pf tests: Test that 'set skip on <group>' works on new group members

There's a know issue where new group members don't get the 'set skip on' applied until the rules are re-loaded. Do this by setting rules that block all traffic, but skip members of the 'epair' group. If we can communicate over the epair interface we know the set skip rule took effect, even if the rule was set before the interface was created. MFC after: 2 weeks
2020-10-12 12:41:10 +00:00 · 2020-10-12 12:41:10 +00:00 · 7b56445c20
commit 7b56445c20
parent 8dde2795cd
1 changed files with 33 additions and 0 deletions
--- a/tests/sys/netpfil/pf/set_skip.sh
+++ b/tests/sys/netpfil/pf/set_skip.sh
@ -85,8 +85,41 @@ set_skip_group_lo_cleanup()
 	pft_cleanup
 }

+atf_test_case "set_skip_dynamic" "cleanup"
+set_skip_dynamic_head()
+{
+	atf_set descr "Cope with group changes"
+	atf_set require.user root
+}
+
+set_skip_dynamic_body()
+{
+	pft_init
+
+	set -x
+
+	vnet_mkjail alcatraz
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "set skip on epair" \
+		"block"
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a 192.0.2.2/24 up
+	ifconfig ${epair}b vnet alcatraz
+
+	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
+}
+
+set_skip_dynamic_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "set_skip_group"
 	atf_add_test_case "set_skip_group_lo"
+	atf_add_test_case "set_skip_dynamic"
 }