D43111.diff
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -63,6 +63,7 @@
frag-overreplace.py \
pfsync_defer.py \
pft_ether.py \
+ pft_read_ipfix.py \
utils.subr
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
@@ -73,5 +74,6 @@
${PACKAGE}FILESMODE_frag-overreplace.py= 0555
${PACKAGE}FILESMODE_pfsync_defer.py= 0555
${PACKAGE}FILESMODE_pft_ether.py= 0555
+${PACKAGE}FILESMODE_pft_read_ipfix.py= 0555
.include <bsd.test.mk>
diff --git a/tests/sys/netpfil/pf/pflow.sh b/tests/sys/netpfil/pf/pflow.sh
--- a/tests/sys/netpfil/pf/pflow.sh
+++ b/tests/sys/netpfil/pf/pflow.sh
@@ -74,7 +74,69 @@
pft_cleanup
}
+atf_test_case "state_defaults" "cleanup"
+state_defaults_head()
+{
+ atf_set descr 'Test set state-defaults pflow'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+state_defaults_body()
+{
+ pflow_init
+
+ epair=$(vnet_mkepair)
+ ifconfig ${epair}a 192.0.2.2/24 up
+
+ vnet_mkjail alcatraz ${epair}b
+ jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz \
+ "pass"
+
+ pflow=$(jexec alcatraz pflowctl -c)
+ jexec alcatraz pflowctl -s ${pflow} dst 192.0.2.2:2055
+
+ # No flow data is generated because no states are marked for it.
+ ping -c 1 192.0.2.1
+ # Flush states to force pflow creation
+ jexec alcatraz pfctl -Fstates
+
+ atf_check -o match:"No data" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+
+ # Expect pflow output with state-defaults pflow
+ pft_set_rules alcatraz \
+ "set state-defaults pflow" \
+ "pass"
+
+ ping -c 1 192.0.2.1
+
+ # We default to version 5
+ atf_check -o match:"^v=5.*" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+
+ # Switch to version 10
+ jexec alcatraz pflowctl -s ${pflow} proto 10
+
+ ping -c 1 192.0.2.1
+
+ atf_check -o match:"^v=10.*" \
+ $(atf_get_srcdir)/pft_read_ipfix.py --recvif ${epair}a --port 2055
+}
+
+state_defaults_cleanup()
+{
+ pft_cleanup
+}
+
atf_init_test_cases()
{
atf_add_test_case "basic"
+ atf_add_test_case "state_defaults"
}
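Review bot: The bare `ping -c 1 192.0.2.1` calls in `state_defaults_body` are not wrapped in `atf_check`, so the negative check can pass vacuously: if the ping fails, no state is created and `No data` matches whether or not state-defaults works. Use `atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1`, as the sanity check earlier in the body does. The reader is also started only after the ping and the state flush, so an export sent before the capture begins would be missed; whether that can happen depends on pflow's export timing, which is not visible here. Each reader run blocks for the script's 65-second sniff timeout, so the three runs take over three minutes in total, and an explicit `atf_set timeout` in `state_defaults_head` may be warranted.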
diff --git a/tests/sys/netpfil/pf/pflow.sh b/tests/sys/netpfil/pf/pft_read_ipfix.py
copy from tests/sys/netpfil/pf/pflow.sh
copy to tests/sys/netpfil/pf/pft_read_ipfix.py
--- a/tests/sys/netpfil/pf/pflow.sh
+++ b/tests/sys/netpfil/pf/pft_read_ipfix.py
@@ -1,7 +1,8 @@
+#!/usr/bin/env python3
#
# SPDX-License-Identifier: BSD-2-Clause
#
-# Copyright (c) 2023 Rubicon Communications, LLC (Netgate)
+# Copyright © 2023. Rubicon Communications, LLC (Netgate). All Rights Reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
@@ -23,58 +24,55 @@
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
+#
-. $(atf_get_srcdir)/utils.subr
-
-atf_test_case "basic" "cleanup"
-basic_head()
-{
- atf_set descr 'Basic pflow test'
- atf_set require.user root
-}
+import argparse
+import logging
+logging.getLogger("scapy").setLevel(logging.CRITICAL)
+import scapy.all as sp
-basic_body()
-{
- pflow_init
+def receive(recvif, recvport):
+ pkts = sp.sniff(iface=recvif, timeout=65)
- epair=$(vnet_mkepair)
- ifconfig ${epair}a 192.0.2.2/24 up
+ if len(pkts) == 0:
+ print("No data")
+ return
- vnet_mkjail alcatraz ${epair}b
- jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
+ for pkt in pkts:
+ udp = pkt.getlayer(sp.UDP)
+ if not udp:
+ continue
- # Sanity check
- atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1
+ if udp.dport != recvport:
+ continue
- pflow=$(jexec alcatraz pflowctl -c)
+ hdr = pkt.getlayer(sp.NetflowHeader)
- # Reject invalid flow destinations
- atf_check -s exit:1 -e ignore \
- jexec alcatraz pflowctl -s ${pflow} dst 256.0.0.1:4000
- atf_check -s exit:1 -e ignore \
- jexec alcatraz pflowctl -s ${pflow} dst 192.0.0.2:400000
+ if hdr.version == 5:
+ v5hdr = pkt.getlayer(sp.NetflowHeaderV5)
+ out=""
+ for i in range(1, v5hdr.count + 1):
+ r = pkt.getlayer(sp.NetflowRecordV5, nb=i)
+ out = "%s,proto=%d,src=%s,dst=%s,srcport=%d,dstport=%d" % (out, r.prot, r.src, r.dst, r.srcport, r.dstport)
+ print("v=%d,count=%d%s" % (hdr.version, v5hdr.count, out))
+ elif hdr.version == 10:
+ print("v=10")
+ return
- # A valid destination is accepted
- atf_check -s exit:0 \
- jexec alcatraz pflowctl -s ${pflow} dst 192.0.2.2:4000
+def main():
+ parser = argparse.ArgumentParser("pft_read_ipfix.py",
+ description="IPFix test tool")
+ parser.add_argument('--recvif', nargs=1,
+ required=True,
+ help='The interface on which to look for packets')
+ parser.add_argument('--port', nargs=1,
+ required=True,
+ help='The port number')
- # Reject invalid version numbers
- atf_check -s exit:1 -e ignore \
- jexec alcatraz pflowctl -s ${pflow} proto 9
+ args = parser.parse_args()
- # Valid version passes
- atf_check -s exit:0 \
- jexec alcatraz pflowctl -s ${pflow} proto 5
- atf_check -s exit:0 \
- jexec alcatraz pflowctl -s ${pflow} proto 10
-}
+ receive(args.recvif[0], int(args.port[0]))
-basic_cleanup()
-{
- pft_cleanup
-}
+if __name__ == '__main__':
+ main()
-atf_init_test_cases()
-{
- atf_add_test_case "basic"
-}
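Review bot: `receive()` prints `No data` only when the capture is completely empty, so any unrelated frame on the interface (ARP, IPv6 neighbour discovery) makes the script print nothing and the `match:"No data"` check in pflow.sh fail for reasons unrelated to pflow. Restrict the capture to the flow traffic, e.g. `pkts = sp.sniff(iface=recvif, filter="udp and dst port %d" % recvport, timeout=65)`, or count matching packets and print `No data` after the loop when none were seen. `pkt.getlayer(sp.NetflowHeader)` returns None when scapy did not dissect the payload as NetFlow (likely for a `--port` value scapy has no binding for), and `hdr.version` then raises AttributeError; add `if hdr is None: continue` before the version test. In `main()`, dropping `nargs=1` and using `type=int` on `--port` would avoid the `[0]` indexing and reject a non-numeric port with a usage error instead of a traceback.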
D43111: pf tests: pflow functionality test