pf tests: Test that 'set skip on <group>' works on new group members

There's a know issue where new group members don't get the 'set skip on' applied until the rules are re-loaded. Do this by setting rules that block all traffic, but skip members of the 'epair' group. If we can communicate over the epair interface we know the set skip rule took effect, even if the rule was set before the interface was created. MFC after: 2 weeks
svn path=/head/; revision=366648
2024-11-22 19:41:04 +01:00 · 2020-10-12 12:41:10 +00:00 · 2020-10-12 12:41:10 +00:00 · e6f9af16bc · 2020-12-20 02:59:44 +00:00
commit e6f9af16bc
parent c9449e4fb8
1 changed files with 33 additions and 0 deletions
--- a/tests/sys/netpfil/pf/set_skip.sh
+++ b/tests/sys/netpfil/pf/set_skip.sh
@ -85,8 +85,41 @@ set_skip_group_lo_cleanup()
 	pft_cleanup
 }

+atf_test_case "set_skip_dynamic" "cleanup"
+set_skip_dynamic_head()
+{
+	atf_set descr "Cope with group changes"
+	atf_set require.user root
+}
+
+set_skip_dynamic_body()
+{
+	pft_init
+
+	set -x
+
+	vnet_mkjail alcatraz
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz "set skip on epair" \
+		"block"
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a 192.0.2.2/24 up
+	ifconfig ${epair}b vnet alcatraz
+
+	jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+	atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 192.0.2.2
+}
+
+set_skip_dynamic_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "set_skip_group"
 	atf_add_test_case "set_skip_group_lo"
+	atf_add_test_case "set_skip_dynamic"
 }