git: c0f13232410c - main - wg tests: Add a simple regression test case for netmap support
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 20 Apr 2024 16:05:07 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=c0f13232410cf881475d6e4dbd0ec28ab3476c59 commit c0f13232410cf881475d6e4dbd0ec28ab3476c59 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-04-20 16:01:53 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-04-20 16:04:42 +0000 wg tests: Add a simple regression test case for netmap support MFC after: 1 month Sponsored by: Klara, Inc. Sponsored by: Zenarmor --- tests/sys/net/Makefile | 6 +++- tests/sys/net/if_wg.sh | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 1 deletion(-) diff --git a/tests/sys/net/Makefile b/tests/sys/net/Makefile index 75596028688b..95ab86156a0a 100644 --- a/tests/sys/net/Makefile +++ b/tests/sys/net/Makefile @@ -1,4 +1,3 @@ - PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/net @@ -19,6 +18,11 @@ ATF_TESTS_SH+= if_wg TESTS_SUBDIRS+= if_ovpn TESTS_SUBDIRS+= routing +# The netmap bridge application is used by if_wg tests. +.PATH: ${SRCTOP}/tools/tools/netmap +PROGS+= bridge +LIBADD.bridge+= netmap + # The tests are written to be run in parallel, but doing so leads to random # panics. I think it's because the kernel's list of interfaces isn't properly # locked. diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh index 1f2ea308853a..b43b40f25018 100644 --- a/tests/sys/net/if_wg.sh +++ b/tests/sys/net/if_wg.sh @@ -92,6 +92,97 @@ wg_basic_cleanup() vnet_cleanup } +atf_test_case "wg_basic_netmap" "cleanup" +wg_basic_netmap_head() +{ + atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails with netmap' + atf_set require.user root +} + +wg_basic_netmap_body() +{ + local epair pri1 pri2 pub1 pub2 wg1 wg2 + local endpoint1 endpoint2 tunnel1 tunnel2 tunnel3 tunnel4 + local pid status + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + kldload -n netmap || atf_skip "This test requires netmap and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + + endpoint1=192.168.2.1 + endpoint2=192.168.2.2 + tunnel1=192.168.3.1 + tunnel2=192.168.3.2 + tunnel3=192.168.3.3 + tunnel4=192.168.3.4 + + epair=$(vnet_mkepair) + + vnet_init + + vnet_mkjail wgtest1 ${epair}a + vnet_mkjail wgtest2 ${epair}b + + jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up + jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + wg2=$(jexec wgtest2 ifconfig wg create) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32,${tunnel4}/32 + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32,${tunnel3}/32 + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 sysctl net.inet.ip.forwarding=1 + atf_check -s exit:0 -o ignore \ + jexec wgtest2 sysctl net.inet.ip.forwarding=1 + + jexec wgtest1 $(atf_get_srcdir)/bridge -w 0 -i netmap:wg0 -i netmap:wg0^ & + pid=$! + + # Generous timeout since the handshake takes some time. + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2 + atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1 + + # Verify that we cannot ping non-existent tunnel addresses. In general + # the remote side should respond with an ICMP message. + atf_check -s exit:2 -o ignore jexec wgtest1 ping -c 1 -t 2 $tunnel4 + atf_check -s exit:2 -o ignore jexec wgtest2 ping -c 1 -t 2 $tunnel3 + + # Make sure that the bridge is still functional. + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 $tunnel2 + atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1 + + atf_check -s exit:0 kill -TERM $pid + wait $pid + status=$? + + # Make sure that SIGTERM was received and handled. + atf_check_equal $status 143 +} + +wg_basic_netmap_cleanup() +{ + vnet_cleanup +} + # The kernel is expected to silently ignore any attempt to add a peer with a # public key identical to the host's. atf_test_case "wg_key_peerdev_shared" "cleanup" @@ -258,6 +349,7 @@ wg_vnet_parent_routing_cleanup() atf_init_test_cases() { atf_add_test_case "wg_basic" + atf_add_test_case "wg_basic_netmap" atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared" atf_add_test_case "wg_vnet_parent_routing"