Since 2.4.5 scapy started issuing warnings about a few different
configurations during our tests. These are harmless, but they generate
stderr output, which upsets atf_check.
Configure scapy to only log critical errors (and thus not warnings) to
fix these tests.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit a26e895f3d)
Python 3.8 warns about line 112:
'SyntaxWarning: "is" with a literal. Did you mean "=="?'
Use '==' as Python suggests.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 80430c15ca)
MAP-E (RFC 7597) requires special care for selecting source ports
in NAT operation on the Customer Edge because a part of bits of the port
numbers are used by the Border Relay to distinguish another side of the
IPv4-over-IPv6 tunnel.
PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468
(cherry picked from commit 2aa21096c7)
Now that we support having multiple labels on a rule ensure that we can
use each rule label to kill states.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29938
(cherry picked from commit 5632f58535)
Add a test case where the pfctl optimizer will generate a table
automatically. These tables have long names, which we accidentally broke
in the nvlist ADDRULE ioctl.
Reviewed by: melifaro
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29989
(cherry picked from commit 08d7730821)
There's a problem with pf's reassembly code where it produces incorrect
checksums when reassembling across interfaces with different MTUs.
Test this.
PR: 255432
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30013
(cherry picked from commit 388c0cde10)
This was briefly broken, so ensure that we can read and clear rules
counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29728
(cherry picked from commit 112f007e12)
Most of the routing tests create per-test VNET, making
it harder to repeat the failure with CLI tools.
Provide an additional route/nexthop data on failure.
Differential Revision: https://reviews.freebsd.org/D29957
Reviewed by: kp
MFC after: 2 weeks
(cherry picked from commit bddae5c8a6)
I changed the Makefile to use SRCS instead of LDADD, but since there is
still and absolute path to the source the .o file was created inside the
source directory instead of the build directory.
It would be nice if this was an error/warning by default, but for now just
fix this issue by using .PATH and the base name of the file.
Reported by: cy, peterj
(cherry picked from commit 8b820df156)
This avoids a SIGILL when running these tests on QEMU (which
defaults to a basic amd64 CPU without SSE4.2).
This commit also tests the table-based implementations in addition to
testing the hw-accelerated crc32 versions.
Reviewed By: cem, kib, markj
Differential Revision: https://reviews.freebsd.org/D28395
(cherry picked from commit 83c20b8a2d)
This replicates an issue observed on pfSense: https://redmine.pfsense.org/issues/11436
In essence, reply-to is needed to ensure that connections always leave
the WAN interface they came in on, but this confused the state tracking.
MFC after: 2 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit f37667e235)
tests/sys/netfil/pf/synproxy fails if inetd has been running
outside of the jail because pidfile_open() fails with EEXIST.
tests/sys/netfil/pf/nat has the same problem but the test succeeds
because whether inetd is running is not so important.
Fix the problem by changing the pidfile path from the default
location.
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29622
(cherry picked from commit 5a5623397c)
They have been failing for 1.5 months and the patch to fix them is stuck
in review so mark them as XFAIL for now to get Jenkins back to green.
To be reverted when https://reviews.freebsd.org/D28886 (or similar) is
commited.
Reviewed By: kp
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D29528
(cherry picked from commit 83532eb68c)
This should bring the number of Jenkins failures from 4 down to 3.
Locally kyua now prints `skipped: could not find a valid interface [0.115s]`
when I run it in QEMU without a network device.
Reviewed By: lwhsu
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D29414
(cherry picked from commit 6f30d1c851)
I was trying to debug why this test is working locally but failing in CI.
While doing so I made some small changes to allow running it with set -e.
It turns out the problem is that find_iface does not return anything in
Jenkins, so all following tests fail with obscure error messages.
To handle this case exit early if $eth is empty.
Reviewed By: lwhsu
Differential Revision: https://reviews.freebsd.org/D29340
(cherry picked from commit 7dd1f932c1)
MSG_CMSG_CLOEXEC has not been working since 2015 (SVN r284380) because
_finstall expects O_CLOEXEC and not UF_EXCLOSE as the flags argument.
This was probably not noticed because we don't have a test for this flag
so this commit adds one. I found this problem because one of the
libwayland tests was failing.
Fixes: ea31808c3b ("fd: move out actual fp installation to _finstall")
MFC after: 3 days
Reviewed By: mjg, kib
Differential Revision: https://reviews.freebsd.org/D29328
(cherry picked from commit 6ceacebdf5)
1) F_SETLKW (blocking) operations would be sent to the FUSE server as
F_SETLK (non-blocking).
2) Release operations, F_SETLK with lk_type = F_UNLCK, would simply
return EINVAL.
PR: 253500
Reported by: John Millikin <jmillikin@gmail.com>
(cherry picked from commit 929acdb19a)
Test that pfsync works as expected with bulk updates. That is, create
some state before setting up the second firewall. Let that firewall
request a bulk update so it can catch up, and check that it got the
state which was created before it enable pfsync.
