6e7f24e0 | 04-Mar-2025 | Kristof Provost <kp@FreeBSD.org>
pf: fix nat64 ICMP translation
Fix more incorrect use of the iih pointer, this time causing corruption in nat64 translated ICMP error messages. Extend the relevant test case to catch this bug.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49231

2f774911 | 25-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: test ICMP error translation with nat64
Ensure that when we translate an ICMPv4 to ICMPv6 message we set the correct source IP address.
PR: 284944
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49144

f32a2550 | 03-Mar-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: test source-hash and random on empty table or interface without address
Attempt to provoke the crashes fixed by the previous commit.
Sponsored by: Rubicon Communications, LLC ("Netgate")

f8bd05ad | 03-Mar-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: add missing pflog_init to pflog:rdr_action
Without it we tried to run the test even if pflog wasn't loaded.
Sponsored by: Rubicon Communications, LLC ("Netgate")

c46af893 | 03-Mar-2025 | Jose Luis Duran <jlduran@FreeBSD.org>
tests: Require python3 when using Scapy
python3 is a symbolic link that points to the current python 3.X version.
It is possible for a system to have python (python 3.X) without the python3 (symlink) package.
Test scripts that use Scapy are invoked using python3, so add it as a required program.
Reviewed by: ngie, asomers
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49007

f6f116cd | 23-Feb-2025 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf: Make af-to work on outbound interface
Currently af-to works only on the inbound interface by creating a reversed NAT state key which is used to match traffic returning on the outbound interface.
Such a limitation is not necessary. When an af-to state is created for an outbound rule, do not reverse the NAT state key, making it work just as if it were created for a normal NAT rule. Depending on firewall design it might be easier and more natural to use af-to on the outbound interface.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D49122

41265f65 | 21-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf: cope with IPv6 gateways for an IPv4 route in nat64
It's possible for an IPv4 next hop to be specified as an IPv6 address. This broke pf's route lookup in pf_route(), which is required for nat64.
Handle this case just like ip_tryforward(): use the struct sockaddr from the struct nhop_object, and mark a struct route to indicate if_output() has to use the gateway.
Add a test case for this.
PR: 284946
Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49095

9bdb3272 | 21-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: remove stray debug log line
Sponsored by: Rubicon Communications, LLC ("Netgate")

921c9c7b | 14-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: test new log(matches) behaviour
Ensure that a log(matches, to pflog1) sends all future matches to pflog1.
Sponsored by: Rubicon Communications, LLC ("Netgate")

c2346c3d | 13-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf: support source-hash and random with tables and dynifs, not just pools
This finally allows using source-hash for dynamic loadbalancing, e.g. "rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
Obtained from: OpenBSD, reyk <reyk@openbsd.org>, 252a05523f
Sponsored by: Rubicon Communications, LLC ("Netgate")

86f2641b | 19-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf: fix icmp-in-icmp handling with if-bound states
When we receive an ICMP packet containing another ICMP packet we look up the original ICMP state. This is done through a second struct pf_pdesc ('pd2'), containing relevant information (i.e. addresses, type, id, ..). pd2 did not contain the network interface ('kif'), leading to state lookup failures. This only affected if-bound mode, because floating states match all interfaces.
Set kif in pd2.
Extend the icmp.py:test_fragmentation_needed test case to use if-bound mode. It already checked that we handled icmp-in-icmp correctly.
PR: 284866
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

1f1963bd | 17-Feb-2025 | Jose Luis Duran <jlduran@FreeBSD.org>
pf tests: Remove Scapy as a required program
Scapy is not needed to run this test. Remove it from the required programs list.
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49006

cf4a4e4f | 17-Feb-2025 | Jose Luis Duran <jlduran@FreeBSD.org>
pf tests: Add Scapy as a required program
The utils.subr file includes a couple of subroutines (ping_dummy_check_request and ping_server_check_reply) that require Scapy.
Add this requirement in the header of each test that makes use of them.
Reported by: Jenkins
Reviewed by: kp
Approved by: emaste (mentor)
Fixes: 07e070ef0869 ("pf: Add support for multiple source node types")
Differential Revision: https://reviews.freebsd.org/D49004

