#
609fa228 |
| 28-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
pft_ping: improve IPv6 address comparison
Don't use string comparisons, use socket.inet_pton() instead. This avoids confusion when there are different ways to spell the same IP address. e.g. 64:ff9b::c000:202 and 64:ff9b::192.0.2.2 are two representations of the same address.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
6b8096fa |
| 14-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: skip checksum verification in pft_ping.py
From scapy 2.6.0 it now removes (sets to None) the IP checksum in its defrag code. We typically ask for IPv4 or IPv6 defragmentation, which causes check function failures.
Just skip the checksum verification here, because we're going to notice incorrect checksums even if the tests don't directly verify it.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
65074f6f |
| 03-Oct-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf: fix double ruleset evaluation for fragments sent to dummynet
The function `pf_setup_pdesc()` handles ruleset evaluation for non-reassembled packets. Having it called before `pf_mtag` is checked for flags `PF_MTAG_FLAG_ROUTE_TO` and `PF_MTAG_FLAG_DUMMYNET` will cause loops for fragmented packets if reassembly is disabled.
Move `pd` zeroing and `pf_mtag` extraction from `pf_setup_pdesc()` to a separate function `pf_init_pdesc()` and change the order of function calls: first call `pf_init_pdesc()`, then check if the currently processed packet has been reinjected from dummynet, finally call `pf_setup_pdesc()`.
Add functionality of sending UDP packets to `pft_ping.py` with fragmentation support and fix broken IPv6 reassembly.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46880
|
#
6ffd4aeb |
| 28-Sep-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: add a test for max-src-conn
Switch tests using pft_ping.py to inetd. Netcat can only accept a single connection, we need multiple parallel connections to test max-src-conn. Use the discard service and modify pft_ping.py to use proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params accessible to sniffer, because answers to SYN+ACK packets should be sent with the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46798
|
#
85ea6992 |
| 25-Sep-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: Make TCP port numbers configurable
This will be useful for state maximums testing.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46773
|
#
6aeaadf6 |
| 25-Sep-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: Remove nargs from single arguments
Using nargs=1 causes arguments to produce lists from which we must then get the real value. The same applies to defaults, they must be provided as arrays too.
Remove nargs=1 so that values and defaults can be accessed directly.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46772
|
Revision tags: release/13.4.0, release/14.1.0, release/13.3.0 |
|
#
32df0124 |
| 02-Jan-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: ensure that pflog shows malformed packets as blocked, not passed
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/14.0.0 |
|
#
d7c9de2d |
| 26-Oct-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: Add option to send fragmented packets
Add option to send fragmented packets and to properly sniff them by reassembling them by the sniffer itself.
Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D42354
|
Revision tags: release/13.2.0 |
|
#
f57218e4 |
| 21-Jan-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
netpfil tests: improve pft_ping.py
Multiple improvements to pft_ping.py:
* Automatically use IPv6 when IPv6 addresses are used, --ip6 is not needed.
* Building of ping requests and parsing of ping replies is done layer by layer. This way most arguments are available both for IPv6 and IPv4, for ICMP and TCP.
* Use argument groups for improved readability.
* Change ToS and TTL argument name to TC and HL to reflect the modern IPv6 nomenclature. The argument still set related IPv4 header fields properly.
* Instead of sniffing for the very specific case of duplicated packets, allow for sniffing on multiple interfaces.
* Report which sniffer has failed by setting bits of error code.
* Raise meaningful exceptions when irrecoverable errors happen.
* Make IPv4 fragmentation flags configurable.
* Make IPv6 HL / IPv4 TTL configurable.
* Make TCP MSS configurable.
* Make TCP sequence number configurable.
* Make ICMP payload size configurable.
* Add debug output.
* Move command line argument parsing out of network functions.
* Make the code somehow PEP-8 compliant.
MFC after: 1 week Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D38122
|
#
a39dedeb |
| 20-Jan-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
netpfil tests: improve sniffer.py
Multiple improvements to sniffer.py:
* Remove ambiguity of configuring recvif, it must be now explicitly specified.