PR: 254236
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D29272
(cherry picked from commit 8ad7d25dfc)
This allows d_off to be used with lseek to position the file so that
getdirentries(2) will return the next entry. It is not used by
readdir(3).
PR: 253411
Reported by: John Millikin <jmillikin@gmail.com>
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D28605
(cherry picked from commit 71befc3506)
This should allow the test to pass in Jenkins. Testing it locally now
reports "passed" instead of "invalid TAP data".
While touching this file also fix some shellcheck warnings that were
pointed out by my IDE.
Reviewed By: lwhsu, afedorov
Differential Revision: https://reviews.freebsd.org/D29054
(cherry picked from commit 65f4ff4e68)
The argument has to be a single whitespace-separate value. While touching
all these lines also add ksh93, since `atf_set "require.progs"` overrides
the default value specified in the Kyuafile. This then results in tests
being executed despite ksh93 not being installed.
Reviewed By: asomers
Differential Revision: https://reviews.freebsd.org/D29066
(cherry picked from commit 0b86424c31)
Instead of running tests one-by-one with the shell wrapper we now run
the full gtest testsuite twice (once as root, once as non root). This
significantly speeds up running tests despite running them twice.
This change also passes the missing -u flag to capsicum-test that caused
test failures (https://bugs.freebsd.org/250178)
Previously, running the testsuite with the wrapper script took ~3s per
test on aarch64 QEMU, i.e. a total of almost 5 minutes.
Now it takes 6 seconds to run all tests twice.
Before:
root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional
94/96 passed (2 failed)
309.97 real 58.46 user 244.31 sys
After:
root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional
functional:test_root -> passed [2.659s]
functional:test_unprivileged -> passed [2.391s]
2/2 passed (0 failed)
5.48 real 1.06 user 2.52 sys
This overhead is caused by kyua + atf-sh spawning lots of additional
processes and can be avoided by just running the googletest test binary.
syscall seconds calls errors
fork 39.810229456 1275 0
sigprocmask 13.546928736 572 0
i.e. 1275 processes spawned to run a single test.
Test Plan: All tests pass with D28907.
PR: 250178
Reviewed By: lwhsu
Differential Revision: https://reviews.freebsd.org/D29014
(cherry picked from commit 53a535c1d8)
This includes various fixes that I submitted recently such as updating the
pdkill() tests for the actual implemented behaviour
(https://github.com/google/capsicum-test/pull/53) and lots of changes to
avoid calling sleep() and replacing it with reliable synchronization
(pull requests 49,51,52,53,54). This should make the testsuite more reliable
when running on Jenkins. Additionally, process status is now retrieved using
libprocstat instead of running `ps` and parsing the output
(https://github.com/google/capsicum-test/pull/50). This fixes one previously
failing test and speeds up execution.
Overall, this update reduces the total runtime from ~60s to about 4-5 seconds.
(cherry picked from commit 955a3f9ad5)
This also fixes a typo in the dup test that caused the head function to
not be called. On my test system without python3 the tests are now
skipped instead of failing.
Reviewed By: kp
Differential Revision: https://reviews.freebsd.org/D28903
(cherry picked from commit 98202829d1)
This makes the `kyua report --verbose` output a lot easier to parse when
looking at failed tests. It also fixes the closefrom() test since I
tested my changes with this commit but forgot to push it together with
fa32350347.
Fixes: fa32350347 ("close_range: add audit support")
(cherry picked from commit c97304110a)
In the CheriBSD CI we reproducibly see the first test in sys/audit
(administrative:acct_failure) fail due to a missing startup message.
It appears this is caused by a race condition when starting auditd:
`service auditd onestart` returns as soon as the initial auditd() parent
exits (after the daemon(3) call).
We can avoid this problem by setting up the auditd infrastructure
in-process: libauditd contains audit_quick_{start,stop}() functions that
look like they are ideally suited to this task.
This patch also avoids forking lots of shell processes for each of the 418
tests by using `auditon(A_SENDTRIGGER, &trigger, sizeof(trigger))` to check
for a running auditd(8) instead of using `service auditd onestatus`.
With these two changes (and D28388 to fix the XFAIL'd test) I can now
boot and run `cd /usr/tests/sys/audit && kyua test` without any failures
in a single-core QEMU instance. Before there would always be at least one
failed test.
Besides making the tests more reliable in CI, a nice side-effect of this
change is that it also significantly speeds up running them by avoiding
lots of fork()/execve() caused by shell scripts:
Running kyua test on an AArch64 QEMU took 315s before and now takes 68s,
so it's roughly 3.5 times faster. This effect is even larger when running
on a CHERI-RISC-V QEMU since emulating CHERI instructions on an x86 host
is noticeably slower than emulating AArch64.
Test Plan: aarch64+amd64 QEMU no longer fail.
Reviewed By: asomers
Differential Revision: https://reviews.freebsd.org/D28451
(cherry picked from commit df093aa946)
It seems like GCC's -Wsign-compare is stricter and also warns for
constants. Appease GCC by adding the required casts.
