pf tests: verify syncookie status report

Verify that pfctl -si -v correctly shows syncookies to be active/inactive. Sponsored by: Rubicon Communications, LLC ("Netgate")
2025-01-31 16:57:10 +00:00 · 2022-10-31 12:15:58 +01:00 · 2022-10-31 12:15:58 +01:00 · b0bf430310
commit b0bf430310
parent 444a77ca85
1 changed files with 30 additions and 0 deletions
--- a/tests/sys/netpfil/pf/syncookie.sh
+++ b/tests/sys/netpfil/pf/syncookie.sh
@ -29,6 +29,14 @@

 common_dir=$(atf_get_srcdir)/../common

+syncookie_state()
+{
+	jail=$1
+
+	jexec $jail pfctl -si -v | grep -A 2 '^Syncookies' | grep active \
+	    | awk '{ print($2); }'
+}
+
 atf_test_case "basic" "cleanup"
 basic_head()
 {
@ -63,6 +71,14 @@ basic_body()
 	then
 		atf_fail "Failed to connect to syncookie protected echo daemon"
 	fi
+
+
+	# Check that status shows syncookies as being active
+	active=$(syncookie_state alcatraz)
+	if [ "$active" != "active" ];
+	then
+		atf_fail "syncookies not active"
+	fi
 }

 basic_cleanup()
@ -196,12 +212,26 @@ adaptive_body()
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1

+	# Check that status shows syncookies as being inactive
+	active=$(syncookie_state alcatraz)
+	if [ "$active" != "inactive" ];
+	then
+		atf_fail "syncookies active when they should not be"
+	fi
+
 	# Now syn flood to create many states
 	${common_dir}/pft_synflood.py \
 		--sendif ${epair}a \
 		--to 192.0.2.2 \
 		--count 100

+	# Check that status shows syncookies as being active
+	active=$(syncookie_state alcatraz)
+	if [ "$active" != "active" ];
+	then
+		atf_fail "syncookies not active"
+	fi
+
 	# Adaptive mode should kick in and stop us from creating more than
 	# about 10 states
 	states=$(jexec alcatraz pfctl -ss | grep tcp | wc -l)