author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-11-16 16:00:42 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-11-16 16:00:42 +0000 |
commit | 25a8583e59b36ea59a5d8f7dd91b11d576f066cf (patch) | |
tree | 97a69e7573e3e6b3ad781c123c36a71be8a5f80c | |
parent | 34e3b22d96c2faba8572eec80d8d8149ee05e137 (diff) |
Test multiple combinations of divert connections. The socket cleanup
of the first connection must remove the pf state so that the second
connection can succeed. Disable two raw IP tests that do not work
with the current implementation in the kernel.
-rw-r--r-- | regress/sys/net/pf_divert/Makefile | 69 | ||||
-rw-r--r-- | regress/sys/net/pf_divert/README | 8 |
2 files changed, 55 insertions, 22 deletions
diff --git a/regress/sys/net/pf_divert/Makefile b/regress/sys/net/pf_divert/Makefile
index e5350132921..c4395eb6f16 100644
--- a/regress/sys/net/pf_divert/Makefile
+++ b/regress/sys/net/pf_divert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.14 2016/11/15 16:00:50 bluhm Exp $
+# $OpenBSD: Makefile,v 1.15 2016/11/16 16:00:41 bluhm Exp $
 # The following ports must be installed for the regression tests:
 # p5-IO-Socket-INET6 object interface for AF_INET and AF_INET6 domain sockets
@@ -63,9 +63,28 @@ TARGETS ?= inet-args-tcp-to inet6-args-tcp-to \
 inet-args-icmp-to inet6-args-icmp-to \
 inet-args-icmp-reply-to inet6-args-icmp-reply-to \
 inet-args-icmp-reply-reuse inet6-args-icmp-reply-reuse \
- inet-reuse-tcp inet6-reuse-tcp \
- inet-reuse-udp inet6-reuse-udp \
- inet-reuse-rip inet6-reuse-rip
+ inet-reuse-tcp-to-to inet6-reuse-tcp-to-to \
+ inet-reuse-tcp-to-reply inet6-reuse-tcp-to-reply \
+ inet-reuse-tcp-reply-to inet6-reuse-tcp-reply-to \
+ inet-reuse-tcp-reply-reply inet6-reuse-tcp-reply-reply \
+ inet-reuse-udp-to-to inet6-reuse-udp-to-to \
+ inet-reuse-udp-to-reply inet6-reuse-udp-to-reply \
+ inet-reuse-udp-to-reply-to inet6-reuse-udp-to-reply-to \
+ inet-reuse-udp-reply-to inet6-reuse-udp-reply-to \
+ inet-reuse-udp-reply-reply inet6-reuse-udp-reply-reply \
+ inet-reuse-udp-reply-reply-to inet6-reuse-udp-reply-reply-to \
+ inet-reuse-udp-reply-to-to inet6-reuse-udp-reply-to-to \
+ inet-reuse-udp-reply-to-reply inet6-reuse-udp-reply-to-reply \
+ inet-reuse-udp-reply-to-reply-to inet6-reuse-udp-reply-to-reply-to \
+ inet-reuse-rip-to-to inet6-reuse-rip-to-to \
+ inet-reuse-rip-to-reply inet6-reuse-rip-to-reply \
+ inet-reuse-rip-to-reply-to inet6-reuse-rip-to-reply-to \
+ inet-reuse-rip-reply-to inet6-reuse-rip-reply-to \
+ inet-reuse-rip-reply-reply inet6-reuse-rip-reply-reply \
+ inet-reuse-rip-reply-reply-to inet6-reuse-rip-reply-reply-to \
+ inet-reuse-rip-reply-to-to inet6-reuse-rip-reply-to-to \
+ inet-reuse-rip-reply-to-reply inet6-reuse-rip-reply-to-reply \
+ inet-reuse-rip-reply-to-reply-to inet6-reuse-rip-reply-to-reply-to
 REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
 CLEANFILES += *.log *.port ktrace.out stamp-*
@@ -104,7 +123,12 @@ PERLPATH = ${.CURDIR}/
 # diverted process is running on the remote machine reachable with
 # ssh.
-.for inet addr in inet ADDR inet6 ADDR6
+.for inet addr in inet ADDR inet6 ADDR6
+
+run-regress-${inet}-reuse-rip-to-reply-to:
+ @echo '\n======== $@ ========'
+ @echo 'rip to before reply is broken, it does not remove the state.'
+ @echo DISABLED
 .for a in ${ARGS}
 run-regress-${inet}-${a:R}: ${a}
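Review bot: The DISABLED stub for `run-regress-${inet}-reuse-rip-to-reply-to` has no comment explaining why it must sit here, ahead of the reuse loop. The `.for first second` loop in the following hunk generates a target of the same name with a full recipe, so the stub appears to work only because make keeps the first recipe it sees and ignores the later one. That ordering dependency should be written down, e.g. `# Must stay before the reuse loop: the first recipe for a target wins, the generated one is ignored.` The stub also prints DISABLED and exits successfully, so a leftover pf state in this combination is reported as a pass; pointing the comment at the kernel problem would show when the test can be re-enabled. The `.for inet addr` loop opened in this hunk closes outside it.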
@@ -113,32 +137,39 @@ run-regress-${inet}-${a:R}: ${a} .endfor .for proto in tcp udp rip -run-regress-${inet}-reuse-${proto}: + +.for first second in to to to reply to reply-to reply to reply reply reply reply-to reply-to to reply-to reply reply-to reply-to + +run-regress-${inet}-reuse-${proto}-${first}-${second}: @echo '\n======== $@ ========' - time ${SUDO} SUDO=${SUDO} perl ${PERLINC} ${PERLPATH}remote.pl ${inet} ${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} ${PERLPATH}args-${proto}-reply.pl + time ${SUDO} SUDO=${SUDO} perl ${PERLINC} ${PERLPATH}remote.pl -f ${inet} ${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} ${PERLPATH}args-${proto}-${first}.pl sed -n '/^connect peer:/s/.* //p' client.log >client.port sed -n '/^connect sock:/s/.* //p' client.log >server.port .if "tcp" == ${proto} +.if "reply" == ${first} ${SUDO} tcpdrop ${LOCAL_${addr}} `cat client.port` ${FAKE_${addr}} `cat server.port` .endif - time ${SUDO} SUDO=${SUDO} perl ${PERLINC} ${PERLPATH}remote.pl ${inet} ${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} `cat client.port` `cat server.port` ${PERLPATH}args-${proto}-to.pl +.if "to" == ${first} + ssh ${REMOTE_SSH} ${SUDO} tcpdrop ${FAKE_${addr}} `cat client.port` ${LOCAL_${addr}} `cat server.port` +.endif +.endif + time ${SUDO} SUDO=${SUDO} perl ${PERLINC} ${PERLPATH}remote.pl ${inet} ${LOCAL_${addr}} ${FAKE_${addr}} ${REMOTE_SSH} `cat client.port` `cat server.port` ${PERLPATH}args-${proto}-${second}.pl .if "tcp" == ${proto} +.if "reply" == ${second} + ${SUDO} tcpdrop ${LOCAL_${addr}} `cat server.port` ${FAKE_${addr}} `cat client.port` +.endif +.if "to" == ${second} + ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \ + egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? ' ssh ${REMOTE_SSH} ${SUDO} tcpdrop ${FAKE_${addr}} `cat server.port` ${LOCAL_${addr}} `cat client.port` -.if "inet" == ${inet} - if ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \ - grep 'all ${proto} ${FAKE_${addr}}:'`cat server.port`' .. 
${LOCAL_${addr}}:'`cat client.port`' '; \ - then false; \ - fi -.else - if ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \ - grep 'all ${proto} ${FAKE_${addr}}\['`cat server.port`\]' .. ${LOCAL_${addr}}\['`cat client.port`'\] '; \ - then false; \ - fi + ssh ${REMOTE_SSH} ${SUDO} pfctl -ss | \ + ! egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`\]?' .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? ' .endif .endif -.endfor .endfor +.endfor +.endfor .PHONY: syntax check-setup diff --git a/regress/sys/net/pf_divert/README b/regress/sys/net/pf_divert/README index ffa90c0a0b5..c602d4edd66 100644 --- a/regress/sys/net/pf_divert/README +++ b/regress/sys/net/pf_divert/README @@ -43,6 +43,8 @@ has a different ID, so it cannot use the same pf state. Check that the second reply reaches the client. This can only work, if pf creates a second outgoing state although all packet use one socket. -The reuse-... tests run the corresponding args-...-reply and -args-...-to tests consecutively to check that the pf states to not -interfere. +The reuse tests run pairs of corresponding args-...-to and +args-...-reply and args-...-reply-to tests consecutively to check +that the pf states to not interfere. The first run flushes the +state, the second must get rid of the state automatically. For TCP +the connection in TIME_WAIT is dropped to remove the state. |
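Review bot: In both new `egrep` patterns of the `"to" == ${second}` branch, the `\]?` after `` `cat server.port` `` sits outside the single quotes, so the shell sees an unquoted `?` as a glob character, while the client-port half keeps it quoted. Closing the quote after the backticks makes both halves consistent: `` egrep 'all ${proto} ${FAKE_${addr}}:?\[?'`cat server.port`'\]? .. ${LOCAL_${addr}}:?\[?'`cat client.port`'\]? ' ``. The final `| ! egrep` check passes whenever no line matches, which would also be the case if `ssh` or `pfctl -ss` returned nothing; only the positive check a few lines earlier guards against that. Placing `!` after the pipe is also not accepted by every shell, so `if ... | egrep ...; then false; fi`, as the removed lines did, is the more portable form. The enclosing `.for inet addr` and `.for proto` loops start outside this hunk.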