#
c46af893 |
| 03-Mar-2025 |
Jose Luis Duran <jlduran@FreeBSD.org> |
tests: Require python3 when using Scapy
python3 is a symbolic link that points to the current python 3.X version.
It is possible for a system to have python (python 3.X) without the python3 (symlink) package.
Test scripts that use Scapy are invoked using python3, so add it as a required program.
Reviewed by: ngie, asomers Approved by: emaste (mentor) Differential Revision: https://reviews.freebsd.org/D49007
|
Revision tags: release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3 |
|
#
ad6562ec |
| 29-Nov-2024 |
Kajetan Staszkiewicz <ks@FreeBSD.org> |
pf: Don't pfsync states with unrecoverable routing information
States created by route-to rules can't be trusted when received with pfsync version 1301 as they lack the rt and rt_kif information. They are imported, though, and pf_route() function attempts to recover the missing information for every forwarded packet.
Move the recovery operation to pfsync_state_import() so that it's performed only once and if it's impossible don't import the state. Add an additional check for cases when recovery might produce wrong results.
Reviewed by: kp Approved by: kp (mentor) Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D47906
|
Revision tags: release/14.2.0, release/13.4.0 |
|
#
480ad405 |
| 04-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
vnet tests: check for if_bridge.ko
A number of tests create a bridge, but did not check if if_bridge.ko is loaded.
We usually get away with that, because `ifconfig bridge create` autoloads the module, but if we run the tests in a jail (e.g. because of kyua's upcoming execenv.jail.params feature) we can't load the module and these tests can fail.
Check if the module is loaded, skip the test if it is not.
Reviewed by: markj MFC after: 1 week Event: Kitchener-Waterloo Hackathon 202406 Differential Revision: https://reviews.freebsd.org/D45487
|
Revision tags: release/14.1.0, release/13.3.0, release/14.0.0 |
|
#
a7191e5d |
| 04-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: add a way to list creator ids
Allow userspace to retrieve a list of distinct creator ids for the current states.
This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42092
|
#
74c24613 |
| 03-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: cope with missing rpool.cur
If we're evaluating a pfsync'd state (and have different rules on both ends) our state may point to the default rule, which does not have rpool.cur set. As a result we can end up dereferencing a NULL pointer.
Explicitly check for this when we try to re-construct the route-to interface.
Also add a test case which can trigger this issue.
MFC after: 3 days See also: https://redmine.pfsense.org/issues/14804 Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
7d45cdba |
| 13-Sep-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: pfsync:defer requires scapy
Add the kyua hint so we skip the test if it's not installed.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
d0b2dbfa |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
#
6fc7fc2d |
| 13-Jul-2023 |
Luiz Amaral <email@luiz.eng.br> |
pfsync: transport over IPv6
Implement pfsync over IPv6.
Submitted by: Luiz Amaral <email@luiz.eng.br> Submitted by: Naman Sood <naman@freebsdfoundation.org> Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D40102
|
#
3a1f834b |
| 20-Jun-2023 |
Doug Rabson <dfr@FreeBSD.org> |
pf: Add code to enable filtering for locally delivered packets
This is disabled by default since it potentially changes the behavior of existing filter rule sets. To enable this extra filter for packets being delivered locally, use:
    sysctl net.pf.filter_local=1
    service pf restart
PR: 268717 Reviewed-by: kp MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40373
|
#
f25ceb05 |
| 19-Jun-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: make pfsync:defer test more robust
Set the defer timeout to 2.5 seconds, and only make sure that there's at least a second of delay between the pfsync packet and the ping packet. The intent is to allow the test to pass even when there's considerable jitter on the timing measurement (e.g. when the test runs in a VM, such as during the CI tests).
Allow the test to run in CI.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
0d574d8b |
| 18-May-2023 |
Kristof Provost <kp@FreeBSD.org> |
pfsync tests: check for the correct IP address
When checking if the state synced over we should look for 198.51.100.254, not 198.51.100.2. The test worked because the incorrect address is a substring of the correct one, but we should fix it anyway.
Reported by: Naman Sood <naman@freebsdfoundation.org> MFC after: 1 week
|
#
4d846d26 |
| 10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
Revision tags: release/13.2.0 |
|
#
a6719858 |
| 20-Mar-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: try to trigger locking issues in pfsync_timeout()
PR: 268246 MFC after: 1 week Sponsored by: Rubicon Communications, LLC (Netgate)
|
#
2a02d3da |
| 01-Mar-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: test pfsync over IPSec
Test that we can transport pfsync (unicast) over IPSec.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
afa77b69 |
| 03-Feb-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: improve pfsync:basic_defer test
Create state on output only, to ensure we trigger the defer code.
