aboutsummaryrefslogtreecommitdiff
path: root/tests/sys/netpfil/pf/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* pf tests: basic test for ridentifierKristof Provost2021-11-051-0/+1
| | | | | | MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32751
* pf tests: ensure that $nr expansion is correctKristof Provost2021-10-151-0/+1
| | | | | | | | Test the $nr expansion in labels is correct, even if the optimiser reduces the rule count. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D32489
* pf tests: Forwarding syncookie testKristof Provost2021-07-201-0/+1
| | | | | | | | | | Test syncookies on a forwarding host. That is, in a setup where the machine (or vnet) running pf is not the same as the machine (or vnet) running the server it's protecting. MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31141
* pf tests: Stress state retrievalKristof Provost2021-07-021-0/+1
| | | | | | | | | | | | Create and retrieve 20.000 states. There have been issues with nvlists causing very slow state retrieval. We don't impose a specific limit on the time required to retrieve the states, but do log it. In excessive cases the Kyua timeout will fail this test. Reviewed by: donner MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30943
* pf tests: ftp-proxy testKristof Provost2021-07-011-0/+1
| | | | | | | | Basic test case for ftp-proxy PR: 256917 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: Test cases for fragment reassemblyKristof Provost2021-05-251-0/+8
| | | | Obtained from: Alexander Bluhm, OpenBSD
* pf tests: Test cases for the 'kill state(s)' featureKristof Provost2021-04-201-0/+1
| | | | | | MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29796
* pf tests: Test clearing rules countersKristof Provost2021-04-141-0/+1
| | | | | | | | | This was briefly broken, so ensure that we can read and clear rules counters. MFC after: 4 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29728
* pf: Implement the NAT source port selection of MAP-E Customer EdgeKurosawa Takahiro2021-04-131-0/+1
| | | | | | | | | | | MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel. PR: 254577 Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D29468
* pf tests: Test tos/dscp matchingKristof Provost2021-03-061-1/+2
| | | | | | MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29078
* pf tests: Test that dup-to doesn't produce extra duplicate packetsKristof Provost2021-01-281-0/+1
|
* altq tests: Basic ALTQ testKristof Provost2021-01-251-1/+2
| | | | | | | Activate ALTQ_HFSC, crudely check if it really limits bandwidth as we'd expect. Reviewed by: donner@ Differential Revision: https://reviews.freebsd.org/D28303
* pf tests: Verify (tcp) checksum modification on unaligned optionsKristof Provost2020-12-231-0/+1
| | | | | | | | | | | | | It turns out pf incorrectly updates the TCP checksum if the TCP option we're modifying is not 2-byte algined with respect to the start of the packet. Create a TCP packet with such an option and throw it through a scrub rule, which will update timestamps and modify the packet. PR: 240416 MFC after: 1 week Differential revision: https://reviews.freebsd.org/D27688
* pf tests: Sort Makefile entriesKristof Provost2020-12-231-10/+10
| | | | MFC after: 1 week
* pf tests: Basic source tracking testKristof Provost2020-11-201-0/+1
| | | | | | | | MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D27255 Notes: svn path=/head/; revision=367869
* Add a basic table entry counter regression test.Mark Johnston2020-05-111-0/+1
| | | | | | | | | Reviewed by: kp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D24809 Notes: svn path=/head/; revision=360906
* netpfil tests: Move pft_ping.py and sniffer.py to the common test directoryKristof Provost2019-08-191-3/+0
| | | | | | | | | | | | | | The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to tests/sys/netpfil/common directory because these tools are to be used in common for all the firewalls. Submitted by: Ahsan Barkati Reviewed by: kp, thj Sponsored by: Google, Inc. (GSoC 2019) Differential Revision: https://reviews.freebsd.org/D21276 Notes: svn path=/head/; revision=351212
* pf tests: Test CVE-2019-5598Kristof Provost2019-03-221-2/+5
| | | | | | | | Verify that pf correctly drops inconsistent ICMP packets (i.e. where the IP src/dst do not match the IP src/dst in the ICMP packet. Notes: svn path=/head/; revision=345409
