pf tests: Test the match keyword

The new match keyword can currently only assign queues, so we can only test it with ALTQ. Set up a basic scenario where we use 'match' to assign ICMP traffic to a slow queue, and confirm that it's really getting slowed down. MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31116
2021-03-02 16:57:27 +01:00 · 2021-03-02 16:57:27 +01:00 · d363ebc78c
commit d363ebc78c
parent ef950daa35
1 changed files with 45 additions and 0 deletions
--- a/tests/sys/netpfil/pf/altq.sh
+++ b/tests/sys/netpfil/pf/altq.sh
@ -42,8 +42,53 @@ hfsc_cleanup()
 	altq_cleanup
 }

+atf_test_case "match" "cleanup"
+match_head()
+{
+	atf_set descr 'Basic match keyword test'
+	atf_set require.user root
+}
+
+match_body()
+{
+	altq_init
+	is_altq_supported hfsc
+
+	epair=$(vnet_mkepair)
+	vnet_mkjail altq_match ${epair}b
+
+	ifconfig ${epair}a 192.0.2.1/24 up
+	jexec altq_match ifconfig ${epair}b 192.0.2.2/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -i .1 -c 3 -s 1200 192.0.2.2
+
+	jexec altq_match pfctl -e
+	pft_set_rules altq_match \
+	    "altq on ${epair}b bandwidth 100000000b hfsc queue { default, slow }" \
+	    "queue default hfsc(default linkshare 80000000b)" \
+	    "queue slow hfsc(linkshare 80b upperlimit 80b)" \
+	    "match proto icmp queue slow" \
+	    "pass"
+
+	# single ping succeeds just fine
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+	# "Saturate the link"
+	ping -i .1 -c 5 -s 1200 192.0.2.2
+
+	# We should now be hitting the limits and get this packet dropped.
+	atf_check -s exit:2 -o ignore ping -c 1 -s 1200 192.0.2.2
+}
+
+match_cleanup()
+{
+	altq_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "hfsc"
+	atf_add_test_case "match"
 }