git: 641fbfc82822 - main - pf tests: Do not handle ipfw presence

From: Igor Ostapenko <igoro_at_FreeBSD.org>
Date: Sat, 14 Sep 2024 08:12:55 UTC
The branch main has been updated by igoro:

URL: https://cgit.FreeBSD.org/src/commit/?id=641fbfc82822ac269c778dcdba2406a4df520424

commit 641fbfc82822ac269c778dcdba2406a4df520424
Author:     Igor Ostapenko <igoro@FreeBSD.org>
AuthorDate: 2024-09-14 08:08:06 +0000
Commit:     Igor Ostapenko <igoro@FreeBSD.org>
CommitDate: 2024-09-14 08:08:06 +0000

    pf tests: Do not handle ipfw presence
    
    Initially, it was added to cover a conflicting case of ipfw and pf used
    together. But there are more drawbacks than benefits:
    - A half of these tests are always skipped. That leads to
      misunderstanding, while the test suite strives to avoid ambiguous
      situations.
    - Handling enabled ipfw on the test level is tedious, error-prone, and
      less maintainable.
    - CI and similar parties already know how to deal with ipfw for the test
      suite, like making it open by default. Extra complexity is not needed.
    
    In addition, ipfw+pf use cases are not officially supported.
    
    Reviewed by:    kp, markj
    Approved by:    kp (mentor), markj (mentor)
    Differential Revision:  https://reviews.freebsd.org/D46655
---
 tests/sys/netpfil/pf/divert-to.sh | 203 ++++++--------------------------------
 tests/sys/netpfil/pf/if_enc.sh    |  56 ++---------
 2 files changed, 37 insertions(+), 222 deletions(-)

diff --git a/tests/sys/netpfil/pf/divert-to.sh b/tests/sys/netpfil/pf/divert-to.sh
index 72adbeedb007..c7118c397032 100644
--- a/tests/sys/netpfil/pf/divert-to.sh
+++ b/tests/sys/netpfil/pf/divert-to.sh
@@ -51,8 +51,6 @@
 #         > outbound > diverted > outbound | network terminated
 #
 # Test case naming legend:
-# ipfwon - with ipfw enabled
-# ipfwoff - with ipfw disabled
 # in - inbound
 # div - diverted
 # out - outbound
@@ -76,40 +74,21 @@ dummynet_init()
 	fi
 }
 
-ipfw_init()
-{
-	if ! kldstat -q -m ipfw; then
-		atf_skip "This test requires ipfw"
-	fi
-}
-
-assert_ipfw_is_off()
-{
-	if kldstat -q -m ipfw; then
-		atf_skip "This test is for the case when ipfw is not loaded"
-	fi
-}
-
-atf_test_case "ipfwoff_in_div" "cleanup"
-ipfwoff_in_div_head()
+atf_test_case "in_div" "cleanup"
+in_div_head()
 {
 	atf_set descr 'Test inbound > diverted | divapp terminated'
 	atf_set require.user root
 }
-ipfwoff_in_div_body()
+in_div_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	epair=$(vnet_mkepair)
 	vnet_mkjail div ${epair}b
 	ifconfig ${epair}a 192.0.2.1/24 up
 	jexec div ifconfig ${epair}b 192.0.2.2/24 up
-	test $ipfwon && jexec div ipfw add 65534 allow all from any to any
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
@@ -129,46 +108,26 @@ ipfwoff_in_div_body()
 
 	wait $divapp_pid
 }
-ipfwoff_in_div_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwon_in_div" "cleanup"
-ipfwon_in_div_head()
-{
-	atf_set descr 'Test inbound > diverted | divapp terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_in_div_body()
-{
-	ipfwoff_in_div_body "ipfwon"
-}
-ipfwon_in_div_cleanup()
+in_div_cleanup()
 {
 	pft_cleanup
 }
 
-atf_test_case "ipfwoff_in_div_in" "cleanup"
-ipfwoff_in_div_in_head()
+atf_test_case "in_div_in" "cleanup"
+in_div_in_head()
 {
 	atf_set descr 'Test inbound > diverted > inbound | host terminated'
 	atf_set require.user root
 }
-ipfwoff_in_div_in_body()
+in_div_in_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	epair=$(vnet_mkepair)
 	vnet_mkjail div ${epair}b
 	ifconfig ${epair}a 192.0.2.1/24 up
 	jexec div ifconfig ${epair}b 192.0.2.2/24 up
-	test $ipfwon && jexec div ipfw add 65534 allow all from any to any
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
@@ -188,46 +147,26 @@ ipfwoff_in_div_in_body()
 
 	wait $divapp_pid
 }
-ipfwoff_in_div_in_cleanup()
+in_div_in_cleanup()
 {
 	pft_cleanup
 }
 
