History log of /freebsd/tests/sys/netpfil/pf/icmp.py (Results 1 – 8 of 8)
# 13cd0f9c 18-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf tests: test truncated IP options in ICMP payload

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 92155f8b 16-Jul-2025 Kristof Provost <kp@FreeBSD.org>

pf tests: don't set interface on scapy's sr1()

That's not supported:
> /usr/local/lib/python3.11/site-packages/scapy/sendrecv.py:726: SyntaxWarning: 'iface' has no effect on L3 I/O sr1().

Sponsored by: Rubicon Communications, LLC ("Netgate")



# 9c95fcb7 09-Jul-2025 Ronald Klop <ronald@klop.ws>

tests: Get the MAC from the epairs.

This removes knowledge of the implementation of if_epair.
Makes it easier to modify if_epair in future commits.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D51205



Revision tags: release/14.3.0-p1, release/14.2.0-p4, release/13.5.0-p2
# 32f793e2 27-Jun-2025 Kristof Provost <kp@FreeBSD.org>

pf tests: test handling of ICMP echo requests with the same ID

We previously broke this, so add a test to prevent regressions.

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.3.0, release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4
# 86f2641b 19-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf: fix icmp-in-icmp handling with if-bound states

When we receive an ICMP packet containing another ICMP packet we look up the
original ICMP state. This is done through a second struct pf_pdesc ('pd2'),
containing relevant information (i.e. addresses, type, id, ..).
pd2 did not contain the network interface ('kif'), leading to state lookup
failures. This only affected if-bound mode, because floating states match all
interfaces.

Set kif in pd2.

Extend the icmp.py:test_fragmentation_needed test case to use if-bound mode. It
already checked that we handled icmp-in-icmp correctly.

PR: 284866
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")



# 65cc5af1 12-Feb-2025 Jose Luis Duran <jlduran@FreeBSD.org>

sys tests: Add scapy as a required program

These atf-python tests rely on scapy to run.
Add it as a required program.

Reported by: glebius, kp
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D48946



# fffedd81 03-Feb-2025 Kristof Provost <kp@FreeBSD.org>

pf: send ICMP destination unreachable fragmentation needed when appropriate

Just like we do for IPv6, generate an ICMP fragmentation needed packet if we're
going to need fragmentation for IPv4 as well (i.e. DF is set). Do so before full
processing, so we generate it with pre-NAT addresses, just as we do for IPv6.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D48805



Revision tags: release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0
# b27d3f71 28-Aug-2024 Kristof Provost <kp@FreeBSD.org>

pf tests: improved test for CVE-2019-5598

Ensure that we verify that the inner and outer IP address matches for ICMP error
messages. This is a more detailed test for CVE-2019-5598, which was fixed back
in 2019.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46573