MFC after: 2 weeks
|
#
06012728 |
| 20-Jan-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
netpfil tests: improve pfsync_defer.py
Return a different exit code depending on which failure was encountered. The pfsync test expects a very particular failure, not just any.
MFC after: 1 week Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D38123
|
#
ddcdb534 |
| 16-Jan-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf tests: properly destroy renamed interfaces
The pfsync:pbr tests leave a lot of interfaces when they finish, making other tests slower due to the long time of loading scapy from pft_ping.py when more interfaces are present. When both sides of an epair are assigned to jails, they are both removed from created_interfaces.lst and thus won't be removed during cleanup from this file. An interface assigned to a jail is stored in created_jails.lst, but if it is renamed, it won't be cleaned up either. Furthermore, this test uses identical names for multiple interfaces across multiple jails, which after destroying those jails adds to the overall confusion.
To address this issue a new function is provided for renaming interfaces in jails and storing their new names in created_jails.lst for deletion during cleanup.
MFC after: 1 week Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D38024
|
Revision tags: release/12.4.0 |
|
#
536e1da1 |
| 04-Jun-2022 |
Thomas Pasqualini <thomas.pasqualini@orange.com> |
pf tests: pfsync and route_to test case
Test pfsync in a more realistic scenario with carp and route_to rules.
Build this topology and initiate a single ping session from client to server:
                  ┌──────┐
                  │client│
                  └───┬──┘
                      │
                  ┌───┴───┐
                  │bridge0│
                  └┬─────┬┘
                   │     │
  ┌────────────────┴─┐ ┌─┴────────────────┐
  │gw_route_to_master├─┤gw_route_to_backup│
  └────────────────┬─┘ └─┬────────────────┘
                   │     │
                  ┌┴─────┴┐
                  │bridge1│
                  └┬─────┬┘
                   │     │
  ┌────────────────┴─┐ ┌─┴────────────────┐
  │gw_reply_to_master├─┤gw_reply_to_backup│
  └────────────────┬─┘ └─┬────────────────┘
                   │     │
                  ┌┴─────┴┐
                  │bridge2│
                  └───┬───┘
                      │
                  ┌───┴──┐
                  │server│
                  └──────┘
gw* jails forward traffic through pf route-to rules, not fib lookups. If backup_promotion arg is given (as in the pfsync_pbr test case), a carp failover event occurs during the ping session on both gateways.
Verify that ping messages still go where we expect them to go.
MFC after: 2 weeks Sponsored by: Orange Business Services
|
Revision tags: release/13.1.0 |
|
#
cfca19c2 |
| 16-Dec-2021 |
Kristof Provost <kp@FreeBSD.org> |
tests: sys.netpfil.pf.pfsync.defer fails in CI
sys.netpfil.pf.pfsync.defer has been failing for a while in CI now. Disable it for now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
60a3a371 |
| 02-Dec-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: more thorough pfsync defer test
Add a somewhat more extensive pfsync defer mode test. Ensure that pfsync actually delays the state creating packet until after it has sent the pfsync update and given the peer time to create the state.
Ideally the test should validate the pfsync state update and generate an ack message, but to keep the test simple we rely on the timeout of the deferred packet instead.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D33245
|
Revision tags: release/12.3.0, release/13.0.0 |
|
#
8ad7d25d |
| 15-Mar-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf tests: pfsync bulk update test
Test that pfsync works as expected with bulk updates. That is, create some state before setting up the second firewall. Let that firewall request a bulk update so it can catch up, and check that it got the state which was created before it enabled pfsync.
PR: 254236 MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D29272
|
Revision tags: release/12.2.0, release/11.4.0 |
|
#
96bc58ea |
| 11-May-2020 |
Mark Johnston <markj@FreeBSD.org> |
Remove the svn:executable property from some pf test files.
The test makefiles will handle setting mode bits during install. Also, Phabricator gets upset when uploading an executable plain-text file without a shebang.
MFC after: 1 week
|
Revision tags: release/12.1.0 |
|
#
65d553b0 |
| 29-Oct-2019 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Add missing copyright & license statements
|
Revision tags: release/11.3.0 |
|
#
2aaf9152 |
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
#
b18a4cca |
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|