Switch tests using pft_ping.py to inetd. Netcat can only accept a single
connection; we need multiple parallel connections to test max-src-conn. Use the
discard service and modify pft_ping.py to use the proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params
accessible to sniffer, because answers to SYN+ACK packets should be sent with
the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46798
Using nargs=1 causes arguments to produce lists from which we must then
get the real value. The same applies to defaults; they must be provided
as arrays too.
Remove nargs=1 so that values and defaults can be accessed directly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46772
This test always fails; I don't see any reason to make it conditional on
the "CI" test parameter.
There is at least one test bug here: we're using the wrong sysctl to
obtain the receive buffer size, but fixing that is not sufficient.
PR: 279354
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46726
Initially, it was added to cover a conflicting case of ipfw and pf used
together. But there are more drawbacks than benefits:
- Half of these tests are always skipped. That leads to
misunderstanding, while the test suite strives to avoid ambiguous
situations.
- Handling enabled ipfw on the test level is tedious, error-prone, and
less maintainable.
- CI and similar parties already know how to deal with ipfw for the test
suite, like making it open by default. Extra complexity is not needed.
In addition, ipfw+pf use cases are not officially supported.
Reviewed by: kp, markj
Approved by: kp (mentor), markj (mentor)
Differential Revision: https://reviews.freebsd.org/D46655
Ensure that we verify that the inner and outer IP addresses match for ICMP error
messages. This is a more detailed test for CVE-2019-5598, which was fixed back
in 2019.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46573
Ensure that we correctly clean up even if the interface never gets a socket
assigned.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46617
Many of the modified tests add epair interfaces to the host, though most
of the tests themselves run in a VNET jail. scapy in particular becomes
unhappy when the list of interfaces changes as it is running, so, to
improve reliability of parallel test runs, isolate tests which add
epairs to the host.
Also serialize arp tests, as they examine the dmesg as part of the test.
The list of modified tests is not exhaustive, it was determined by
running the test suite with parallelization enabled and looking at
failures. It may be easier to just automatically enable VNET jailing of
all netinet tests, but let's be more particular for now.
Reviewed by: kp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D46606
If the FUSE_GETATTR issued to query a file's size during
fuse_vnop_deallocate failed for any reason, then fuse_vnop_deallocate
would attempt to destroy an uninitialized fuse_dispatcher struct, with a
crash the likely result. This bug only affects FUSE file systems that
implement FUSE_FALLOCATE, and is unlikely to be seen on those that don't
disable attribute caching.
Reported by: Coverity Scan
CID: 1505308
MFC after: 2 weeks
Now that kyua can isolate tests in their own vnets we can run these tests in
parallel.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46600
The in-tree ZFS test suite is somewhat outdated and I see a number of
failures there. I tend to think that we want to integrate the OpenZFS
test suite somehow, replacing the legacy one, though it's also possible
to run that as a separate test suite.
In any case, if one wants to run the OpenZFS test suite separately, it's
useful to be able to disable installation of the legacy ZFS test suite,
so let's provide a src.conf option to do that.
Reviewed by: asomers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46476
With Endpoint Independent NAT, bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint-independent NAT without affecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787, also known as 'full cone'
NAT.
While using Endpoint Independent NAT changes NAT exhaustion behaviour, it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
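A pf.conf fragment showing the option this commit describes; this is an added example, not part of the commit or the FreeBSD tree, and the interface name and internal network are assumed values:

```pf
# Added example (not from the commit). $ext_if and $int_net are assumed names.
ext_if = "vtnet0"
int_net = "192.168.1.0/24"

# Without the keyword, pf's default NAT behaviour applies and existing
# deployments are unchanged:
#   nat on $ext_if inet proto udp from $int_net to any -> ($ext_if)

# With 'endpoint-independent' (RFC 4787 REQ 1 and 3, 'full cone'), UDP
# flows from a NATed source address are always mapped to the same
# external ip:port, so a client appears as the same host to every
# external server it talks to. The option only applies to UDP flows.
nat on $ext_if inet proto udp from $int_net to any -> ($ext_if) endpoint-independent
```

Because mappings are tied to the internal endpoint rather than to each individual flow, the external port pool is consumed differently, which is the change in exhaustion behaviour the commit message notes.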
The test suite runs the same tests twice, as different users, and these
can trample over each other when run in parallel, causing spurious test
failures.
MFC after: 1 week
Test whether the SNDSTIOC_ADD_USER_DEVS IOCTL (registers a userland
device to /dev/sndstat) works properly.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch
Differential Revision: https://reviews.freebsd.org/D46228
The pfik_ifp field is not provided by the kernel; it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488
There was a bug in pf_handle_get_addr() where it confused the counter and
pointer in the pf_addr_wrap.p union, causing panics. Test for this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
(e.g. traceroute with icmp)
ok henning, jsing
Also extend the test case to cover this scenario.
PR: 280701
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Some SCTP implementations will abort connections and then later re-use the same
port numbers (i.e. both src and dst) for a new connection, before pf has fully
purged the old connection.
Apply the same hack we already have for similarly misbehaving TCP
implementations and forcibly remove the old state so we can create a new one.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
When creating a state for ICMP (v4 or v6) packets we only used the ID, which
means that we could confuse different ICMP types. For example, if we allowed
neighbour discovery but not ICMPv6 echo requests, an ND packet could create a
state that the echo request would match.
Test that this is now fixed.
Reported by: Enrico Bassetti <e.bassetti@tudelft.nl>
MFC after: 1 day
Sponsored by: Rubicon Communications, LLC ("Netgate")
This serves as a regression test for commit a48df53e42.
Reviewed by: bz, allanjude
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Bell Tower Integration
Differential Revision: https://reviews.freebsd.org/D46136
Run these tests in their own (vnet) jail so we don't have to worry about IP
range or jail name conflicts.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46040
Many of the tests create temporary files: pid files, log files, tcpdump
captures, ... We should take care to ensure they're stored in the temporary
working directory Kyua creates rather than in the root directory.
This ensures there are no conflicts between simultaneously running tests, and
also keeps the root directory clean.
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
We're going to start running many of the vnet tests in nested jails (so they
can run in parallel). That means the tests won't be able to load kernel modules,
which we commonly do for if_epair and if_bridge.
Just assume that all vnet tests need this, because so many of them do that we
don't want to manually annotate all of them.
This is essentially a no-op on non-nested tests.
Do the same for the python test framework.
While here, also have pflog_init actually call pft_init. While having pflog
loaded implies we have pf too, pft_init also checks for vimage support, and now
for if_epair.
Reviewed by: markj
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46039