-atf_test_case "ipfwon_in_div_in" "cleanup"
-ipfwon_in_div_in_head()
-{
-	atf_set descr 'Test inbound > diverted > inbound | host terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_in_div_in_body()
-{
-	ipfwoff_in_div_in_body "ipfwon"
-}
-ipfwon_in_div_in_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwoff_out_div" "cleanup"
-ipfwoff_out_div_head()
+atf_test_case "out_div" "cleanup"
+out_div_head()
 {
 	atf_set descr 'Test outbound > diverted | divapp terminated'
 	atf_set require.user root
 }
-ipfwoff_out_div_body()
+out_div_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	epair=$(vnet_mkepair)
 	vnet_mkjail div ${epair}b
 	ifconfig ${epair}a 192.0.2.1/24 up
 	jexec div ifconfig ${epair}b 192.0.2.2/24 up
-	test $ipfwon && jexec div ipfw add 65534 allow all from any to any
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
@@ -248,46 +187,26 @@ ipfwoff_out_div_body()
 
 	wait $divapp_pid
 }
-ipfwoff_out_div_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwon_out_div" "cleanup"
-ipfwon_out_div_head()
-{
-	atf_set descr 'Test outbound > diverted | divapp terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_out_div_body()
-{
-	ipfwoff_out_div_body "ipfwon"
-}
-ipfwon_out_div_cleanup()
+out_div_cleanup()
 {
 	pft_cleanup
 }
 
-atf_test_case "ipfwoff_out_div_out" "cleanup"
-ipfwoff_out_div_out_head()
+atf_test_case "out_div_out" "cleanup"
+out_div_out_head()
 {
 	atf_set descr 'Test outbound > diverted > outbound | network terminated'
 	atf_set require.user root
 }
-ipfwoff_out_div_out_body()
+out_div_out_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	epair=$(vnet_mkepair)
 	vnet_mkjail div ${epair}b
 	ifconfig ${epair}a 192.0.2.1/24 up
 	jexec div ifconfig ${epair}b 192.0.2.2/24 up
-	test $ipfwon && jexec div ipfw add 65534 allow all from any to any
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
@@ -308,40 +227,21 @@ ipfwoff_out_div_out_body()
 
 	wait $divapp_pid
 }
-ipfwoff_out_div_out_cleanup()
+out_div_out_cleanup()
 {
 	pft_cleanup
 }
 
-atf_test_case "ipfwon_out_div_out" "cleanup"
-ipfwon_out_div_out_head()
-{
-	atf_set descr 'Test outbound > diverted > outbound | network terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_out_div_out_body()
-{
-	ipfwoff_out_div_out_body "ipfwon"
-}
-ipfwon_out_div_out_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwoff_in_div_in_fwd_out_div_out" "cleanup"
-ipfwoff_in_div_in_fwd_out_div_out_head()
+atf_test_case "in_div_in_fwd_out_div_out" "cleanup"
+in_div_in_fwd_out_div_out_head()
 {
 	atf_set descr 'Test inbound > diverted > inbound > forwarded > outbound > diverted > outbound | network terminated'
 	atf_set require.user root
 }
-ipfwoff_in_div_in_fwd_out_div_out_body()
+in_div_in_fwd_out_div_out_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	# host <a--epair0--b> router <a--epair1--b> site
 	epair0=$(vnet_mkepair)
@@ -352,12 +252,10 @@ ipfwoff_in_div_in_fwd_out_div_out_body()
 	jexec router sysctl net.inet.ip.forwarding=1
 	jexec router ifconfig ${epair0}b 192.0.2.2/24 up
 	jexec router ifconfig ${epair1}a 198.51.100.1/24 up
-	test $ipfwon && jexec router ipfw add 65534 allow all from any to any
 
 	vnet_mkjail site ${epair1}b
 	jexec site ifconfig ${epair1}b 198.51.100.2/24 up
 	jexec site route add default 198.51.100.1
-	test $ipfwon && jexec site ipfw add 65534 allow all from any to any
 
 	route add -net 198.51.100.0/24 192.0.2.2
 
@@ -385,48 +283,28 @@ ipfwoff_in_div_in_fwd_out_div_out_body()
 
 	wait $indivapp_pid && wait $outdivapp_pid
 }
-ipfwoff_in_div_in_fwd_out_div_out_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwon_in_div_in_fwd_out_div_out" "cleanup"
-ipfwon_in_div_in_fwd_out_div_out_head()
-{
-	atf_set descr 'Test inbound > diverted > inbound > forwarded > outbound > diverted > outbound | network terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_in_div_in_fwd_out_div_out_body()
-{
-	ipfwoff_in_div_in_fwd_out_div_out_body "ipfwon"
-}
-ipfwon_in_div_in_fwd_out_div_out_cleanup()
+in_div_in_fwd_out_div_out_cleanup()
 {
 	pft_cleanup
 }
 
