Diffstat (limited to 'tests/sys/net')
-rw-r--r-- | tests/sys/net/Makefile | 3 | ||||
-rw-r--r-- | tests/sys/net/bpf/Makefile | 15 | ||||
-rw-r--r-- | tests/sys/net/bpf/bpf.sh | 67 | ||||
-rw-r--r-- | tests/sys/net/bpf/bpf_multi_read.c | 76 | ||||
-rwxr-xr-x | tests/sys/net/if_bridge_test.sh | 574 | ||||
-rwxr-xr-x | tests/sys/net/if_lagg_test.sh | 13 | ||||
-rw-r--r-- | tests/sys/net/if_ovpn/Makefile | 4 | ||||
-rw-r--r-- | tests/sys/net/if_ovpn/if_ovpn.sh | 371 | ||||
-rwxr-xr-x | tests/sys/net/if_vlan.sh | 76 | ||||
-rw-r--r-- | tests/sys/net/if_wg.sh | 299 | ||||
-rw-r--r-- | tests/sys/net/routing/Makefile | 1 |
11 files changed, 1464 insertions, 35 deletions
diff --git a/tests/sys/net/Makefile b/tests/sys/net/Makefile index 95ab86156a0a..bc8f9c5e9c80 100644 --- a/tests/sys/net/Makefile +++ b/tests/sys/net/Makefile @@ -7,6 +7,8 @@ ATF_TESTS_C+= if_epair ATF_TESTS_SH+= if_epair_test ATF_TESTS_SH+= if_bridge_test TEST_METADATA.if_bridge_test+= required_programs="python" +TEST_METADATA.if_bridge_test+= execenv="jail" +TEST_METADATA.if_bridge_test+= execenv_jail_params="vnet allow.raw_sockets" ATF_TESTS_SH+= if_clone_test ATF_TESTS_SH+= if_gif ATF_TESTS_SH+= if_lagg_test @@ -15,6 +17,7 @@ ATF_TESTS_SH+= if_tun_test ATF_TESTS_SH+= if_vlan ATF_TESTS_SH+= if_wg +TESTS_SUBDIRS+= bpf TESTS_SUBDIRS+= if_ovpn TESTS_SUBDIRS+= routing diff --git a/tests/sys/net/bpf/Makefile b/tests/sys/net/bpf/Makefile new file mode 100644 index 000000000000..9c8a25b15d16 --- /dev/null +++ b/tests/sys/net/bpf/Makefile @@ -0,0 +1,15 @@ +.include <src.opts.mk> + +PACKAGE= tests + +TESTSDIR= ${TESTSBASE}/sys/net/bpf +BINDIR= ${TESTSDIR} + +LIBADD+= nv + +PROGS= bpf_multi_read +LIBADD.bpf_multi_read+= pcap + +ATF_TESTS_SH= bpf + +.include <bsd.test.mk> diff --git a/tests/sys/net/bpf/bpf.sh b/tests/sys/net/bpf/bpf.sh new file mode 100644 index 000000000000..2830c4862de9 --- /dev/null +++ b/tests/sys/net/bpf/bpf.sh 
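Review bot: `LIBADD+= nv` in the new tests/sys/net/bpf/Makefile links every program in the directory against libnv, but the only program declared there, bpf_multi_read, gets its library through `LIBADD.bpf_multi_read+= pcap`, and the source added in this commit includes only pcap.h. The line looks like a leftover from a copied Makefile; unless a later program in this directory needs libnv, it can be dropped.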
@@ -0,0 +1,67 @@
+##
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2025 Rubicon Communications, LLC ("Netgate")
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. 
$(atf_get_srcdir)/../../common/vnet.subr
+
+atf_test_case "multi_read" "cleanup"
+multi_read_head()
+{
+ atf_set descr 'Test multiple readers on /dev/bpf'
+ atf_set require.user root
+}
+
+multi_read_body()
+{
+ vnet_init
+
+ epair=$(vnet_mkepair)
+ ifconfig ${epair}a inet 192.0.2.1/24 up
+
+ vnet_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b inet 192.0.2.2/24 up
+
+ atf_check -s exit:0 -o ignore \
+ ping -c 1 192.0.2.2
+
+ # Start a multi-thread (or multi-process) read on bpf
+ $(atf_get_srcdir)/bpf_multi_read ${epair}a &
+
+ # Generate traffic
+ ping -f 192.0.2.2 >/dev/null 2>&1 &
+
+ # Now let this run for 10 seconds
+ sleep 10
+}
+
+multi_read_cleanup()
+{
+ vnet_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "multi_read"
+}
diff --git a/tests/sys/net/bpf/bpf_multi_read.c b/tests/sys/net/bpf/bpf_multi_read.c
new file mode 100644
index 000000000000..3a8edd76d623
--- /dev/null
+++ b/tests/sys/net/bpf/bpf_multi_read.c
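Review bot: multi_read_body starts `bpf_multi_read` (which forks a second reader) and the flood `ping -f` in the background and then returns after `sleep 10` without stopping either of them; multi_read_cleanup only calls vnet_cleanup, so the processes survive the test unless the runner happens to reap the test's process group. Record the pids in the body, e.g. `ping -f 192.0.2.2 >/dev/null 2>&1 & echo $! > ping.pid`, and `kill` them in multi_read_cleanup before vnet_cleanup (the forked child of bpf_multi_read needs to be covered too, since `$!` only gives the parent). The body also makes no assertion after the sleep; if the intent is a panic reproducer, say so in a comment such as `# No explicit check: the test passes if the kernel survives two readers on the same bpf descriptor.`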
@@ -0,0 +1,76 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2025 Rubicon Communications, LLC (Netgate)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <err.h>
+#include <stdio.h>
+#include <pcap.h>
+#include <unistd.h>
+
+static void
+callback(u_char *arg __unused, const struct pcap_pkthdr *hdr __unused,
+ const unsigned char *bytes __unused)
+{
+}
+
+int
+main(int argc, const char **argv)
+{
+ pcap_t *pcap;
+ const char *interface;
+ char errbuf[PCAP_ERRBUF_SIZE] = { 0 };
+ int ret;
+
+ if (argc != 2)
+ err(1, "Usage: %s <interface>\n", argv[0]);
+
+ interface = argv[1];
+
+ pcap = pcap_create(interface, errbuf);
+ if (! 
pcap) + perror("Failed to pcap interface"); + + ret = pcap_set_snaplen(pcap, 86); + if (ret != 0) + perror("Failed to set snaplen"); + + ret = pcap_set_timeout(pcap, 100); + if (ret != 0) + perror("Failed to set timeout"); + + ret = pcap_activate(pcap); + if (ret != 0) + perror("Failed to activate"); + + /* So we have two readers on one /dev/bpf fd */ + fork(); + + printf("Interface open\n"); + pcap_loop(pcap, 0, callback, NULL); + + return (0); +} diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh index 44370a905223..c0c085f22273 100755 --- a/tests/sys/net/if_bridge_test.sh +++ b/tests/sys/net/if_bridge_test.sh @@ -39,6 +39,7 @@ bridge_transmit_ipv4_unicast_head() bridge_transmit_ipv4_unicast_body() { vnet_init + vnet_init_bridge epair_alcatraz=$(vnet_mkepair) epair_singsing=$(vnet_mkepair) @@ -76,6 +77,7 @@ stp_head() stp_body() { vnet_init + vnet_init_bridge epair_one=$(vnet_mkepair) epair_two=$(vnet_mkepair) @@ -142,6 +144,7 @@ stp_vlan_head() stp_vlan_body() { vnet_init + vnet_init_bridge epair_one=$(vnet_mkepair) epair_two=$(vnet_mkepair) @@ -216,6 +219,7 @@ static_head() static_body() { vnet_init + vnet_init_bridge epair=$(vnet_mkepair) bridge=$(vnet_mkbridge) @@ -267,12 +271,13 @@ span_head() { atf_set descr 'Bridge span test' atf_set require.user root - atf_set require.progs scapy + atf_set require.progs python3 scapy } span_body() { vnet_init + vnet_init_bridge epair=$(vnet_mkepair) epair_span=$(vnet_mkepair) @@ -326,6 +331,7 @@ delete_with_members_head() delete_with_members_body() { vnet_init + vnet_init_bridge bridge=$(vnet_mkbridge) epair=$(vnet_mkepair) @@ -352,6 +358,7 @@ mac_conflict_head() mac_conflict_body() { vnet_init + vnet_init_bridge epair=$(vnet_mkepair) @@ -390,6 +397,7 @@ inherit_mac_head() inherit_mac_body() { vnet_init + vnet_init_bridge bridge=$(vnet_mkbridge) epair=$(vnet_mkepair) 
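Review bot: Every libpcap failure in main() is reported with perror() and then ignored, so when pcap_create() returns NULL the very next call, pcap_set_snaplen(pcap, 86), dereferences a null pointer, and perror() prints errno, which libpcap does not set — the real reason is in errbuf (for pcap_create) or pcap_statustostr()/pcap_geterr() (for the set_*/activate calls). The usage check uses err(), which appends strerror(errno) to the usage text; errx() is the right call there. fork() is also unchecked, so a failed fork silently turns the run into a single-reader test that cannot exercise the multi-reader path the shell test is built around. The rewrite below exits on each failure with the libpcap message; the printf/pcap_loop tail is unchanged.
```c
	if (argc != 2)
		errx(1, "Usage: %s <interface>", argv[0]);

	interface = argv[1];

	pcap = pcap_create(interface, errbuf);
	if (pcap == NULL)
		errx(1, "pcap_create(%s): %s", interface, errbuf);

	ret = pcap_set_snaplen(pcap, 86);
	if (ret != 0)
		errx(1, "pcap_set_snaplen: %s", pcap_statustostr(ret));

	ret = pcap_set_timeout(pcap, 100);
	if (ret != 0)
		errx(1, "pcap_set_timeout: %s", pcap_statustostr(ret));

	ret = pcap_activate(pcap);
	if (ret != 0)
		errx(1, "pcap_activate: %s", pcap_geterr(pcap));

	/* So we have two readers on one /dev/bpf fd */
	if (fork() == -1)
		err(1, "fork");
	/* … unchanged: printf("Interface open\n"), pcap_loop, return … */
```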
@@ -412,12 +420,13 @@ stp_validation_head() { atf_set descr 'Check STP validation' atf_set require.user root - atf_set require.progs scapy + atf_set require.progs python3 scapy } stp_validation_body() { vnet_init + vnet_init_bridge epair_one=$(vnet_mkepair) epair_two=$(vnet_mkepair) @@ -461,6 +470,7 @@ gif_head() gif_body() { vnet_init + vnet_init_bridge epair=$(vnet_mkepair) @@ -527,7 +537,7 @@ get_mtu() { intf=$1 - ifconfig ${intf} ether | awk '$5 == "mtu" { print $6 }' + ifconfig ${intf} | awk '$5 == "mtu" { print $6 }' } check_mtu() @@ -536,7 +546,7 @@ check_mtu() expected=$2 mtu=$(get_mtu $intf) - if [ $mtu -ne $expected ]; + if [ "$mtu" -ne "$expected" ]; then atf_fail "Expected MTU of $expected on $intf but found $mtu" fi @@ -545,6 +555,7 @@ check_mtu() mtu_body() { vnet_init + vnet_init_bridge epair=$(vnet_mkepair) gif=$(ifconfig gif create) @@ -606,6 +617,7 @@ vlan_head() vlan_body() { vnet_init + vnet_init_bridge vid=1 @@ -673,6 +685,7 @@ many_bridge_members_head() many_bridge_members_body() { vnet_init + vnet_init_bridge bridge=$(vnet_mkbridge) ifcount=256 
@@ -690,6 +703,547 @@ many_bridge_members_cleanup() vnet_cleanup } +atf_test_case "member_ifaddrs_enabled" "cleanup" +member_ifaddrs_enabled_head() +{ + atf_set descr 'bridge with member_ifaddrs=1' + atf_set require.user root +} + +member_ifaddrs_enabled_body() +{ + vnet_init + vnet_init_bridge + + ep=$(vnet_mkepair) + ifconfig ${ep}a inet 192.0.2.1/24 up + + vnet_mkjail one ${ep}b + jexec one sysctl net.link.bridge.member_ifaddrs=1 + jexec one ifconfig ${ep}b inet 192.0.2.2/24 up + jexec one ifconfig bridge0 create addm ${ep}b + + atf_check -s exit:0 -o ignore ping -c3 -t1 192.0.2.2 +} + +member_ifaddrs_enabled_cleanup() +{ + vnet_cleanup +} + +atf_test_case "member_ifaddrs_disabled" "cleanup" +member_ifaddrs_disabled_head() +{ + atf_set descr 'bridge with member_ifaddrs=0' + atf_set require.user root +} + +member_ifaddrs_disabled_body() +{ + vnet_init + vnet_init_bridge + + vnet_mkjail one + jexec one sysctl net.link.bridge.member_ifaddrs=0 + + bridge=$(jexec one ifconfig bridge create) + + # adding an interface with an IPv4 address + ep=$(jexec one ifconfig epair create) + jexec one ifconfig ${ep} 192.0.2.1/32 + atf_check -s exit:1 -e ignore jexec one ifconfig ${bridge} addm ${ep} + + # adding an interface with an IPv6 address + ep=$(jexec one ifconfig epair create) + jexec one ifconfig ${ep} inet6 2001:db8::1/128 + atf_check -s exit:1 -e ignore jexec one ifconfig ${bridge} addm ${ep} + + # adding an interface with an IPv6 link-local address + ep=$(jexec one ifconfig epair create) + jexec one ifconfig ${ep} inet6 -ifdisabled auto_linklocal up + atf_check -s exit:1 -e ignore jexec one ifconfig ${bridge} addm ${ep} + + # adding an IPv4 address to a member + ep=$(jexec one ifconfig epair create) + jexec one ifconfig ${bridge} addm ${ep} + atf_check -s exit:1 -e ignore jexec one ifconfig ${ep} inet 192.0.2.2/32 + + # adding an IPv6 address to a member + ep=$(jexec one ifconfig epair create) + jexec one ifconfig ${bridge} addm ${ep} + atf_check -s exit:1 -e ignore 
jexec one ifconfig ${ep} inet6 2001:db8::1/128 +} + +member_ifaddrs_disabled_cleanup() +{ + vnet_cleanup +} + +# +# Test kern/287150: when member_ifaddrs=0, and a physical interface which is in +# a bridge also has a vlan(4) on it, tagged packets are not correctly passed to +# vlan(4). +atf_test_case "member_ifaddrs_vlan" "cleanup" +member_ifaddrs_vlan_head() +{ + atf_set descr 'kern/287150: vlan and bridge on the same interface' + atf_set require.user root +} + +member_ifaddrs_vlan_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + # The first jail has an epair with an IP address on vlan 20. + vnet_mkjail one ${epone}a + atf_check -s exit:0 jexec one ifconfig ${epone}a up + atf_check -s exit:0 jexec one \ + ifconfig ${epone}a.20 create inet 192.0.2.1/24 up + + # The second jail has an epair with an IP address on vlan 20, + # which is also in a bridge. + vnet_mkjail two ${epone}b + + jexec two ifconfig + atf_check -s exit:0 -o save:bridge jexec two ifconfig bridge create + bridge=$(cat bridge) + atf_check -s exit:0 jexec two ifconfig ${bridge} addm ${epone}b up + + atf_check -s exit:0 -o ignore jexec two \ + sysctl net.link.bridge.member_ifaddrs=0 + atf_check -s exit:0 jexec two ifconfig ${epone}b up + atf_check -s exit:0 jexec two \ + ifconfig ${epone}b.20 create inet 192.0.2.2/24 up + + # Make sure the two jails can communicate over the vlan. 
+ atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +member_ifaddrs_vlan_cleanup() +{ + vnet_cleanup +} + +atf_test_case "vlan_pvid" "cleanup" +vlan_pvid_head() +{ + atf_set descr 'bridge with two ports with pvid set' + atf_set require.user root +} + +vlan_pvid_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + jexec one ifconfig ${epone}b 192.0.2.1/24 up + jexec two ifconfig ${eptwo}b 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 + ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 20 + + # With VLAN filtering enabled, traffic should be passed. + atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + # Removed the untagged VLAN on one port; traffic should not be passed. 
+ ifconfig ${bridge} -untagged ${epone}a + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_pvid_cleanup() +{ + vnet_cleanup +} + +atf_test_case "vlan_pvid_filtered" "cleanup" +vlan_pvid_filtered_head() +{ + atf_set descr 'bridge with two ports with different pvids' + atf_set require.user root +} + +vlan_pvid_filtered_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + jexec one ifconfig ${epone}b 192.0.2.1/24 up + jexec two ifconfig ${eptwo}b 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 + ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 30 + + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_pvid_filtered_cleanup() +{ + vnet_cleanup +} + +atf_test_case "vlan_pvid_tagged" "cleanup" +vlan_pvid_tagged_head() +{ + atf_set descr 'bridge pvid with tagged frames for pvid' + atf_set require.user root +} + +vlan_pvid_tagged_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + # Create two tagged interfaces on the appropriate VLANs + jexec one ifconfig ${epone}b up + jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up + jexec two ifconfig ${eptwo}b up + jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 + ifconfig ${bridge} addm ${eptwo}a untagged ${eptwo}a 20 + + # Tagged frames should not be passed. 
+ atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_pvid_tagged_cleanup() +{ + vnet_cleanup +} + +atf_test_case "vlan_pvid_1q" "cleanup" +vlan_pvid_1q_head() +{ + atf_set descr '802.1q tag addition and removal' + atf_set require.user root +} + +vlan_pvid_1q_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + # Set up one jail with an access port, and the other with a trunk port. + # This forces the bridge to add and remove .1q tags to bridge the + # traffic. + + jexec one ifconfig ${epone}b 192.0.2.1/24 up + jexec two ifconfig ${eptwo}b up + jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} addm ${epone}a untagged ${epone}a 20 + ifconfig ${bridge} addm ${eptwo}a + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + + atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_pvid_1q_cleanup() +{ + vnet_cleanup +} + +# +# Test vlan filtering. 
+# +atf_test_case "vlan_filtering" "cleanup" +vlan_filtering_head() +{ + atf_set descr 'tagged traffic with filtering' + atf_set require.user root +} + +vlan_filtering_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + jexec one ifconfig ${epone}b up + jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up + jexec two ifconfig ${eptwo}b up + jexec two ifconfig ${eptwo}b.20 create 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + ifconfig ${bridge} addm ${epone}a vlanfilter ${epone}a + ifconfig ${bridge} addm ${eptwo}a vlanfilter ${eptwo}a + + # Right now there are no VLANs on the access list, so everything + # should be blocked. + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + # Set the untagged vlan on both ports to 20 and make sure traffic is + # still blocked. We intentionally do not pass tagged traffic for the + # untagged vlan. + atf_check -s exit:0 ifconfig ${bridge} untagged ${epone}a 20 + atf_check -s exit:0 ifconfig ${bridge} untagged ${eptwo}a 20 + + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + atf_check -s exit:0 ifconfig ${bridge} -untagged ${epone}a + atf_check -s exit:0 ifconfig ${bridge} -untagged ${eptwo}a + + # Add VLANs 10-30 to the access list; now access should be allowed. + ifconfig ${bridge} +tagged ${epone}a 10-30 + ifconfig ${bridge} +tagged ${eptwo}a 10-30 + atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + # Remove vlan 20 from the access list, now access should be blocked + # again. 
+ ifconfig ${bridge} -tagged ${epone}a 20 + ifconfig ${bridge} -tagged ${eptwo}a 20 + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_filtering_cleanup() +{ + vnet_cleanup +} + +# +# Test the ifconfig 'tagged' option. +# +atf_test_case "vlan_ifconfig_tagged" "cleanup" +vlan_ifconfig_tagged_head() +{ + atf_set descr 'test the ifconfig tagged option' + atf_set require.user root +} + +vlan_ifconfig_tagged_body() +{ + vnet_init + vnet_init_bridge + + ep=$(vnet_mkepair) + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} addm ${ep}a vlanfilter ${ep}a up + ifconfig ${ep}a up + + # To start with, no vlans should be configured. + atf_check -s exit:0 -o not-match:"tagged" ifconfig ${bridge} + + # Add vlans 100-149. + atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a 100-149 + atf_check -s exit:0 -o match:"tagged 100-149" ifconfig ${bridge} + + # Replace the vlan list with 139-199. + atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a 139-199 + atf_check -s exit:0 -o match:"tagged 139-199" ifconfig ${bridge} + + # Add vlans 100-170. + atf_check -s exit:0 ifconfig ${bridge} +tagged ${ep}a 100-170 + atf_check -s exit:0 -o match:"tagged 100-199" ifconfig ${bridge} + + # Remove vlans 104, 105, and 150-159 + atf_check -s exit:0 ifconfig ${bridge} -tagged ${ep}a 104,105,150-159 + atf_check -s exit:0 -o match:"tagged 100-103,106-149,160-199" \ + ifconfig ${bridge} + + # Remove the entire vlan list. + atf_check -s exit:0 ifconfig ${bridge} tagged ${ep}a none + atf_check -s exit:0 -o not-match:"tagged" ifconfig ${bridge} + + # Test some invalid vlans sets. + for bad_vlan in -1 0 4096 4097 foo 0-10 4000-5000 foo-40 40-foo; do + atf_check -s exit:1 -e ignore \ + ifconfig ${bridge} tagged "$bad_vlan" + done +} + +vlan_ifconfig_tagged_cleanup() +{ + vnet_cleanup +} + +# +# Test a vlan(4) "SVI" interface on top of a bridge. 
+# +atf_test_case "vlan_svi" "cleanup" +vlan_svi_head() +{ + atf_set descr 'vlan bridge with an SVI' + atf_set require.user root +} + +vlan_svi_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + + jexec one ifconfig ${epone}b up + jexec one ifconfig ${epone}b.20 create 192.0.2.1/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${bridge} addm ${epone}a tagged ${epone}a 20 + + svi=$(vnet_mkvlan) + ifconfig ${svi} vlan 20 vlandev ${bridge} + ifconfig ${svi} inet 192.0.2.2/24 up + + atf_check -s exit:0 -o ignore ping -c 3 -t 1 192.0.2.1 +} + +vlan_svi_cleanup() +{ + vnet_cleanup +} + +# +# Test QinQ (802.1ad). +# +atf_test_case "vlan_qinq" "cleanup" +vlan_qinq_head() +{ + atf_set descr 'vlan filtering with QinQ traffic' + atf_set require.user root +} + +vlan_qinq_body() +{ + vnet_init + vnet_init_bridge + + epone=$(vnet_mkepair) + eptwo=$(vnet_mkepair) + + vnet_mkjail one ${epone}b + vnet_mkjail two ${eptwo}b + + # Create a QinQ trunk between the two jails. The outer (provider) tag + # is 5, and the inner tag is 10. + + jexec one ifconfig ${epone}b up + jexec one ifconfig ${epone}b.5 create vlanproto 802.1ad up + jexec one ifconfig ${epone}b.5.10 create inet 192.0.2.1/24 up + + jexec two ifconfig ${eptwo}b up + jexec two ifconfig ${eptwo}b.5 create vlanproto 802.1ad up + jexec two ifconfig ${eptwo}b.5.10 create inet 192.0.2.2/24 up + + bridge=$(vnet_mkbridge) + + ifconfig ${bridge} up + ifconfig ${epone}a up + ifconfig ${eptwo}a up + ifconfig ${bridge} addm ${epone}a vlanfilter ${epone}a + ifconfig ${bridge} addm ${eptwo}a vlanfilter ${eptwo}a + + # Right now there are no VLANs on the access list, so everything + # should be blocked. + atf_check -s exit:2 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:2 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 + + # Add the provider tag to the access list; now traffic should be passed. 
+ ifconfig ${bridge} +tagged ${epone}a 5 + ifconfig ${bridge} +tagged ${eptwo}a 5 + atf_check -s exit:0 -o ignore jexec one ping -c 3 -t 1 192.0.2.2 + atf_check -s exit:0 -o ignore jexec two ping -c 3 -t 1 192.0.2.1 +} + +vlan_qinq_cleanup() +{ + vnet_cleanup +} + +# Adding a bridge SVI to a bridge should not be allowed. +atf_test_case "bridge_svi_in_bridge" "cleanup" +bridge_svi_in_bridge_head() +{ + atf_set descr 'adding a bridge SVI to a bridge is not allowed (1)' + atf_set require.user root +} + +bridge_svi_in_bridge_body() +{ + vnet_init + vnet_init_bridge + + bridge=$(vnet_mkbridge) + atf_check -s exit:0 ifconfig ${bridge}.1 create + atf_check -s exit:1 -e ignore ifconfig ${bridge} addm ${bridge}.1 +} + +bridge_svi_in_bridge_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "bridge_transmit_ipv4_unicast" @@ -705,4 +1259,16 @@ atf_init_test_cases() atf_add_test_case "mtu" atf_add_test_case "vlan" atf_add_test_case "many_bridge_members" + atf_add_test_case "member_ifaddrs_enabled" + atf_add_test_case "member_ifaddrs_disabled" + atf_add_test_case "member_ifaddrs_vlan" + atf_add_test_case "vlan_pvid" + atf_add_test_case "vlan_pvid_1q" + atf_add_test_case "vlan_pvid_filtered" + atf_add_test_case "vlan_pvid_tagged" + atf_add_test_case "vlan_filtering" + atf_add_test_case "vlan_ifconfig_tagged" + atf_add_test_case "vlan_svi" + atf_add_test_case "vlan_qinq" + atf_add_test_case "bridge_svi_in_bridge" } diff --git a/tests/sys/net/if_lagg_test.sh b/tests/sys/net/if_lagg_test.sh index 6b99aaedfbbf..e2b998599991 100755 --- a/tests/sys/net/if_lagg_test.sh +++ b/tests/sys/net/if_lagg_test.sh @@ -83,10 +83,6 @@ status_stress_body() { local TAP0 TAP1 LAGG MAC - if [ "$(atf_config_get ci false)" = "true" ]; then - atf_skip "Skipping this test because it panics the machine fairly often" - fi - # Configure the lagg interface to use an RFC5737 nonrouteable addresses ADDR="192.0.2.2" MASK="24" 
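Review bot: The invalid-VLAN loop at the end of vlan_ifconfig_tagged_body leaves out the member interface, `ifconfig ${bridge} tagged "$bad_vlan"`, so each iteration exits 1 because of the missing argument rather than because the set is rejected, and the check would still pass if the parser accepted `0-10` or `4000-5000`; it should read `ifconfig ${bridge} tagged ${ep}a "$bad_vlan"`, matching the valid cases above it. member_ifaddrs_vlan_body also has a bare `jexec two ifconfig` between the second vnet_mkjail and the bridge creation; it only prints interface state and looks like leftover debugging output. A comment nit in vlan_pvid_body: `# Removed the untagged VLAN on one port; traffic should not be passed.` should read `# Remove the untagged VLAN on one port; traffic should not be passed.`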
@@ -142,8 +138,6 @@ create_destroy_stress_body() { local TAP0 TAP1 LAGG MAC - atf_skip "Skipping this test because it easily panics the machine" - TAP0=`get_tap` TAP1=`get_tap` TAP2=`get_tap` @@ -196,10 +190,6 @@ lacp_linkstate_destroy_stress_head() } lacp_linkstate_destroy_stress_body() { - if [ "$(atf_config_get ci false)" = "true" ]; then - atf_skip "https://bugs.freebsd.org/244168" - fi - local TAP0 TAP1 LAGG MAC SRCDIR # Configure the lagg interface to use an RFC5737 nonrouteable addresses @@ -261,8 +251,6 @@ up_destroy_stress_body() { local TAP0 TAP1 LAGG MAC SRCDIR - atf_skip "Skipping this test because it panics the machine fairly often" - # Configure the lagg interface to use an RFC5737 nonrouteable addresses ADDR="192.0.2.2" MASK="24" @@ -358,7 +346,6 @@ updown_body() { local TAP0 TAP1 LAGG MAC - atf_expect_fail "PR 226144 Upping a lagg interrface should automatically up its children" # Configure the lagg interface to use an RFC5737 nonrouteable addresses ADDR="192.0.2.2" MASK="24" diff --git a/tests/sys/net/if_ovpn/Makefile b/tests/sys/net/if_ovpn/Makefile index 823ad06e76ee..85746226e122 100644 --- a/tests/sys/net/if_ovpn/Makefile +++ b/tests/sys/net/if_ovpn/Makefile @@ -6,8 +6,8 @@ TESTSDIR= ${TESTSBASE}/sys/net/if_ovpn .if ${MK_PF} != "no" ATF_TESTS_SH+= if_ovpn -# Tests reuse jail names and so cannot run in parallel. -TEST_METADATA.if_ovpn+= is_exclusive=true +TEST_METADATA.if_ovpn+= execenv="jail" +TEST_METADATA.if_ovpn+= execenv_jail_params="vnet allow.raw_sockets" .endif ATF_TESTS_C+= if_ovpn_c diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index 0ec2563cf355..c42344da1a3b 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh 
@@ -95,6 +95,10 @@ atf_test_case "4in4" "cleanup" echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 + + # Test routing loop protection + jexec b route add 192.0.2.1 198.51.100.1 + atf_check -s exit:2 -o ignore jexec b ping -t 1 -c 1 198.51.100.1 } 4in4_cleanup() 
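Review bot: The new routing-loop check runs `jexec b route add 192.0.2.1 198.51.100.1` without checking its result, so if the route is not installed the following `atf_check -s exit:2` measures ordinary connectivity rather than the loop protection, and can pass or fail for an unrelated reason. Wrap it as `atf_check -s exit:0 -o ignore jexec b route add 192.0.2.1 198.51.100.1`. The same applies to the `jexec b route add -6 2001:db8::1 2001:db8:1::1` line in the 6in6 hunk (@@ -404,6 +488,10). The enclosing 4in4 body starts before this hunk.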
@@ -102,6 +106,86 @@ atf_test_case "4in4" "cleanup" ovpn_cleanup } +atf_test_case "bz283426" "cleanup" +bz283426_head() +{ + atf_set descr 'FreeBSD Bugzilla 283426' + atf_set require.user root + atf_set require.progs openvpn python3 +} + +bz283426_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + jexec a ifconfig ${l}a 192.0.2.1/24 up + vnet_mkjail b ${l}b + jexec b ifconfig ${l}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + bind 0.0.0.0:1194 + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.1 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 + + # Send a broadcast packet in the outer link. + echo "import socket as sk +s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM) +s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1) +s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +bz283426_cleanup() +{ + ovpn_cleanup +} + atf_test_case "4mapped" "cleanup" 4mapped_head() { 
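Review bot: In bz283426_body the broadcast send that actually reproduces the bug, the `echo "import socket as sk ..." | jexec b python3` pipeline, is not wrapped in atf_check, so a Python exception (for example from sendto on the 1000-byte broadcast) would go unnoticed and the test would pass on the final ping without ever having sent the triggering packet. Either run the pipeline under `atf_check -s exit:0 -x '...'` or write the script to a file in the work directory and run `atf_check -s exit:0 jexec b python3 bcast.py`. A short comment stating what the broadcast is expected to provoke, e.g. `# A broadcast to the server port must not break the established tunnel (bug 283426).`, would also help the next reader of the case.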
@@ -404,6 +488,10 @@ atf_test_case "6in6" "cleanup" atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 + + # Test routing loop protection + jexec b route add -6 2001:db8::1 2001:db8:1::1 + atf_check -s exit:2 -o ignore jexec b ping6 -t 1 -c 3 2001:db8:1::1 } 6in6_cleanup() @@ -594,6 +682,7 @@ multi_client_head() multi_client_body() { ovpn_init + vnet_init_bridge bridge=$(vnet_mkbridge) srv=$(vnet_mkepair) @@ -806,6 +895,7 @@ ra_head() ra_body() { ovpn_init + vnet_init_bridge bridge=$(vnet_mkbridge) srv=$(vnet_mkepair) 
@@ -1038,9 +1128,286 @@ gcm_128_cleanup() ovpn_cleanup } +atf_test_case "destroy_unused" "cleanup" +destroy_unused_head() +{ + atf_set descr 'Destroy an if_ovpn interface before it is used' + atf_set require.user root +} + +destroy_unused_body() +{ + ovpn_init + + intf=$(ifconfig ovpn create) + atf_check -s exit:0 \ + ifconfig ${intf} destroy +} + +destroy_unused_cleanup() +{ + ovpn_cleanup +} + +atf_test_case "multihome4" "cleanup" +multihome4_head() +{ + atf_set descr 'Test multihome IPv4 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome4_body() +{ + pft_init + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24 + atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24 + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24 + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + multihome + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 192.0.2.1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +multihome4_cleanup() +{ + ovpn_cleanup + pft_cleanup +} + +multihome6_head() +{ + atf_set descr 'Test multihome IPv6 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome6_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad + atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp6 + + cipher AES-256-GCM + auth SHA256 + + multihome + server-ipv6 2001:db8:1::/64 + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 2001:db8::2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 2001:db8::1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 +} + +multihome6_cleanup() +{ + ovpn_cleanup +} + +atf_test_case "float" "cleanup" +float_head() +{ + atf_set descr 'Test peer float notification' + atf_set require.user root +} + +float_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + jexec a ifconfig ${l}a 192.0.2.1/24 up + jexec a ifconfig lo0 127.0.0.1/8 up + vnet_mkjail b ${l}b + jexec b ifconfig ${l}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + local 192.0.2.1 + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 2 10 + + management 192.0.2.1 1234 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.1 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 2 10 + " + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 + + # We expect the client on 192.0.2.2 + if ! echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.2; then + atf_fail "Client not found in status list!" + fi + + # Now change the client IP + jexec b ifconfig ${l}b 192.0.2.3/24 up + + # And wait for keepalives to trigger the float notification + sleep 5 + + # So the client now has the new address in userspace + if ! 
echo "status" | jexec a nc -N 192.0.2.1 1234 | grep 192.0.2.3; then + atf_fail "Client not found in status list!" + fi +} + +float_cleanup() +{ + ovpn_cleanup +} + atf_init_test_cases() { atf_add_test_case "4in4" + atf_add_test_case "bz283426" atf_add_test_case "4mapped" atf_add_test_case "6in4" atf_add_test_case "6in6" @@ -1052,4 +1419,8 @@ atf_init_test_cases() atf_add_test_case "ra" atf_add_test_case "chacha" atf_add_test_case "gcm_128" + atf_add_test_case "destroy_unused" + atf_add_test_case "multihome4" + atf_add_test_case "multihome6" + atf_add_test_case "float" } diff --git a/tests/sys/net/if_vlan.sh b/tests/sys/net/if_vlan.sh index 675ed0090e8c..8122203337e2 100755 --- a/tests/sys/net/if_vlan.sh +++ b/tests/sys/net/if_vlan.sh @@ -22,8 +22,12 @@ basic_body() jexec alcatraz ifconfig ${epair_vlan}a up jexec alcatraz ifconfig ${vlan0} 10.0.0.1/24 up - vlan1=$(jexec singsing ifconfig vlan create vlandev ${epair_vlan}b \ - vlan 42) + vlan1=$(jexec singsing ifconfig vlan create) + + # Test associating the physical interface + atf_check -s exit:0 \ + jexec singsing ifconfig ${vlan1} vlandev ${epair_vlan}b vlan 42 + jexec singsing ifconfig ${epair_vlan}b up jexec singsing ifconfig ${vlan1} 10.0.0.2/24 up @@ -37,7 +41,7 @@ basic_body() # And change back # Test changing the vlan ID atf_check -s exit:0 \ - jexec singsing ifconfig ${vlan1} vlandev ${epair_vlan}b vlan 42 + jexec singsing ifconfig ${vlan1} vlan 42 vlandev ${epair_vlan}b atf_check -s exit:0 -o ignore jexec singsing ping -c 1 10.0.0.1 } @@ -253,7 +257,7 @@ bpf_pcp_head() { atf_set descr 'Set VLAN PCP through BPF' atf_set require.user root - atf_set require.progs scapy + atf_set require.progs python3 scapy } bpf_pcp_body() 
@@ -293,6 +297,68 @@ bpf_pcp_cleanup() vnet_cleanup } +atf_test_case "conflict_id" "cleanup" +conflict_id_head() +{ + atf_set descr 'Test conflicting VLAN IDs, PR #279195' + atf_set require.user root +} + +conflict_id_body() +{ + vnet_init + + epair=$(vnet_mkepair) + + vnet_mkjail alcatraz ${epair}b + vlan_a=$(jexec alcatraz ifconfig vlan create) + vlan_b=$(jexec alcatraz ifconfig vlan create) + + jexec alcatraz ifconfig ${vlan_a} vlan 100 vlandev ${epair}b + jexec alcatraz ifconfig ${vlan_b} vlan 101 vlandev ${epair}b + + atf_check -s exit:1 -o ignore -e ignore \ + jexec alcatraz ifconfig ${vlan_a} vlan 101 + + atf_check -s exit:0 -o match:"vlan: 100" \ + jexec alcatraz ifconfig ${vlan_a} + + atf_check -s exit:0 -o ignore -e ignore \ + jexec alcatraz ifconfig ${vlan_a} vlan 100 +} + +conflict_id_cleanup() +{ + vnet_cleanup + +} + +# If a vlan interface is in a bridge, changing the vlandev to refer to +# a bridge should not be allowed. +atf_test_case "bridge_vlandev" "cleanup" +bridge_vlandev_head() +{ + atf_set descr 'transforming a bridge member vlan into an SVI is not allowed' + atf_set require.user root +} + +bridge_vlandev_body() +{ + vnet_init + vnet_init_bridge + + bridge=$(vnet_mkbridge) + vlan=$(vnet_mkvlan) + + atf_check -s exit:0 ifconfig ${bridge} addm ${vlan} + atf_check -s exit:1 -e ignore ifconfig ${vlan} vlan 1 vlandev ${bridge} +} + +bridge_vlandev_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" @@ -302,4 +368,6 @@ atf_init_test_cases() atf_add_test_case "qinq_dot" atf_add_test_case "qinq_setflags" atf_add_test_case "bpf_pcp" + atf_add_test_case "conflict_id" + atf_add_test_case "bridge_vlandev" } diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh index b43b40f25018..1f51d86c8efa 100644 --- a/tests/sys/net/if_wg.sh +++ b/tests/sys/net/if_wg.sh 
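Review bot: In `conflict_id_body` the two setup commands `jexec alcatraz ifconfig ${vlan_a} vlan 100 vlandev ${epair}b` and the matching one for `${vlan_b}` are not checked, so a setup failure would only surface later as a confusing `match:"vlan: 100"` mismatch; wrap them with `atf_check -s exit:0 ...` like the assertions that follow. `bridge_vlandev_body` relies on `vnet_mkvlan`, which is not defined anywhere in this diff; presumably it lives in the shared utils, but confirm, since a missing helper would leave `${vlan}` empty and make the `addm` fail for the wrong reason. Minor: `conflict_id_cleanup` has a stray blank line before its closing brace.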
@@ -34,6 +34,7 @@ wg_basic_head() { atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails' atf_set require.user root + atf_set require.kmods if_wg } wg_basic_body() @@ -41,8 +42,6 @@ wg_basic_body() local epair pri1 pri2 pub1 pub2 wg1 wg2 local endpoint1 endpoint2 tunnel1 tunnel2 - kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" - pri1=$(wg genkey) pri2=$(wg genkey) 
@@ -92,11 +91,90 @@ wg_basic_cleanup() vnet_cleanup } +atf_test_case "wg_basic_crossaf" "cleanup" +wg_basic_crossaf_head() +{ + atf_set descr 'Create a wg(4) tunnel and pass IPv4 traffic over an IPv6 nexthop' + atf_set require.user root +} + +wg_basic_crossaf_body() +{ + local epair pri1 pri2 pub1 pub2 wg1 wg2 + local endpoint1 endpoint2 tunnel1 tunnel2 + local testnet testlocal testremote + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + + endpoint1=192.168.2.1 + endpoint2=192.168.2.2 + tunnel1=2001:db8:1::1 + tunnel2=2001:db8:1::2 + + testnet=192.168.3.0/24 + testlocal=192.168.3.1 + testremote=192.168.3.2 + + epair=$(vnet_mkepair) + + vnet_init + + vnet_mkjail wgtest1 ${epair}a + vnet_mkjail wgtest2 ${epair}b + + jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up + jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + wg2=$(jexec wgtest2 ifconfig wg create) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/128,${testnet} + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet6 ${tunnel1}/64 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/128,${testnet} + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet6 ${tunnel2}/64 up + + atf_check -s exit:0 jexec wgtest1 ifconfig $wg1 inet ${testlocal}/32 + atf_check -s exit:0 jexec wgtest2 ifconfig $wg2 inet ${testremote}/32 + + # Generous timeout since the handshake takes some time. 
+ atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tunnel2" + + # Setup our IPv6 endpoint and routing + atf_check -s exit:0 -o ignore \ + jexec wgtest1 route add -inet ${testnet} -inet6 "$tunnel2" + atf_check -s exit:0 -o ignore \ + jexec wgtest2 route add -inet ${testnet} -inet6 "$tunnel1" + # Now ping an address on the other side + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 3 ${testremote} +} + +wg_basic_crossaf_cleanup() +{ + vnet_cleanup +} + atf_test_case "wg_basic_netmap" "cleanup" wg_basic_netmap_head() { atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails with netmap' atf_set require.user root + atf_set require.kmods if_wg netmap } wg_basic_netmap_body() @@ -105,9 +183,6 @@ wg_basic_netmap_body() local endpoint1 endpoint2 tunnel1 tunnel2 tunnel3 tunnel4 local pid status - kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" - kldload -n netmap || atf_skip "This test requires netmap and could not load it" - pri1=$(wg genkey) pri2=$(wg genkey) @@ -190,6 +265,7 @@ wg_key_peerdev_shared_head() { atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer' atf_set require.user root + atf_set require.kmods if_wg } wg_key_peerdev_shared_body() @@ -197,8 +273,6 @@ wg_key_peerdev_shared_body() local epair pri1 pub1 wg1 local endpoint1 tunnel1 - kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" - pri1=$(wg genkey) endpoint1=192.168.2.1 @@ -238,8 +312,6 @@ wg_key_peerdev_makeshared_body() local epair pri1 pub1 pri2 wg1 wg2 local endpoint1 tunnel1 - kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" - pri1=$(wg genkey) pri2=$(wg genkey) @@ -283,6 +355,7 @@ wg_vnet_parent_routing_head() { atf_set descr 'Create a wg(4) tunnel without epairs and pass traffic between jails' atf_set require.user root + atf_set require.kmods if_wg } wg_vnet_parent_routing_body() 
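Review bot: `wg_basic_crossaf_body` keeps the `kldload -n if_wg || atf_skip ...` idiom while this same commit moves `wg_basic`, `wg_basic_netmap`, `wg_key_peerdev_shared` and `wg_vnet_parent_routing` to `atf_set require.kmods if_wg` in their `_head`; do the same here by adding `atf_set require.kmods if_wg` to `wg_basic_crossaf_head` and dropping the kldload line. `vnet_init` is also called after `epair=$(vnet_mkepair)`; if vnet_init is where the VIMAGE capability check and skip live (it is outside this diff), the epair is created before the test decides whether it can run, so move `vnet_init` to the top of the body as the other tests do. The `route add -inet ${testnet} -inet6 "$tunnel2"` pair is the point of the test, and a one-line comment saying so, e.g. `# IPv4 prefix reached via an IPv6 next hop on the wg interface`, would make the expected behaviour explicit.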
@@ -290,8 +363,6 @@ wg_vnet_parent_routing_body() local pri1 pri2 pub1 pub2 wg1 wg2 local tunnel1 tunnel2 - kldload -n if_wg - pri1=$(wg genkey) pri2=$(wg genkey) 
@@ -346,11 +417,217 @@ wg_vnet_parent_routing_cleanup() vnet_cleanup } +# The kernel should now allow removing a single allowed-ip without having to +# replace the whole list. We can't really test the atomicity of it all that +# easily, but we'll trust that it worked right if just that addr/mask is gone. +atf_test_case "wg_allowedip_incremental" "cleanup" +wg_allowedip_incremental_head() +{ + atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax" + atf_set require.user root +} + +wg_allowedip_incremental_body() +{ + local pri1 pri2 pub1 pub2 wg1 + local tunnel1 tunnel2 tunnel3 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + tunnel3=169.254.0.3 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/32,${tunnel2}/32" + + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg.allowed + atf_check grep -q "${tunnel2}/32" wg.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel2}/32" + + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg-2.allowed + atf_check -s not-exit:0 grep -q "${tunnel2}/32" wg-2.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/32" + + atf_check -o save:wg-3.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/32" wg-3.allowed + atf_check grep -q "${tunnel2}/32" wg-3.allowed + + # Now attempt to add the address yet again to confirm that it's not + # harmful. 
+ atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/32" + + atf_check -o save:wg-4.allowed -x \ + "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'" + atf_check -o match:"2 wg-4.allowed$" wc -l wg-4.allowed + + # Finally, let's try removing an address that we never had at all and + # confirm that we still have our two addresses. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel3}/32" + + atf_check -o save:wg-5.allowed -x \ + "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'" + atf_check cmp -s wg-4.allowed wg-5.allowed +} + +wg_allowedip_incremental_cleanup() +{ + vnet_cleanup +} + +atf_test_case "wg_allowedip_incremental_inet6" "cleanup" +wg_allowedip_incremental_inet6_head() +{ + atf_set descr "Add/remove IPv6 allowed-ips from a peer with the +/- incremental syntax" + atf_set require.user root +} + +wg_allowedip_incremental_inet6_body() +{ + local pri1 pri2 pub1 pub2 wg1 + local tunnel1 tunnel2 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + + tunnel1=2001:db8:1::1 + tunnel2=2001:db8:1::2 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/128" + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/128" wg.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel2}/128" + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -q "${tunnel1}/128" wg-2.allowed + atf_check grep -q "${tunnel2}/128" wg-2.allowed + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel1}/128" + 
atf_check -o save:wg-3.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check -s not-exit:0 grep -q "${tunnel1}/128" wg-3.allowed + atf_check grep -q "${tunnel2}/128" wg-3.allowed +} + +wg_allowedip_incremental_inet6_cleanup() +{ + vnet_cleanup +} + + +atf_test_case "wg_allowedip_incremental_stealing" "cleanup" +wg_allowedip_incremental_stealing_head() +{ + atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax to steal" + atf_set require.user root +} + +wg_allowedip_incremental_stealing_body() +{ + local pri1 pri2 pri3 pub1 pub2 pub3 wg1 + local regex2 regex3 + local tunnel1 tunnel2 + + kldload -n if_wg || atf_skip "This test requires if_wg and could not load it" + + pri1=$(wg genkey) + pri2=$(wg genkey) + pri3=$(wg genkey) + pub2=$(echo "$pri2" | wg pubkey) + pub3=$(echo "$pri3" | wg pubkey) + + regex2=$(echo "$pub2" | sed -e 's/[+]/[+]/g') + regex3=$(echo "$pub3" | sed -e 's/[+]/[+]/g') + + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + tunnel3=169.254.0.3 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "${tunnel1}/32,${tunnel2}/32" + + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub3 \ + allowed-ips "${tunnel3}/32" + + # First, confirm that the negative syntax doesn't do anything because + # we have the wrong peer. + atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "-${tunnel3}/32" + + atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips + atf_check grep -Eq "^${regex3}.+${tunnel3}/32" wg.allowed + + # Next, steal it with an incremental move and check that it moved. 
+ atf_check -s exit:0 \ + jexec wgtest1 wg set $wg1 peer $pub2 \ + allowed-ips "+${tunnel3}/32" + + atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips + + atf_check grep -Eq "^${regex2}.+${tunnel3}/32" wg-2.allowed + atf_check grep -Evq "^${regex3}.+${tunnel3}/32" wg-2.allowed +} + +wg_allowedip_incremental_stealing_cleanup() +{ + vnet_cleanup +} + atf_init_test_cases() { atf_add_test_case "wg_basic" + atf_add_test_case "wg_basic_crossaf" atf_add_test_case "wg_basic_netmap" atf_add_test_case "wg_key_peerdev_shared" atf_add_test_case "wg_key_peerdev_makeshared" atf_add_test_case "wg_vnet_parent_routing" + atf_add_test_case "wg_allowedip_incremental" + atf_add_test_case "wg_allowedip_incremental_inet6" + atf_add_test_case "wg_allowedip_incremental_stealing" } diff --git a/tests/sys/net/routing/Makefile b/tests/sys/net/routing/Makefile index c98e4e2a2eaf..c725d23f15d1 100644 --- a/tests/sys/net/routing/Makefile +++ b/tests/sys/net/routing/Makefile @@ -1,4 +1,3 @@ - PACKAGE= tests WARNS?= 1 |
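Review bot: In `wg_allowedip_incremental_stealing_body` the final assertion `atf_check grep -Evq "^${regex3}.+${tunnel3}/32" wg-2.allowed` is vacuous: `grep -v -q` exits 0 as soon as any line does not match, and wg-2.allowed also contains the `${pub2}` line, so it passes whether or not peer 3 still lists 169.254.0.3/32. Since this is the security-relevant half of the check (after the steal only `${pub2}` may be accepted as the source of that address), write it as `atf_check -s not-exit:0 grep -Eq "^${regex3}.+${tunnel3}/32" wg-2.allowed`, the form already used in `wg_allowedip_incremental`. Two smaller points: `tunnel3` is assigned but missing from the `local tunnel1 tunnel2` declaration in the same function, and all three new tests still use `kldload -n if_wg || atf_skip` although this commit switches the existing wg tests to `atf_set require.kmods if_wg`. The `cmp -s wg-4.allowed wg-5.allowed` comparison also assumes `wg show allowed-ips` prints in a stable order, which looks reasonable but is worth a comment.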