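#!/usr/bin/ksh

#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#

#
# Copyright 2019 Joyent, Inc.
#

#
# This test sprays many concurrent ACQUIRE messages and checks the
# monitor.
#
# Note that it's not run by default, as the monitor is best-efforts and
# therefore not reliable under this kind of load.
#

# ipsecconf/ipseckey below need root; refuse early rather than fail
# half-way through the setup.
if [[ "$(id -u)" != 0 ]]; then
	echo "Need to be root or have effective UID of root."
	exit 255
fi

if [[ "$(zonename)" != "global" ]]; then
	echo "Need to be the in the global zone for lock detection."
	exit 254
fi

# Destination prefix covered by the policy installed below; the ping
# loop later walks the host addresses 10.21.12.1 .. 10.21.12.254 in it.
PREFIX=10.21.12.0/24

# The monitor output must land in a private, unpredictable file: this
# script runs as root and /var/tmp is world-writable, so a fixed name
# derived from $$ could be pre-created or symlinked by another user
# before ipseckey opens it for writing.
MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX) || {
	echo "Unable to create a monitor log file in /var/tmp" >&2
	exit 253
}

# The program that sends an extended REGISTER to enable extended ACQUIREs.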
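EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler

# The final check expects two monitor entries per address, which
# presumably relies on the extended ACQUIREs this program enables.  A
# missing or non-executable enabler would otherwise only surface much
# later as a misleading "log entries missing" failure.
if [[ ! -x "$EACQ_PROG" ]]; then
	echo "Cannot execute $EACQ_PROG" >&2
	exit 253
fi

"$EACQ_PROG" &
eapid=$!

# Tunnels will be preserved by using -f instead of -F.
ipsecconf -qf

# Simple one-type-of-ESP setup...
echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
	ipsecconf -qa -
# ipsecconf -ln

echo "Starting monitor, logging to $MONITOR_LOG"

# Get monitoring PF_KEY for at least regular ACQUIREs.
ipseckey -n monitor > "$MONITOR_LOG" &
IPSECKEY_PID=$!

# Flush out the SADB to make damned sure we don't have straggler acquire
# records internally.
ipseckey flush

# wait for the monitor
sleep 5

echo "Starting pings"

# Launch 254 pings to different addresses (each requiring an ACQUIRE).
# truss -Topen stops each ping at its first open(2) so that all of them
# can be released together by prun later on.  Note the redirection
# order: only ping's verbose stdout is discarded, its stderr still
# reaches our stdout (this looks deliberate -- confirm before changing).
i=1
while (( i <= 254 )); do
	truss -Topen -o /dev/null ping -svn "10.21.12.$i" 1024 1 2>&1 > /dev/null &
	i=$((i + 1))
done

# Unleash the pings in 10 seconds, Smithers.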
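# -x matches the process name exactly, so a stray process whose name
# merely contains "ping" is not resumed by mistake.
( sleep 10 ; prun $(pgrep -x ping) ) &

echo "Waiting for pings to finish"

# wait for the pings; not so charming.  pgrep is not scoped to this
# script, so any other ping process on the box will delay us here.
while :; do
	pids="$(pgrep -x ping)"
	[[ -n "$pids" ]] || break
	# $pids is deliberately unquoted: pwait wants one PID per word.
	pwait $pids
done

# wait for the monitor
sleep 10

kill "$IPSECKEY_PID"
kill "$eapid"
# Use SMF to restore anything that may have been there. "restart" on
# a disabled service is a NOP, but an enabled one will get
# /etc/inet/ipsecinit.conf reloaded.
svcadm restart ipsec/policy

# See if we have decent results: every address must appear exactly
# twice in the monitor log.  On failure the log is intentionally left
# in place for inspection; it is only removed on the success path.
i=1
while (( i <= 254 )); do
	c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." "$MONITOR_LOG")
	if [[ "$c" != 2 ]]; then
		echo "One or more log entries missing for 10.21.12.$i" >&2
		exit 1
	fi
	i=$((i + 1))
done

rm -f "$MONITOR_LOG"
exit 0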