git: 657aec455f7c - main - pf tests: test reassembly in the slow path
Date: Tue, 06 Jun 2023 08:52:29 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=657aec455f7cd960c8fa79a089f88f450c568d2d commit 657aec455f7cd960c8fa79a089f88f450c568d2d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-06-02 14:42:08 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-06-06 08:03:50 +0000 pf tests: test reassembly in the slow path Ensure that 'fragment reassemble' works as expected, even in the IP stack's slow forwarding path. (So not via ip_tryforward()) Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D40396
---
 tests/sys/netpfil/pf/fragmentation_pass.sh | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/tests/sys/netpfil/pf/fragmentation_pass.sh b/tests/sys/netpfil/pf/fragmentation_pass.sh
index 560642a189e8..d257de730d2d 100644
--- a/tests/sys/netpfil/pf/fragmentation_pass.sh
+++ b/tests/sys/netpfil/pf/fragmentation_pass.sh
@@ -425,6 +425,49 @@ no_df_cleanup()
 pft_cleanup
 }
 
+atf_test_case "reassemble_slowpath" "cleanup"
+reassemble_slowpath_head()
+{
+ atf_set descr 'Test reassembly on the slow path'
+ atf_set require.user root
+}
+
+reassemble_slowpath_body()
+{
+ if ! sysctl -q kern.features.ipsec >/dev/null ; then
+ atf_skip "This test requires ipsec"
+ fi
+
+ setup_router_server_ipv4
+
+ # Now define an ipsec policy so we end up taking the slow path.
+ # We don't actually need the traffic to go through ipsec, we just don't
+ # want to go through ip_tryforward().
+ echo "flush;
+ spdflush;
+ spdadd 203.0.113.1/32 203.0.113.2/32 any -P out ipsec esp/transport//require;
+ add 203.0.113.1 203.0.113.2 esp 0x1001 -E aes-gcm-16 \"12345678901234567890\";" \
+ | jexec router setkey -c
+
+ # Sanity check.
+ ping_server_check_reply exit:0 --ping-type=icmp
+
+ # Enable packet reassembly with clearing of the no-df flag.
+ pft_set_rules router \
+ "scrub in on ${epair_tester}b fragment no reassemble" \
+ "scrub on ${epair_server}a fragment reassemble" \
+ "pass"
+
+ # Ensure that the packet makes it through the slow path
+ atf_check -s exit:0 -o ignore \
+ ping -c 1 -s 2000 198.51.100.2
+}
+
+reassemble_slowpath_cleanup()
+{
+ pft_cleanup
+}
+
 atf_init_test_cases()
 {
 atf_add_test_case "too_many_fragments"
@@ -435,4 +478,5 @@ atf_init_test_cases()
 atf_add_test_case "overlimit"
 atf_add_test_case "reassemble"
 atf_add_test_case "no_df"
+ atf_add_test_case "reassemble_slowpath"
 }
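Review bot: The only assertion in reassemble_slowpath_body is that `ping -c 1 -s 2000 198.51.100.2` exits 0, which shows the fragmented packet was forwarded but not that it avoided ip_tryforward() or that pf actually reassembled it. If the dummy IPsec policy ever stops forcing the slow path, the test would presumably keep passing on the fast path, and the loss of reassembly coverage on a firewall path would go unnoticed. Consider recording the router's fast-forward counter before and after the ping (for example from `jexec router netstat -s -p ip`) and failing the test if it increased. Separately, the comment `# Enable packet reassembly with clearing of the no-df flag.` does not match the rules below it, which set no `no-df` option; `# Reassemble fragments on ${epair_server}a only, not on ${epair_tester}b.` would describe what the two scrub rules do.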