From 6ab3ac5afaeea226f9e6db19adaf09d39104e356 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Fri, 2 Nov 2018 16:59:55 +0000
Subject: [PATCH] pf tests: Basic pfsync test

Set up two jails, configure pfsync between them and create state in one of them, verify that this state is copied to the other jail.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D17504
---
 tests/sys/netpfil/pf/Makefile | 3 +-
 tests/sys/netpfil/pf/pfsync.sh | 70 +++++++++++++++++++++++++++++++++
 tests/sys/netpfil/pf/utils.subr | 14 +++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100755 tests/sys/netpfil/pf/pfsync.sh

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 5477f2ed8bc4..d2b56bffd3dc 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -11,7 +11,8 @@ ATF_TESTS_SH+= pass_block \
 set_tos \
 route_to \
 synproxy \
- set_skip
+ set_skip \
+ pfsync
 
 ${PACKAGE}FILES+= utils.subr \
 echo_inetd.conf \
diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh
new file mode 100755
index 000000000000..c4e453274b67
--- /dev/null
+++ b/tests/sys/netpfil/pf/pfsync.sh
@@ -0,0 +1,70 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "basic" "cleanup"
+basic_head()
+{
+ atf_set descr 'Basic pfsync test'
+ atf_set require.user root
+
+ atf_set require.progs scapy
+}
+
+basic_body()
+{
+ pfsynct_init
+
+ epair_sync=$(pft_mkepair)
+ epair_one=$(pft_mkepair)
+ epair_two=$(pft_mkepair)
+
+ pft_mkjail one ${epair_one}a ${epair_sync}a
+ pft_mkjail two ${epair_two}a ${epair_sync}b
+
+ # pfsync interface
+ jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
+ jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
+ jexec one ifconfig pfsync0 \
+ syncdev ${epair_sync}a \
+ maxupd 1 \
+ up
+ jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
+ jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
+ jexec two ifconfig pfsync0 \
+ syncdev ${epair_sync}b \
+ maxupd 1 \
+ up
+
+ # Enable pf!
+ jexec one pfctl -e
+ pft_set_rules one \
+ "set skip on ${epair_sync}a" \
+ "pass keep state"
+ jexec two pfctl -e
+ pft_set_rules two \
+ "set skip on ${epair_sync}b" \
+ "pass keep state"
+
+ ifconfig ${epair_one}b 198.51.100.254/24 up
+
+ ping -c 1 -S 198.51.100.254 198.51.100.1
+
+ # Give pfsync time to do its thing
+ sleep 2
+
+ if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
+ grep 198.51.100.2 ; then
+ atf_fail "state not found on synced host"
+ fi
+}
+
+basic_cleanup()
+{
+ pfsynct_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "basic"
+}
diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr
index f2f28ed0c66a..8816a45ccffd 100644
--- a/tests/sys/netpfil/pf/utils.subr
+++ b/tests/sys/netpfil/pf/utils.subr
@@ -13,6 +13,15 @@ pft_init()
 fi
 }
 
+pfsynct_init()
+{
+ pft_init
+
+ if ! kldstat -q -m pfsync; then
+ atf_skip "This test requires pfsync"
+ fi
+}
+
 pft_mkepair()
 {
 ifname=$(ifconfig epair create)
@@ -67,3 +76,8 @@ pft_cleanup()
 rm created_interfaces.lst
 fi
 }
+
+pfsynct_cleanup()
+{
+ pft_cleanup
+}
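Review bot: The final state check in basic_body matches by substring rather than on the flow's real endpoints: the ping runs from 198.51.100.254 to 198.51.100.1, so `grep 198.51.100.2` presumably succeeds only because it is a prefix of 198.51.100.254 (and the unescaped dots match any character). Matching whole, literal addresses, e.g. `grep -Fw 198.51.100.1 | grep -Fw 198.51.100.254`, would stop an unrelated state from satisfying a test that is meant to prove firewall state replication. The `ping` result is also not asserted, so a connectivity failure is likely to be reported as the misleading "state not found on synced host"; `atf_check -s exit:0 -o ignore ping -c 1 -S 198.51.100.254 198.51.100.1` would fail at the right step. Separately, basic_head declares `require.progs scapy` although nothing in this file invokes scapy, and the fixed `sleep 2` makes the result timing-dependent where a short bounded retry around the pfctl check would not be.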