From owner-svn-src-stable@freebsd.org Wed Dec 26 12:55:36 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 84D6C1350B53; Wed, 26 Dec 2018 12:55:36 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 271C482222; Wed, 26 Dec 2018 12:55:36 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0DDA223DB1; Wed, 26 Dec 2018 12:55:36 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wBQCtZt3011057; Wed, 26 Dec 2018 12:55:35 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wBQCtZux011056; Wed, 26 Dec 2018 12:55:35 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201812261255.wBQCtZux011056@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Wed, 26 Dec 2018 12:55:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r342544 - stable/12/tests/sys/netpfil/pf X-SVN-Group: stable-12 X-SVN-Commit-Author: kp X-SVN-Commit-Paths: stable/12/tests/sys/netpfil/pf X-SVN-Commit-Revision: 342544 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 271C482222 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.961,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.998,0] X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Dec 2018 12:55:36 -0000 Author: kp Date: Wed Dec 26 12:55:35 2018 New Revision: 342544 URL: https://svnweb.freebsd.org/changeset/base/342544 Log: MFC r341999: pf tests: NAT exhaustion test It's been reported that pf doesn't handle running out of available ports for NAT correctly. It freezes until a state expires and it can find a free port. Test for this, by setting up a situation where only two ports are available for NAT and then attempting to create three connections. If successful the third connection will fail immediately. In an incorrect case the connection attempt will freeze, also freezing all interaction with pf through pfctl and trigger timeout. PR: 233867 Added: stable/12/tests/sys/netpfil/pf/nat.sh - copied unchanged from r341999, head/tests/sys/netpfil/pf/nat.sh Modified: stable/12/tests/sys/netpfil/pf/Makefile Directory Properties: stable/12/ (props changed) Modified: stable/12/tests/sys/netpfil/pf/Makefile ============================================================================== --- stable/12/tests/sys/netpfil/pf/Makefile Wed Dec 26 12:54:27 2018 (r342543) +++ stable/12/tests/sys/netpfil/pf/Makefile Wed Dec 26 12:55:35 2018 (r342544) @@ -9,6 +9,7 @@ ATF_TESTS_SH+= anchor \ pass_block \ forward \ fragmentation \ + nat \ set_tos \ route_to \ synproxy \ Copied: stable/12/tests/sys/netpfil/pf/nat.sh (from r341999, head/tests/sys/netpfil/pf/nat.sh) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/12/tests/sys/netpfil/pf/nat.sh Wed Dec 26 12:55:35 2018 (r342544, copy of r341999, head/tests/sys/netpfil/pf/nat.sh) @@ -0,0 +1,64 @@ +# $FreeBSD$ + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "exhaust" "cleanup" +exhaust_head() +{ + atf_set descr 'Test exhausting the NAT pool' + atf_set require.user root +} + +exhaust_body() +{ + pft_init + + epair_nat=$(pft_mkepair) + epair_echo=$(pft_mkepair) + + pft_mkjail nat ${epair_nat}b ${epair_echo}a + pft_mkjail echo ${epair_echo}b + + ifconfig ${epair_nat}a 192.0.2.2/24 up + route add -net 198.51.100.0/24 192.0.2.1 + + jexec nat ifconfig ${epair_nat}b 192.0.2.1/24 up + jexec nat ifconfig ${epair_echo}a 198.51.100.1/24 up + jexec nat sysctl net.inet.ip.forwarding=1 + + jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up + jexec echo /usr/sbin/inetd $(atf_get_srcdir)/echo_inetd.conf + + # Enable pf! + jexec nat pfctl -e + pft_set_rules nat \ + "nat pass on ${epair_echo}a inet from 192.0.2.0/24 to any -> (${epair_echo}a) port 30000:30001 sticky-address" + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 3 198.51.100.2 + + echo "foo" | nc -N 198.51.100.2 7 + echo "foo" | nc -N 198.51.100.2 7 + + # This one will fail, but that's expected + echo "foo" | nc -N 198.51.100.2 7 & + + sleep 1 + + # If the kernel is stuck in pf_get_sport() this will not succeed either. + timeout 2 jexec nat pfctl -sa + if [ $? -eq 124 ]; then + # Timed out + atf_fail "pfctl timeout" + fi +} + +exhaust_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "exhaust" +}