pf tests: test source-hash and random on empty table or interface without address

Attempt to provoke the crashes fixed by the previous commit.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: ensure we don't NAT to link-local addresses

Reviewed by: zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46595

pf: Add support for endpoint independent NAT bindings for UDP

With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT r

pf: Add support for endpoint independent NAT bindings for UDP

With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.

Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without effecting existing
deployments.

This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.

Using Endpoint Independent NAT changes NAT exhaustion behaviour it does
not introduce any additional security considerations compared to other
forms of NAT.

PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137

show more ...

pf tests: ensure temporary files end up in the atf working directory

Many of the tests create temporary files. pid files, log files, tcpdump
captures, ... We should take care to ensure they're store

pf tests: ensure temporary files end up in the atf working directory

Many of the tests create temporary files. pid files, log files, tcpdump
captures, ... We should take care to ensure they're stored in the temporary
working directory Kyua creates rather than in the root directory.

This ensures there are no conflicts between simultaneously running tests, and
also keeps the root directory clean.

MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

Improve the pf nat exhaustion test by checking the reply from the echo server

Event: Oslo Hackathon
Approved by: kp

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

pf tests: Test retrieving nested nat-anchors

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: make synproxy and nat work correctly even if inetd is running

tests/sys/netfil/pf/synproxy fails if inetd has been running
outside of the jail because pidfile_open() fails with EEXIST.
tes

pf tests: make synproxy and nat work correctly even if inetd is running

tests/sys/netfil/pf/synproxy fails if inetd has been running
outside of the jail because pidfile_open() fails with EEXIST.
tests/sys/netfil/pf/nat has the same problem but the test succeeds
because whether inetd is running is not so important.

Fix the problem by changing the pidfile path from the default
location.

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29622

show more ...

pf tests: Re-enable panicing tests

We've fixed the vnet/epair cleanup race, so it is now safe to re-enable these
tests.

MFC after: 2 weeks
Sponsored by: Modirum MDPay

Remove the svn:executable property from some pf test files.

The test makefiles will handle setting mode bits during install. Also,
Phabricator gets upset when uploading an executable plain-text fil

Remove the svn:executable property from some pf test files.

The test makefiles will handle setting mode bits during install. Also,
Phabricator gets upset when uploading an executable plain-text file
without a shebang.

MFC after: 1 week

show more ...

Skip sys.netpfil.pf.nat.exhaust on all platforms as it not only fails on amd64

PR: 244703
Sponsored by: The FreeBSD Foundation

Skip sys.netpfil.pf.nat.exhaust on amd64 in CI as it sometimes panics kernel

PR: 244703
Sponsored by: The FreeBSD Foundation

netpfil tests: Add missing copyright & license statements

MFHead@r345275

MFhead@r344786

Merge ^/head r344549 through r344775.

tests: Move common (vnet) test functions into a common file

The netipsec and pf tests have a number of common test functions. These
used to be duplicated, but it makes more sense for them to re-use

tests: Move common (vnet) test functions into a common file

The netipsec and pf tests have a number of common test functions. These
used to be duplicated, but it makes more sense for them to re-use the
common functions.

PR: 236223

show more ...

pf tests: NAT exhaustion test

It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this,

pf tests: NAT exhaustion test

It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this, by setting up a situation where only two ports are
available for NAT and then attempting to create three connections.

If successful the third connection will fail immediately. In an
incorrect case the connection attempt will freeze, also freezing all
interaction with pf through pfctl and trigger timeout.

PR: 233867
MFC after: 2 weeks

show more ...