History log of /freebsd/sbin/pfctl/tests/pfctl_test_list.inc (Results 1 – 25 of 25)
Revision Date Author Comments
# dbfdda7b 08-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pfctl tests: verify port range validation

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.3.0-p1, release/14.2.0-p4, release/13.5.0-p2
# ad65e2de 27-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl tests: verify netmask on dynnode

This was broken (in OpenBSD, not FreeBSD) by unmask() refactoring work.
Test for this.

Based on: OpenBSD, kn <kn@openbsd.org>, 50befbbe2e
Sponsored by: Rubicon Communications, LLC ("Netgate")


# e2d2aadc 23-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl tests: test line number reporting in include files

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 41fd03c0 06-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf: add 'max-pkt-size'

Allow pf to limit packets to a specified maximum size. This applies to all
packets, and if reassembly is enabled, looks at the reassembled size, not the
size of individual fragments.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.3.0
# c7adc9ad 05-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pfctl tests: max-pkt-rate test

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3
# 0a376f7e 09-Apr-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@

Add a pfctl test case to ensure this doesn't regress.

Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 1ae008c822
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 97a74f46 04-Apr-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: fix no nat / no rdr rules

In aeddee83341 the nat rule parsing was significantly reworked, unintentionally
breaking no nat / no rdr rules. The option to not have a -> ... redirspec was
omitted.

Add trivial test cases to catch such issues in the future.

Reported by: Thomas Pasqualini <thomas.pasqualini@orange.com>
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D49665


# aeddee83 28-Mar-2025 Kajetan Staszkiewicz <ks@FreeBSD.org>

pfctl: Split pool parsing into separate functions

The pf pools are used in NAT, route-to and af-to rules. Some parts of
code are duplicated between them. Create functions apply_redirspec(),
apply_nat_ports() and apply_rdr_ports() to handle the common tasks.

Simplify data structures used for pool parsing. Move the contents of
struct redirection to struct redirspec. Map all ways of parsing pools
directly onto struct redirspec. Name various forms of struct redirspec
to hint where they are used.

Remove struct redirspec *rroute from struct filter_opts, because
filter_opts is bzero()'ed after the route part of rule is parsed, and
thus can't be used.

Add tests to ensure that parsing and error messages behave as expected.
The tests have been written and tested with pfctl from before this
patch.

This is prerequisite for adding support for OpenBSD NAT syntax.

Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D49218


Revision tags: release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3
# 7a372bde 22-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: make reply-to work with nat64

Just like route-to, reply-to is problematic when used in combination with nat64.

In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.

We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.

Add a functional test case, and a test for pfctl's rule printing.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# ca0e6934 13-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pf: cope with route-to on af-to rules

af-to uses pf_route() and pf_route6(), which caused issues when af-to and
route-to were combined in a single rule.
Extend the relevant functions to cope with this and add test cases.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 899e7976 23-Jan-2025 Kristof Provost <kp@FreeBSD.org>

pfctl: allow an implicit address family for af-to rules

If the address family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6" there.
OK henning@ mikeb@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, ff33038bc1
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.2.0
# 86bcaedd 07-Nov-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: basic nat64 parser test

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47795


Revision tags: release/13.4.0
# 7309c551 03-Sep-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test the new log(matches) feature

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46589


# 661d0031 06-Sep-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: test the new received-on feature

Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46578


# e1b1984a 06-Sep-2024 Tom Jones <thj@FreeBSD.org>

pfctl: Add endpoint-independent test to the list of tests

Reviewed by: kp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46563


# a8a95277 25-Jul-2024 Juraj Lutter <otis@FreeBSD.org>

pfctl: Allow a semicolon (;) as a comment

To make parsing of, for example, Spamhaus' drop.txt and similar
files that contain semicolons as comments, allow them also
in file-based tables.

Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46088


Revision tags: release/14.1.0, release/13.3.0
# 7ec34ebe 01-Dec-2023 Kristof Provost <kp@FreeBSD.org>

pfctl tests: basic pflow parser test

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43110


Revision tags: release/14.0.0
# 7ce98cf2 06-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: fix incorrect mask on dynamic address

A PF rule using an IPv4 address followed by an IPv6 address and then a
dynamic address, e.g. "pass from {192.0.2.1 2001:db8::1} to (pppoe0)",
will have an incorrect /32 mask applied to the dynamic address.