26a7be91 | 11-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: basic 'any' interface test case
Sponsored by: Rubicon Communications, LLC ("Netgate")

685fb425 | 14-Feb-2025 | Franco Fichtner <franco@opnsense.org>
pf: Log the intended action when a NAT rule matches a packet
When a packet matches a binat/nat/rdr rule, pf logs the match. The log metadata includes the rule's action on the packet, e.g., PF_PASS. NAT rules have their own actions: PF_BINAT, PF_NAT, PF_RDR.
Before commit 948e8413aba0 ("pflog: pass the action to pflog directly"), pflog_packet() would obtain the action from the rule definition, whereas after that commit the action is passed as a parameter. When a NAT rule matches, we want to log the rule action, but after that commit, PF_PASS is hard-coded. Restore the previous behaviour.
Add a regression test which installs a redirect, logs packets matching the redirect rule, and verifies that the corresponding pflog entry includes the correct action.
Reviewed by: kp
Fixes: 948e8413aba0 ("pflog: pass the action to pflog directly")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48911

07e070ef | 07-Feb-2025 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf: Add support for multiple source node types
For every state pf creates up to two source nodes: a limiting one struct pf_kstate -> src_node and a NAT one struct pf_kstate -> nat_src_node. The limiting source node is tracking information needed for limits using max-src-states and max-src-nodes and the NAT source node is tracking NAT rules only.
On closer inspection some issues emerge:
- For route-to rules the redirection decision is stored in the limiting source node. Thus sticky-address and source limiting can't be used separately.
- Global source tracking, as promised in the man page, is totally absent from the code. Pfctl is capable of setting flags PFRULE_SRCTRACK (enable source tracking) and PFRULE_RULESRCTRACK (make source tracking per rule). The kernel code checks PFRULE_SRCTRACK but ignores PFRULE_RULESRCTRACK. That makes source tracking work per-rule only.
This patch is based on OpenBSD approach where source nodes have a type and each state has an array of source node pointers indexed by source node type instead of just two pointers. The conditions for limiting are applied only to source nodes of PF_SN_LIMIT type. For global limit tracking source nodes are attached to the default rule.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39880

26fb3871 | 10-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: add basic ! received-on test case
Sponsored by: Rubicon Communications, LLC ("Netgate")

90ef7a0b | 10-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: test 'quick' for match rules
Sponsored by: Rubicon Communications, LLC ("Netgate")

e736f6df | 12-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: fix test skipping when pf is not loaded
Two test cases in table.sh didn't call pft_init and thus didn't skip if pf is not loaded. The fragmentation_pass:v6_route_to test had the test body in the cleanup function, so got run even when pf was not loaded.
Sponsored by: Rubicon Communications, LLC ("Netgate")

d11a1965 | 06-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: verify that table counters work on match rules
Sponsored by: Rubicon Communications, LLC ("Netgate")

65cc5af1 | 12-Feb-2025 | Jose Luis Duran <jlduran@FreeBSD.org>
sys tests: Add scapy as a required program
These atf-python tests rely on scapy to run. Add it as a required program.
Reported by: glebius, kp
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D48946

6c795ce1 | 05-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: verify that a nested anchor does not clear the quick flag
Sponsored by: Rubicon Communications, LLC ("Netgate")

e295e0b8 | 11-Feb-2025 | Jose Luis Duran <jlduran@FreeBSD.org>
tests: Add scapy as a required program
The utils.subr file includes a couple of subroutines (ping_dummy_check_request and ping_server_check_reply) that require scapy.
Add this requirement in the header of each test that makes use of them.
Reported by: Jenkins
Reviewed by: kp, ngie
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D48917

db100bd9 | 04-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: add more fragmentation test cases
Add more test cases for the pf fragment hole counter. Also look into the final fragment of the echo reply and check the total length of the IP packet.
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 640736615b
Sponsored by: Rubicon Communications, LLC ("Netgate")

0cd95355 | 05-Feb-2025 | Kristof Provost <kp@FreeBSD.org>
pf tests: extend set-tos test
Verify that we can set-tos on pass rules, and that this still works even if a 'scrub' option is present on the pass rule.
Sponsored by: Rubicon Communications, LLC ("Netgate")