path: root/tests/sys/netpfil/pf
Commit log, newest first. Each entry: commit message, then author, date, files changed, lines -removed/+added, then the commit message body.
* pf: fix reply-to after rdr and dummynet
  Kristof Provost, 2024-03-28, 1 file, -0/+61

  If we redirect a packet to localhost and it gets dummynet'd it may be re-injected later (e.g. when delayed) which means it will be passed through ip_input() again. ip_input() will then reject the packet because it's directed to the loopback address, but did not arrive on a loopback interface.
  Fix this by having pf set the rcvif to V_iflo if we redirect to loopback.
  See also: https://redmine.pfsense.org/issues/15363
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: convert DIOCSETSTATUSIF to netlink
  Kristof Provost, 2024-03-19, 2 files, -0/+88

  While here also add a basic test case for it.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D44368
* pf: fix dummynet + route-to
  Kristof Provost, 2024-03-19, 1 file, -2/+63

  Ensure that we pick the correct dummynet pipe (i.e. forward vs. reverse direction) when applying route-to.
  We mark the processing as outbound so that dummynet will re-inject in the correct phase of processing after it's done with the packet, but that will cause us to pick the wrong pipe number. Reverse them so that the incorrect decision ends up picking the correct pipe.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D44366
* pf: avoid passing through dummynet multiple times
  Kristof Provost, 2024-03-19, 1 file, -0/+53

  In some setups we end up with multiple states created for a single packet, which in turn can mean we run the packet through dummynet multiple times. That's not expected or intended.
  Mark each packet when it goes through dummynet, and do not pass packet through dummynet if they're marked as having already passed through.
  See also: https://redmine.pfsense.org/issues/14854
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D44365
* pf tests: IPv6 versions of the route-to/reply-to if-bound tests
  Kristof Provost, 2024-03-01, 1 file, -0/+106

  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: support if-bound with reply-to
  Kristof Provost, 2024-03-01, 1 file, -0/+56

  On reply-to we don't know what interface to bind to when we create the state. Create any reply-to state as floating, but bind to the appropriate interface once we're handling the reply.
  See also: https://redmine.pfsense.org/issues/15220
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: fix packet-too-big for route-to as well
  Kristof Provost, 2024-02-27, 1 file, -8/+39

  When we handle a packet via route-to (i.e. pf_route6()) we still need to verify the MTU. However, we only run that check in the forwarding case.
  Set the PFIL_FWD tag when running the pf_test6(PF_OUT) check from pf_route6(). We are in fact forwarding, so should call the test function as such. This will cause us to run the MTU check, and generate an ICMP6 packet-too-big error when required.
  See also: 54c62e3e5d8cd90c5571a1d4c8c5f062d580480e
  See also: f1c0030bb05cfa01bdd500e50befbb425fecc4c4
  See also: https://redmine.pfsense.org/issues/14290
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: Correct SPDX identifier
  Tom Jones, 2024-02-23, 1 file, -1/+1

  Pointed out by: Mike Karels <karels@FreeBSD.org>
* pf: Add a TCP rdr test on IPv6
  Tom Jones, 2024-02-23, 2 files, -0/+128

  Reviewed by: kp
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week
  Differential revision: https://reviews.freebsd.org/D42105
* pf: ensure dummynet gets the correct direction after route-to
  Kristof Provost, 2024-02-02, 1 file, -0/+50

  If we apply a route-to to an inbound packet pf_route() may hand that packet over to dummynet. Dummynet may then delay the packet, and later re-inject it. This re-injection (in dummynet_send()) needs to know if the packet was inbound or outbound, to call the correct path for continued processing. That's done based on the pf_pdesc we pass along (through pf_dummynet_route() and pf_pdesc_to_dnflow()). In the case of pf_route() on inbound packets that may be wrong, because we're called in the input path, and didn't update pf_pdesc->dir.
  This can manifest in issues with fragmented packets. For example, a fragmented packet will be re-fragmented in pf_route(), and if dummynet makes different decisions for some of the fragments (that is, it delays some and allows others to pass through directly) this will break. The packets that pass through dummynet without delay will be transmitted correctly (through the ifp->if_output() call in pf_route()), but the delayed packets will be re-injected in the input path (and not the output path, as they should be). These packets will pass through pf_test(PF_IN) as they're tagged PF_MTAG_FLAG_DUMMYNET. However, this tag is then removed and the packet will be routed and enter pf_test(PF_OUT) where pf_reassemble() will hold them indefinitely (as some fragments have been transmitted directly, and will never hit pf_test(PF_OUT)).
  The fix is simple: we must update pf_pdesc->dir to PF_OUT before we pass the packet to dummynet.
  See also: https://redmine.pfsense.org/issues/15156
  Reviewed by: rcm
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: bind route-to states to their route-to interface
  Kristof Provost, 2024-01-29, 1 file, -0/+43

  When we route-to the state should be bound to the route-to interface, not the default route interface. However, we should only do so for outbound traffic, because inbound traffic should bind on the arriving interface, not the one we eventually transmit on. Explicitly check for this in BOUND_IFACE().
  We must also extend pf_find_state(), because subsequent packets within the established state will attempt to match the original interface, not the route-to interface.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43589
* pflow: limit to no more than 128 flow exporters
  Kristof Provost, 2024-01-22, 1 file, -0/+32

  While there are no inherent limits to the number of exporters we're likely to scale rather badly to very large numbers. There's also no obvious use case for more than a handful. Limit to 128 exporters to prevent foot-shooting.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pflow: observation domain is an unsigned integer
  Kristof Provost, 2024-01-22, 1 file, -0/+25

  Ensure we print it as such, rather than as a signed integer, as that would lead to confusion.
  Reported by: Jim Pingle <jimp@netgate.com>
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: test ICMP6 packet too big with binat
  Kristof Provost, 2024-01-22, 2 files, -0/+167

  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43500
* pf tests: test per-rule pflow
  Kristof Provost, 2024-01-16, 1 file, -0/+49

  Test that we can enable pflow on a per-rule basis.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: test pflow NAT state information
  Kristof Provost, 2024-01-16, 2 files, -8/+91

  pflow(4) now also exports NAT session creation/destruction information. Test that this works as expected.
  While here improve the parsing of ipfix (i.e. pflowproto 10) a bit, and check more information for the existing state information exports.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43117
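  Added example (not FreeBSD code, and not the parser used by the pf test suite): a minimal IPFIX ("pflowproto 10", RFC 7011) message parser of the kind a test harness needs to check exported state and NAT information, which also shows the signedness point of the "observation domain is an unsigned integer" commit above. The message header is unpacked with unsigned fields, templates are learned from the template set, and data records are decoded against them. The information element ids are the IANA-registered ones; the field list in the template and the sample record are assumptions constructed for the example, not pflow's actual template.

```python
import struct
import ipaddress

IPFIX_VERSION = 10          # "pflowproto 10" is IPFIX (RFC 7011)
SET_TEMPLATE = 2
# IANA IPFIX information element ids used by the constructed template below
IE_NAMES = {
    1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
    7: "sourceTransportPort", 8: "sourceIPv4Address",
    11: "destinationTransportPort", 12: "destinationIPv4Address",
    225: "postNATSourceIPv4Address", 227: "postNAPTSourceTransportPort",
    230: "natEvent",
}
# Assumed template for this example (element id, length); not pflow's own field list
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (225, 4), (227, 2), (230, 1)]


def parse_header(msg):
    """16-byte IPFIX message header; every field is unsigned ('!HHIII', not '!HHIIi')."""
    if len(msg) < 16:
        raise ValueError("short message")
    version, length, export_time, seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION:
        raise ValueError("not IPFIX: version %d" % version)
    if length != len(msg):
        raise ValueError("length field %d != %d bytes" % (length, len(msg)))
    return {"export_time": export_time, "sequence": seq, "observation_domain": domain}


def signed_misprint(domain):
    """What a printf("%d") of the 32-bit observation domain would show."""
    return struct.unpack("!i", struct.pack("!I", domain))[0]


def _decode(ie, raw):
    name = IE_NAMES.get(ie, "ie%d" % ie)
    if name.endswith("IPv4Address") and len(raw) == 4:
        return name, str(ipaddress.IPv4Address(raw))
    return name, int.from_bytes(raw, "big")


def parse_message(msg):
    """Return (header, templates, records). Data sets seen before their template
    are skipped; variable-length fields (length 65535) are not supported here."""
    header = parse_header(msg)
    templates, records = {}, []
    off = 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == SET_TEMPLATE:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    if ie & 0x8000:            # enterprise bit: 4-byte enterprise number follows
                        pos += 4
                    if flen == 0xFFFF:
                        raise ValueError("variable-length field unsupported")
                    fields.append((ie & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:                    # data set, identified by its template id
            fields = templates.get(set_id)
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ie, flen in fields:
                        name, value = _decode(ie, body[pos:pos + flen])
                        rec[name] = value
                        pos += flen
                    records.append(rec)
        off += set_len
    return header, templates, records


def build_message(records, domain, seq=1, export_time=1700000000, template_id=256):
    """Constructed IPFIX export: one template set followed by one data set."""
    tmpl = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", ie, flen) for ie, flen in TEMPLATE_FIELDS)
    tmpl_set = struct.pack("!HH", SET_TEMPLATE, 4 + len(tmpl)) + tmpl
    data = b""
    for rec in records:
        for ie, flen in TEMPLATE_FIELDS:
            name = IE_NAMES[ie]
            data += (ipaddress.IPv4Address(rec[name]).packed if name.endswith("IPv4Address")
                     else int(rec[name]).to_bytes(flen, "big"))
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    total = 16 + len(tmpl_set) + len(data_set)
    return struct.pack("!HHIII", IPFIX_VERSION, total, export_time, seq, domain) + tmpl_set + data_set


# Constructed sample: one NAT session creation record (natEvent 1 = create)
SAMPLE_RECORD = {
    "sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.20",
    "sourceTransportPort": 40000, "destinationTransportPort": 443, "protocolIdentifier": 6,
    "postNATSourceIPv4Address": "203.0.113.1", "postNAPTSourceTransportPort": 50001, "natEvent": 1,
}
```

  An observation domain such as 0x80000001 parses as 2147483649; printing the same 32 bits as a signed integer gives -2147483647, which is the confusion the observation-domain commit removes.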
* pf tests: verify pflow over IPv6
  Kristof Provost, 2024-01-16, 1 file, -0/+43

  Test that we can send netflow information over IPv6.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43115
* pflow: allow observation domain to be configured
  Kristof Provost, 2024-01-16, 1 file, -0/+6

  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43113
* pf tests: pflow functionality test
  Kristof Provost, 2024-01-16, 3 files, -0/+142

  Test that we actually send netflow messages when configured to do so. We do not yet inspect the generated netflow messages.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43111
* pf tests: initial pflow test case
  Kristof Provost, 2024-01-16, 3 files, -0/+90

  Basic creation, validation and cleanup test for the new pflow interface.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D43109
* pf tests: dummynet + nat fragmentation test
  Kristof Provost, 2024-01-15, 1 file, -0/+48

  Ensure that we do the right thing when we reassemble a fragmented packet and send it through a dummynet pipe.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: test reassembly with dummynet
  Kristof Provost, 2024-01-15, 1 file, -0/+39

  Ensure that if we pass packets through a dummynet pipe we still reassemble as expected.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: ensure that pflog shows malformed packets as blocked, not passed
  Kristof Provost, 2024-01-04, 2 files, -0/+86

  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: fix typos in the abort_v6 test case head / cleanup function name
  Kristof Provost, 2023-12-14, 1 file, -2/+2

  MFC after: 1 week
* pf tests: test that we validate sequence numbers on TCP RST
  Kristof Provost, 2023-12-05, 2 files, -0/+110

  MFC after: 3 days
  Sponsored by: Rubicon Communications, LLC ("Netgate")
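  Added example (not pf's implementation, which lives in the kernel state-tracking code): what "validating sequence numbers on TCP RST" buys a stateful filter. A RST is only allowed to tear down tracked state when its sequence number falls inside the receive window of the side it is addressed to, compared in modulo-2^32 sequence space. Without that check any off-path attacker who can guess the 4-tuple can kill a connection with a single spoofed RST. The acceptance rule used here (any in-window sequence number is accepted) is an assumption for the illustration; stricter variants that only accept seq == rcv_nxt and answer other in-window RSTs with a challenge ACK exist (RFC 5961), and which rule pf applies is not stated by this page.

```python
TCP_SEQ_SPACE = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """rcv_nxt <= seq < rcv_nxt + rcv_wnd, evaluated modulo 2^32 so that a
    window straddling the sequence-number wrap is handled correctly."""
    return (seq - rcv_nxt) % TCP_SEQ_SPACE < rcv_wnd


class TrackedConnection:
    """Minimal state entry: what each side expects to receive next, plus one
    shared window size (real trackers keep a window per direction)."""

    def __init__(self, client_rcv_nxt, server_rcv_nxt, rcv_wnd):
        self.rcv_nxt = {"client": client_rcv_nxt, "server": server_rcv_nxt}
        self.rcv_wnd = rcv_wnd
        self.established = True

    def handle_rst(self, to_side, seq, validate=True):
        """A RST addressed to `to_side` removes the state only when its sequence
        number is acceptable to that side (or validation is switched off).
        Returns True if the state was torn down by this segment."""
        if not self.established:
            return False
        if validate and not seq_in_window(seq, self.rcv_nxt[to_side], self.rcv_wnd):
            return False                      # off-window RST: drop, keep the state
        self.established = False
        return True


def blind_reset_hits(guesses, rcv_nxt, rcv_wnd, validate):
    """Count how many guessed RST sequence numbers from an off-path attacker
    would tear down a fresh connection, each guess tried against a new state."""
    hits = 0
    for seq in guesses:
        conn = TrackedConnection(rcv_nxt, 0, rcv_wnd)
        if conn.handle_rst("client", seq, validate):
            hits += 1
    return hits


# Constructed sample: the client side expects sequence 1000000000 next with a
# 64 KiB window; the attacker's guesses are one below, on, at, just past, and
# far outside the window.
SAMPLE_RCV_NXT = 1000000000
SAMPLE_WND = 65535
SAMPLE_GUESSES = [SAMPLE_RCV_NXT - 1, SAMPLE_RCV_NXT, SAMPLE_RCV_NXT + SAMPLE_WND - 1,
                  SAMPLE_RCV_NXT + SAMPLE_WND, SAMPLE_RCV_NXT + (1 << 31)]
```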
* pf tests: test recursive printing of labels
  Kristof Provost, 2023-11-27, 1 file, -0/+35

  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: fix name and description of divert-to cases
  Igor Ostapenko, 2023-11-20, 1 file, -13/+13

  Reflect the correct order of events for dummynet+ipdivert.
* pf: always create multihomed states as floating
  Kristof Provost, 2023-11-17, 1 file, -2/+3

  When we create a new state for multihomed sctp connections (i.e. based on INIT/INIT_ACK or ASCONF parameters) we cannot know what interfaces we'll be seeing that traffic on. Make those states floating, irrespective of state policy.
  MFC after: 1 week
  Sponsored by: Orange Business Services
* pf: fix dummynet + ipdivert use case
  Igor Ostapenko, 2023-11-17, 1 file, -1/+117

  Dummynet re-injects an mbuf with MTAG_IPFW_RULE added, and the same mtag is used by divert(4) as parameters for packet diversion. If, according to the pf rule set, a packet should go through dummynet first and through ipdivert after, then the mentioned mtag must be removed after dummynet so as not to make ipdivert think that this is its input parameters.
  ipfw consumes this mtag at the very beginning, which means the same behaviour: the tag is cleared after dummynet. And after fabf705f4b5a pf passes parameters to ipdivert using its personal MTAG_PF_DIVERT mtag.
  PR: 274850
  Reviewed by: kp
  Differential Revision: https://reviews.freebsd.org/D42609
* pf tests: ensure that we generate all permutations for SCTP multihome
  Kristof Provost, 2023-10-31, 1 file, -0/+61

  The initial multihome implementation was a little simplistic, and failed to create all of the required states.
  Given a client with IP 1 and 2 and a server with IP 3 and 4 we end up creating states for 1 - 3 and 2 - 3, as well as 3 - 1 and 4 - 1, but not for 2 - 4.
  Check for this.
  MFC after: 1 week
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D42362
* dirdeps: Update Makefile.depend* files with empty contents
  Stephen J. Kiernan, 2023-10-29, 1 file, -0/+1

  Some Makefile.depend* files were committed with no contents or empty DIRDEPS list, but they should have DIRDEPS with some contents.
* pf: Fix packet reassembly
  Kajetan Staszkiewicz, 2023-10-26, 3 files, -11/+131

  Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour.
  Reviewed by: kp
  Sponsored by: InnoGames GmbH
  Differential Revision: https://reviews.freebsd.org/D42355
* pf tests: add a test for killing states by NAT address
  Kristof Provost, 2023-10-23, 1 file, -1/+74

  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D42313
* pf: fix pf divert-to loop
  Igor Ostapenko, 2023-10-19, 3 files, -0/+566

  Resolved conflict between ipfw and pf if both are used and pf wants to do divert(4) by having separate mtags for pf and ipfw.
  Also fix the incorrect 'rulenum' check, which caused the reported loop.
  While here add a few test cases to ensure that divert-to works as expected, even if ipfw is loaded.
  divert(4)
  PR: 272770
  MFC after: 3 weeks
  Reviewed by: kp
  Differential Revision: https://reviews.freebsd.org/D42142
* pf: implement start/stop calls via netlink
  Kristof Provost, 2023-10-13, 1 file, -0/+38

  Implement equivalents to DIOCSTART and DIOCSTOP in netlink. Provide a libpfctl implementation and add a basic test case, mostly to verify that we still return the same errors as before the conversion.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D42145
* pf: add a way to list creator ids
  Kristof Provost, 2023-10-10, 1 file, -0/+8

  Allow userspace to retrieve a list of distinct creator ids for the current states.
  This is used by pfSense, and used to require dumping all states to userspace. It's rather inefficient to export a (potentially extremely large) state table to obtain a handful (typically 2) of 32-bit integers.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D42092
* Improve the pf nat exhaustion test by checking the reply from the echo server
  Brad Davis, 2023-10-06, 1 file, -2/+2

  Event: Oslo Hackathon
  Approved by: kp
* pf: cope with missing rpool.cur
  Kristof Provost, 2023-10-04, 1 file, -0/+96

  If we're evaluating a pfsync'd state (and have different rules on both ends) our state may point to the default rule, which does not have rpool.cur set. As a result we can end up dereferencing a NULL pointer.
  Explicitly check for this when we try to re-construct the route-to interface.
  Also add a test case which can trigger this issue.
  MFC after: 3 days
  See also: https://redmine.pfsense.org/issues/14804
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: pfsync:defer requires scapy
  Kristof Provost, 2023-09-13, 1 file, -0/+1

  Add the kyua hint so we skip the test if it's not installed.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf tests: extend SCTP tests to test state removal through ASCONF
  Kristof Provost, 2023-09-07, 1 file, -0/+36

  pf can now mark multihomed connections as shutting down. Verify that pf does the right thing.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
* pf tests: basic SCTP multihoming test
  Kristof Provost, 2023-09-07, 2 files, -0/+443

  The SCTP server will announce multiple addresses. Block one of them with pf, connect to the other and have the client use the blocked address. pf is expected to have created state for all of the addresses announced by the server.
  In a separate test case add the secondary (client) IP after the connection has been established. The intent is to verify the functionality of the ASCONF chunk parsing.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D41638
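  Added example (not pf's kernel code and not the test-suite code of the commits above) covering this multihoming entry and the later "ensure that we generate all permutations for SCTP multihome" entry: the parsing a filter has to do to learn a peer's addresses from INIT / INIT ACK address parameters (RFC 4960) and from ASCONF Add-IP parameters (RFC 5061), and the state bookkeeping that follows. required_states() is every client/server address pair; simplistic_states() models the incomplete behaviour the permutation commit describes (each announced address paired only with the address the announcing packet was sent to), so the difference is exactly the missing 2 - 4 pair. The chunk encoders, the documentation addresses and the assumption that each peer announces all of its own addresses are constructed for the example.

```python
import struct
import ipaddress
from itertools import product

# SCTP chunk types (RFC 4960, RFC 5061) and parameter types used below
CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ASCONF = 1, 2, 0xC1
PARAM_IPV4, PARAM_IPV6, PARAM_ADD_IP = 5, 6, 0xC001


def _pad4(n):
    return (n + 3) & ~3


def tlv(ptype, value):
    """Type-Length-Value parameter: length excludes padding, wire is padded to 4."""
    length = 4 + len(value)
    return struct.pack("!HH", ptype, length) + value + b"\x00" * (_pad4(length) - length)


def addr_param(addr):
    a = ipaddress.ip_address(addr)
    return tlv(PARAM_IPV4 if a.version == 4 else PARAM_IPV6, a.packed)


def chunk(ctype, data, flags=0):
    length = 4 + len(data)
    return struct.pack("!BBH", ctype, flags, length) + data + b"\x00" * (_pad4(length) - length)


def init_chunk(ctype, announced, init_tag=0x1234, a_rwnd=65535, streams=(10, 10), tsn=1):
    """INIT or INIT ACK: 16 fixed bytes, then the announced address parameters."""
    fixed = struct.pack("!IIHHI", init_tag, a_rwnd, streams[0], streams[1], tsn)
    return chunk(ctype, fixed + b"".join(addr_param(a) for a in announced))


def asconf_chunk(serial, own_addr, added):
    """ASCONF carrying one Add IP Address parameter per added address."""
    body = struct.pack("!I", serial) + addr_param(own_addr)
    for corr_id, a in enumerate(added, start=1):
        body += tlv(PARAM_ADD_IP, struct.pack("!I", corr_id) + addr_param(a))
    return chunk(CHUNK_ASCONF, body)


def iter_tlvs(buf):
    off = 0
    while off + 4 <= len(buf):
        ptype, plen = struct.unpack_from("!HH", buf, off)
        if plen < 4 or off + plen > len(buf):
            raise ValueError("bad parameter length")
        yield ptype, buf[off + 4:off + plen]
        off += _pad4(plen)


def iter_chunks(buf):
    """Walk chunks following the 12-byte SCTP common header (not included here)."""
    off = 0
    while off + 4 <= len(buf):
        ctype, flags, clen = struct.unpack_from("!BBH", buf, off)
        if clen < 4 or off + clen > len(buf):
            raise ValueError("bad chunk length")
        yield ctype, flags, buf[off + 4:off + clen]
        off += _pad4(clen)


def _addresses(ptype, value):
    if ptype == PARAM_IPV4 and len(value) == 4:
        return [str(ipaddress.IPv4Address(value))]
    if ptype == PARAM_IPV6 and len(value) == 16:
        return [str(ipaddress.IPv6Address(value))]
    return []


def announced_addresses(chunks):
    """Every address a peer announces in INIT / INIT ACK parameters or ASCONF Add-IP."""
    found = []
    for ctype, _flags, data in iter_chunks(chunks):
        if ctype in (CHUNK_INIT, CHUNK_INIT_ACK):
            for ptype, value in iter_tlvs(data[16:]):
                found += _addresses(ptype, value)
        elif ctype == CHUNK_ASCONF:
            _, own_len = struct.unpack_from("!HH", data, 4)   # skip serial + own address
            for ptype, value in iter_tlvs(data[4 + _pad4(own_len):]):
                if ptype == PARAM_ADD_IP:
                    for ip_type, ip_value in iter_tlvs(value[4:]):  # skip correlation id
                        found += _addresses(ip_type, ip_value)
    return found


def required_states(client_addrs, server_addrs):
    """Every client/server pair needs its own state (1-3, 1-4, 2-3, 2-4)."""
    return frozenset(product(client_addrs, server_addrs))


def simplistic_states(client_pkt_src, client_addrs, server_pkt_src, server_addrs):
    """Incomplete behaviour: INIT pairs announced client addresses only with the
    address it was sent to; INIT ACK does the same for the server's addresses."""
    return frozenset({(c, server_pkt_src) for c in client_addrs}
                     | {(client_pkt_src, s) for s in server_addrs})


# Constructed sample (RFC 5737 documentation addresses): client .1/.2, server .3/.4
CLIENT_ADDRS = ["192.0.2.1", "192.0.2.2"]
SERVER_ADDRS = ["198.51.100.3", "198.51.100.4"]


def missing_states():
    """States the simplistic approach never creates for the sample association."""
    client = announced_addresses(init_chunk(CHUNK_INIT, CLIENT_ADDRS))          # .1 -> .3
    server = announced_addresses(init_chunk(CHUNK_INIT_ACK, SERVER_ADDRS))      # .3 -> .1
    need = required_states(client, server)
    return need - simplistic_states(CLIENT_ADDRS[0], client, SERVER_ADDRS[0], server)
```

  Each state here stands for one bidirectional entry, so 3 - 1 and 4 - 1 in the commit text are the reverse halves of the 1 - 3 and 1 - 4 pairs; the only pair the simplistic approach never creates is 2 - 4. An ASCONF that adds a client address grows the required set to client x server pairs again, which is the second test case the commit describes.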
* pf tests: test syncookies on IPv6
  Kristof Provost, 2023-08-21, 1 file, -1/+150

  MFC after: 1 week
  Sponsored by: Rubicon Communications, LLC ("Netgate")
* Remove $FreeBSD$: one-line sh pattern
  Warner Losh, 2023-08-16, 37 files, -37/+0

  Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* Remove $FreeBSD$: two-line .h pattern
  Warner Losh, 2023-08-16, 1 file, -2/+0

  Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
* pf: test rules evaluation in the face of multiple IPv6 fragment headers
  Kristof Provost, 2023-08-04, 2 files, -0/+62

  Send an ICMPv6 echo request packet with multiple IPv6 fragment headers. Set rules to pass all packets, except for ICMPv6 echo requests.
  pf ought to drop the echo request, but doesn't because it reassembles the packet, and then doesn't handle the second fragment header. In other words: it fails to detect the ICMPv6 echo header.
  Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
  MFC after: instant
  Sponsored by: Rubicon Communications, LLC ("Netgate")
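  Added example (not pf's code and not the test added by this commit): the evasion described above, reduced to the extension-header walk that decides what a rule sees. build_echo() constructs an ICMPv6 echo request behind N Fragment headers; stop_at_first_fragment() is a simplified model of the faulty behaviour (treat whatever follows the first Fragment header as the upper-layer header), while walk_all_extension_headers() keeps following next-header fields until a non-extension protocol is reached. Against a "pass all, block ICMPv6 echo requests" rule set the first classifier lets the two-fragment-header packet through and the second blocks it. Addresses are RFC 3849 documentation addresses and the ICMPv6 checksum is left zero, since the example classifies headers rather than validating the packet.

```python
import struct
import ipaddress

# IANA protocol numbers for the extension headers the walk understands
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_ICMPV6 = 58
ICMP6_ECHO_REQUEST = 128
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}


def ipv6_header(payload_len, next_hdr, src, dst):
    """40-byte fixed IPv6 header: version 6, class/flow 0, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def fragment_header(next_hdr, offset=0, more=False, ident=0x1234):
    """8-byte Fragment header (RFC 8200 4.5): next, reserved, offset/M, identification.
    offset 0 and M=0 makes an 'atomic' fragment that still needs no peer fragments."""
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), ident)


def icmpv6_echo_request(ident=1, seq=1, data=b"\x00" * 8):
    # Checksum field left zero: not needed for header classification.
    return struct.pack("!BBHHH", ICMP6_ECHO_REQUEST, 0, 0, ident, seq) + data


def build_echo(fragment_headers):
    """Constructed sample: ICMPv6 echo request behind `fragment_headers` Fragment headers."""
    chain, next_hdr = icmpv6_echo_request(), IPPROTO_ICMPV6
    for _ in range(fragment_headers):
        chain, next_hdr = fragment_header(next_hdr) + chain, IPPROTO_FRAGMENT
    return ipv6_header(len(chain), next_hdr, "2001:db8::1", "2001:db8::2") + chain


def stop_at_first_fragment(pkt):
    """Simplified model of the faulty behaviour: once the first Fragment header
    has been handled, what follows it is taken as the upper-layer header."""
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS:
        if next_hdr == IPPROTO_FRAGMENT:
            return pkt[off], off + 8
        next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return next_hdr, off


def walk_all_extension_headers(pkt):
    """Correct walk: follow next-header fields until a non-extension protocol,
    with a bound on chain length so hostile input cannot make the walk spin."""
    next_hdr, off = pkt[6], 40
    for _ in range(16):
        if next_hdr not in EXT_HEADERS:
            return next_hdr, off
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = 8 if next_hdr == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + hdr_len
    raise ValueError("extension header chain too long")


def verdict(pkt, classify):
    """The commit's rule set: pass everything except ICMPv6 echo requests."""
    proto, off = classify(pkt)
    if proto == IPPROTO_ICMPV6 and off < len(pkt) and pkt[off] == ICMP6_ECHO_REQUEST:
        return "block"
    return "pass"
```

  The general lesson the walk encodes: after reassembly the next-header chain must be re-walked from the start, because nothing in RFC 8200 prevents a second Fragment header (or any other extension header) from following the first, and a classifier that stops early sees the wrong protocol.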
* pf tests: test SCTP pfsync
  Kristof Provost, 2023-07-21, 1 file, -0/+188

  Ensure that SCTP connections survive a failover to the backup pf instance.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D40869
* pf tests: test 'rdr' for SCTP
  Kristof Provost, 2023-07-21, 1 file, -0/+68

  Explicitly test that we cannot change the port number with rdr. That's not a desirable feature on SCTP, because it could break multihomed connections.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D40868
* pf tests: test SCTP NAT
  Kristof Provost, 2023-07-21, 1 file, -0/+106

  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D40867
* pf tests: test SCTP 'return'
  Kristof Provost, 2023-07-21, 1 file, -0/+117

  Ensure that we send a correct abort message for 'block return' rules.
  Test this by validating that nc doesn't sit around waiting for a connection. It should give up immediately when it receives the abort.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D40865
* pf tests: basic SCTP connection test
  Kristof Provost, 2023-07-21, 2 files, -0/+191

  pf can now inspect SCTP. Check that we can set up a connection.
  IPv4 and IPv6 tests.
  MFC after: 3 weeks
  Sponsored by: Orange Business Services
  Differential Revision: https://reviews.freebsd.org/D40863