts,.* rule 4 .*creatorid"\ + ; do + grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" + done + [ $(cat $states | grep tcp | wc -l) -eq 2 ] || atf_fail "Not exactly 2 states found!" +} + +tcp_out_floating_cleanup() { pft_cleanup } @@ -260,7 +368,7 @@ udp_in_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(echo bar | nc -w 3 -6 -u 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -290,7 +398,7 @@ udp_out_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(echo bar | nc -w 3 -6 -u 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -323,7 +431,7 @@ sctp_in_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(echo bar | nc --sctp -w 3 -6 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -356,7 +464,7 @@ sctp_out_body() # Sanity check & delay for nc startup atf_check -s exit:0 -o ignore \ - ping6 -c 1 64:ff9b::192.0.2.2 + ping6 -c 3 64:ff9b::192.0.2.2 rcv=$(echo bar | nc --sctp -w 3 -6 64:ff9b::c000:202 1234) if [ "${rcv}" != "foo" ]; @@ -433,7 +541,9 @@ no_v4_body() jexec rtr pfctl -e pft_set_rules rtr \ - "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" \ atf_check -s exit:2 -o ignore \ ping6 -c 3 64:ff9b::192.0.2.2 @@ -484,7 +594,9 @@ range_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ - "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.2/31 round-robin" + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ + "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.2/31 round-robin" \ # Use pf to count sources jexec dst pfctl -e @@ -545,6 +657,8 @@ pool_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from { 192.0.2.1, 192.0.2.3, 192.0.2.4 } round-robin" # Use pf to count sources @@ -642,6 +756,8 @@ table_range_body() "set reassemble yes" \ "set state-policy if-bound" \ "table <wanaddrs> { 192.0.2.2/31 }" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from <wanaddrs> round-robin" # Use pf to count sources @@ -699,6 +815,8 @@ table_common_body() "set reassemble yes" \ "set state-policy if-bound" \ "table <wanaddrs> { 192.0.2.1, 192.0.2.3, 192.0.2.4 }" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from <wanaddrs> ${pool_type}" # Use pf to count sources @@ -798,6 +916,8 @@ dummynet_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 dnpipe 1 af-to inet from (${epair_link}a)" # The ping request will pass, but take 1.2 seconds (.6 in, .6 out) @@ -860,6 +980,8 @@ gateway6_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair_lan_link}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" # One ping @@ -912,6 +1034,8 @@ route_to_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b route-to (${epair_link}a 192.0.2.2) inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" atf_check -s exit:0 -o ignore \ @@ -965,6 +1089,8 @@ reply_to_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair}b reply-to (${epair}b 2001:db8::2) inet6 from any to 64:ff9b::/96 af-to inet from 192.0.2.1" atf_check -s exit:0 -o ignore \ @@ -1024,6 +1150,8 @@ v6_gateway_body() pft_set_rules rtr \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair_lan}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_wan_one}a)" atf_check -s exit:0 -o ignore \ @@ -1043,8 +1171,10 @@ atf_init_test_cases() atf_add_test_case "icmp_echo_out" atf_add_test_case "fragmentation_in" atf_add_test_case "fragmentation_out" - atf_add_test_case "tcp_in" - atf_add_test_case "tcp_out" + atf_add_test_case "tcp_in_if_bound" + atf_add_test_case "tcp_out_if_bound" + atf_add_test_case "tcp_in_floating" + atf_add_test_case "tcp_out_floating" atf_add_test_case "udp_in" atf_add_test_case "udp_out" atf_add_test_case "sctp_in" diff --git a/tests/sys/netpfil/pf/sctp.py b/tests/sys/netpfil/pf/sctp.py index da42ce527195..f492f26b63a1 100644 --- a/tests/sys/netpfil/pf/sctp.py +++ b/tests/sys/netpfil/pf/sctp.py @@ -271,6 +271,9 @@ class TestSCTP(VnetTestTemplate): "pass inet proto sctp to 192.0.2.0/24", "pass on lo"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234) client.send(b"hello", 0) @@ -309,6 +312,9 @@ class