illumos-gate Udiff usr/src/test/os-tests/tests/pf

Print this page

11845 acquire-spray test could be improved
11857 kmc-update test missing from runfile

@@ -10,13 +10,21 @@
 # source.  A copy of the CDDL is also available via the Internet at
 # http://www.illumos.org/license/CDDL.
 #
 
 #
-# Copyright (c) 2017 Joyent, Inc.
+# Copyright 2019 Joyent, Inc.
 #
 
+#
+# This test sprays many concurrent ACQUIRE messages and checks the
+# monitor.
+#
+# Note that it's not run by default, as the monitor is best-efforts and
+# therefore not reliable under this kind of load.
+#
+
 if [ `id -u` -ne 0 ]; then
         echo "Need to be root or have effective UID of root."
         exit 255
 fi

@@ -23,49 +31,42 @@
 if [[ `zonename` != "global" ]]; then
         echo "Need to be the in the global zone for lock detection."
         exit 254
 fi
 
-# This test sprays many concurrent ACQUIRE messages.  The idea originally
-# was to view lock contention on the global netstack's IPsec algorithm lock.
-# It is also useful for having multiple ACQUIRE records.
-
 PREFIX=10.21.12.0/24
-MONITOR_LOG=/var/run/ipseckey-monitor.$$
+MONITOR_LOG=/var/tmp/ipseckey-monitor.$$
 
 # The program that sends an extended REGISTER to enable extended ACQUIREs.
 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
 
 $EACQ_PROG &
 eapid=$!
 
-# Find the ipsec_alg_lock to monitor with lockstat (below).
-GLOBAL_NETSTACK=`echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}'`
-GLOBAL_IPSEC=`echo $GLOBAL_NETSTACK::print netstack_t | mdb -k | grep -w nu_ipsec | awk '{print $3}'`
-IPSEC_ALG_LOCK=`echo $GLOBAL_IPSEC::print -a ipsec_stack_t ipsec_alg_lock | mdb -k | head -1 | awk '{print $1}'`
-
-#echo "WARNING -- this test flushes out IPsec policy..."
-#echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
-#echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
-#echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
-
 # Tunnels will be preserved by using -f instead of -F.
 ipsecconf -qf
 
 # Simple one-type-of-ESP setup...
 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
         ipsecconf -qa -
 # ipsecconf -ln
 
+echo "Starting monitor, logging to $MONITOR_LOG"
+
 # Get monitoring PF_KEY for at least regular ACQUIREs.
 ipseckey -n monitor > $MONITOR_LOG &
 IPSECKEY_PID=$!
 
 # Flush out the SADB to make damned sure we don't have straggler acquire
 # records internally.
 ipseckey flush
 
+# wait for the monitor
+sleep 5
+
+echo "Starting pings"
+
 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
 i=1
 while [ $i -le 254 ]; do
         truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
         i=$(($i + 1))

@@ -72,28 +73,38 @@
 done
 
 # Unleash the pings in 10 seconds, Smithers.
 ( sleep 10 ; prun `pgrep ping` ) &
 
-# Get the lockstats going now.
-echo "Running:     lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30"
-lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30
+echo "Waiting for pings to finish"
+
+# wait for the pings; not so charming
+while :; do
+        pids="$(pgrep ping)"
+        [[ -n "$pids" ]] || break
+        pwait $pids
+done
+
+# wait for the monitor
+sleep 10
+
 kill $IPSECKEY_PID
 kill $eapid
 # Use SMF to restore anything that may have been there.  "restart" on
 # a disabled service is a NOP, but an enabled one will get
 # /etc/inet/ipsecinit.conf reloaded.
 svcadm restart ipsec/policy
 
 # See if we have decent results.
 
-numacq=`grep ACQUIRE $MONITOR_LOG | wc -l | awk '{print $1}`
-#rm -f $MONITOR_LOG
-# Pardon the hardcoding again.
-if [[ $numacq != 508 ]]; then
-    echo "Got $numacq ACQUIREs instead of 508"
+i=1
+while [ $i -le 254 ]; do
+        c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG)
+        if [[ "$c" -ne 2 ]]; then
+                echo "One or more log entries missing for 10.21.12.$i" >&2
     exit 1
-else
-    echo "Saw expected $numacq ACQUIREs."
-fi
+        fi
+        i=$(($i + 1))
+done
 
+rm -f $MONITOR_LOG
 exit 0