git: c39084799647 - stable/14 - wg tests: Add a simple regression test case for netmap support

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 20 May 2024 13:46:45 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c39084799647c0c085c6e3433a232c668d9447a9

commit c39084799647c0c085c6e3433a232c668d9447a9
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-20 16:01:53 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-05-20 13:42:46 +0000

    wg tests: Add a simple regression test case for netmap support
    
    MFC after:      1 month
    Sponsored by:   Klara, Inc.
    Sponsored by:   Zenarmor
    
    (cherry picked from commit c0f13232410cf881475d6e4dbd0ec28ab3476c59)
---
 tests/sys/net/Makefile |  6 +++-
 tests/sys/net/if_wg.sh | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+), 1 deletion(-)

diff --git a/tests/sys/net/Makefile b/tests/sys/net/Makefile
index 75596028688b..95ab86156a0a 100644
--- a/tests/sys/net/Makefile
+++ b/tests/sys/net/Makefile
@@ -1,4 +1,3 @@
-
 PACKAGE=	tests
 
 TESTSDIR=	${TESTSBASE}/sys/net
@@ -19,6 +18,11 @@ ATF_TESTS_SH+=	if_wg
 TESTS_SUBDIRS+=	if_ovpn
 TESTS_SUBDIRS+=	routing
 
+# The netmap bridge application is used by if_wg tests.
+.PATH:	${SRCTOP}/tools/tools/netmap
+PROGS+=		bridge
+LIBADD.bridge+=	netmap
+
 # The tests are written to be run in parallel, but doing so leads to random
 # panics.  I think it's because the kernel's list of interfaces isn't properly
 # locked.
diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh
index 1f2ea308853a..b43b40f25018 100644
--- a/tests/sys/net/if_wg.sh
+++ b/tests/sys/net/if_wg.sh
@@ -92,6 +92,97 @@ wg_basic_cleanup()
 	vnet_cleanup
 }
 
+atf_test_case "wg_basic_netmap" "cleanup"
+wg_basic_netmap_head()
+{
+	atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails with netmap'
+	atf_set require.user root
+}
+
+wg_basic_netmap_body()
+{
+	local epair pri1 pri2 pub1 pub2 wg1 wg2
+        local endpoint1 endpoint2 tunnel1 tunnel2 tunnel3 tunnel4
+	local pid status
+
+	kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
+	kldload -n netmap || atf_skip "This test requires netmap and could not load it"
+
+	pri1=$(wg genkey)
+	pri2=$(wg genkey)
+
+	endpoint1=192.168.2.1
+	endpoint2=192.168.2.2
+	tunnel1=192.168.3.1
+	tunnel2=192.168.3.2
+	tunnel3=192.168.3.3
+	tunnel4=192.168.3.4
+
+	epair=$(vnet_mkepair)
+
+	vnet_init
+
+	vnet_mkjail wgtest1 ${epair}a
+	vnet_mkjail wgtest2 ${epair}b
+
+	jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up
+	jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up
+
+	wg1=$(jexec wgtest1 ifconfig wg create)
+	echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \
+	    private-key /dev/stdin
+	pub1=$(jexec wgtest1 wg show $wg1 public-key)
+	wg2=$(jexec wgtest2 ifconfig wg create)
+	echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \
+	    private-key /dev/stdin
+	pub2=$(jexec wgtest2 wg show $wg2 public-key)
+
+	atf_check -s exit:0 -o ignore \
+	    jexec wgtest1 wg set $wg1 peer "$pub2" \
+	    endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32,${tunnel4}/32
+	atf_check -s exit:0 \
+	    jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up
+
+	atf_check -s exit:0 -o ignore \
+	    jexec wgtest2 wg set $wg2 peer "$pub1" \
+	    endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32,${tunnel3}/32
+	atf_check -s exit:0 \
+	    jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up
+
+	atf_check -s exit:0 -o ignore \
+	    jexec wgtest1 sysctl net.inet.ip.forwarding=1
+	atf_check -s exit:0 -o ignore \
+	    jexec wgtest2 sysctl net.inet.ip.forwarding=1
+
+	jexec wgtest1 $(atf_get_srcdir)/bridge -w 0 -i netmap:wg0 -i netmap:wg0^ &
+	pid=$!
+
+	# Generous timeout since the handshake takes some time.
+	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2
+	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1
+
+	# Verify that we cannot ping non-existent tunnel addresses.  In general
+	# the remote side should respond with an ICMP message.
+	atf_check -s exit:2 -o ignore jexec wgtest1 ping -c 1 -t 2 $tunnel4
+	atf_check -s exit:2 -o ignore jexec wgtest2 ping -c 1 -t 2 $tunnel3
+
+	# Make sure that the bridge is still functional.
+	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 $tunnel2
+	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1
+
+	atf_check -s exit:0 kill -TERM $pid
+	wait $pid
+	status=$?
+
+	# Make sure that SIGTERM was received and handled.
+	atf_check_equal $status 143
+}
+
+wg_basic_netmap_cleanup()
+{
+	vnet_cleanup
+}
+
 # The kernel is expected to silently ignore any attempt to add a peer with a
 # public key identical to the host's.
 atf_test_case "wg_key_peerdev_shared" "cleanup"
@@ -258,6 +349,7 @@ wg_vnet_parent_routing_cleanup()
 atf_init_test_cases()
 {
 	atf_add_test_case "wg_basic"
+	atf_add_test_case "wg_basic_netmap"
 	atf_add_test_case "wg_key_peerdev_shared"
 	atf_add_test_case "wg_key_peerdev_makeshared"
 	atf_add_test_case "wg_vnet_parent_routing"