pf tests: pfsync bulk update test
Test that pfsync works as expected with bulk updates. That is, create some state before setting up the second firewall. Let that firewall request a bulk update so it can catch up, and check that it got the state which was created before it enable pfsync. PR: 254236 MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D29272
This commit is contained in:
Kristof Provost
parent
9f2e518417
commit
8ad7d25dfc
@ -112,8 +112,76 @@ defer_cleanup()
|
||||
pfsynct_cleanup
|
||||
}
|
||||
|
||||
atf_test_case "bulk" "cleanup"
|
||||
bulk_head()
|
||||
{
|
||||
atf_set descr 'Test bulk updates'
|
||||
atf_set require.user root
|
||||
}
|
||||
|
||||
bulk_body()
|
||||
{
|
||||
pfsynct_init
|
||||
|
||||
epair_sync=$(vnet_mkepair)
|
||||
epair_one=$(vnet_mkepair)
|
||||
epair_two=$(vnet_mkepair)
|
||||
|
||||
vnet_mkjail one ${epair_one}a ${epair_sync}a
|
||||
vnet_mkjail two ${epair_two}a ${epair_sync}b
|
||||
|
||||
# pfsync interface
|
||||
jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
|
||||
jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
|
||||
jexec one ifconfig pfsync0 \
|
||||
syncdev ${epair_sync}a \
|
||||
maxupd 1\
|
||||
up
|
||||
jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
|
||||
jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
|
||||
|
||||
# Enable pf
|
||||
jexec one pfctl -e
|
||||
pft_set_rules one \
|
||||
"set skip on ${epair_sync}a" \
|
||||
"pass keep state"
|
||||
jexec two pfctl -e
|
||||
pft_set_rules two \
|
||||
"set skip on ${epair_sync}b" \
|
||||
"pass keep state"
|
||||
|
||||
ifconfig ${epair_one}b 198.51.100.254/24 up
|
||||
|
||||
# Create state prior to setting up pfsync
|
||||
ping -c 1 -S 198.51.100.254 198.51.100.1
|
||||
|
||||
# Wait before setting up pfsync on two, so we don't accidentally catch
|
||||
# the update anyway.
|
||||
sleep 1
|
||||
|
||||
# Now set up pfsync in jail two
|
||||
jexec two ifconfig pfsync0 \
|
||||
syncdev ${epair_sync}b \
|
||||
up
|
||||
|
||||
# Give pfsync time to do its thing
|
||||
sleep 2
|
||||
|
||||
jexec two pfctl -s states
|
||||
if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
|
||||
grep 198.51.100.2 ; then
|
||||
atf_fail "state not found on synced host"
|
||||
fi
|
||||
}
|
||||
|
||||
bulk_cleanup()
|
||||
{
|
||||
pfsynct_cleanup
|
||||
}
|
||||
|
||||
atf_init_test_cases()
|
||||
{
|
||||
atf_add_test_case "basic"
|
||||
atf_add_test_case "defer"
|
||||
atf_add_test_case "bulk"
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user