pf tests: Verify (tcp) checksum modification on unaligned options

It turns out pf incorrectly updates the TCP checksum if the TCP option
we're modifying is not 2-byte algined with respect to the sta

pf tests: Verify (tcp) checksum modification on unaligned options

It turns out pf incorrectly updates the TCP checksum if the TCP option
we're modifying is not 2-byte algined with respect to the start of the
packet.

Create a TCP packet with such an option and throw it through a scrub
rule, which will update timestamps and modify the packet.

PR: 240416
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D27688

show more ...

pf tests: Sort Makefile entries

MFC after: 1 week

pf tests: Basic source tracking test

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D27255

Add a basic table entry counter regression test.

Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24809

netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to
tests/sys/netpfil/common directory because these

netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to
tests/sys/netpfil/common directory because these tools are to be used in
common for all the firewalls.

Submitted by: Ahsan Barkati
Reviewed by: kp, thj
Sponsored by: Google, Inc. (GSoC 2019)
Differential Revision: https://reviews.freebsd.org/D21276

show more ...

MFHead@r345677

pf tests: Test CVE-2019-5598

Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet.

pf tests: Move Sniffer to its own file

Make it easier to re-use the sniffer class in other test support
scripts.

MFHead@r345275

MFhead@r344786

Merge ^/head r344549 through r344775.

pf tests: Test CVE-2019-5597

Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.

Obtained from: Corentin

pf tests: Test CVE-2019-5597

Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.

Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

show more ...

pf tests: Basic rdr test

MFC after: 2 weeks

pf tests: NAT exhaustion test

It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this,

pf tests: NAT exhaustion test

It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this, by setting up a situation where only two ports are
available for NAT and then attempting to create three connections.

If successful the third connection will fail immediately. In an
incorrect case the connection attempt will freeze, also freezing all
interaction with pf through pfctl and trigger timeout.

PR: 233867
MFC after: 2 weeks

show more ...

Merge ^/head r340918 through r341763.

pf tests: Test name handling

Provoke a situation where two interfaces have the same name, and verify
pf's reaction to this.

Merge ^/head r340235 through r340367.

pf tests: Test PR 183198

Create a table which is only used inside an anchor, ensure that the
table exists.

PR: 183198
MFC after: 2 weeks

Merge ^/head r339813 through r340125.

pf tests: Basic pfsync test

Set up two jails, configure pfsync between them and create state in one
of them, verify that this state is copied to the other jail.

MFC after: 2 weeks
Sponsored by: Ora

pf tests: Basic pfsync test

Set up two jails, configure pfsync between them and create state in one
of them, verify that this state is copied to the other jail.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D17504

show more ...

Merge ^/head r337646 through r338014.

pf tests: Basic test for 'set skip in $groupname'

This tests for the problem reported in PR 229241, where using a group
name in 'set skip on' did not work as expected.

Sponsored by: Essen Hackathon

pf tests: Basic synproxy test

A very basic syncproxy test: set up a connection via a synproxy rule.
This triggeres the panic fixed in r336273.

pf tests: Basic route-to tests

Very basic route-to tests. These tests attempt to provoke PR 228782 for IPv4
and IPv6. A test failure will panic the machine.

pf tests: Basic ioctl validation tests

Validate the DIOCRADDTABLES and DIOCRDELTABLES ioctls with invalid size
values. All of these requests should fail.

MFC after: 1 week