#
9b86b272 |
| 15-Oct-2024 |
Igor Ostapenko <igoro@FreeBSD.org> |
tests: Move netpfil/pf/divapp to netpfil/common/
It's intended to be used by both ipfw and pf.
Reviewed by: kp, markj Approved by: kp (mentor) Differential Revision: https://reviews.freebsd.org/D47110
|
Revision tags: release/13.4.0 |
|
#
4f752a15 |
| 19-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: run in parallel
Run these tests in their own (vnet) jail so we don't have to worry about IP range or jail name conflicts.
Reviewed by: markj Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46040
|
#
e9ac4169 |
| 15-Jul-2024 |
Warner Losh <imp@FreeBSD.org> |
Remove residual blank line at start of Makefile
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix
|
Revision tags: release/14.1.0, release/13.3.0 |
|
#
4c84c69b |
| 29-Nov-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: test that we validate sequence numbers on TCP RST
MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/14.0.0 |
|
#
d0b2dbfa |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
#
5ab15157 |
| 24-May-2023 |
Doug Rabson <dfr@FreeBSD.org> |
netinet*: Fix redirects for connections from localhost
Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter rules to change the destination address and port for a connection. Typically, the rule triggers on an input event when a packet is received by a router and the destination address and/or port is changed to implement the redirect. When a reply packet on this connection is output to the network, the rule triggers again, reversing the modification.
When the connection is initiated on the same host as the packet filter, it is initially output via lo0 which queues it for input processing. This causes an input event on the lo0 interface, allowing redirect processing to rewrite the destination and create state for the connection. However, when the reply is received, no corresponding output event is generated; instead, the packet is delivered to the higher level protocol (e.g. tcp or udp) without reversing the redirect, the reply is not matched to the connection and the packet is dropped (for tcp, a connection reset is also sent).
This commit fixes the problem by adding a second packet filter call in the input path. The second call happens right before the handoff to higher level processing and provides the missing output event to allow the redirect's reply processing to perform its rewrite. This extra processing is disabled by default and can be enabled using pfilctl:
pfilctl link -o pf:default-out inet-local
pfilctl link -o pf:default-out6 inet6-local
PR: 268717 Reviewed-by: kp, melifaro MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40256
|
Revision tags: release/13.2.0 |
|
#
cdb19243 |
| 30-Mar-2023 |
Mark Johnston <markj@FreeBSD.org> |
netpfil tests: Serialize
These tests reuse jail names and so cannot run in parallel.
MFC after: 1 week
|
Revision tags: release/12.4.0, release/13.1.0, release/12.3.0 |
|
#
30276ef1 |
| 19-Oct-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: test NAT-ed ICMP errors
Ensure that the ICMP error is returned with the correct source and destination addresses.
MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32572
|
#
d8d43b2d |
| 28-Jun-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Stress state retrieval
Create and retrieve 20.000 states. There have been issues with nvlists causing very slow state retrieval. We don't impose a specific limit on the time required to retrieve the states, but do log it. In excessive cases the Kyua timeout will fail this test.
Reviewed by: donner MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30943
|
#
ea3eca5c |
| 21-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Basic dummynet pipe test
Test dummynet pipes (i.e. bandwidth limitation) with ipfw. This is put in the common tests because we hope to add dummynet support to pf in the near future.
MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30380
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0 |
|
#
c5c3ba6b |
| 03-Sep-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r351317 through r351731.
|
#
39cae0d5 |
| 23-Aug-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Add forward test for the three firewalls
Submitted by: Ahsan Barkati Reviewed by: kp Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21321
|
#
3e1ebe7f |
| 20-Aug-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Add too many fragments test for pf, ipfw and ipf
Add test for checking that the packets are dropped if it is fragmented into more than the defined value.
Submitted by: Ahsan Barkati Reviewed by: kp Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21307
|
#
df3d236d |
| 20-Aug-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Add the set ToS test for ipfw and pf
This test tests the following:
- The firewall is able to set the tos bits
- The firewall is able to set the DSCP bits when EN bits is already set and the EN bits remains unchanged.
- The firewall is able to drop the packets based on ToS value
Submitted by: Ahsan Barkati Reviewed by: kp Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21305
|
#
95312530 |
| 19-Aug-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Move pft_ping.py and sniffer.py to the common test directory
The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to tests/sys/netpfil/common directory because these tools are to be used in common for all the firewalls.
Submitted by: Ahsan Barkati Reviewed by: kp, thj Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276
|
#
0d9da68f |
| 17-Aug-2019 |
Tom Jones <thj@FreeBSD.org> |
Add basic NAT test for pf, ipf and ipfw
Add common firewall NAT tests for pf, ipf and ipfw (using both in-kernel and userspace NAT).
Submitted by: Ahsan Barkati Sponsored by: Google, Inc. (GSoC 2019) Reviewed by: kp Approved by: bz (mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D21199
|
#
f97a8a36 |
| 05-Aug-2019 |
Tom Jones <thj@FreeBSD.org> |
Add common firewall test suite
Add a common test suite for the firewalls included in the base system. The test suite allows common test infrastructure to test pf, ipfw and ipf firewalls from test files containing the setup for all three firewalls.
Add the pass block test for pf, ipfw and ipf. The pass block test checks the allow/deny functionality of the firewalls tested.
Submitted by: Ahsan Barkati Sponsored by: Google, Inc. (GSoC 2019) Reviewed by: kp Approved by: bz (co-mentor) MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D21065
|