1#!/usr/bin/ksh
2
3#
4# This file and its contents are supplied under the terms of the
5# Common Development and Distribution License ("CDDL"), version 1.0.
6# You may only use this file in accordance with the terms of version
7# 1.0 of the CDDL.
8#
9# A full copy of the text of the CDDL should have accompanied this
10# source.  A copy of the CDDL is also available via the Internet at
11# http://www.illumos.org/license/CDDL.
12#
13
14#
15# Copyright (c) 2017 Joyent, Inc.
16#
17
# Precondition 1: an effective UID of 0 is required.
euid=$(id -u)
if [ "$euid" -ne 0 ]; then
	echo "Need to be root or have effective UID of root."
	exit 255
fi

# Precondition 2: the script only proceeds in the global zone; the message
# ties this requirement to lock detection.
zone=$(zonename)
if [[ $zone != "global" ]]; then
	echo "Need to be the in the global zone for lock detection."
	exit 254
fi
27
28# This test sprays many concurrent ACQUIRE messages.  The idea originally
29# was to view lock contention on the global netstack's IPsec algorithm lock.
30# It is also useful for having multiple ACQUIRE records.
31
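# Destination prefix named in the test's IPsec policy entry.
PREFIX=10.21.12.0/24
# Capture file for the `ipseckey monitor` output.
# NOTE(review): the name is predictable (PID suffix) and root opens it with
# '>'.  That is only safe while /var/run is writable by root alone -- confirm,
# or create the file with mktemp(1).
MONITOR_LOG=/var/run/ipseckey-monitor.$$

# The program that sends an extended REGISTER to enable extended ACQUIREs.
EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler

# Do not background a program that is not there: $! would then name a job
# that has already failed, and that PID is signalled later in the script.
if [[ ! -x $EACQ_PROG ]]; then
	echo "Cannot execute $EACQ_PROG"
	exit 253
fi
"$EACQ_PROG" &
eapid=$!

# Find the ipsec_alg_lock to monitor with lockstat (below).  Each step feeds
# the previous result back into `mdb -k`:
#   1. first column of the ::netstack line that grep -w 0 selects
#      (presumably the stack-id-0, i.e. global, netstack -- confirm),
#   2. third field of that netstack_t's nu_ipsec line,
#   3. first field of the first line printed for ipsec_alg_lock with -a.
GLOBAL_NETSTACK=$(echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}')
GLOBAL_IPSEC=$(echo "${GLOBAL_NETSTACK}::print netstack_t" | mdb -k |
    grep -w nu_ipsec | awk '{print $3}')
IPSEC_ALG_LOCK=$(echo "${GLOBAL_IPSEC}::print -a ipsec_stack_t ipsec_alg_lock" |
    mdb -k | head -1 | awk '{print $1}')

# Stop here if any lookup came back empty.  Later steps flush the host's
# IPsec policy, and there is no point doing that only to hand lockstat an
# address of "0x,8".
if [[ -z $GLOBAL_NETSTACK || -z $GLOBAL_IPSEC || -z $IPSEC_ALG_LOCK ]]; then
	echo "Could not locate ipsec_alg_lock with mdb -k."
	kill "$eapid"
	exit 253
fi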
45
46#echo "WARNING -- this test flushes out IPsec policy..."
47#echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
48#echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
49#echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
50
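# From the flush below until `svcadm restart ipsec/policy` runs, the host
# carries the test's policy in place of its configured one.  The restore at
# the end of the script is only reached on the normal path, so make
# HUP/INT/TERM stop the helpers and restore the policy as well.
abort_cleanup() {
	[[ -n $IPSECKEY_PID ]] && kill "$IPSECKEY_PID" 2> /dev/null
	[[ -n $eapid ]] && kill "$eapid" 2> /dev/null
	svcadm restart ipsec/policy
	exit 1
}
trap abort_cleanup HUP INT TERM

# Tunnels will be preserved by using -f instead of -F.
ipsecconf -qf

# Simple one-type-of-ESP setup...  If the entry cannot be installed, the
# rest of the test is meaningless; put the configured policy back at once.
if ! echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" |
    ipsecconf -qa -; then
	echo "Could not install the test IPsec policy."
	abort_cleanup
fi
# ipsecconf -ln

# Get monitoring PF_KEY for at least regular ACQUIREs.
ipseckey -n monitor > "$MONITOR_LOG" &
IPSECKEY_PID=$!

# Flush out the SADB to make damned sure we don't have straggler acquire
# records internally.
ipseckey flush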
66
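# Launch 254 pings to different addresses (each requiring an ACQUIRE).
# Each ping runs under truss -Topen, which stops the traced process at an
# open call, so the pings stay parked until prun releases them below.
# '2>&1 > /dev/null' is order-sensitive: stderr is pointed at the script's
# stdout first, then stdout alone is discarded.
for ((i = 1; i <= 254; i++)); do
	truss -Topen -o /dev/null ping -svn "10.21.12.$i" 1024 1 2>&1 > /dev/null &
done

# Unleash the pings in 10 seconds, Smithers.
(
	sleep 10
	# -x limits the match to processes named exactly "ping".  A bare
	# `pgrep ping` is a substring match, and this runs as root, so it
	# would also resume unrelated stopped processes that merely contain
	# "ping" in their name.
	ping_pids=$(pgrep -x ping)
	# Unquoted on purpose: prun takes one PID per argument.
	[[ -n $ping_pids ]] && prun $ping_pids
) &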
76
# Watch the lock for the duration of a 30-second sleep.  The spec is the
# address found earlier, prefixed with 0x, followed by ",8".
lock_spec="0x$IPSEC_ALG_LOCK,8"
echo "Running:     lockstat -A -l $lock_spec sleep 30"
lockstat -A -l "$lock_spec" sleep 30

# Stop the two background helpers: the PF_KEY monitor and the
# extended-ACQUIRE enabler.
kill $IPSECKEY_PID
kill $eapid

# Hand policy back to SMF.  Restarting a disabled service does nothing;
# restarting an enabled one reloads /etc/inet/ipsecinit.conf.
svcadm restart ipsec/policy
86
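# See if we have decent results.

# Count the monitor-log lines that mention ACQUIRE.  The original command
# substitution was missing the closing quote of the awk program, which is a
# syntax error; grep -c produces the same count directly.
numacq=$(grep -c ACQUIRE "$MONITOR_LOG")
# Cleanup is commented out, so the log stays in place after the run.
#rm -f $MONITOR_LOG
# Pardon the hardcoding again.  508 is 2 x 254 pings -- presumably one
# regular and one extended ACQUIRE per ping; confirm.
if [[ $numacq != 508 ]]; then
	echo "Got $numacq ACQUIREs instead of 508"
	exit 1
fi
echo "Saw expected $numacq ACQUIREs."

exit 0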