xref: /openbsd/regress/sys/net/pf_divert/README (revision 09467b48)
Run pf divert-to and divert-reply regression test.  The framework
runs both a client and a server process.  One process is started
on the local and the other one on the remote machine.  The kernel's
pf of the remote machine gets tested.  The remote machine's pf.conf
must contain an anchor named "regress" where the test places its
divert rules automatically.  All tests are done with IPv4 and IPv6.

The protocols TCP, UDP, Raw IP, ICMP get tested.  TCP uses a listen
and a connected stream socket, the others use bound and possibly
connected datagram sockets.  Over the TCP connection messages are
sent in both directions.  The datagram sockets deal with single
packets.  The remote machine can be reached over a non-existing
address which is diverted to the stack.

The args-...-to tests install an incoming divert-to pf rule on the
remote machine and run a server there.  The server binds to the
localhost address, for TCP it also listens and accepts.  The client
is started on the local machine and connects to the non-existing
address of the remote machine.  For TCP the bidirectional connection,
for the others a single packet from the client has to reach the
server.

The args-...-reply tests install an outgoing divert-reply pf rule
on the remote machine and start a client there.  The client binds
with bindany to the non-existing address and connects to the local
machine's address.  The server is run on the local machine, for TCP
it also listens and accepts.  For TCP the bidirectional connection,
for the others a single packet from the client has to reach the
server.

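As an added illustration (not taken from the test framework's own
sources), rules of the kind the args-...-to and args-...-reply tests
describe could look like this for TCP and UDP.  The addresses and the
port are constructed placeholders, and the anchor file name is an
assumption.

```conf
# --- remote machine, main pf.conf ------------------------------------
# Attachment point required by the test; it stays empty until the
# test loads its divert rules into it.
anchor "regress"

# --- rules for the anchor, loaded with: pfctl -a regress -f <file> ---
# Constructed values: 192.0.2.1 and 2001:db8::1 stand in for the
# non-existing address, 7000 for the server's port.
fake4 = "192.0.2.1"
fake6 = "2001:db8::1"
port  = "7000"

# args-...-to: incoming packets addressed to the non-existing address
# are handed to the socket the server bound on localhost.  divert-to
# does not rewrite the packet, so getsockname(2) on that socket still
# returns the original destination address.
pass in quick inet  proto tcp to $fake4 port $port divert-to 127.0.0.1 port $port
pass in quick inet6 proto tcp to $fake6 port $port divert-to ::1 port $port
pass in quick inet  proto udp to $fake4 port $port divert-to 127.0.0.1 port $port
pass in quick inet6 proto udp to $fake6 port $port divert-to ::1 port $port

# args-...-reply: the client bound with bindany to the non-existing
# address.  The state created by the outgoing rule lets the replies,
# which are addressed to a non-local address, reach that socket.
pass out quick inet  proto tcp from $fake4 divert-reply
pass out quick inet6 proto tcp from $fake6 divert-reply
pass out quick inet  proto udp from $fake4 divert-reply
pass out quick inet6 proto udp from $fake6 divert-reply

# Inspect what is currently loaded:  pfctl -a regress -sr
# Remove the rules again:            pfctl -a regress -F rules
```
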
The args-...-reply-to tests use the same setup as the args-...-reply
tests.  But in addition to the packet from the client to the
server, the server sends a packet back which has to be received by
the client.  To figure out the client's address and port, the server
receives with recvfrom and sends back with sendto.  The args-icmp-reply-to
test does not use a server as the kernel of the local machine
automatically reflects the ICMP echo request packet with a reply.

The args-icmp-reply-reuse test is similar to the args-icmp-reply-to
test, but it sends two ICMP echo requests and expects two ICMP echo
replies.  All four packets use the same socket.  The second echo
has a different ID, so it cannot use the same pf state.  Check that
the second reply reaches the client.  This can only work if pf
creates a second outgoing state although all packets use one socket.

The reuse tests run pairs of corresponding args-...-to and
args-...-reply and args-...-reply-to tests consecutively to check
that the pf states do not interfere.  The first run flushes the
state, the second must get rid of the state automatically.  For TCP
the connection in TIME_WAIT is dropped to remove the state.

SUDO=sudo
As pf and bindany need root privileges, either run the tests as root
or set this variable and run make as a regular user.

KTRACE=ktrace
Set this variable if you want a ktrace output from client and server.
Note that ktrace is invoked after sudo as sudo would disable it.