pf tests: basic source limiters test case

Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost
2026-01-07 18:06:55 +01:00
parent cb7a5d9401
commit 086a3cb4b8
+58
View File
@@ -130,8 +130,66 @@ state_rate_cleanup()
pft_cleanup
}
atf_test_case "source_basic" "cleanup"
source_basic_head()
{
atf_set descr 'Basic source limiter test'
atf_set require.user root
}
source_basic_body()
{
pft_init
epair=$(vnet_mkepair)
ifconfig ${epair}a 192.0.2.2/24 up
ifconfig ${epair}a inet alias 192.0.2.3/24 up
vnet_mkjail alcatraz ${epair}b
jexec alcatraz ifconfig ${epair}b 192.0.2.1/24 up
# Sanity check
atf_check -s exit:0 -o ignore \
ping -S 192.0.2.2 -c 1 192.0.2.1
atf_check -s exit:0 -o ignore \
ping -S 192.0.2.3 -c 1 192.0.2.1
jexec alcatraz pfctl -e
# Allow up to one source for ICMP.
pft_set_rules alcatraz \
"set timeout icmp.error 120" \
"source limiter \"server\" id 1 entries 128 limit 1" \
"block in proto icmp" \
"pass in proto icmp source limiter \"server\""
atf_check -s exit:0 -o ignore \
ping -S 192.0.2.2 -c 2 192.0.2.1
# This should now fail
atf_check -s exit:2 -o ignore \
ping -S 192.0.2.2 -c 2 192.0.2.1
jexec alcatraz pfctl -sLimiterSrcs
hardlim=$(jexec alcatraz pfctl -sLimiterSrcs | awk 'NR>1 { print $5; }')
if [ $hardlim -eq 0 ]; then
atf_fail "Hard limit not incremented"
fi
# However, a different source will succeed
atf_check -s exit:0 -o ignore \
ping -S 192.0.2.3 -c 2 192.0.2.1
}
source_basic_cleanup()
{
pft_cleanup
}
atf_init_test_cases()
{
atf_add_test_case "state_basic"
atf_add_test_case "state_rate"
atf_add_test_case "source_basic"
}