#!/usr/bin/ksh

#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source.  A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#

#
# Copyright 2019 Joyent, Inc.
#

#
# This test sprays many concurrent ACQUIRE messages and checks the
# monitor.
#
# Note that it's not run by default, as the monitor is best-efforts and
# therefore not reliable under this kind of load.
#

# Preconditions: the script needs an effective UID of root and must run in
# the global zone.  Each failed precondition has its own exit status
# (255 and 254) so a caller can tell them apart.
if [[ $(id -u) -ne 0 ]]; then
	echo "Need to be root or have effective UID of root."
	exit 255
fi

case "$(zonename)" in
global)
	;;
*)
	echo "Need to be the in the global zone for lock detection."
	exit 254
	;;
esac

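# Address range covered by the temporary test policy.
PREFIX=10.21.12.0/24

# Create the monitor log with mktemp(1) instead of deriving its name from
# $$.  This script runs as root and /var/tmp is world-writable, so a
# predictable name could be pre-created by another local user (for example
# as a symbolic link) and the redirection further down would then truncate
# and write whatever that name points at.  mktemp creates the file
# exclusively under an unpredictable name.
MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX)
if [[ -z "$MONITOR_LOG" ]]; then
	echo "Could not create a monitor log under /var/tmp." >&2
	exit 1
fi

# The program that sends an extended REGISTER to enable extended ACQUIREs.
EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler

"$EACQ_PROG" &
eapid=$!

# Flush the active IPsec policy.  Tunnels will be preserved by using -f
# instead of -F.
# NOTE(review): no trap is visible here, so if the script is interrupted
# before the "svcadm restart ipsec/policy" step later in this file the
# flushed policy is not put back and the background helpers keep running;
# confirm that is acceptable on the test host.
ipsecconf -qf

# Simple one-type-of-ESP setup...
echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
	ipsecconf -qa -
# ipsecconf -ln

echo "Starting monitor, logging to $MONITOR_LOG"

# Get monitoring PF_KEY for at least regular ACQUIREs.
ipseckey -n monitor > "$MONITOR_LOG" &
IPSECKEY_PID=$!

# Flush out the SADB so that no straggler acquire records remain
# internally.
ipseckey flush

# wait for the monitor
sleep 5
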
echo "Starting pings"

# Start one ping per host address 10.21.12.1 .. 10.21.12.254; each one
# requires its own ACQUIRE.  Per truss(1), -Topen stops the traced process
# when it reaches open(2), so the pings pile up stopped until prun
# releases them together.
# NOTE(review): "2>&1 > /dev/null" sends stdout to /dev/null but leaves
# stderr on this script's stdout; if both were meant to be discarded the
# two redirections are in the wrong order -- confirm the intent.
for ((i = 1; i <= 254; i++)); do
	truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
done

# Release all stopped pings at once, ten seconds from now.
# NOTE(review): pgrep selects by process name only, so any other process
# on the host whose name matches "ping" is also passed to prun here and to
# pwait in the loop that follows; confirm the test host runs nothing else
# that matches.
( sleep 10 ; prun $(pgrep ping) ) &

echo "Waiting for pings to finish"

# Keep waiting until pgrep finds no ping processes at all.
pids="$(pgrep ping)"
while [[ -n "$pids" ]]; do
	# $pids is deliberately unquoted: pwait takes one argument per PID.
	pwait $pids
	pids="$(pgrep ping)"
done

# Give the monitor time to log the remaining messages.
sleep 10

# Stop the two background helpers: the PF_KEY monitor first, then the
# extended-ACQUIRE enabler.
kill "$IPSECKEY_PID" "$eapid"

# Hand policy restoration to SMF.  Restarting a disabled service does
# nothing, while an enabled one reloads /etc/inet/ipsecinit.conf, so
# whatever policy was configured before the test comes back.
svcadm restart ipsec/policy

# Check the results: the monitor log must hold exactly two DST lines for
# every address that was pinged.  The first address that does not match
# fails the test with exit status 1.
# NOTE(review): the log is removed only on success; presumably it is left
# in place on failure for diagnosis -- confirm.
for ((i = 1; i <= 254; i++)); do
	c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." "$MONITOR_LOG")
	if (( c != 2 )); then
		echo "One or more log entries missing for 10.21.12.$i" >&2
		exit 1
	fi
done

rm -f "$MONITOR_LOG"
exit 0
111