Added a framework to write tests for multiple firewalls, with a demonstration of the framework on the pass/block test.
Details
Details
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
| tests/sys/netpfil/Makefile | ||
|---|---|---|
| 9 ↗ | (On Diff #60145) | You'll have to check your editor settings. It's expanded tabs into spaces. |
| tests/sys/netpfil/common/Makefile | ||
| 5 ↗ | (On Diff #60145) | Same here. This is all indented with spaces, but should be using tabs. |
| tests/sys/netpfil/common/pass_block.sh | ||
| 39 ↗ | (On Diff #60145) | Check for stray trailing spaces here. (In vim ':set list'). |
| 73 ↗ | (On Diff #60145) | It looks a little odd to have ${firewall}_init and then firewall_cleanup. I wonder if it'd be better to firewall_init $firewall and do the ${firewall}_init thing in a wrapper function in utils.subr. That would also let you do vnet_init in firewall_init, rather than three times in the different firewall init functions. While I think about it, it'd probably also be good to pass the firewall type to the cleanup function (i.e. firewall_cleanup ${firewall}. We don't need it know, but might need it in the future, and then the required argument will be there. |
| 127 ↗ | (On Diff #60145) | There's no need for the '\' on the last line. |
| tests/sys/netpfil/common/runner.subr | ||
| 32 ↗ | (On Diff #60145) | I think the style wants there to be a space between ';' and 'do'. |
| 33 ↗ | (On Diff #60145) | The 'then' can go on the same line, expect it becomes an overly long line then. |
| 37 ↗ | (On Diff #60145) | It's probably a good idea to check that $testcase is set here, and it might also be good to check for duplicates (i.e. someone does setup_tests foo pf ipfw pf bar pf) |
| tests/sys/netpfil/common/utils.subr | ||
| 61 ↗ | (On Diff #60145) | This belongs with pf_init. It's also not immediately clear to my what this is for. |
| 74 ↗ | (On Diff #60145) | That belongs with ipf_init. |
| 122 ↗ | (On Diff #60145) | It's probably better to elif [ ${fw} == "ipfnat" ] here, and then have a default case that throws an error. |
Comment Actions
Also, I get 'install: /usr/tests/sys/netpfil/common/pass_block: No such file or directory' trying to install world.
This patch is missing this:
diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist index dfa35484c80..ef1b06935be 100644 --- a/etc/mtree/BSD.tests.dist +++ b/etc/mtree/BSD.tests.dist @@ -793,6 +793,8 @@ netmap .. netpfil + common + .. pf ioctl ..
Comment Actions
- Replaced spaces with tabs
- Created firewall_init function with firewall name as an argument
- Modified firewall_cleanup function to take name of the firewall as an argument
- Removed obsolete functions like ipf_init.
Comment Actions
- Add check for bad argument in setup_tests
- Add atf-fail in case of wrong firewall name in firewall_config
| tests/sys/netpfil/common/pass_block.sh | ||
|---|---|---|
| 3 ↗ | (On Diff #60175) | 'All rights reserved' no longer has any legal meaning. https://www.iusmentis.com/copyright/allrightsreserved/ We have been going through the tree removing it in places, I'd prefer we not introduce more instances. This applies to all copyright declarations in this review. For future the preferred license for new files in in the committers handbook: |
| 87 ↗ | (On Diff #60175) | Why are you disabling duplicate address detection? 2001::db8 (documentation) addresses are the wrong address space to use for tests. You should use unique local addresses (https://en.wikipedia.org/wiki/Unique_local_address) for the test addresses. I think this is also a problem in the v4 pftests too, I owe @kristof a diff @bz Does using ULA addresses for tests seem correct to you? |
| tests/sys/netpfil/common/runner.subr | ||
| 39 ↗ | (On Diff #60175) | I think the error message here should be something like "no testcase passed to setup_test" |
| tests/sys/netpfil/common/pass_block.sh | ||
|---|---|---|
| 87 ↗ | (On Diff #60175) | The pf tests do that too. I seem to remember because that means the address is applied immediately, rather than waiting for DAD to be done. This speeds up the tests, means we don't need silly little 'sleep X' calls after address assignment, and makes things more robust. Ahsan will have used 2001:db8 because I did that in pf. Your diff will be welcomed. |
Comment Actions
- Used ULA for v6 addresses
- Changed license according to preferred license
- For no_dad, I am taking kp's words regarding speed of the tests.
Comment Actions
I think I'm happy with this.
I'll give Tom a bit of time to add any more remarks he might have, but I think we can commit this soon.
I've also tested this with sysctl net.inet.ip.fw.default_to_accept=1, and that means we can just load all three firewalls and have the tests pass.
| tests/sys/netpfil/common/utils.subr | ||
|---|---|---|
| 65 ↗ | (On Diff #60288) | service ipfilter start relies on ipfilter_enabled="YES" in /etc/rc.conf. We shouldn't assume that. |
Comment Actions
check if ipf module is loaded using "kldstat -q -m ipfilter " because "kldstat -q -m ipl" doesn't work.