Ensure that we don't conflict with other inetd processes running in other jails
by setting an explicit pid file (rather than relying on the default /var/run/
inetd.pid). This could lead to failure to start inetd, which in turn could cause
test failures.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Switch tests using pft_ping.py to inetd. Netcat can only accept a single
connection, we need multiple parallel connections to test max-src-conn. Use the
discard service and modify pft_ping.py to use proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params
accessible to sniffer, because answers to SYN+ACK packets should be send with
the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46798
Using nargs=1 causes arguments to produce lists from which we must then
get the real value. The same applies to defaults, the must be provided
as arrays too.
Remove nargs=1 so that values and defaults can be accessed directly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46772
Initially, it was added to cover a conflicting case of ipfw and pf used
together. But there are more drawbacks than benefits:
- A half of these tests are always skipped. That leads to
misunderstanding, while the test suite strives to avoid ambiguous
situations.
- Handling enabled ipfw on the test level is tedious, error-prone, and
less maintainable.
- CI and similar parties already know how to deal with ipfw for the test
suite, like making it open by default. Extra complexity is not needed.
In addition, ipfw+pf use cases are not officially supported.
Reviewed by: kp, markj
Approved by: kp (mentor), markj (mentor)
Differential Revision: https://reviews.freebsd.org/D46655
Ensure that we verify that the inner and outer IP address matches for ICMP error
messages. This is a more detailed test for CVE-2019-5598, which was fixed back
in 2019.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46573
With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without effecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
The pfik_ifp field is not provided by the kernel, it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488
There was a bug in pf_handle_get_addr() where it confused the counter and
pointer in the pf_addr_wrap.p union, causing panics. Test for this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
(e.g. traceroute with icmp)
ok henning, jsing
Also extend the test case to cover this scenario.
PR: 280701
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Some SCTP implementations will abort connections and then later re-use the same
port numbers (i.e. both src and dst) for a new connection, before pf has fully
purged the old connection.
Apply the same hack we already have for similarly misbehaving TCP
implementations and forcibly remove the old state so we can create a new one.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
When creating a state for ICMP (v4 or v6) packets we only used the ID, which
means that we could confuse different ICMP types. For example, if we allowed
neighbour discovery but not ICMPv6 echo requests an ND packet could create a
state that the echo request would match.
Test that this is now fixed.
Reported by: Enrico Bassetti <e.bassetti@tudelft.nl>
MFC after: 1 day
Sponsored by: Rubicon Communications, LLC ("Netgate")
Run these tests in their own (vnet) jail so we don't have to worry about IP
range or jail name conflicts.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46040
Many of the tests create temporary files. pid files, log files, tcpdump
captures, ... We should take care to ensure they're stored in the temporary
working directory Kyua creates rather than in the root directory.
This ensures there are no conflicts between simultaneously running tests, and
also keeps the root directory clean.
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
We're going to start running many of the vnet tests in nested jails (so they
can run in parallel). That means the tests won't be able to load kernel modules,
which we commonly do for if_epair and if_bridge.
Just assume that all vnet tests need this, because so many of them do that we
don't want to manually annotate all of them.
This is essentially a no-op on non-nested tests.
Do the same for the python test framework.
While here also have pflog_init actually call pft_init. While having pflog
loaded implies we have pf too pft_init also checks for vimage support, and now
for if_epair.
Reviewed by: markj
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46039
if_enc(4) can pass IPsec payload to pfil(9) with the outer header or without
it. In case of a small packet like ICMP, when mbuf cluster is not used,
everything works fine. Otherwise, the first mbuf in a chain has m_len == 0
if it is asked to strip the outer header. pf was not handling such case, and
erroneous reading of the outer IP header led to unexpected behavior.
Reviewed by: kp, glebius
Differential Revision: https://reviews.freebsd.org/D45780
Ensure that we correctly transfer byte counts if the value exceeds what can be
stored in a single 32-bit counter.
Sponsored by: Rubicon Communications, LLC ("Netgate")
A number of tests create a bridge, but did not check if if_bridge.ko is loaded.
We usually get away with that, because `ifconfig bridge create` autoloads the
module, but if we run the tests in a jail (e.g. because of kyua's upcoming
execenv.jail.params feature) we can't load the module and these tests can fail.
Check if the module is loaded, skip the test if it is not.
Reviewed by: markj
MFC after: 1 week
Event: Kitchener-Waterloo Hackathon 202406
Differential Revision: https://reviews.freebsd.org/D45487
Give them more time to hit the expected loss numbers.
We see occasional failures during CI runs. This makes that less likely.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
If we redirect a packet to localhost and it gets dummynet'd it may be
re-injected later (e.g. when delayed) which means it will be passed
through ip_input() again. ip_input() will then reject the packet because
it's directed to the loopback address, but did not arrive on a loopback
interface.
Fix this by having pf set the rcvif to V_iflo if we redirect to
loopback.
See also: https://redmine.pfsense.org/issues/15363
Sponsored by: Rubicon Communications, LLC ("Netgate")
While here also add a basic test case for it.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44368
Ensure that we pick the correct dummynet pipe (i.e. forward vs. reverse
direction) when applying route-to.
We mark the processing as outbound so that dummynet will re-inject in
the correct phase of processing after it's done with the packet, but
that will cause us to pick the wrong pipe number. Reverse them so that
the incorrect decision ends up picking the correct pipe.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44366
In some setups we end up with multiple states created for a single
packet, which in turn can mean we run the packet through dummynet
multiple times. That's not expected or intended. Mark each packet when
it goes through dummynet, and do not pass packet through dummynet if
they're marked as having already passed through.
See also: https://redmine.pfsense.org/issues/14854
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44365