Date: Tue, 12 Nov 2024 17:20:27 GMT
Message-Id: <202411121720.4ACHKRlT024990@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kajetan Staszkiewicz
Subject: git: 65b20771713c - main - pf tests: Simplify handling of pfctl -s
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: ks
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 65b20771713c7ec4d46fb5af4a16353209658d79
Auto-Submitted: auto-generated

The branch main has been updated by ks:

URL: https://cgit.FreeBSD.org/src/commit/?id=65b20771713c7ec4d46fb5af4a16353209658d79

commit 65b20771713c7ec4d46fb5af4a16353209658d79
Author:     Kajetan Staszkiewicz
AuthorDate: 2024-11-12 17:17:12 +0000
Commit:     Kajetan Staszkiewicz
CommitDate: 2024-11-12 17:17:12 +0000

    pf tests: Simplify handling of pfctl -s

    Some pf tests check the output of pfctl -s[sSr] to find if relevant
    states, source nodes or rules exist and if their counters have proper
    values. The output is multiple lines per entry and contains a varying
    amount of whitespace. This makes parsing it rather hard.

    Provide a function for standardization of output of pfctl -s[sSr] which
    converts the output to a single line per entry and reduces whitespace
    always to a single space. Adjust existing tests to make use of this
    function.

    Reviewed by:    kp
    Approved by:    kp (mentor)
    Differential Revision:  https://reviews.freebsd.org/D47435
---
 tests/sys/netpfil/pf/fragmentation_pass.sh |  5 ++---
 tests/sys/netpfil/pf/src_track.sh          | 24 ++++++++++++------------
 tests/sys/netpfil/pf/utils.subr            | 10 ++++++++++
 3 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/tests/sys/netpfil/pf/fragmentation_pass.sh b/tests/sys/netpfil/pf/fragmentation_pass.sh index 99d2c827b239..94a25cc41988 100644 --- a/tests/sys/netpfil/pf/fragmentation_pass.sh 
+++ b/tests/sys/netpfil/pf/fragmentation_pass.sh @@ -580,13 +580,12 @@ dummynet_fragmented_body() ping_dummy_check_request exit:0 --ping-type=udp --send-length=10000 --send-frag-length=1280 rules=$(mktemp) || exit 1 - jexec router pfctl -qvsr > $rules + jexec router pfctl -qvsr | normalize_pfctl_s > $rules # Count that fragmented packets have hit the rule only once and that # they have not created states. There is no stateful firewall support # for fragmented packets. - grep -A2 'pass in on epair0b inet proto udp all keep state dnpipe(1, 1)' $rules | - grep -qE 'Packets: 8\s+Bytes: 10168\s+States: 0\s+' || + grep -qE 'pass in on epair0b inet proto udp all keep state dnpipe\(1, 1\) .* Packets: 8 Bytes: 10168 States: 0 ' $rules || atf_fail "Fragmented packets not counted correctly" } diff --git a/tests/sys/netpfil/pf/src_track.sh b/tests/sys/netpfil/pf/src_track.sh index 9d0ca690d344..5349e61ec76b 100755 --- a/tests/sys/netpfil/pf/src_track.sh +++ b/tests/sys/netpfil/pf/src_track.sh 
@@ -165,16 +165,16 @@ max_src_conn_rule_body() ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4205 --fromaddr 2001:db8:44::2 states=$(mktemp) || exit 1 - jexec router pfctl -qss | grep 'tcp 2001:db8:43::2\[9\] <-' > $states + jexec router pfctl -qss | normalize_pfctl_s | grep 'tcp 2001:db8:43::2\[9\] <-' > $states - grep -qE '2001:db8:44::1\[4201\]\s+ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4201 not found or not established" - grep -qE '2001:db8:44::1\[4202\]\s+ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4202 not found or not established" - grep -qE '2001:db8:44::1\[4203\]\s+ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4203 not found or not established" - grep -qE '2001:db8:44::2\[4205\]\s+ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4205 not found or not established" + grep -qE '2001:db8:44::1\[4201\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4201 not found or not established" + grep -qE '2001:db8:44::1\[4202\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4202 not found or not established" + grep -qE '2001:db8:44::1\[4203\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4203 not found or not established" + grep -qE '2001:db8:44::2\[4205\] ESTABLISHED:ESTABLISHED' $states || atf_fail "State for port 4205 not found or not established" if ( - grep -qE '2001:db8:44::1\[4204\]\s+' $states && - ! grep -qE '2001:db8:44::1\[4204\]\s+CLOSED:CLOSED' $states + grep -qE '2001:db8:44::1\[4204\] ' $states && + ! grep -qE '2001:db8:44::1\[4204\] CLOSED:CLOSED' $states ); then atf_fail "State for port 4204 found but not closed" fi 
@@ -234,13 +234,13 @@ max_src_states_rule_body() # We will check the resulting source nodes, though. # Order of source nodes in output is not guaranteed, find each one separately. nodes=$(mktemp) || exit 1 - jexec router pfctl -qvsS > $nodes + jexec router pfctl -qvsS | normalize_pfctl_s > $nodes for node_regexp in \ - '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 3' \ - '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4' \ - '2001:db8:44::2 -> :: \( states 2, connections 2, rate [0-9/\.]+s \)\s+age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4' \ + '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \) age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 3$' \ + '2001:db8:44::1 -> :: \( states 2, connections 2, rate [0-9/\.]+s \) age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4$' \ + '2001:db8:44::2 -> :: \( states 2, connections 2, rate [0-9/\.]+s \) age [0-9:]+, 6 pkts, [0-9]+ bytes, filter rule 4$' \ ; do - cat $nodes | tr '\n' ' ' | grep -qE "$node_regexp" || atf_fail "Source nodes not matching expected output" + grep -qE "$node_regexp" $nodes || atf_fail "Source nodes not matching expected output" done # Check if limit counters have been properly set. diff --git a/tests/sys/netpfil/pf/utils.subr b/tests/sys/netpfil/pf/utils.subr index c854ad5e69d8..6af10e80390d 100644 --- a/tests/sys/netpfil/pf/utils.subr +++ b/tests/sys/netpfil/pf/utils.subr 
@@ -301,3 +301,13 @@ ping_server_check_reply() --replyif ${epair_tester}a \ $params } + +normalize_pfctl_s() +{ + # `pfctl -s[rsS]` output is divided into sections. Each rule, state or + # source node starts with the beginning of a line and next lines with leading + # spaces are various parameters of said rule, state or source node. + # Convert it into a single line per entry, and remove multiple spaces, + # so that regular expressions for matching them in tests can be simpler. + awk '{ if ($0 ~ /^[^ ]/ && NR > 1) print(""); gsub(/ +/, " ", $0); printf("%s", $0); } END {print("");}' +}
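Review bot: in dummynet_fragmented_body (fragmentation_pass.sh), the new single-grep pattern ends with a literal space after `States: 0`, so it passes only when something follows that counter on the normalized line. That requirement is easy to lose when the string is next edited; a short comment saying what is expected to follow, or matching it explicitly, would make the intent visible. `$rules` is also unquoted in both the redirect and the grep, and `"$rules"` is the safer form for a mktemp path.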
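Review bot: in max_src_states_rule_body (src_track.sh), the three node_regexp patterns gain a trailing `$`, but normalize_pfctl_s only collapses runs of spaces and never strips a trailing one, so a source-node entry whose last input line ends in a space would stop matching. Either trim trailing whitespace in the helper or end the patterns with ` ?$`. The anchor itself is worth keeping, since without it `filter rule 3` would also match `filter rule 30`.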
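Review bot: in normalize_pfctl_s (utils.subr), both the new-entry test `/^[^ ]/` and `gsub(/ +/, " ", $0)` handle the space character only, whereas the `\s+` patterns this commit removes from the tests also accepted tabs. If any line is indented with a tab it would be treated as the start of a new entry, and a tab between fields would survive normalization; `/^[^[:space:]]/` and `gsub(/[[:space:]]+/, " ", $0)` would keep the helper as tolerant as the patterns it replaces. The gsub also runs per input line before the lines are joined, so a line ending in a space followed by an indented continuation still yields two spaces in the output; collapsing after the join would avoid that.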