History log of /freebsd/tests/sys/netpfil/pf/Makefile (Results 26 – 50 of 83)
Revision Date Author Comments
# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# b23dbabb 13-Jul-2023 Kristof Provost <kp@FreeBSD.org>

pf: test rules evaluation in the face of multiple IPv6 fragment headers

Send an ICMPv6 echo request packet with multiple IPv6 fragment headers.
Set rules to pass all packets, except for ICMPv6 echo requests.

pf ought to drop the echo request, but doesn't because it reassembles
the packet, and then doesn't handle the second fragment header. In other
words: it fails to detect the ICMPv6 echo header.

Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
MFC after: instant
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 95363473 27-Apr-2023 Kristof Provost <kp@FreeBSD.org>

pf tests: basic SCTP connection test

pf can now inspect SCTP. Check that we can set up a connection.
IPv4 and IPv6 tests.

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40863


# 5ab15157 24-May-2023 Doug Rabson <dfr@FreeBSD.org>

netinet*: Fix redirects for connections from localhost

Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
rules to change the destination address and port for a connection.
Typically, the rule triggers on an input event when a packet is received
by a router and the destination address and/or port is changed to
implement the redirect. When a reply packet on this connection is output
to the network, the rule triggers again, reversing the modification.

When the connection is initiated on the same host as the packet filter,
it is initially output via lo0 which queues it for input processing.
This causes an input event on the lo0 interface, allowing redirect
processing to rewrite the destination and create state for the
connection. However, when the reply is received, no corresponding output
event is generated; instead, the packet is delivered to the higher level
protocol (e.g. tcp or udp) without reversing the redirect, the reply is
not matched to the connection and the packet is dropped (for tcp, a
connection reset is also sent).

This commit fixes the problem by adding a second packet filter call in
the input path. The second call happens right before the handoff to
higher level processing and provides the missing output event to allow
the redirect's reply processing to perform its rewrite. This extra
processing is disabled by default and can be enabled using pfilctl:

pfilctl link -o pf:default-out inet-local
pfilctl link -o pf:default-out6 inet6-local

PR: 268717
Reviewed-by: kp, melifaro
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40256


# b800be97 13-Apr-2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf tests: add tests for the new scrub syntax

Add functions for testing new scrub option syntax and for packet
fragmentation and route tables, because this was modified too. When
testing of both the new and the compatible syntax is necessary, move
original tests into _compat.sh file.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38129


Revision tags: release/13.2.0
# b60600ce 25-Mar-2023 Mark Johnston <markj@FreeBSD.org>

pf tests: Serialize

These tests reuse jail names and cannot run in parallel. Until this is
fixed - which is desirable since these tests take a while to run - tell
kyua to serialize them.

MFC after: 1 week


# 38e2d5db 04-Mar-2023 Kristof Provost <kp@FreeBSD.org>

netpfil tests: Add functions for testing routing scenarios

Many pf tests use identical setup where one jail is a router and
optionally another jail is a server. Add functions to create such jails
for IPv6 and IPv4 and functions to perform tests on such setup.

Add tests using those functions: scrub actions, routing table, tcp
sequence number modulation.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38126


Revision tags: release/12.4.0
# 07ffa50b 23-Jun-2022 Kristof Provost <kp@FreeBSD.org>

pf tests: test short packets

Test sending very short packets (i.e. too short for an IP header)
in the Ethernet filtering code.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/13.1.0, release/12.3.0
# 93b64cdc 13-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: slightly more complex captive portal setup

Combine anchor, dummynet and rdr to produce a more complex captive
portal setup.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32484


# ab1868a7 29-Sep-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: test match keyword and dummynet

Ensure that the 'match' keyword works with dummynet

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32480


Revision tags: release/13.0.0
# d6fc3ee2 09-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: MAC address filtering test

Test the MAC address filtering capability in the new 'ether' feature in
pf.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31743


# 24360d83 14-Feb-2022 Kristof Provost <kp@FreeBSD.org>

pf tests: Basic 'set prio' test

The ability to set VLAN PCP from pf was introduced in 3e248e0fb4, but
never had a test added.

Create a basic setup to set the PCP to an arbitrary value and use
tcpdump to check it's actually set.

MFC after: 1 week


# 60a3a371 02-Dec-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: more thorough pfsync defer test

Add a somewhat more extensive pfsync defer mode test. Ensure that pfsync
actually delays the state creating packet until after it has sent the
pfsync update and given the peer time to create the state.

Ideally the test should validate the pfsync state update and generate an
ack message, but to keep the test simple we rely on the timeout of the
deferred packet instead.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33245


# 50816111 29-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: basic test for ridentifier

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32751


# 914ec9c7 03-Oct-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: ensure that $nr expansion is correct

Test the $nr expansion in labels is correct, even if the optimiser
reduces the rule count.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D32489


# 3be9301a 02-Jun-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Forwarding syncookie test

Test syncookies on a forwarding host. That is, in a setup where the
machine (or vnet) running pf is not the same as the machine (or vnet)
running the server it's protecting.

MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31141


# d8d43b2d 28-Jun-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Stress state retrieval

Create and retrieve 20.000 states. There have been issues with nvlists
causing very slow state retrieval. We don't impose a specific limit on
the time required to retrieve the states, but do log it. In excessive
cases the Kyua timeout will fail this test.

Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30943


# dd82fd35 01-Jul-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: ftp-proxy test

Basic test case for ftp-proxy

PR: 256917
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")


# d39d5ee2 25-Feb-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test cases for fragment reassembly

Obtained from: Alexander Bluhm, OpenBSD


# 065b5c7f 16-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test cases for the 'kill state(s)' feature

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29796


# 112f007e 12-Apr-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test clearing rules counters

This was briefly broken, so ensure that we can read and clear rules
counters.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29728


# 2aa21096 13-Apr-2021 Kurosawa Takahiro <takahiro.kurosawa@gmail.com>

pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports
in NAT operation on the Customer Edge because a part of bits of the port
numbers are used by the Border Relay to distinguish another side of the
IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468


# 9d3b2bcf 03-Mar-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test tos/dscp matching

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29078


# cd579b6f 28-Jan-2021 Kristof Provost <kp@FreeBSD.org>

pf tests: Test that dup-to doesn't produce extra duplicate packets


# 16b38333 23-Jan-2021 Kristof Provost <kp@FreeBSD.org>

altq tests: Basic ALTQ test

Activate ALTQ_HFSC, crudely check if it really limits bandwidth as we'd expect.

Reviewed by: donner@
Differential Revision: https://reviews.freebsd.org/D28303

