git: 8ad7d25dfc80 - main - pf tests: pfsync bulk update test

Kristof Provost kp at FreeBSD.org
Wed Mar 17 19:21:28 UTC 2021 

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=8ad7d25dfc808ca00300f7553a9b28dfc0e99c18

commit 8ad7d25dfc808ca00300f7553a9b28dfc0e99c18
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-03-15 13:10:55 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-03-17 18:18:14 +0000

    pf tests: pfsync bulk update test
    
    Test that pfsync works as expected with bulk updates. That is, create
    some state before setting up the second firewall. Let that firewall
    request a bulk update so it can catch up, and check that it got the
    state which was created before it enable pfsync.
    
    PR:             254236
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D29272
---
 tests/sys/netpfil/pf/pfsync.sh | 68 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh
index d8cb0a13efb7..a6fc7ec9f7e9 100644
--- a/tests/sys/netpfil/pf/pfsync.sh
+++ b/tests/sys/netpfil/pf/pfsync.sh
@@ -112,8 +112,76 @@ defer_cleanup()
 	pfsynct_cleanup
 }
 
+atf_test_case "bulk" "cleanup"
+bulk_head()
+{
+	atf_set descr 'Test bulk updates'
+	atf_set require.user root
+}
+
+bulk_body()
+{
+	pfsynct_init
+
+	epair_sync=$(vnet_mkepair)
+	epair_one=$(vnet_mkepair)
+	epair_two=$(vnet_mkepair)
+
+	vnet_mkjail one ${epair_one}a ${epair_sync}a
+	vnet_mkjail two ${epair_two}a ${epair_sync}b
+
+	# pfsync interface
+	jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
+	jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
+	jexec one ifconfig pfsync0 \
+		syncdev ${epair_sync}a \
+		maxupd 1\
+		up
+	jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
+	jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
+
+	# Enable pf
+	jexec one pfctl -e
+	pft_set_rules one \
+		"set skip on ${epair_sync}a" \
+		"pass keep state"
+	jexec two pfctl -e
+	pft_set_rules two \
+		"set skip on ${epair_sync}b" \
+		"pass keep state"
+
+	ifconfig ${epair_one}b 198.51.100.254/24 up
+
+	# Create state prior to setting up pfsync
+	ping -c 1 -S 198.51.100.254 198.51.100.1
+
+	# Wait before setting up pfsync on two, so we don't accidentally catch
+	# the update anyway.
+	sleep 1
+
+	# Now set up pfsync in jail two
+	jexec two ifconfig pfsync0 \
+		syncdev ${epair_sync}b \
+		up
+
+	# Give pfsync time to do its thing
+	sleep 2
+
+	jexec two pfctl -s states
+	if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
+	    grep 198.51.100.2 ; then
+		atf_fail "state not found on synced host"
+	fi
+}
+
+bulk_cleanup()
+{
+	pfsynct_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "basic"
 	atf_add_test_case "defer"
+	atf_add_test_case "bulk"
 }

More information about the dev-commits-src-main mailing list