TestSCTP(VnetTestTemplate): "pass on lo", "pass inet proto sctp from 192.0.2.0/24"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234, "192.0.2.1") client.send(b"hello", 0) @@ -379,6 +385,9 @@ class TestSCTP(VnetTestTemplate): "pass on lo", "pass inet proto sctp to 192.0.2.0/24"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234) client.send(b"hello", 0) @@ -410,6 +419,9 @@ class TestSCTP(VnetTestTemplate): "pass on lo", "pass inet proto sctp to 192.0.2.0/24"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234) client.send(b"hello", 0) @@ -440,6 +452,9 @@ class TestSCTP(VnetTestTemplate): "pass on lo", "pass inet proto sctp to 192.0.2.0/24"]) + # Give the server some time to come up + time.sleep(3) + # Set up a connection, which will try to create states for all addresses # we have assigned client = SCTPClient("192.0.2.3", 1234) @@ -464,6 +479,9 @@ class TestSCTP(VnetTestTemplate): "pass inet proto sctp to 192.0.2.3", "pass on lo"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234) client.send(b"hello", 0) @@ -502,6 +520,9 @@ class TestSCTP(VnetTestTemplate): "pass inet proto sctp to 192.0.2.3 keep state (allow-related)", "pass on lo"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("192.0.2.3", 1234) client.send(b"hello", 0) @@ -558,6 +579,9 @@ class TestSCTPv6(VnetTestTemplate): "pass on lo", "pass inet6 proto sctp to 2001:db8::0/64"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("2001:db8::3", 1234) client.send(b"hello", 0) @@ -596,6 +620,9 @@ class TestSCTPv6(VnetTestTemplate): "pass on lo", "pass inet6 proto sctp from 2001:db8::/64"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("2001:db8::3", 1234, "2001:db8::1") client.send(b"hello", 0) @@ -665,6 +692,9 @@ class TestSCTPv6(VnetTestTemplate): "pass on lo", "pass inet6 proto sctp to 2001:db8::0/64"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("2001:db8::3", 1234) client.send(b"hello", 0) @@ -696,6 +726,9 @@ class TestSCTPv6(VnetTestTemplate): "pass on lo", "pass inet6 proto sctp to 2001:db8::0/64"]) + # Give the server some time to come up + time.sleep(3) + # Sanity check, we can communicate with the primary address. client = SCTPClient("2001:db8::3", 1234) client.send(b"hello", 0) diff --git a/tests/sys/netpfil/pf/src_track.sh b/tests/sys/netpfil/pf/src_track.sh index 68e7e72f5018..ae60a5df809b 100755 --- a/tests/sys/netpfil/pf/src_track.sh +++ b/tests/sys/netpfil/pf/src_track.sh @@ -523,6 +523,8 @@ mixed_af_body() pft_set_rules router \ "set reassemble yes" \ "set state-policy if-bound" \ + "block" \ + "pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \ "pass in on ${epair_tester}b \ route-to { (${epair_server1}a ${net_server1_4_host_server}) \ } sticky-address \ diff --git a/tests/sys/netpfil/pf/table.sh b/tests/sys/netpfil/pf/table.sh index 5e5fccdaca20..c773518e95e4 100644 --- a/tests/sys/netpfil/pf/table.sh +++ b/tests/sys/netpfil/pf/table.sh @@ -610,6 +610,47 @@ flush_cleanup() pft_cleanup } +atf_test_case "large" "cleanup" +large_head() +{ + atf_set descr 'Test loading a large list of addresses' + atf_set require.user root +} + +large_body() +{ + pft_init + pwd=$(pwd) + + vnet_mkjail alcatraz + + for i in `seq 1 255`; do + for j in `seq 1 255`; do + echo "1.2.${i}.${j}" >> ${pwd}/foo.lst + done + done + expected=$(wc -l foo.lst | awk '{ print $1; }') + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "table <foo>" \ + "pass in from <foo>" \ + "pass" + + atf_check -s exit:0 \ + -e match:"${expected}/${expected} addresses added." \ + jexec alcatraz pfctl -t foo -T add -f ${pwd}/foo.lst + actual=$(jexec alcatraz pfctl -t foo -T show | wc -l | awk '{ print $1; }') + if [[ $actual -ne $expected ]]; then + atf_fail "Unexpected number of table entries $expected $acual" + fi +} + +large_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4_counters" @@ -625,4 +666,5 @@ atf_init_test_cases() atf_add_test_case "precreate" atf_add_test_case "anchor" atf_add_test_case "flush" + atf_add_test_case "large" } |