Commit Graph

32 Commits

Author SHA1 Message Date
Kristof Provost
08851be187 ndp tests: fix cleanup
Fix the cleanup function name so we actually remove our test jail and
interfaces.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-12-13 18:14:59 +01:00
Kristof Provost
a26e895f3d tests: Only log critical errors from scapy
Since 2.4.5 scapy started issuing warnings about a few different
configurations during our tests. These are harmless, but they generate
stderr output, which upsets atf_check.

Configure scapy to only log critical errors (and thus not warnings) to
fix these tests.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-05-12 20:54:30 +02:00
Kristof Provost
80430c15ca netinet6 tests: Fix Python warning
Python 3.8 warns about line 112:
    'SyntaxWarning: "is" with a literal. Did you mean "=="?'

Use '==' as Python suggests.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-05-11 17:10:42 +02:00
Alexander V. Chernikov
f17f94cd1b Add arp/ndp tests in addition to rtsock ll tests. 2021-02-20 18:26:36 +00:00
Alan Somers
01f3f35447 ping: fix some man pages and tests after r368045
MFC-with:	r368045
2020-11-26 04:55:02 +00:00
Alexander V. Chernikov
a3525bd166 Try to enable multipath routing in flowid tests. 2020-10-16 21:51:17 +00:00
Alexander V. Chernikov
4a8c6300e9 Use atf_fail instead of exit 1 to indicate mpath tests failure. 2020-09-18 07:27:01 +00:00
Alexander V. Chernikov
99efb80d00 Add basic test for net.fibs dynamic growth.
Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D26382
2020-09-10 19:25:51 +00:00
Alexander V. Chernikov
eddfb2e86f Fix IPv6 regression introduced by r362900.
PR:		kern/247729
2020-07-03 08:06:26 +00:00
Li-Wen Hsu
2749666d01 Temporarily skip sys.netinet6.redirect.valid_redirect in CI
PR:		247729
Sponsored by:	The FreeBSD Foundation
2020-07-03 02:02:34 +00:00
Shteryana Shopova
a7a64b722b Proper check if divert(4) module is present by the relevant tests
Fix the netinet/netinet6 divert tests falsely reporting 'ipdivert module is
not loaded' when the divert module is built into the kernel

Sponsored by:	Axiado
Differential Revision:	https://reviews.freebsd.org/D25026
2020-05-27 16:33:00 +00:00
Edward Tomasz Napierala
b43bd1070c Make sys.netinet.output and sys.netinet6.output6 tests depend on python;
they need to be able to run net_receiver.py.

MFC after:	2 weeks
Sponsored by:	DARPA
2020-05-19 21:48:45 +00:00
Alexander V. Chernikov
768c98a737 Add basic routing LPM tests.
Differential Revision:	https://reviews.freebsd.org/D24684
2020-05-06 07:48:37 +00:00
Alexander V. Chernikov
b4a4a3b82f Add tests verifying IPv4/IPv6 output for TCP/UDP/raw paths.
Reviewed by:	kp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24138
2020-03-23 12:21:32 +00:00
Alexander V. Chernikov
d7cdd89777 Add basic IPv4/IPv6 forwarding tests.
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24002
2020-03-10 19:52:19 +00:00
Alexander V. Chernikov
ea2773323c Fix dynamic redrects by adding forgotten RTF_HOST flag.
Improve tests to verify the generated route flags.

Reported by:	jtl
MFC after:	2 weeks
2020-03-03 15:33:43 +00:00
Li-Wen Hsu
314ef80dc4 Temporarily skip flakey test case sys.netinet6.frag6.frag6_07.frag6_07 in CI
PR:		244170
Sponsored by:	The FreeBSD Foundation
2020-02-16 17:36:16 +00:00
Alexander V. Chernikov
2207447bf4 Add basic IPDIVERT tests.
Reviewed by:	lwhsu,kp
Differential Revision:	https://reviews.freebsd.org/D23316
2020-02-14 09:36:35 +00:00
Alexander V. Chernikov
34a5582c47 Bring back redirect route expiration.
Redirect (and temporal) route expiration was broken a while ago.
This change brings route expiration back, with unified IPv4/IPv6 handling code.