Fixes: 96a9e50e63 ("ptrace_test: Add more debug output on test failures")
Reported by: Jenkins CI
(cherry picked from commit 1fcbddec14)
ATF now opens the results file (without CLOEXEC), so the child actually
has a valid file descriptor 3. To fix this simply use a large number that
will definitely not be a valid file descriptor.
Reviewed by: jhb, cem, lwhsu
Differential Revision: https://reviews.freebsd.org/D28889
(cherry picked from commit 17cc20092c)
I've run these tests many times in a loop on multiple architectures and
it works reliably for me, maybe it's time to retire these skips?
This also adds an additional waitpid to one of the tests to avoid
a potential race condition (suggested by markj@).
PR: 239397, 244056, 239425, 240510, 220841, 243605
Reviewed By: markj
Differential Revision: https://reviews.freebsd.org/D28888
(cherry picked from commit 1032131464)
Mostly automatic, using
`CHILD_REQUIRE\(([^|&\n]*) ==` -> `CHILD_REQUIRE_EQ_INT($1,`
`ATF_REQUIRE\(([^|&\n]*) ==` -> `REQUIRE_EQ_INT($1,` followed by
git-clang-format -f and then manually checking ones that contain ||/&&.
Test Plan:
Still getting the same failure but now it prints
`psr.sr_error (0) == EBADF (9) not met` instead of just failing
without printing the values.
PR: 243605
Reviewed By: jhb
Differential Revision: https://reviews.freebsd.org/D28887
(cherry picked from commit 96a9e50e63)
In the CheriBSD CI, we run the testsuite with /tmp as tmpfs. This causes
the extattr audit tests to fail since tmpfs does not (yet) support
extattrs. Skip those tests if the target path is on a file system that
does not support extended file attributes.
While touching these two files also convert the ATF_REQUIRE_EQ(-1, ...)
checks to use ATF_REQURIE_ERRNO().
Reviewed By: asomers
Differential Revision: https://reviews.freebsd.org/D28392
(cherry picked from commit 40407d3998)
This changes the behaviour to a 30s total timeout (needed when running
on slow emulated uniprocessor systems) and timing out after 10s without
any input. This also uses timespecsub() instead of ignoring the
nanoseconds field.
After this change the tests runs more reliably on QEMU and time out less
frequently.
Reviewed By: asomers
Differential Revision: https://reviews.freebsd.org/D28391
(cherry picked from commit 869cc06480)
Traditionally routing socket code did almost zero checks on
the input message except for the most basic size checks.
This resulted in the unclear KPI boundary for the routing system code
(`rtrequest*` and now `rib_action()`) w.r.t message validness.
Multiple potential problems and nuances exists:
* Host bits in RTAX_DST sockaddr. Existing applications do send prefixes
with hostbits uncleared. Even `route(8)` does this, as they hope the kernel
would do the job of fixing it. Code inside `rib_action()` needs to handle
it on its own (see `rt_maskedcopy()` ugly hack).
* There are multiple way of adding the host route: it can be DST without
netmask or DST with /32(/128) netmask. Also, RTF_HOST has to be set correspondingly.
Currently, these 2 options create 2 DIFFERENT routes in the kernel.
* no sockaddr length/content checking for the "secondary" fields exists: nothing
stops rtsock application to send sockaddr_in with length of 25 (instead of 16).
Kernel will accept it, install to RIB as is and propagate to all rtsock consumers,
potentially triggering bugs in their code. Same goes for sin_port, sin_zero, etc.
The goal of this change is to make rtsock verify all sockaddr and prefix consistency.
Said differently, `rib_action()` or internals should NOT require to change any of the
sockaddrs supplied by `rt_addrinfo` structure due to incorrectness.
To be more specific, this change implements the following:
* sockaddr cleanup/validation check is added immediately after getting sockaddrs from rtm.
* Per-family dst/netmask checks clears host bits in dst and zeros all dst/netmask "secondary" fields.
* The same netmask checking code converts /32(/128) netmasks to "host" route case
(NULL netmask, RTF_HOST), removing the dualism.
* Instead of allowing ANY "known" sockaddr families (0<..<AF_MAX), allow only actually
supported ones (inet, inet6, link).
* Automatically convert `sockaddr_sdl` (AF_LINK) gateways to
`sockaddr_sdl_short`.
Reported by: Guy Yur <guyyur at gmail.com>
Reviewed By: donner
Differential Revision: https://reviews.freebsd.org/D28668
(cherry picked from commit 2fe5a79425)
df093aa946 linked against libprivateauditd.a, but that is currently
(and incorrectly) built as position-dependent. For now just force PIE
off for this test to fix the WITH_PIE build.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 4621c4f2fd)
Ensure that we not only block on some interfaces, but also forward on
some. Without the previous commit we wound up discarding on all ports,
rather than only on the ports needed to break the loop.
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D28917
(cherry picked from commit 7a4dbffa42)
This is basically the same test as the existing STP test, but now on top
of VLAN interfaces instead of directly using the epair devices.
MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D28861
(cherry picked from commit 26492ba271)
