Revision tags: release/14.2.0 |
|
#
a4e04032 |
| 08-Nov-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: verify that TCP RST makes it through NAT64
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D47796
|
#
0656a680 |
| 21-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: basic nat64 test case
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D47791
|
#
9b86b272 |
| 15-Oct-2024 |
Igor Ostapenko <igoro@FreeBSD.org> |
tests: Move netpfil/pf/divapp to netpfil/common/
It's intended to be used by both ipfw and pf.
Reviewed by: kp, markj Approved by: kp (mentor) Differential Revision: https://reviews.freebsd.org/D47110
|
#
67bd1d07 |
| 25-Sep-2024 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: Add max states test
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46774
|
Revision tags: release/13.4.0 |
|
#
b27d3f71 |
| 28-Aug-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: improved test for CVE-2019-5598
Ensure that we verify that the inner and outer IP address matches for ICMP error messages. This is a more detailed test for CVE-2019-5598, which was fixed back in 2019.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46573
|
#
9897a669 |
| 19-Aug-2024 |
Mark Johnston <markj@FreeBSD.org> |
pf: Let rdr rules modify the src port if doing so would avoid a conflict
If NAT rules cause inbound connections to different external IPs to be mapped to the same internal IP, and some application uses the same source port for multiple such connections, rdr translation may result in conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate the source port to avoid them.
Reviewed by: kp, allanjude MFC after: 3 months Sponsored by: Klara, Inc. Sponsored by: Modirum Differential Revision: https://reviews.freebsd.org/D44488
|
#
09b7a038 |
| 14-Aug-2024 |
Igor Ostapenko <pm@igoro.pro> |
pf tests: Add 'mbuf' test for (*m0)->m_len < sizeof(struct ip) cases
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D45927
|
#
b9f0dbc3 |
| 09-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: ensure we don't confuse different ICMP types
When creating a state for ICMP (v4 or v6) packets we only used the ID, which means that we could confuse different ICMP types. For example, if we allowed neighbour discovery but not ICMPv6 echo requests an ND packet could create a state that the echo request would match.
Test that this is now fixed.
Reported by: Enrico Bassetti <e.bassetti@tudelft.nl> MFC after: 1 day Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
4f752a15 |
| 19-Jul-2024 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: run in parallel
Run these tests in their own (vnet) jail so we don't have to worry about IP range or jail name conflicts.
Reviewed by: markj Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46040
|
#
e9ac4169 |
| 15-Jul-2024 |
Warner Losh <imp@FreeBSD.org> |
Remove residual blank line at start of Makefile
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix
|
#
239e24eb |
| 02-Jul-2024 |
Igor Ostapenko <pm@igoro.pro> |
pf: Handle (*m0)->m_len < sizeof(struct ip) case
if_enc(4) can pass IPsec payload to pfil(9) with the outer header or without it. In case of a small packet like ICMP, when mbuf cluster is not used, everything works fine. Otherwise, the first mbuf in a chain has m_len == 0 if it is asked to strip the outer header. pf was not handling such case, and erroneous reading of the outer IP header led to unexpected behavior.
Reviewed by: kp, glebius Differential Revision: https://reviews.freebsd.org/D45780
|
#
d9ab8999 |
| 07-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink
Event: Kitchener-Waterloo Hackathon 202406
|
#
cce69517 |
| 01-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: basic debug level test
Set & retrieve the debug level.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/14.1.0 |
|
#
a9d7ff4e |
| 30-May-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: basic status get/clear test
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
470a2b33 |
| 18-Mar-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: convert DIOCSETSTATUSIF to netlink
While here also add a basic test case for it.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D44368
|
Revision tags: release/13.3.0, release/14.0.0 |
|
#
b9870ba9 |
| 06-Oct-2023 |
Tom Jones <thj@FreeBSD.org> |
pf: Add a TCP rdr test on IPv6
Reviewed by: kp Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D42105
|
#
57c50d6b |
| 17-Jan-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: test ICMP6 packet too big with binat
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D43500
|
#
6bd36d1c |
| 04-Dec-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: pflow functionality test
Test that we actually send netflow messages when configured to do so. We do not yet inspect the generated netflow messages.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D43111
|
#
fb0c7468 |
| 01-Dec-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: initial pflow test case
Basic creation, validation and cleanup test for the new pflow interface.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D43109
|
#
32df0124 |
| 02-Jan-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: ensure that pflog shows malformed packets as blocked, not passed
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
4c84c69b |
| 29-Nov-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: test that we validate sequence numbers on TCP RST
MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
ede5d4ff |
| 26-Oct-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf: Fix packet reassembly
Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour.
Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D42355
|
#
fabf705f |
| 19-Oct-2023 |
Igor Ostapenko <pm@igoro.pro> |
pf: fix pf divert-to loop
Resolved conflict between ipfw and pf if both are used and pf wants to do divert(4) by having separate mtags for pf and ipfw.
Also fix the incorrect 'rulenum' check, which caused the reported loop.
While here add a few test cases to ensure that divert-to works as expected, even if ipfw is loaded.
divert(4) PR: 272770 MFC after: 3 weeks Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D42142
|
#
1a28d5fe |
| 02-Aug-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: basic SCTP multihoming test
The SCTP server will announce multiple addresses. Block one of them with pf, connect to the other, have the client use the blocked address. pf is expected to have created state for all of the addresses announced by the server.
In a separate test case add the secondary (client) IP after the connection has been established. The intent is to verify the functionality of the ASCONF chunk parsing.
MFC after: 3 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D41638
|
#
d0b2dbfa |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|