It introduces net.inet.icmp.redirtimeout sysctl, allowing to set
 an expiration time for redirected routes. It defaults to 10 minutes,
 analogues with net.inet6.icmp6.redirtimeout.

Implementation uses separate file, route_temporal.c, as route.c is already
 bloated with tons of different functions.
Internally, expiration is implemented as an per-rnh callout scheduled when
 route with non-zero rt_expire time is added or rt_expire is changed.
 It does not add any overhead when no temporal routes are present.

Callout traverses entire routing tree under wlock, scheduling expired routes
 for deletion and calculating the next time it needs to be run. The rationale
 for such implemention is the following: typically workloads requiring large
 amount of routes have redirects turned off already, while the systems with
 small amount of routes will not inhibit large overhead during tree traversal.

This changes also fixes netstat -rn display of route expiration time, which
 has been broken since the conversion from kread() to sysctl.

Reviewed by:	bz
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D23075
2020-01-22 13:53:18 +00:00
Bjoern A. Zeeb
32af08ecad icmpv6: Fix mbuf change in mld
After r354748 mld_input() can change the mbuf.  The new pointer
is never returned to icmp6_input() and when passed to
icmp6_rip6_input() the mbuf may no longer valid leading to
a panic.
Pass a pointer to the mbuf to mld_input() so we can return an
updated version in the non-error case.

Add a test sending an MLD packet case which will trigger this bug.

Pointyhat to:	bz
Reported by:	gallatin, thj
MFC After:	2 weeks
X-MFC with:	r354748
Sponsored by:	Netflix
2019-11-18 21:59:47 +00:00
Bjoern A. Zeeb
20241072c8 ipv6 tests
Add a simple ping6 test as well.

MFC after:	2 weeks
Sponsored by:	Netflix
2019-11-18 21:54:29 +00:00
Li-Wen Hsu
09bc401f9d Reenable netinet6 and netpfil tests on i386, net/scapy 2.4.3_2 contains the fix
PR:		239380
Sponsored by:	The FreeBSD Foundation
2019-11-08 18:56:02 +00:00
Bjoern A. Zeeb
c1131de6f1 frag6: properly handle atomic fragments according to RFCs.
RFC 8200 says:
	"If the fragment is a whole datagram (that is, both the Fragment
         Offset field and the M flag are zero), then it does not need
         any further reassembly and should be processed as a fully
         reassembled packet (i.e., updating Next Header, adjust Payload
         Length, removing the Fragment header, etc.).  .."

That means we should remove the fragment header and make all the adjustments
rather than just skipping over the fragment header.  The difference should
be noticeable in that a properly handled atomic fragment triggering an ICMPv6
message at an upper layer (e.g. dest unreach, unreachable port) will not
include the fragment header.

Update the test cases to also test for an unfragmentable part.  That is
needed so that the next header is properly updated (not just lengths).

MFC after:	3 weeks
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D22155
2019-11-08 14:36:44 +00:00
Bjoern A. Zeeb
ed91ae7fe6 IPv6 tests: test case for scapy bpf parsing bug
PR:		239380
Reported by:	lwhsu, CI system
MFC after:	3 weeks
Sponsored by:	Netflix
2019-11-06 14:43:35 +00:00
Bjoern A. Zeeb
f21d32079f ipv6 tests: cleanup
Remove mentions of fragmentation tests from extension header test.
Remove setting an MTU > IF_MAXMTU from the test cases to avoid warnings;
this was only possible in a local research tree.

MFC after:		2 weeks
Sponsored by:		Netflix
2019-11-06 14:30:56 +00:00
Li-Wen Hsu
b0460c4c22 Temporarily disable sys.netinet6.exthdr on i386
PR:		241493
Sponsored by:	The FreeBSD Foundation
2019-11-05 17:49:15 +00:00
Bjoern A. Zeeb
1e19cdbbbf ip6 tests: Add very simplistic extension header tests
Add a simple test case which can exercise some of the IPv6 extension
header code paths.  At the moment only a small set of extension headers
is implemented and no options to the ones which take them.
Also implements a "bad" case to make sure that error handling works.

The tests were used to test m_pullup() changes to the code paths while
removing the KAME PULLDOWN_TEST cases and related macros.

