F132592488
D43111.id131565.diff
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -62,6 +62,7 @@
frag-overreplace.py \
pfsync_defer.py \
pft_ether.py \
+ pft_read_ipfix.py \
utils.subr
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
@@ -72,5 +73,6 @@
${PACKAGE}FILESMODE_frag-overreplace.py= 0555
${PACKAGE}FILESMODE_pfsync_defer.py= 0555
${PACKAGE}FILESMODE_pft_ether.py= 0555
+${PACKAGE}FILESMODE_pft_read_ipfix.py= 0555
.include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/pflow.sh b/tests/sys/netpfil/pf/pflow.sh
--- a/tests/sys/netpfil/pf/pflow.sh
+++ b/tests/sys/netpfil/pf/pflow.sh
@@ -74,7 +74,69 @@
pft_cleanup
}
+atf_test_case "state_defaults" "cleanup"
+state_defaults_head()
+{
+ atf_set descr 'Test set state-defaults pflow'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+state_defaults_body()
+{
+ pflow_init
+
+ epair=$(vnet_mkepair)
+ ifconfig ${epair}a 192.0.2.2/24 up
+
+ vnet_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz \
+ "pass"
+
+ pflow=$(jexec alcatraz ifconfig pflow create)
+ jexec alcatraz ifconfig ${pflow} flowdst 192.0.2.2:2055 up
+
+ # No flow data is generated because no states are marked for it.
+ ping -c 1 192.0.2.1
+ # Flush states to force pflow creation
+ jexec alcatraz pfctl -Fstates
+
+ atf_check -o match:"No data" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+
+ # Expect pflow output with state-defaults pflow
+ pft_set_rules alcatraz \
+ "set state-defaults pflow" \
+ "pass"
+
+ ping -c 1 192.0.2.1
+
+ # We default to version 5
+ atf_check -o match:"^v=5.*" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+
+ # Switch to version 10
+ jexec alcatraz ifconfig ${pflow} pflowproto 10
+
+ ping -c 1 192.0.2.1
+
+ atf_check -o match:"^v=10.*" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+}
+
+state_defaults_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "basic"
+ atf_add_test_case "state_defaults"
}
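Review bot: The three `ping -c 1 192.0.2.1` calls that follow the sanity check in state_defaults_body are not wrapped in atf_check, so a failed ping is only noticed indirectly, when the next pft_read_ipfix.py match fails after its full capture window. Running them as `atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1`, as the sanity check already does, would put the failure where it happens. Each helper invocation also appears to block for the whole 65-second sniff timeout, so this case runs for well over three minutes. state_defaults_head may want an explicit `atf_set timeout` rather than relying on the default limit.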
diff --git a/tests/sys/netpfil/pf/pflow.sh b/tests/sys/netpfil/pf/pft_read_ipfix.py
copy from tests/sys/netpfil/pf/pflow.sh
copy to tests/sys/netpfil/pf/pft_read_ipfix.py
--- a/tests/sys/netpfil/pf/pflow.sh
+++ b/tests/sys/netpfil/pf/pft_read_ipfix.py
@@ -1,7 +1,8 @@
+#!/usr/bin/env python3
#
# SPDX-License-Identifier: BSD-2-Clause
#
-# Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
+# Copyright © 2023. Rubicon Communications, LLC (Netgate). All Rights Reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
@@ -23,58 +24,55 @@
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
+#
-. $(atf_get_srcdir)/utils.subr
-
-atf_test_case "basic" "cleanup"
-basic_head()
-{
- atf_set descr 'Basic pflow test'
- atf_set require.user root
-}
+import argparse
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import scapy.all as sp
-basic_body()
-{
- pflow_init
+def receive(recvif, recvport):
+ pkts = sp.sniff(iface=recvif, timeout=65)
- epair=$(vnet_mkepair)
- ifconfig ${epair}a 192.0.2.2/24 up
+ if len(pkts) == 0:
+ print("No data")
+ return
- vnet_mkjail alcatraz ${epair}b
- jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+ for pkt in pkts:
+ udp = pkt.getlayer(sp.UDP)
+ if not udp:
+ continue
- # Sanity check
- atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
+ if udp.dport != recvport:
+ continue
- pflow=$(jexec alcatraz ifconfig pflow create)
+ hdr = pkt.getlayer(sp.NetflowHeader)
- # Reject invalid flow destinations
- atf_check -s exit:1 -e ignore \
- jexec alcatraz ifconfig ${pflow} flowdst 256.0.0.1:4000
- atf_check -s exit:1 -e ignore \
- jexec alcatraz ifconfig ${pflow} flowdst 192.0.0.2:400000
+ if hdr.version == 5:
+ v5hdr = pkt.getlayer(sp.NetflowHeaderV5)
+ out=""
+ for i in range(1, v5hdr.count + 1):
+ r = pkt.getlayer(sp.NetflowRecordV5, nb=i)
+ out = "%s,proto=%d,src=%s,dst=%s,srcport=%d,dstport=%d" % (out, r.prot, r.src, r.dst, r.srcport, r.dstport)
+ print("v=%d,count=%d%s" % (hdr.version, v5hdr.count, out))
+ elif hdr.version == 10:
+ print("v=10")
+ return
- # A valid destination is accepted
- atf_check -s exit:0 \
- jexec alcatraz ifconfig ${pflow} flowdst 192.0.2.2:4000
+def main():
+ parser = argparse.ArgumentParser("pft_read_ipfix.py",
+ description="IPFix test tool")
+ parser.add_argument('--recvif', nargs=1,
+ required=True,
+ help='The interface on which to look for packets')
+ parser.add_argument('--port', nargs=1,
+ required=True,
+ help='The port number')
- # Reject invalid version numbers
- atf_check -s exit:1 -e ignore \
- jexec alcatraz ifconfig ${pflow} pflowproto 9
+ args = parser.parse_args()
- # Valid version passes
- atf_check -s exit:0 \
- jexec alcatraz ifconfig ${pflow} pflowproto 5
- atf_check -s exit:0 \
- jexec alcatraz ifconfig ${pflow} pflowproto 10
-}
+ receive(args.recvif[0], int(args.port[0]))
-basic_cleanup()
-{
- pft_cleanup
-}
+if __name__ == '__main__':
+ main()
-atf_init_test_cases()
-{
- atf_add_test_case "basic"
-}
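Review bot: In receive(), `hdr = pkt.getlayer(sp.NetflowHeader)` is dereferenced without a None check, so a UDP packet to the port that scapy does not dissect as NetFlow raises AttributeError on `hdr.version`; add `if hdr is None: continue`, mirroring the existing `udp` guard. Separately, "No data" is printed only when the capture is completely empty. A single unrelated frame on the interface during the 65-second window (ARP or IPv6 neighbour discovery, for example) would make the negative check in pflow.sh fail with no output at all. Restricting the capture, e.g. `pkts = sp.sniff(iface=recvif, filter="udp and dst port %d" % recvport, timeout=65)`, would tie "No data" to the absence of flow packets rather than the absence of all traffic. A short docstring on receive() describing the output lines the shell test matches (`v=5,count=N,...` and `v=10`) would also help.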
D43111: pf tests: pflow functionality test