svn commit: r367058 - stable/12/tests/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Mon Oct 26 13:24:21 UTC 2020


Author: kp
Date: Mon Oct 26 13:24:20 2020
New Revision: 367058
URL: https://svnweb.freebsd.org/changeset/base/367058

Log:
  MFC r366648:
  
  pf tests: Test that 'set skip on <group>' works on new group members
  
  There's a known issue where new group members don't get the 'set skip on'
  applied until the rules are re-loaded.
  
  Do this by setting rules that block all traffic, but skip members of the
  'epair' group. If we can communicate over the epair interface we know the set
  skip rule took effect, even if the rule was set before the interface was
  created.

Modified:
  stable/12/tests/sys/netpfil/pf/set_skip.sh
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/tests/sys/netpfil/pf/set_skip.sh
==============================================================================
--- stable/12/tests/sys/netpfil/pf/set_skip.sh	Mon Oct 26 13:23:40 2020	(r367057)
+++ stable/12/tests/sys/netpfil/pf/set_skip.sh	Mon Oct 26 13:24:20 2020	(r367058)
@@ -60,8 +60,41 @@ set_skip_group_lo_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "set_skip_dynamic" "cleanup"
+set_skip_dynamic_head()
+{
+	atf_set descr "Cope with group changes"
+	atf_set require.user root
+}
+
+set_skip_dynamic_body()
+{
+	pft_init
+
+	set -x
+
+	vnet_mkjail alcatraz
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "set skip on epair" \
+		"block"
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a 192.0.2.2/24 up
+	ifconfig ${epair}b vnet alcatraz
+
+	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
+}
+
+set_skip_dynamic_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "set_skip_group"
 	atf_add_test_case "set_skip_group_lo"
+	atf_add_test_case "set_skip_dynamic"
 }
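Review bot: The `ping` at the end of `set_skip_dynamic_body` is the test's only assertion, and it would also succeed if pf were not filtering in the jail at all, so the test can pass without ever exercising `set skip`. `jexec alcatraz pfctl -e` runs unchecked; wrapping it as `atf_check -s exit:0 -e ignore jexec alcatraz pfctl -e` would turn a failed enable into a test failure instead of a vacuous pass. Whether `pft_set_rules` verifies that the ruleset actually loaded is not visible in this hunk, so that is worth confirming too. The `set -x` near the top of the body looks like leftover debug tracing; either drop it or add a comment such as `# trace commands to make jail/epair setup failures easier to diagnose`.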