MFC after:	3 weeks
Sponsored by:	Netflix
2019-11-05 10:59:33 +00:00
Bjoern A. Zeeb
cc07e75f30 frag6 tests: set end to catch timeout as error
There are times when we have to wait for reply packets.  There are
either an ICMPv6 (error) reply or the expiration timeout.
In these cases synchonous ICMPv6 replies should arrive, always,
unless the packet is lost.  Due to errors experienced with the
test software sending an invlaid request on at least i386 (*) these
packets are not generated.  That means we are waiting for a long time
for the replies or even timeout the test case.

Manually set the "End" flag on these test cases as well, so they do
fail rather than timeout as the sniffer timeout happens.  This improves
debugging options, reflects the error properly, and saves time on each
test suit run.

(*) The real cause for that is still to be found (see the referenced PRs)

PR:			241493, 239380
MFC after:		2 weeks
Sponsored by:		Netflix
2019-11-05 10:53:55 +00:00
Bjoern A. Zeeb
c0750d9d04 frag6-test: update for r354046, conform to 8200 for overlapping fragments
The change to conform to RFC 8200 for overlapping fragments now frees
the entire reassembly queue if the overlapping fragments are not an
exact match.
As a result we do see one less packet in the timeout statistics from
expiry.  No other statistics change as the event is not counted.
It can be argued that we should improve the statistics counters in
that case.
This test case update should have been committed alongside the original
commit.

Pointyhat to:	bz
MFC after:	3 weeks
X-MFC with:	r354046
Sponsored by:	Netflix
2019-10-25 17:41:08 +00:00
Bjoern A. Zeeb
619456bb59 frag6: prevent overwriting initial fragoff=0 packet meta-data.
When we receive the packet with the first fragmented part (fragoff=0)
we remember the length of the unfragmentable part and the next header
(and should probably also remember ECN) as meta-data on the reassembly
queue.
Someone replying this packet so far could change these 2 (3) values.
While changing the next header seems more severe, for a full size
fragmented UDP packet, for example, adding an extension header to the
unfragmentable part would go unnoticed (as the framented part would be
considered an exact duplicate) but make reassembly fail.
So do not allow updating the meta-data after we have seen the first
fragmented part anymore.

The frag6_20 test case is added which failed before triggering an
ICMPv6 "param prob" due to the check for each queued fragment for
a max-size violation if a fragoff=0 packet was received.

MFC after:	3 weeks
Sponsored by:	Netflix
2019-10-24 22:07:45 +00:00
Bjoern A. Zeeb
4527b28baf frag6 test cases: check more counters, wait for expiry
When done with tests check that both the per-VNET and the global-fragmented-
packets-in-system counters are zero to make sure we do not leak counters or
queue entries.

This implies that for all test cases we either have to check for the ICMPv6
packet sent in case of TLL=0 expiry (if it is sent) or sleep at least long
enough for the TTL to expire for all packets (e.g., fragments where we do not
have the off=0 packet).

This also means that statistics are now updated to include all the expired
packets.

There are cases when we do not check for counters to be zero and this is
when testing VNET teardown to behave properly and not panic, when we are
intentionally leaving fragments in the system.

MFC after:	3 weeks
Sponsored by:	Netflix
2019-10-24 20:08:33 +00:00
Bjoern A. Zeeb
f74e6e494f frag6: import a set of test cases
In order to ensure that changing the frag6 code does not change behaviour
or break code a set of test cases were implemented.

Like some other test cases these use Scapy to generate packets and possibly
wait for expected answers.  In most cases we do check the global and
per interface (netstat) statistics output using the libxo output and grep
to validate fields and numbers.  This is a bit hackish but we currently have
no better way to match a selected number of stats only (we have to ignore
some of the ND6 variables; otherwise we could use the entire list).

Test cases include atomic fragments, single fragments, multi-fragments,
and try to cover most error cases in the code currently.
In addition vnet teardown is tested to not panic.

A separate set (not in-tree currently) of probes were used in order to
make sure that the test cases actually test what they should.

The "sniffer" code was copied and adjusted from the netpfil version
as we sometimes will not get packets or have longer timeouts to deal with.

Sponsored by:	Netflix
2019-10-21 09:33:45 +00:00