src-test2/sbin/pfctl, branch master

src-test2/sbin/pfctl, branch master FreeBSD source tree https://cgit-dev.freebsd.org/src-test2/atom?h=master 2020-10-15T14:56:51Z [pfctl_tests] Add missing void to empty function declaration 2020-10-15T14:56:51Z Adrian Chadd adrian@FreeBSD.org 2020-10-15T14:56:51Z urn:sha1:d80b9f8d51c71909abb829811f6351ab5c006b4e Our gcc-6.4 flags require non-empty function declarations. Fix this to match the rest of the codebase. Tested: * compiled on gcc-6.4 for amd64 Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D26795 Rewrite pfctl_test in C to reduce testsuite run time 2020-10-14T17:39:50Z Alex Richardson arichardson@FreeBSD.org 2020-10-14T17:39:50Z urn:sha1:44ec023c179247de330114a8fdb6b44020cef188 The new C test takes 25 seconds on QEMU-RISC-V, wheras the shell version takes 332 seconds. Even with the latest optimizations to atf-sh this test still takes a few seconds to startup in QEMU. Re-writing it in C reduces the runtime for a single test from about 2-3 seconds to less than .5 seconds. Since there are ~80 tests, this adds up to about 3-4 minutes. This may not seem like a big speedup, but before the recent optimizations to avoid atf_get_srcdir, each test took almost 100 seconds on QEMU RISC-V instead of 3. This also significantly reduces the time it takes to list the available test cases, which speeds up running the tests via kyua: ``` root@qemu-riscv64-alex:~ # /usr/bin/time kyua test -k /usr/tests/sbin/pfctl/Kyuafile pfctl_test_old ... 158/158 passed (0 failed) 332.08 real 42.58 user 286.17 sys root@qemu-riscv64-alex:~ # /usr/bin/time kyua test -k /usr/tests/sbin/pfctl/Kyuafile pfctl_test 158/158 passed (0 failed) 24.96 real 9.75 user 14.26 sys root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test pf1001 pfctl_test: WARNING: Running test cases outside of kyua(1) is unsupported pfctl_test: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4) Running pfctl -o none -nvf /usr/tests/sbin/pfctl/./files/pf1001.in --- binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64 binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64 --- passed 0.17 real 0.06 user 0.08 sys root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_old pf1001 pfctl_test_old: WARNING: Running test cases outside of kyua(1) is unsupported pfctl_test_old: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4) Id Refs Name 141 1 pf Executing command [ pfctl -o none -nvf - ] passed 1.73 real 0.25 user 1.41 sys root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_old -l > /dev/null 24.36 real 2.26 user 21.86 sys root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test -l > /dev/null 0.04 real 0.02 user 0.01 sys ``` The speedups are even more noticeable on CHERI-RISC-V (since QEMU runs slower when emulating CHERI instructions): ``` root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_new -l > /dev/null 0.51 real 0.49 user 0.00 sys root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test -l > /dev/null 34.20 real 32.69 user 0.16 sys root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test pf1001 pfctl_test: WARNING: Running test cases outside of kyua(1) is unsupported pfctl_test: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4) Id Refs Name 147 1 pf Executing command [ pfctl -o none -nvf - ] passed 5.74 real 5.41 user 0.03 sys root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_new pf1001 pfctl_test_new: WARNING: Running test cases outside of kyua(1) is unsupported pfctl_test_new: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4) Running pfctl -o none -nvf /usr/tests/sbin/pfctl/./files/pf1001.in --- binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64 binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64 --- passed 0.68 real 0.66 user 0.00 sys root@qemu-cheri-alex:/usr/tests/sbin/pfctl # ``` Reviewed By: kp Differential Revision: https://reviews.freebsd.org/D26779 pfctl_test: avoid 200 calls to atf_get_srcdir 2020-09-14T08:51:18Z Alex Richardson arichardson@FreeBSD.org 2020-09-14T08:51:18Z urn:sha1:d815e4241933b8d80bd09be979110e4bb0657708 I have been trying to reduce the time that testsuite runs take for CheriBSD on QEMU (currently about 22 hours). One of the slowest tests is pfctl_test: Just listing the available test cases currently takes 98 seconds on a CheriBSD RISC-V system due to all the processes being spawned. This trivial patch reduces the time to 92 seconds. The better solution would be to rewrite the test in C/C++ which I may do as a follow-up change. Reviewed By: kp Differential Revision: https://reviews.freebsd.org/D26417 pfctl: Call ifa_load() before ifa_grouplookup() 2020-04-19T15:37:13Z Kristof Provost kp@FreeBSD.org 2020-04-19T15:37:13Z urn:sha1:8fd675d8a0538544a85483f7a9bed2bd48382926 ifa_grouplookup() uses the data loaded in ifa_load() (through is_a_group()), so we must call ifa_load() before we can rely on any of the data it populates. Submitted by: Nick Rogers MFC after: 1 week Sponsored by: RG Nets pfctl: Remove unused variable 2020-04-19T15:32:14Z Kristof Provost kp@FreeBSD.org 2020-04-19T15:32:14Z urn:sha1:681652667af16267b350fc8dd31b93e7c8133611 Submitted by: Nick Rogers MFC after: 1 week Sponsored by: RG Nets pfctl: improve rule load times with thousands of interfaces 2020-03-19T12:54:43Z Kristof Provost kp@FreeBSD.org 2020-03-19T12:54:43Z urn:sha1:d2568b024da283bd2b88a633eecfc9abf240b3d8 r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by ifa_load/ifa_lookup/host_if. When loading an anchor or ruleset via pfctl that does NOT contain ifnames as hosts, host() still ends up iterating all interfaces twice, grabbing SIOCGIFGROUP ioctl twice for each. This adds an unnecessary amount of time on systems with thousands or tens of thousands of interfaces. Prioritize the IPv4/6 check over the interface name lookup, which skips loading the iftab and iterating all interfaces when the configuration does not contain interface names. Submitted by: Nick Rogers MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D24100 Fix test cases after r358448 2020-02-29T13:24:41Z Li-Wen Hsu lwhsu@FreeBSD.org 2020-02-29T13:24:41Z urn:sha1:fe44c67716c23269a756f5162baf882bf8b77f0c sbin.pfctl.pfctl_test.pf0087 sbin.pfctl.pfctl_test.selfpf0087 MFC with: r358448 Sponsored by: The FreeBSD Foundation pfctl: Warn users when they run into kernel limits 2019-12-14T02:03:47Z Kristof Provost kp@FreeBSD.org 2019-12-14T02:03:47Z urn:sha1:3c7fbb06a0d440aaeca539be76054a9265f89e40 Warn users when they try to add/delete/modify more items than the kernel will allow. Reviewed by: allanjude (previous version), Lutz Donnerhacke Differential Revision: https://reviews.freebsd.org/D22733 pkgbase: pfctl: tests: Put tests files in the FreeBSD-tests package 2019-09-05T14:19:06Z Emmanuel Vadot manu@FreeBSD.org 2019-09-05T14:19:06Z urn:sha1:92fd0827c16e521afb026c0290ab30884fb496a4 Reviewed by: kp, gjb Differential Revision: https://reviews.freebsd.org/D21521 pfctl: Fix ifgroup check 2019-04-19T10:52:54Z Kristof Provost kp@FreeBSD.org 2019-04-19T10:52:54Z urn:sha1:7296d6c9bf670dc48c14ec2dff9eb3a044f12c5e We cannot just assume that any name which ends with a letter is a group That's not been true since we allowed renaming of network interfaces. It's also not true for things like epair0a. Try to retrieve the group members for the name to check, since we'll get ENOENT if the group doesn't exist. MFC after: 1 week Event: Aberdeen hackathon 2019