MFC after: 3 weeks
Obtained from: OpenBSD
See also: https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig
Sponsored by: Rubicon Communications, LLC ("Netgate")
Event: Oslo Hackathon at Modirum


# b3e76948 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/


# ef661d4a 24-Apr-2023 Christian McDonald <cmcdonald@netgate.com>

pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also
allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.2.0, release/12.4.0
# 57e047e5 22-Nov-2022 Kristof Provost <kp@FreeBSD.org>

pf: allow scrub rules without fragment reassemble

scrub rules have defaulted to handling fragments for a long time, but
since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611
this has become less obvious and more expensive ("reassemble" being the
more expensive option, even if it's the one the vast majority of users
should be using).

Extend the 'scrub' syntax to allow fragment reassembly to be disabled,
while retaining the other scrub behaviour (e.g. TTL changes, random-id,
..) using 'scrub fragment no reassemble'.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37459


# 63167eb4 08-Aug-2022 Kristof Provost <kp@FreeBSD.org>

pfctl tests: test case for the POM_STICKYADDRESS fix

In 1e73fbd8b we fixed an issue with POM_STICKYADDRESS being checked in
the wrong struct.
Add a basic test case for this fix.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.1.0
# e5349a29 21-Jan-2022 Kristof Provost <kp@FreeBSD.org>

pfctl tests: Ethernet rule parsing tests

A few basic test cases for Ethernet rule parsing.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/12.3.0
# 9938fcaa 19-May-2021 Kristof Provost <kp@FreeBSD.org>

pfctl tests: Test fairq configuration

We used to have a bug where pfctl could crash setting fairq queues. Test
this case and ensure it does not crash pfctl.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30348


Revision tags: release/13.0.0, release/12.2.0
# 44ec023c 14-Oct-2020 Alex Richardson <arichardson@FreeBSD.org>

Rewrite pfctl_test in C to reduce testsuite run time

The new C test takes 25 seconds on QEMU-RISC-V, whereas the shell version
takes 332 seconds.

Even with the latest optimizations to atf-sh this test still takes a few
seconds to startup in QEMU. Re-writing it in C reduces the runtime for a
single test from about 2-3 seconds to less than .5 seconds. Since there
are ~80 tests, this adds up to about 3-4 minutes.
This may not seem like a big speedup, but before the recent optimizations
to avoid atf_get_srcdir, each test took almost 100 seconds on QEMU RISC-V
instead of 3. This also significantly reduces the time it takes to list
the available test cases, which speeds up running the tests via kyua:

```
root@qemu-riscv64-alex:~ # /usr/bin/time kyua test -k /usr/tests/sbin/pfctl/Kyuafile pfctl_test_old
...
158/158 passed (0 failed)
332.08 real 42.58 user 286.17 sys
root@qemu-riscv64-alex:~ # /usr/bin/time kyua test -k /usr/tests/sbin/pfctl/Kyuafile pfctl_test
158/158 passed (0 failed)
24.96 real 9.75 user 14.26 sys

root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test pf1001
pfctl_test: WARNING: Running test cases outside of kyua(1) is unsupported
pfctl_test: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4)
Running pfctl -o none -nvf /usr/tests/sbin/pfctl/./files/pf1001.in
---
binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
---
passed
0.17 real 0.06 user 0.08 sys
root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_old pf1001
pfctl_test_old: WARNING: Running test cases outside of kyua(1) is unsupported
pfctl_test_old: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4)
Id Refs Name
141 1 pf
Executing command [ pfctl -o none -nvf - ]
passed
1.73 real 0.25 user 1.41 sys
root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_old -l > /dev/null
24.36 real 2.26 user 21.86 sys
root@qemu-riscv64-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test -l > /dev/null
0.04 real 0.02 user 0.01 sys
```

The speedups are even more noticeable on CHERI-RISC-V (since QEMU runs
slower when emulating CHERI instructions):
```
root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_new -l > /dev/null
0.51 real 0.49 user 0.00 sys
root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test -l > /dev/null
34.20 real 32.69 user 0.16 sys
root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test pf1001
pfctl_test: WARNING: Running test cases outside of kyua(1) is unsupported
pfctl_test: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4)
Id Refs Name
147 1 pf
Executing command [ pfctl -o none -nvf - ]
passed
5.74 real 5.41 user 0.03 sys
root@qemu-cheri-alex:/usr/tests/sbin/pfctl # /usr/bin/time ./pfctl_test_new pf1001
pfctl_test_new: WARNING: Running test cases outside of kyua(1) is unsupported
pfctl_test_new: WARNING: No isolation nor timeout control is being applied; you may get unexpected failures; see atf-test-case(4)
Running pfctl -o none -nvf /usr/tests/sbin/pfctl/./files/pf1001.in
---
binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
---
passed
0.68 real 0.66 user 0.00 sys
root@qemu-cheri-alex:/usr/tests/sbin/pfctl #
```

Reviewed By: kp
Differential Revision: https://reviews.freebsd.org/D26779
