The current assertion is not robust enough as we can see from the test failure in https://github.com/firezone/firezone/actions/runs/19619954030/job/56178969296?pr=10931. Another way of asserting that we have roamed is to check whether or not we are using a non-standard source port. The NAT binding for the old source port is still active after roaming and therefore, the NAT has to assign a new source port to the traffic arriving from the client.
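#!/usr/bin/env bash
#
# Integration test: a TCP download through the tunnel must survive the client
# roaming to a different IP address mid-transfer.
#
# The test passes when:
#   1. the background download completes successfully,
#   2. the SHA-256 of the downloaded file matches the pinned value, and
#   3. the TCP flow logs show at least one flow whose outer source port is
#      not the standard one (evidence that the client actually roamed).
#
# Helpers such as `client`, `get_flow_logs`, `get_flow_field`, `assert_eq`
# and `assert_gteq` are expected to come from lib.sh.

source "./scripts/tests/lib.sh"

# Outer source port that flows are compared against; any other value is counted
# as "non-standard". After roaming, the NAT binding for the old source port is
# still active, so the NAT has to hand out a new source port for the client's
# traffic, which is what the final assertion looks for.
# NOTE(review): presumably the port the client binds by default — confirm.
readonly standard_src_port="52625"

# Download 10MB at a max rate of 1MB/s. The first two UDP socket writes will fail as checksum offload is disabled.
# This means it will take 13 seconds + the resent STUN binding request round trip time.
# The URL is single-quoted inside the command string so the inner shell never
# treats the `?` as a glob character.
client sh -c \
  "curl \
    --fail \
    --max-time 16 \
    --keepalive-time 1 \
    --limit-rate 1000000 \
    --output download.file \
    'http://download.httpbin/bytes?num=10000000'" &

DOWNLOAD_PID=$!

sleep 3 # Download a bit

docker network disconnect firezone_client-internal firezone-client-1 # Disconnect the client
sleep 3
docker network connect firezone_client-internal firezone-client-1 --ip 172.30.0.200 --ip6 172:30::200 # Reconnect client with a different IP

# Add static route to internet subnet via router; they get removed when the network interface disappears
client ip -4 route add 203.0.113.0/24 via 172.30.0.254
client ip -6 route add 203:0:113::/64 via 172:30:0::254

# Disable checksum offload again to calculate checksums in software so that checksum verification passes
client ethtool -K eth0 tx off

# Send SIGHUP, triggering `reconnect` internally.
# The PID is resolved first so that a missing process is reported by name
# rather than surfacing as an opaque `kill` error. `|| true` keeps a failed
# lookup from aborting before the message is printed if errexit is active.
client_pid="$(ps -C firezone-headless-client -o pid=)" || true
if [[ -z "${client_pid//[[:space:]]/}" ]]; then
  echo "firezone-headless-client is not running; cannot send SIGHUP" >&2
  exit 1
fi
sudo kill -s HUP "$client_pid"

if ! wait "$DOWNLOAD_PID"; then
  echo "Download process failed" >&2
  exit 1
fi

# Integrity check: the payload travelled over plain HTTP across a connection
# that was interrupted and re-established, so compare it against a pinned
# SHA-256 instead of trusting curl's exit status alone. An empty computed value
# (e.g. the file is missing) also fails the comparison.
known_checksum="f5e02aa71e67f41d79023a128ca35bad86cf7b6656967bfe0884b3a3c4325eaf"
computed_checksum=$(client sha256sum download.file | awk '{ print $1 }')

if [[ "$computed_checksum" != "$known_checksum" ]]; then
  echo "Checksum of downloaded file does not match" >&2
  exit 1
fi

sleep 3
readarray -t flows < <(get_flow_logs "tcp")

assert_gteq "${#flows[@]}" 2

# Declared as an integer so that `+=` below adds instead of concatenating.
declare -i non_standard_ports=0

for flow in "${flows[@]}"; do
  # All flows should have same inner_dst_ip
  assert_eq "$(get_flow_field "$flow" "inner_dst_ip")" "172.21.0.101"

  if [[ "$(get_flow_field "$flow" "outer_src_port")" != "$standard_src_port" ]]; then
    non_standard_ports+=1
  fi
done

assert_gteq "$non_standard_ports" 1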