unbound: Vendor import 1.18.0

[FreeBSD/FreeBSD.git] / contrib / unbound / testdata / ip_ratelimit.tdir / ip_ratelimit.test

# #-- ip_ratelimit.test --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test

PRE="../.."
. ../common.sh

get_make
(cd $PRE; $MAKE streamtcp)

# These tests rely on second time precision. To combat false negatives the
# tests run multiple times and we allow 1/3 of the runs to fail.
total_runs=6
success_threshold=4  # 2/3*total_runs

if dig -h 2>&1 | grep "cookie" >/dev/null; then
        nocookie="+nocookie"
else
        nocookie=""
fi

echo "> First get a valid cookie"
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:0102030405060708 $nocookie +tcp +retry=0 +time=1 test. TXT >outfile 2>&1
if test "$?" -ne 0; then
        echo "exit status not OK"
        echo "> cat logfiles"
        cat outfile
        cat unbound.log
        echo "Not OK"
        exit 1
fi
if test `grep "COOKIE: " outfile | wc -l` -ne 1; then
        echo "Could not get cookie"
        echo "> cat logfiles"
        cat outfile
        cat unbound.log
        echo "Not OK"
        exit 1
fi
cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`

successes=0
echo "> Three parallel queries with backoff and cookie"
# For this test we send three parallel queries. The ratelimit should be reached
# for that second. We send a query to verify that there is no reply.
# Then for the next second we again send three parallel queries and we expect
# none of them to be allowed through because of the backoff logic that keeps
# rolling the RATE_WINDOW based on demand.
# Again we send another query but with a valid cookie and we expect to receive
# an answer.
for i in $(seq 1 $total_runs); do
        # Try to hit limit
        $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
        if test "$?" -ne 0; then
                echo "exit status not OK"
                echo "> cat logfiles"
                cat outfile
                cat unbound.log
                echo "Not OK"
                exit 1
        fi
        # Expect no answer because of limit
        dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
        if test "$?" -eq 0; then
                continue
        fi
        # Try to keep limit
        $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
        if test "$?" -ne 0; then
                echo "exit status not OK"
                echo "> cat logfiles"
                cat outfile
                cat unbound.log
                echo "Not OK"
                exit 1
        fi
        # Expect answer because of DNS cookie
        dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
        if test "$?" -ne 0; then
                continue
        fi
        ((successes++))
        # We don't have to wait for all the runs to complete if we know
        # we passed the threshold.
        if test $successes -ge $success_threshold; then
                break
        fi
done

if test $successes -ge $success_threshold; then
        echo "Three parallel queries with backoff and cookie OK"
else
        echo "Three parallel queries with backoff and cookie NOT OK"
        echo "> cat logfiles"
        cat outfile
        cat unbound.log
        echo "Three parallel queries with backoff and cookie NOT OK"
        exit 1
fi

echo "> Activating ip-ratelimit-cookie"
echo "$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1"
$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1
if test $? -ne 0; then
        echo "wrong exit value after success"
        exit 1
fi

successes=0
echo "> Three parallel queries with backoff and cookie with ip-ratelimit-cookie"
# This is the exact same test as above with the exception that we don't expect
# an answer on the last query because ip-ratelimit-cookie is now enabled.
for i in $(seq 1 $total_runs); do
        # Try to hit limit
        $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
        if test "$?" -ne 0; then
                echo "exit status not OK"
                echo "> cat logfiles"
                cat outfile
                cat unbound.log
                echo "Not OK"
                exit 1
        fi
        # Expect no answer because of limit
        dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
        if test "$?" -eq 0; then
                continue
        fi
        # Try to keep limit
        $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
        if test "$?" -ne 0; then
                echo "exit status not OK"
                echo "> cat logfiles"
                cat outfile
                cat unbound.log
                echo "Not OK"
                exit 1
        fi
        # Expect no answer because of ip-ratelimit-cookie
        dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
        if test "$?" -eq 0; then
                continue
        fi
        ((successes++))
        # We don't have to wait for all the runs to complete if we know
        # we passed the threshold.
        if test $successes -ge $success_threshold; then
                break
        fi
done

if test $successes -ge $success_threshold; then
        echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie OK"
else
        echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
        echo "> cat logfiles"
        cat outfile
        cat unbound.log
        echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
        exit 1
fi

exit 0