1 #!/usr/bin/ksh
2
3 #
4 # This file and its contents are supplied under the terms of the
5 # Common Development and Distribution License ("CDDL"), version 1.0.
6 # You may only use this file in accordance with the terms of version
7 # 1.0 of the CDDL.
8 #
9 # A full copy of the text of the CDDL should have accompanied this
10 # source. A copy of the CDDL is also available via the Internet at
11 # http://www.illumos.org/license/CDDL.
12 #
13
14 #
15 # Copyright (c) 2017 Joyent, Inc.
16 #
17
18 if [ `id -u` -ne 0 ]; then
19 echo "Need to be root or have effective UID of root."
20 exit 255
21 fi
22
23 if [[ `zonename` != "global" ]]; then
24 echo "Need to be the in the global zone for lock detection."
25 exit 254
26 fi
27
28 # This test sprays many concurrent ACQUIRE messages. The idea originally
29 # was to view lock contention on the global netstack's IPsec algorithm lock.
30 # It is also useful for having multiple ACQUIRE records.
31
32 PREFIX=10.21.12.0/24
33 MONITOR_LOG=/var/run/ipseckey-monitor.$$
34
35 # The program that sends an extended REGISTER to enable extended ACQUIREs.
36 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
37
38 $EACQ_PROG &
39 eapid=$!
40
41 # Find the ipsec_alg_lock to monitor with lockstat (below).
42 GLOBAL_NETSTACK=`echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}'`
43 GLOBAL_IPSEC=`echo $GLOBAL_NETSTACK::print netstack_t | mdb -k | grep -w nu_ipsec | awk '{print $3}'`
44 IPSEC_ALG_LOCK=`echo $GLOBAL_IPSEC::print -a ipsec_stack_t ipsec_alg_lock | mdb -k | head -1 | awk '{print $1}'`
45
46 #echo "WARNING -- this test flushes out IPsec policy..."
47 #echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
48 #echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
49 #echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
50
51 # Tunnels will be preserved by using -f instead of -F.
52 ipsecconf -qf
53
54 # Simple one-type-of-ESP setup...
55 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
56 ipsecconf -qa -
57 # ipsecconf -ln
58
59 # Get monitoring PF_KEY for at least regular ACQUIREs.
60 ipseckey -n monitor > $MONITOR_LOG &
61 IPSECKEY_PID=$!
62
63 # Flush out the SADB to make damned sure we don't have straggler acquire
64 # records internally.
65 ipseckey flush
66
67 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
68 i=1
69 while [ $i -le 254 ]; do
70 truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
71 i=$(($i + 1))
72 done
73
74 # Unleash the pings in 10 seconds, Smithers.
75 ( sleep 10 ; prun `pgrep ping` ) &
76
77 # Get the lockstats going now.
78 echo "Running: lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30"
79 lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30
80 kill $IPSECKEY_PID
81 kill $eapid
82 # Use SMF to restore anything that may have been there. "restart" on
83 # a disabled service is a NOP, but an enabled one will get
84 # /etc/inet/ipsecinit.conf reloaded.
85 svcadm restart ipsec/policy
86
87 # See if we have decent results.
88
89 numacq=`grep ACQUIRE $MONITOR_LOG | wc -l | awk '{print $1}`
90 #rm -f $MONITOR_LOG
91 # Pardon the hardcoding again.
92 if [[ $numacq != 508 ]]; then
93 echo "Got $numacq ACQUIREs instead of 508"
94 exit 1
95 else
96 echo "Saw expected $numacq ACQUIREs."
97 fi
98
99 exit 0
|
1 #!/usr/bin/ksh
2
3 #
4 # This file and its contents are supplied under the terms of the
5 # Common Development and Distribution License ("CDDL"), version 1.0.
6 # You may only use this file in accordance with the terms of version
7 # 1.0 of the CDDL.
8 #
9 # A full copy of the text of the CDDL should have accompanied this
10 # source. A copy of the CDDL is also available via the Internet at
11 # http://www.illumos.org/license/CDDL.
12 #
13
14 #
15 # Copyright 2019 Joyent, Inc.
16 #
17
18 #
19 # This test sprays many concurrent ACQUIRE messages and checks the
20 # monitor.
21 #
22 # Note that it's not run by default, as the monitor is best-efforts and
23 # therefore not reliable under this kind of load.
24 #
25
26 if [ `id -u` -ne 0 ]; then
27 echo "Need to be root or have effective UID of root."
28 exit 255
29 fi
30
31 if [[ `zonename` != "global" ]]; then
32 echo "Need to be the in the global zone for lock detection."
33 exit 254
34 fi
35
36 PREFIX=10.21.12.0/24
37 MONITOR_LOG=/var/tmp/ipseckey-monitor.$$
38
39 # The program that sends an extended REGISTER to enable extended ACQUIREs.
40 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
41
42 $EACQ_PROG &
43 eapid=$!
44
45 # Tunnels will be preserved by using -f instead of -F.
46 ipsecconf -qf
47
48 # Simple one-type-of-ESP setup...
49 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
50 ipsecconf -qa -
51 # ipsecconf -ln
52
53 echo "Starting monitor, logging to $MONITOR_LOG"
54
55 # Get monitoring PF_KEY for at least regular ACQUIREs.
56 ipseckey -n monitor > $MONITOR_LOG &
57 IPSECKEY_PID=$!
58
59 # Flush out the SADB to make damned sure we don't have straggler acquire
60 # records internally.
61 ipseckey flush
62
63 # wait for the monitor
64 sleep 5
65
66 echo "Starting pings"
67
68 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
69 i=1
70 while [ $i -le 254 ]; do
71 truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
72 i=$(($i + 1))
73 done
74
75 # Unleash the pings in 10 seconds, Smithers.
76 ( sleep 10 ; prun `pgrep ping` ) &
77
78 echo "Waiting for pings to finish"
79
80 # wait for the pings; not so charming
81 while :; do
82 pids="$(pgrep ping)"
83 [[ -n "$pids" ]] || break
84 pwait $pids
85 done
86
87 # wait for the monitor
88 sleep 10
89
90 kill $IPSECKEY_PID
91 kill $eapid
92 # Use SMF to restore anything that may have been there. "restart" on
93 # a disabled service is a NOP, but an enabled one will get
94 # /etc/inet/ipsecinit.conf reloaded.
95 svcadm restart ipsec/policy
96
97 # See if we have decent results.
98
99 i=1
100 while [ $i -le 254 ]; do
101 c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG)
102 if [[ "$c" -ne 2 ]]; then
103 echo "One or more log entries missing for 10.21.12.$i" >&2
104 exit 1
105 fi
106 i=$(($i + 1))
107 done
108
109 rm -f $MONITOR_LOG
110 exit 0
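Review bot: The new `MONITOR_LOG=/var/tmp/ipseckey-monitor.$$` is a PID-derived, predictable name in a world-writable directory, and this root-only script opens it with `>` at `ipseckey -n monitor > $MONITOR_LOG`, so a symlink or file already at that path would be followed and truncated with root privileges. The old `/var/run` location is normally writable only by root and did not carry that exposure. Creating the file exclusively, with `MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX) || exit 1`, keeps the log in /var/tmp while removing the race. Separately, `ipsecconf -qf` replaces the live policy and `svcadm restart ipsec/policy` runs only on the straight-line path, so an interrupt during the ping wait leaves the test policy installed and the monitor and eacq-enabler running; a `trap` on INT/TERM that kills `$IPSECKEY_PID` and `$eapid` and restarts ipsec/policy would close that. The `pgrep ping` calls feeding `prun` and `pwait` also match any process system-wide whose name contains "ping", so `pgrep -x ping` (ideally narrowed to this session) would avoid resuming or waiting on unrelated processes.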
|