-atf_test_case "ipfwoff_in_dn_in_div_in_out_div_out_dn_out" "cleanup"
-ipfwoff_in_dn_in_div_in_out_div_out_dn_out_head()
+atf_test_case "in_dn_in_div_in_out_div_out_dn_out" "cleanup"
+in_dn_in_div_in_out_div_out_dn_out_head()
 {
 	atf_set descr 'Test inbound > delayed+diverted > outbound > diverted+delayed > outbound | network terminated'
 	atf_set require.user root
 }
-ipfwoff_in_dn_in_div_in_out_div_out_dn_out_body()
+in_dn_in_div_in_out_div_out_dn_out_body()
 {
-	local ipfwon
-
 	pft_init
 	divert_init
 	dummynet_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
 	epair=$(vnet_mkepair)
 	vnet_mkjail alcatraz ${epair}b
 	ifconfig ${epair}a 192.0.2.1/24 up
 	ifconfig ${epair}a ether 02:00:00:00:00:01
 	jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
-	test $ipfwon && jexec alcatraz ipfw add 65534 allow all from any to any
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
@@ -489,41 +367,20 @@ ipfwoff_in_dn_in_div_in_out_div_out_dn_out_body()
 
 	# }
 }
-ipfwoff_in_dn_in_div_in_out_div_out_dn_out_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwon_in_dn_in_div_in_out_div_out_dn_out" "cleanup"
-ipfwon_in_dn_in_div_in_out_div_out_dn_out_head()
-{
-	atf_set descr 'Test inbound > delayed+diverted > outbound > diverted+delayed > outbound | network terminated, with ipfw enabled'
-	atf_set require.user root
-}
-ipfwon_in_dn_in_div_in_out_div_out_dn_out_body()
-{
-	ipfwoff_in_dn_in_div_in_out_div_out_dn_out_body "ipfwon"
-}
-ipfwon_in_dn_in_div_in_out_div_out_dn_out_cleanup()
+in_dn_in_div_in_out_div_out_dn_out_cleanup()
 {
 	pft_cleanup
 }
 
 atf_init_test_cases()
 {
-	atf_add_test_case "ipfwoff_in_div"
-	atf_add_test_case "ipfwoff_in_div_in"
-	atf_add_test_case "ipfwon_in_div"
-	atf_add_test_case "ipfwon_in_div_in"
+	atf_add_test_case "in_div"
+	atf_add_test_case "in_div_in"
 
-	atf_add_test_case "ipfwoff_out_div"
-	atf_add_test_case "ipfwoff_out_div_out"
-	atf_add_test_case "ipfwon_out_div"
-	atf_add_test_case "ipfwon_out_div_out"
+	atf_add_test_case "out_div"
+	atf_add_test_case "out_div_out"
 
-	atf_add_test_case "ipfwoff_in_div_in_fwd_out_div_out"
-	atf_add_test_case "ipfwon_in_div_in_fwd_out_div_out"
+	atf_add_test_case "in_div_in_fwd_out_div_out"
 
-	atf_add_test_case "ipfwoff_in_dn_in_div_in_out_div_out_dn_out"
-	atf_add_test_case "ipfwon_in_dn_in_div_in_out_div_out_dn_out"
+	atf_add_test_case "in_dn_in_div_in_out_div_out_dn_out"
 }
diff --git a/tests/sys/netpfil/pf/if_enc.sh b/tests/sys/netpfil/pf/if_enc.sh
index 2e9060d4aa68..40090b175470 100644
--- a/tests/sys/netpfil/pf/if_enc.sh
+++ b/tests/sys/netpfil/pf/if_enc.sh
@@ -71,24 +71,8 @@ if_enc_init()
 	fi
 }
 
