git: a4e64fcd6808 - main - pf tests: test kill and clear source nodes paths

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 06 Nov 2024 18:02:59 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a4e64fcd6808f638ce938ed028716a5c87b75dae

commit a4e64fcd6808f638ce938ed028716a5c87b75dae
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-11-06 14:28:31 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-11-06 18:02:03 +0000

    pf tests: test kill and clear source nodes paths
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/src_track.sh | 70 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 69 insertions(+), 1 deletion(-)

diff --git a/tests/sys/netpfil/pf/src_track.sh b/tests/sys/netpfil/pf/src_track.sh
index 2038393a240e..9d0ca690d344 100755
--- a/tests/sys/netpfil/pf/src_track.sh
+++ b/tests/sys/netpfil/pf/src_track.sh
@@ -52,7 +52,19 @@ source_track_body()
 		"pass out keep state (source-track)"
 
 	ping -c 3 192.0.2.1
-	jexec alcatraz pfctl -s all -v
+	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+
+	# Flush all source nodes
+	jexec alcatraz pfctl -FS
+
+	# We can't find the previous source node any more
+	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+
+	# But we still have the state
+	atf_check -s exit:0 -o match:'all icmp 192.0.2.1:8 <- 192.0.2.2:.*' \
+	    jexec alcatraz pfctl -ss
 }
 
 source_track_cleanup()
@@ -60,6 +72,61 @@ source_track_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "kill" "cleanup"
+kill_head()
+{
+	atf_set descr 'Test killing source nodes'
+	atf_set require.user root
+}
+
+kill_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+	vnet_mkjail alcatraz ${epair}b
+
+	ifconfig ${epair}a 192.0.2.2/24 up
+	ifconfig ${epair}a inet alias 192.0.2.3/24 up
+	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+	# Enable pf!
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+		"pass in keep state (source-track)" \
+		"pass out keep state (source-track)"
+
+	# Establish two sources
+	atf_check -s exit:0 -o ignore \
+	    ping -c 1 -S 192.0.2.2 192.0.2.1
+	atf_check -s exit:0 -o ignore \
+	    ping -c 1 -S 192.0.2.3 192.0.2.1
+
+	# Check that both source nodes exist
+	atf_check -s exit:0 -o match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+
+
+jexec alcatraz pfctl -sS
+
+	# Kill the 192.0.2.2 source
+	jexec alcatraz pfctl -K 192.0.2.2
+
+	# The other source still exists
+	atf_check -s exit:0 -o match:'192.0.2.3 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+
+	# But not the one we killed
+	atf_check -s exit:0 -o not-match:'192.0.2.2 -> 0.0.0.0 \( states 1,.*' \
+	    jexec alcatraz pfctl -sS
+}
+
+kill_cleanup()
+{
+	pft_cleanup
+}
 
 max_src_conn_rule_head()
 {
@@ -188,6 +255,7 @@ max_src_states_rule_cleanup()
 atf_init_test_cases()
 {
 	atf_add_test_case "source_track"
+	atf_add_test_case "kill"
 	atf_add_test_case "max_src_conn_rule"
 	atf_add_test_case "max_src_states_rule"
 }