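#!/usr/bin/ksh

#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#

#
# Copyright 2019 Joyent, Inc.
#

#
# This test sprays many concurrent ACQUIRE messages and checks the
# monitor.
#
# Note that it's not run by default, as the monitor is best-efforts and
# therefore not reliable under this kind of load.
#
# Requirements: effective UID 0, global zone.
#
# Side effects on the host: the active IPsec policy is flushed
# (ipsecconf -qf) and every SA in the SADB is flushed (ipseckey flush).
# Policy is reloaded at the end through SMF; flushed SAs are not restored
# by this script, so run it on a machine set aside for testing.
#
# Exit status:
#   0    every address produced exactly two matching monitor entries
#   1    a monitor entry count was wrong, or the log could not be created
#   254  not running in the global zone
#   255  not running as root
#

if [ "$(id -u)" -ne 0 ]; then
	echo "Need to be root or have effective UID of root."
	exit 255
fi

if [[ "$(zonename)" != "global" ]]; then
	echo "Need to be the in the global zone for lock detection."
	exit 254
fi

PREFIX=10.21.12.0/24

# This script runs as root and writes the log through a shell redirection.
# A name built from $$ in world-writable /var/tmp can be guessed and
# pre-created (for example as a symlink) by an unprivileged local user,
# so let mktemp create the file exclusively with a random suffix.
MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX)
if [[ -z "$MONITOR_LOG" ]]; then
	echo "Could not create monitor log in /var/tmp" >&2
	exit 1
fi

# The program that sends an extended REGISTER to enable extended ACQUIREs.
EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler

"$EACQ_PROG" &
eapid=$!

# Tunnels will be preserved by using -f instead of -F.
ipsecconf -qf

# Simple one-type-of-ESP setup...
echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
    ipsecconf -qa -
# ipsecconf -ln

echo "Starting monitor, logging to $MONITOR_LOG"

# Get monitoring PF_KEY for at least regular ACQUIREs.
ipseckey -n monitor > "$MONITOR_LOG" &
IPSECKEY_PID=$!

# Flush out the SADB to make damned sure we don't have straggler acquire
# records internally.
ipseckey flush

# wait for the monitor
sleep 5

echo "Starting pings"

# Launch 254 pings to different addresses (each requiring an ACQUIRE).
# truss -Topen leaves each ping stopped at an open call, so all of them
# can be released together by the prun below.
#
# NOTE(review): with "2>&1 > /dev/null" stderr stays attached to this
# script's stdout and only stdout is discarded. If the intent was to
# silence both streams, the order should be "> /dev/null 2>&1".
i=1
while (( i <= 254 )); do
	truss -Topen -o /dev/null ping -svn "10.21.12.$i" 1024 1 2>&1 > /dev/null &
	i=$((i + 1))
done

# Unleash the pings in 10 seconds, Smithers.
#
# NOTE(review): "pgrep ping" matches by process name across the whole
# system, not only the pings started above; as root, prun and pwait will
# act on any other matching process as well.
# The pgrep output is left unquoted on purpose: one PID per word.
( sleep 10 ; prun $(pgrep ping) ) &

echo "Waiting for pings to finish"

# wait for the pings; not so charming
while :; do
	pids="$(pgrep ping)"
	[[ -n "$pids" ]] || break
	# Unquoted on purpose: pwait takes one PID per argument.
	pwait $pids
done

# wait for the monitor
sleep 10

kill "$IPSECKEY_PID"
kill "$eapid"
# Use SMF to restore anything that may have been there. "restart" on
# a disabled service is a NOP, but an enabled one will get
# /etc/inet/ipsecinit.conf reloaded.
svcadm restart ipsec/policy

# See if we have decent results.
# Each address must show up exactly twice as a destination in the log.
# On failure the log is not removed, so it stays available for inspection.

i=1
while (( i <= 254 )); do
	c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." "$MONITOR_LOG")
	if [[ "$c" -ne 2 ]]; then
		echo "One or more log entries missing for 10.21.12.$i" >&2
		exit 1
	fi
	i=$((i + 1))
done

rm -f -- "$MONITOR_LOG"
exit 0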