-ipfw_init()
-{
-	if ! kldstat -q -m ipfw; then
-		atf_skip "This test requires ipfw"
-	fi
-}
-
-assert_ipfw_is_off()
-{
-	if kldstat -q -m ipfw; then
-		atf_skip "This test is for the case when ipfw is not loaded"
-	fi
-}
-
 build_test_network()
 {
-	local ipfwon=$1
-
 	alan=$(vnet_mkepair)
 	awan=$(vnet_mkepair)
 	bwan=$(vnet_mkepair)
@@ -98,7 +82,6 @@ build_test_network()
 	vnet_mkjail a ${alan}a
 	jexec a ifconfig ${alan}a 1.0.0.11/24 up
 	jexec a route add default 1.0.0.1
-	test $ipfwon && jexec a ipfw add 65534 allow all from any to any
 
 	# host agw
 	vnet_mkjail agw ${alan}b ${awan}a
@@ -106,14 +89,12 @@ build_test_network()
 	jexec agw ifconfig ${awan}a 2.0.0.22/24 up
 	jexec agw route add default 2.0.0.1
 	jexec agw sysctl net.inet.ip.forwarding=1
-	test $ipfwon && jexec agw ipfw add 65534 allow all from any to any
 
 	# host wan
 	vnet_mkjail wan ${awan}b ${bwan}b
 	jexec wan ifconfig ${awan}b 2.0.0.1/24 up
 	jexec wan ifconfig ${bwan}b 3.0.0.1/24 up
 	jexec wan sysctl net.inet.ip.forwarding=1
-	test $ipfwon && jexec wan ipfw add 65534 allow all from any to any
 
 	# host bgw
 	vnet_mkjail bgw ${bwan}a ${blan}b
@@ -121,13 +102,11 @@ build_test_network()
 	jexec bgw ifconfig ${blan}b 4.0.0.1/24 up
 	jexec bgw route add default 3.0.0.1
 	jexec bgw sysctl net.inet.ip.forwarding=1
-	test $ipfwon && jexec bgw ipfw add 65534 allow all from any to any
 
 	# host b
 	vnet_mkjail b ${blan}a
 	jexec b ifconfig ${blan}a 4.0.0.44/24 up
 	jexec b route add default 4.0.0.1
-	test $ipfwon && jexec b ipfw add 65534 allow all from any to any
 
 	# Office A VPN setup
 	echo '
@@ -146,23 +125,19 @@ build_test_network()
 	' | jexec bgw setkey -c
 }
 
-atf_test_case "ipfwoff_ip4_pfil_in_after_stripping" "cleanup"
-ipfwoff_ip4_pfil_in_after_stripping_head()
+atf_test_case "ip4_pfil_in_after_stripping" "cleanup"
+ip4_pfil_in_after_stripping_head()
 {
-	atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header, with ipfw disabled'
+	atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header'
 	atf_set require.user root
 	atf_set require.progs nc
 }
-ipfwoff_ip4_pfil_in_after_stripping_body()
+ip4_pfil_in_after_stripping_body()
 {
-	local ipfwon
-
 	pft_init
 	if_enc_init
-	test "$1" == "ipfwon" && ipfwon="yes"
-	test $ipfwon && ipfw_init || assert_ipfw_is_off
 
-	build_test_network $ipfwon
+	build_test_network
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore jexec a ping -c3 4.0.0.44
@@ -192,29 +167,12 @@ ipfwoff_ip4_pfil_in_after_stripping_body()
 	jexec b kill -KILL $nc_pid	# in a fail case the catcher may listen forever
 	atf_check_equal "$spell" "$(cat ./receiver)"
 }
-ipfwoff_ip4_pfil_in_after_stripping_cleanup()
-{
-	pft_cleanup
-}
-
-atf_test_case "ipfwon_ip4_pfil_in_after_stripping" "cleanup"
-ipfwon_ip4_pfil_in_after_stripping_head()
-{
-	atf_set descr 'Test that pf pulls up mbuf if m_len==0 after stripping the outer header, with ipfw enabled'
-	atf_set require.user root
-	atf_set require.progs nc
-}
-ipfwon_ip4_pfil_in_after_stripping_body()
-{
-	ipfwoff_ip4_pfil_in_after_stripping_body "ipfwon"
-}
-ipfwon_ip4_pfil_in_after_stripping_cleanup()
+ip4_pfil_in_after_stripping_cleanup()
 {
 	pft_cleanup
 }
 
 atf_init_test_cases()
 {
-	atf_add_test_case "ipfwoff_ip4_pfil_in_after_stripping"
-	atf_add_test_case "ipfwon_ip4_pfil_in_after_stripping"
+	atf_add_test_case "ip4_pfil_in_after_stripping"
 }