* pf tests: Move Sniffer to its own fileKristof Provost2019-03-211-0/+1
| | | | | | | | Make it easier to re-use the sniffer class in other test support scripts. Notes: svn path=/head/; revision=345367
* pf tests: Test CVE-2019-5597Kristof Provost2019-03-011-1/+3
| | | | | | | | | | | Generate a fragmented packet with different header chains, to provoke the incorrect behaviour of pf. Without the fix this will trigger a panic. Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv Notes: svn path=/head/; revision=344692
* pf tests: Basic rdr testKristof Provost2018-12-121-0/+1
| | | | | | | MFC after: 2 weeks Notes: svn path=/head/; revision=342000
* pf tests: NAT exhaustion testKristof Provost2018-12-121-0/+1
| | | | | | | | | | | | | | | | | | It's been reported that pf doesn't handle running out of available ports for NAT correctly. It freezes until a state expires and it can find a free port. Test for this, by setting up a situation where only two ports are available for NAT and then attempting to create three connections. If successful the third connection will fail immediately. In an incorrect case the connection attempt will freeze, also freezing all interaction with pf through pfctl and trigger timeout. PR: 233867 MFC after: 2 weeks Notes: svn path=/head/; revision=341999
* pf tests: Test name handlingKristof Provost2018-12-011-0/+1
| | | | | | | | Provoke a situation where two interfaces have the same name, and verify pf's reaction to this. Notes: svn path=/head/; revision=341360
* pf tests: Test PR 183198Kristof Provost2018-11-081-1/+2
| | | | | | | | | | | Create a table which is only used inside an anchor, ensure that the table exists. PR: 183198 MFC after: 2 weeks Notes: svn path=/head/; revision=340266
* pf tests: Basic pfsync testKristof Provost2018-11-021-1/+2
| | | | | | | | | | | | Set up two jails, configure pfsync between them and create state in one of them, verify that this state is copied to the other jail. MFC after: 2 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D17504 Notes: svn path=/head/; revision=340069
* pf tests: Basic test for 'set skip in $groupname'Kristof Provost2018-08-111-1/+2
| | | | | | | | | | This tests for the problem reported in PR 229241, where using a group name in 'set skip on' did not work as expected. Sponsored by: Essen Hackathon Notes: svn path=/head/; revision=337646
* pf tests: Basic synproxy testKristof Provost2018-07-141-1/+3
| | | | | | | | A very basic syncproxy test: set up a connection via a synproxy rule. This triggeres the panic fixed in r336273. Notes: svn path=/head/; revision=336297
* pf tests: Basic route-to testsKristof Provost2018-06-091-1/+2
| | | | | | | | Very basic route-to tests. These tests attempt to provoke PR 228782 for IPv4 and IPv6. A test failure will panic the machine. Notes: svn path=/head/; revision=334877
* pf tests: Basic ioctl validation testsKristof Provost2018-04-061-0/+1
| | | | | | | | | | Validate the DIOCRADDTABLES and DIOCRDELTABLES ioctls with invalid size values. All of these requests should fail. MFC after: 1 week Notes: svn path=/head/; revision=332102
* pf tests: Fragmentation (v6) testKristof Provost2017-10-261-0/+1
| | | | | | | | | | | Test fragmentation handling (i.e. scrub fragment reassemble) code for IPv6. Two simple tests: Ping a host (jail) and test forwarding of fragmented packets. Notes: svn path=/head/; revision=325021
* pf: test set-tosKristof Provost2017-10-161-1/+2
| | | | | | | | Introduce tests for the set-tos feature of pf. Teach pft_ping.py to send and verify ToS flags. Notes: svn path=/head/; revision=324662
* pf: Very basic forwarding testKristof Provost2017-10-061-2/+6
| | | | | | | | | This test illustrates the use of scapy to test pf. Differential Revision: https://reviews.freebsd.org/D12581 Notes: svn path=/head/; revision=324376
* pf: Basic automated test using VIMAGEKristof Provost2017-10-061-0/+11
If VIMAGE is present we can start jails with their own pf instance. This makes it fairly easy to run tests. For example, this basic test verifies that drop/pass and icmp classification works. It's a basic sanity test for pf, and hopefully an example on how to write more pf tests. The tests are skipped if VIMAGE is not enabled. This work is inspired by the GSoC work of Panagiotes Mousikides. Differential Revision: https://reviews.freebsd.org/D12580 Notes: svn path=/head/; revision=324375