git: 3e79ec993dc7 - stable/15 - pf tests: fix intermittent mld test failures

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Sun, 05 Oct 2025 20:51:51 UTC
The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=3e79ec993dc7f6a454705ff5e820aa977583a5f7

commit 3e79ec993dc7f6a454705ff5e820aa977583a5f7
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-09-27 14:41:30 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-10-05 20:47:35 +0000

    pf tests: fix intermittent mld test failures
    
    We can't reliably check for the absence of replies to our MLD queries (because
    a host may announce its multicast subscriptions), so enable pf logging and check
    for the relevant error message instead.
    
    PR:             289821
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D52762
    
    (cherry picked from commit a57f6ce4792f12bebdbe3e46d6d9d39da10055db)
---
 tests/sys/netpfil/pf/Makefile |  2 +-
 tests/sys/netpfil/pf/mld.py   | 35 +++++++++++++++--------------------
 2 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index d63431e64a96..720086bbbccd 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -71,7 +71,7 @@ ATF_TESTS_PYTEST+=	tcp.py
 
 # Allow tests to run in parallel in their own jails
 TEST_METADATA+= execenv="jail"
-TEST_METADATA+= execenv_jail_params="vnet allow.raw_sockets"
+TEST_METADATA+= execenv_jail_params="vnet allow.raw_sockets allow.read_msgbuf"
 
 ${PACKAGE}FILES+=	\
 			bsnmpd.conf \
diff --git a/tests/sys/netpfil/pf/mld.py b/tests/sys/netpfil/pf/mld.py
index d118a34c8a7d..b3ef6c21b3de 100644
--- a/tests/sys/netpfil/pf/mld.py
+++ b/tests/sys/netpfil/pf/mld.py
@@ -32,23 +32,22 @@ from atf_python.sys.net.vnet import VnetTestTemplate
 class TestMLD(VnetTestTemplate):
     REQUIRED_MODULES = [ "pf" ]
     TOPOLOGY = {
-        "vnet1": {"ifaces": ["if1"]},
+        "vnet1": {"ifaces": ["if1"], "opts": ["allow.read_msgbuf"]},
         "vnet2": {"ifaces": ["if1"]},
         "if1": {"prefixes6": [("2001:db8::2/64", "2001:db8::1/64")]},
     }
 
     def vnet2_handler(self, vnet):
         ifname = vnet.iface_alias_map["if1"].name
-        #ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.print_output("/sbin/pfctl -e")
         ToolsHelper.pf_rules([
             "pass",
             ])
         ToolsHelper.print_output("/sbin/pfctl -x loud")
-        #ToolsHelper.print_output("echo \"j 230.0.0.1 %s\ns 3600\nq\" | /usr/sbin/mtest" % ifname)
 
     def find_mld_reply(self, pkt, ifname):
         pkt.show()
-        s = DelayedSend(pkt)
+        s = DelayedSend(pkt, ifname)
 
         found = False
         packets = self.sp.sniff(iface=ifname, timeout=5)
@@ -66,7 +65,6 @@ class TestMLD(VnetTestTemplate):
     def test_router_alert(self):
         """Verify that we allow MLD packets with router alert extension header"""
         ifname = self.vnet.iface_alias_map["if1"].name
-        #ToolsHelper.print_output("/sbin/ifconfig %s inet6 -ifdisable" % ifname)
         ToolsHelper.print_output("/sbin/ifconfig")
 
         # Import in the correct vnet, so at to not confuse Scapy
@@ -76,20 +74,17 @@ class TestMLD(VnetTestTemplate):
         self.sp = sp
         self.sc = sc
 
-        # A correct MLD query gets a reply
-        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=1) \
-            / sp.RouterAlert(value=0) \
+        # MLD packets with an incorrect hop limit get dropped.
+        pkt = sp.Ether() \
+            / sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=2) \
+            / sp.IPv6ExtHdrHopByHop(options=[ \
+                sp.RouterAlert(value=0) \
+                ]) \
             / sp.ICMPv6MLQuery2()
-        assert self.find_mld_reply(pkt, ifname)
+        # We can't reliably test this by checking for a reply, because
+        # the other jail may just send a spontaneous MLD reply.
+        self.find_mld_reply(pkt, ifname)
 
-        # The wrong extension header does not
-        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=1) \
-            / sp.IPv6ExtHdrRouting() \
-            / sp.ICMPv6MLQuery2()
-        assert not self.find_mld_reply(pkt, ifname)
-
-        # Neither does an incorrect hop limit
-        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=2) \
-            / sp.RouterAlert(value=0) \
-            / sp.ICMPv6MLQuery2()
-        assert not self.find_mld_reply(pkt, ifname)
+        # Check if we logged dropping the MLD paacket
+        dmesg = ToolsHelper.get_output("/sbin/dmesg")
+        assert dmesg.find("Invalid MLD") != -1