11837 tests/pf_key/acquire-compare is racy
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
*** 10,27 ****
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
#
! # Copyright (c) 2017 Joyent, Inc.
#
! if [ `id -u` -ne 0 ]; then
! echo "Need to be root or have effective UID of root."
exit 255
fi
# NOTE: If multihomed, this may fail in interesting ways...
MY_IP=`netstat -in -f inet | egrep -v "Name|lo0" | awk '{print $4}' | head -1`
TEST_REMOTE_DST1=10.90.1.25
TEST_REMOTE_DST2=10.19.84.2
TEST_REMOTE_DST3=10.19.84.3
--- 10,42 ----
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
#
! # Copyright 2019 Joyent, Inc.
#
! # we can't presume /usr/bin/timeout is there
! timeout_cmd() {
! $* &
! sleep 3
! kill $!
! # we want to pause a while to make sure the monitor log is
! # updated...
! sleep 2
! }
!
! if [[ `id -u` -ne 0 ]]; then
! echo "Error: need to be root or have effective UID of root." >&2
exit 255
fi
+ if [[ ! -x "$(type -p curl)" ]]; then
+ echo "Error: curl binary not found." >&2
+ exit 255
+ fi
+
# NOTE: If multihomed, this may fail in interesting ways...
MY_IP=`netstat -in -f inet | egrep -v "Name|lo0" | awk '{print $4}' | head -1`
TEST_REMOTE_DST1=10.90.1.25
TEST_REMOTE_DST2=10.19.84.2
TEST_REMOTE_DST3=10.19.84.3
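Review bot: `timeout_cmd` launches its command with an unquoted `$* &`, which re-splits every argument on whitespace and globs it; the calls in this change happen to pass only simple tokens, but the helper should use `"$@" &` so it stays correct for any argument. The `kill $!` a few lines later also assumes the child is still alive after the 3-second sleep; a ping or curl that exits early (unreachable host, bind failure) makes `kill` print an error and, if the test runs under `set -e`, abort the run, so `kill $! 2>/dev/null` (or checking `kill -0 $!` first) is the safer form. The curl check below is fine as written, though `command -v curl` is the more portable spelling of `type -p`.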
*** 32,41 ****
--- 47,61 ----
T1_PREFIX=10.21.12.0/24
T2_SRC=10.51.50.4
T2_DST=10.51.50.5
T2_PREFIX=10.51.50.0/24
+ CURL_DST3_LPORT=10001
+ CURL_DST4_LPORT=10002
+ CURL_DST1_LPORT=10003
+ CURL_PORT=80
+
MONITOR_LOG=/tmp/ipseckey-monitor.$$
EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
$EACQ_PROG &
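Review bot: The three `CURL_*_LPORT` values are fixed local ports, and the later check that only the DST4 port appears in the monitor log depends on curl actually binding them; if one is already in use on the test host, curl fails to bind, no ACQUIRE is produced, and the failure surfaces later as a misleading "missing from monitor log" message. A comment stating that assumption next to the definitions would help whoever debugs such a failure, e.g. `# Fixed local ports; the ACQUIRE checks below assume nothing else has these bound.` Choosing a non-overlapping range per address (curl's `--local-port` accepts `LOW-HIGH`) would also reduce the chance of a collision, at the cost of widening the grep patterns in the check.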
*** 46,59 ****
# Setup the IPsec policy...
ipsecconf -qa - << EOF
# Global policy...
# Remote-port-based policy. Use different algorithms...
! { raddr $TEST_REMOTE_DST3 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha512 }
# Unique policy...
! { raddr $TEST_REMOTE_DST4 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha256 sa unique }
# Simple IP address policy. Use an AH + ESP for it.
{ raddr $TEST_REMOTE_DST1 } ipsec { auth_algs sha512 encr_algs aes(256) }
{ raddr $TEST_REMOTE_DST2 } ipsec { auth_algs sha384 encr_algs aes(256) }
--- 66,79 ----
# Setup the IPsec policy...
ipsecconf -qa - << EOF
# Global policy...
# Remote-port-based policy. Use different algorithms...
! { raddr $TEST_REMOTE_DST3 rport $CURL_PORT ulp tcp } ipsec { encr_algs aes encr_auth_algs sha512 }
# Unique policy...
! { raddr $TEST_REMOTE_DST4 rport $CURL_PORT ulp tcp } ipsec { encr_algs aes encr_auth_algs sha256 sa unique }
# Simple IP address policy. Use an AH + ESP for it.
{ raddr $TEST_REMOTE_DST1 } ipsec { auth_algs sha512 encr_algs aes(256) }
{ raddr $TEST_REMOTE_DST2 } ipsec { auth_algs sha384 encr_algs aes(256) }
*** 73,114 ****
ipseckey flush
ipseckey -np monitor > $MONITOR_LOG &
IPSECKEY_PID=$!
! # Launch pings and telnets to different addresses (each requiring an ACQUIRE).
! ping -svn $TEST_REMOTE_DST1 1024 1 2>&1 > /dev/null &
! p1=$!
! ping -svn $TEST_REMOTE_DST2 1024 1 2>&1 > /dev/null &
! p2=$!
! ping -svn $T1_DST 1024 1 2>&1 > /dev/null &
! p3=$!
! ping -svn $T2_DST 1024 1 2>&1 > /dev/null &
! p4=$!
! echo "Waiting for pings..."
! pwait $p1 $p2 $p3 $p4
! # Now try some telnets to trigger port and unique policy.
# port-only for DST3
! telnet $TEST_REMOTE_DST3 &
! tpid=$!
! t1port=`pfiles $tpid | grep sockname | awk '{print $5}'`
! echo "First local port == $t1port"
! sleep 10 ; kill $tpid
# unique for DST4
! telnet $TEST_REMOTE_DST4 &
! tpid=$!
! t2port=`pfiles $tpid | grep sockname | awk '{print $5}'`
! echo "Second local port == $t2port"
! sleep 10 ; kill $tpid
# Nothing specced for DST1
! telnet $TEST_REMOTE_DST1 &
! tpid=$!
! t3port=`pfiles $tpid | grep sockname | awk '{print $5}'`
! echo "Third local port == $t3port"
! sleep 10 ; kill $tpid
# Clean up.
kill $IPSECKEY_PID
kill $eapid
# Unplumb the tunnels
--- 93,123 ----
ipseckey flush
ipseckey -np monitor > $MONITOR_LOG &
IPSECKEY_PID=$!
! # give the monitor some time to get set up
! sleep 3
! # Launch pings to various addresses (each requiring an ACQUIRE).
! timeout_cmd ping -svn $TEST_REMOTE_DST1 1024 1
! timeout_cmd ping -svn $TEST_REMOTE_DST2 1024 1
! timeout_cmd ping -svn $T1_DST 1024 1
! timeout_cmd ping -svn $T2_DST 1024 1
!
! # Now try some curls to trigger local port and unique policy.
!
# port-only for DST3
! timeout_cmd curl --local-port $CURL_DST3_LPORT \
! http://$TEST_REMOTE_DST3:$CURL_PORT
# unique for DST4
! timeout_cmd curl --local-port $CURL_DST4_LPORT \
! http://$TEST_REMOTE_DST4:$CURL_PORT
# Nothing specced for DST1
! timeout_cmd curl --local-port $CURL_DST1_LPORT \
! http://$TEST_REMOTE_DST1:$CURL_PORT
# Clean up.
kill $IPSECKEY_PID
kill $eapid
# Unplumb the tunnels
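Review bot: The new `timeout_cmd ping …` and `timeout_cmd curl …` invocations no longer discard the commands' output, whereas the removed lines sent ping's stdout to `/dev/null`; curl in particular will emit its progress meter and connection errors into the test log for each of the three attempts. Since `timeout_cmd` runs the command in the background with no redirection of its own, the quieting has to go on the command itself, e.g. `timeout_cmd curl -s -o /dev/null --local-port $CURL_DST3_LPORT \` followed by the unchanged URL line, and likewise for the other two curls (and `ping … > /dev/null` if the old behaviour is wanted). Worth noting in a comment that these commands are expected to block until killed, because the test only needs the outbound SYN/echo request to trigger the ACQUIRE, not a completed connection.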
*** 125,142 ****
# Use SMF to restore anything that may have been there. "restart" on
# a disabled service is a NOP, but an enabled one will get
# /etc/inet/ipsecinit.conf reloaded.
svcadm restart ipsec/policy
# Process MONITOR_LOG's output...
echo "Checking for unique local port only in one ACQUIRE case."
! egrep "$t1port|$t2port|$t3port" $MONITOR_LOG > /tmp/egrep.$$
! grep $t2port $MONITOR_LOG > /tmp/grep.$$
diff /tmp/grep.$$ /tmp/egrep.$$
if [[ $? != 0 ]]; then
! echo "More than just the one unique port, $tport2, found in monitor output."
! /bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ $MONITOR_LOG
exit 1
fi
# Split out extended (file.0) and regular (file.1) ACQUIREs.
# NOTE: "+7" is dependent on "ipseckey monitor"'s first output where it gets
--- 134,157 ----
# Use SMF to restore anything that may have been there. "restart" on
# a disabled service is a NOP, but an enabled one will get
# /etc/inet/ipsecinit.conf reloaded.
svcadm restart ipsec/policy
+ # give the monitor some time to finish up
+ sleep 5
+
# Process MONITOR_LOG's output...
echo "Checking for unique local port only in one ACQUIRE case."
! egrep "$CURL_DST3_LPORT|$CURL_DST4_LPORT|$CURL_DST1_LPORT" \
! $MONITOR_LOG > /tmp/egrep.$$
! grep $CURL_DST4_LPORT $MONITOR_LOG > /tmp/grep.$$ || {
! echo "unique port $CURL_DST4_LPORT missing from monitor log."
! exit 1
! }
diff /tmp/grep.$$ /tmp/egrep.$$
if [[ $? != 0 ]]; then
! echo "More than just the one unique port $CURL_DST4_LPORT found."
exit 1
fi
# Split out extended (file.0) and regular (file.1) ACQUIREs.
# NOTE: "+7" is dependent on "ipseckey monitor"'s first output where it gets
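Review bot: Both new early-exit paths — the `|| { … exit 1; }` after the `grep $CURL_DST4_LPORT` line and the `exit 1` after the `diff` — leave `/tmp/grep.$$`, `/tmp/egrep.$$` and `$MONITOR_LOG` behind; the old side removed them with `/bin/rm -f` before exiting, and that line was dropped here without a replacement. The cheapest fix is to restore `/bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ $MONITOR_LOG` in both branches, or to install a single `trap 'rm -f /tmp/grep.$$ /tmp/egrep.$$ $MONITOR_LOG' EXIT` near the top of the script so every exit path cleans up. The two new diagnostics also go to stdout, while the messages added earlier in this change write to stderr with `>&2`; keeping them consistent makes the failure reason visible when the harness captures only stderr.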