* Don't catch exceptions around creating the sniffer, let it properly fail and display the whole stack trace.
* Count correct packets so that duplicates can be found.
MFC after: 1 week Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D38120
|
Revision tags: release/12.4.0, release/13.1.0, release/12.3.0 |
|
#
0a7d1fc6 |
| 15-Aug-2021 |
Samuel Robinette <samrobinette95@gmail.com> |
pf: implement set-tos for IPv6
Extend the existing set-tos keyword to also be able to set traffic class on IPv6 traffic. Add tests for this as well.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D31564
|
#
a26e895f |
| 12-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
tests: Only log critical errors from scapy
Since 2.4.5 scapy started issuing warnings about a few different configurations during our tests. These are harmless, but they generate stderr output, which upsets atf_check.
Configure scapy to only log critical errors (and thus not warnings) to fix these tests.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
9af23174 |
| 16-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: IPv6 test case for the 'kill state(s)' feature
Reviewed by: donner MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29797
|
Revision tags: release/13.0.0 |
|
#
4a7d8405 |
| 17-Feb-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Explicitly ask for python3
If we install the scapy package (which we do list as a dependency) we don't automatically install python (but we do have python3).
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
6b52139e |
| 15-Feb-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Test unicast reverse path forwarding check
Ensure that pf's urpf-failed keyword works as expected.
PR: 253479 MFC after: 1 week Reviewed by: melifaro@ Differential Revision: https://reviews.freebsd.org/D28694
|
#
cd579b6f |
| 28-Jan-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Test that dup-to doesn't produce extra duplicate packets
|
#
2d3fda5f |
| 19-Dec-2020 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: Verify (tcp) checksum modification on unaligned options
It turns out pf incorrectly updates the TCP checksum if the TCP option we're modifying is not 2-byte aligned with respect to the start of the packet.
Create a TCP packet with such an option and throw it through a scrub rule, which will update timestamps and modify the packet.
PR: 240416 MFC after: 1 week Differential revision: https://reviews.freebsd.org/D27688
|
Revision tags: release/12.2.0, release/11.4.0, release/12.1.0 |
|
#
65d553b0 |
| 29-Oct-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Add missing copyright & license statements
|
#
cfa8b648 |
| 27-Oct-2019 |
Li-Wen Hsu <lwhsu@FreeBSD.org> |
Follow r354121 to fix some python3 errors in sys.netpfil.*
stderr:
Traceback (most recent call last):
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 135, in <module>
    main()
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 124, in main
    ping(args.sendif[0], args.to[0], args)
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 74, in ping
    raw = sp.raw(str(PAYLOAD_MAGIC))
  File "/usr/local/lib/python3.6/site-packages/scapy/compat.py", line 52, in raw
    return bytes(x)
TypeError: string argument without an encoding
MFC with: r354121 Sponsored by: The FreeBSD Foundation
|
#
f0297f12 |
| 26-Oct-2019 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Upgrade (scapy) py2 tests to work on py3.
In order to move python2 out of the test framework to avoid py2 vs. py3 confusions upgrade the remaining test cases using scapy to work with py3. That means only one version of scapy needs to be installed in the CI system. It also gives a path forward for testing i386 issues observed in the CI system with some of these tests.
Fixes are:
- Use default python from environment (which is 3.x these days).
- properly indent some lines as common for the rest of the file to avoid errors.
- cast the calculated offset to an int as the division result is considered a float which is not accepted input.
- when comparing payload to a magic number make sure we always add the payload properly to the packet and do not try to compare string in the result but convert the data payload back into an integer.
- fix print formatting.
Discussed with: lwhsu, kp (taking it off his todo :) MFC after: 2 weeks
|
#
95312530 |
| 19-Aug-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Move pft_ping.py and sniffer.py to the common test directory
The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to tests/sys/netpfil/common directory because these tools are to be used in common for all the firewalls.
Submitted by: Ahsan Barkati Reviewed by: kp, thj Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276
|