diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2024-03-11 13:44:17 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2024-03-19 15:29:29 +0000 |
| commit | 0ea0c026557b46292881d5a75babeb3cc0fd9696 (patch) | |
| tree | 09ac9831c5b451ddc47233deb8a02d5357c65035 /tests | |
| parent | 02b25ccfc0b13759ce04c291b6569dcfa22a9fa0 (diff) | |
| download | src-0ea0c026557b46292881d5a75babeb3cc0fd9696.tar.gz src-0ea0c026557b46292881d5a75babeb3cc0fd9696.zip | |
pf: avoid passing through dummynet multiple times
In some setups we end up with multiple states created for a single
packet, which in turn can mean we run the packet through dummynet
multiple times. That's not expected or intended. Mark each packet when
it goes through dummynet, and do not pass packet through dummynet if
they're marked as having already passed through.
See also: https://redmine.pfsense.org/issues/14854
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44365
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sys/netpfil/pf/route_to.sh | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh index d5d29709fe06..4df9b790359a 100644 --- a/tests/sys/netpfil/pf/route_to.sh +++ b/tests/sys/netpfil/pf/route_to.sh @@ -615,6 +615,58 @@ dummynet_frag_cleanup() pft_cleanup } +atf_test_case "dummynet_double" "cleanup" +dummynet_double_head() +{ + atf_set descr 'Ensure dummynet is not applied multiple times' + atf_set require.user root +} + +dummynet_double_body() +{ + pft_init + dummynet_init + + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + + ifconfig ${epair_one}a 192.0.2.1/24 up + + vnet_mkjail alcatraz ${epair_one}b ${epair_two}a + jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + + vnet_mkjail singsing ${epair_two}b + jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up + jexec singsing route add default 198.51.100.1 + + route add 198.51.100.0/24 192.0.2.2 + + jexec alcatraz dnctl pipe 1 config delay 800 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set reassemble yes" \ + "nat on ${epair_two}a from 192.0.2.0/24 -> (${epair_two}a)" \ + "pass in route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq dnpipe (1, 1)" \ + "pass out route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq" + + ping -c 1 198.51.100.2 + jexec alcatraz pfctl -sr -vv + jexec alcatraz pfctl -ss -vv + + # We expect to be delayed 1.6 seconds, so timeout of two seconds passes, but + # timeout of 1 does not. + atf_check -s exit:0 -o ignore ping -t 2 -c 1 198.51.100.2 + atf_check -s exit:2 -o ignore ping -t 1 -c 1 198.51.100.2 +} + +dummynet_double_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" @@ -628,4 +680,5 @@ atf_init_test_cases() atf_add_test_case "ifbound_reply_to" atf_add_test_case "ifbound_reply_to_v6" atf_add_test_case "dummynet_frag" + atf_add_test_case "dummynet_double" } |