| Commit message | Author | Age | Files | Lines |
If the TTL (or hop limit) expires during nat64 translation we may
need to send the error message in the original address family (i.e.
pre-translation).
We'd usually handle this in pf_route()/pf_route6(), but at that point we
have already translated the packet, making it difficult to include it in
the generated ICMP message.
Check for this case in pf_translate_af() and send icmp errors directly
from it.
PR: 291527
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D54166
|
This makes them "skip" instead of "fail" if the module is not present.
|
Extend the test case to verify this works as expected.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
for all scenarios where both jails have same priority/advskew. There is a
tiny chance that on both sides carp_master_down() will be executed in
parallel and advertisements will also fly through the bridge(4) in
parallel, thus both sides will switch to MASTER before receiving the
announcement from peer. This makes the test fail. So far this
flakiness was observed for carp:vrrp_v4 only, but in theory it is possible
for any of the patched scenarios.
Note that this sleep does not prolong execution of the tests, as the first
jail is already configured, and if we slept before configuring the second,
we would sleep less in wait_for_carp().
|
Makes tests finish slightly faster.
|
Allow only tables to be loaded from a file, rather than everything (i.e.
including options, rules).
Add a test case for this.
PR: 291318
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Turn off IPv6 on all interfaces to avoid having multicast listener
reports generated that might turn up in our pflog output, disrupting
the test.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
We've seen failures due to pft_ping.py selecting the wrong source address.
Explicitly use 2001:db8::1 as source, to match the test's expectations.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Use 'no_dad' when assigning a v6 address, because otherwise we may try
to use it before it becomes usable.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Allow neighbor discovery/advertisement packets, but don't create state
for them. This ensures that the destination jail can respond to our
echo requests, and that we don't create extra states that would confuse
the test.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
When checking vnet test prerequisites we check if if_epair and if_bridge are
available, but we only checked for loadable modules. It's possible for these to
be built into the kernel instead.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.
Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.
Add a test case to verify this.
MFC after: 2 weeks
See also: https://redmine.pfsense.org/issues/16516
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
A test helper program, pcap-test, allows capturing, injecting and comparing.
Build a simple test case on top of it. More test cases can be easily
constructed.
|
In c12013f5bb38 we fixed udp_mapping cleanup issues in pf_get_sport(), but
missed the static-port case (i.e. low == 0 && high == 0). We could still exit
pf_get_sport() without either inserting the udp_mapping or freeing it.
Address this and add a test case to provoke the problem.
Reviewed by: thj
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53856
|
If we fail to obtain a new source port (pf_get_sport()) while we've
created a udp_mapping (for 'endpoint independent nat') we must free the
udp_mapping in pf_get_sport(). Otherwise the calling function will call
pf_udp_mapping_release(). This will then attempt to remove the udp_mapping from
a list it's not in, and crash.
Actually free the udp_mapping in all failure cases. While here sprinkle in a few
more assertions to ensure we don't forget leak udp_mappings and add a test case
to provoke this problem.
Reviewed by: thj
MFC after: 1 week
See also: https://redmine.pfsense.org/issues/16517
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53737
|
In a divert setup pf_test_state() may return PF_PASS, but not set the state
pointer. We didn't handle that, and as a result crashed immediately afterwards
trying to dereference that NULL state pointer.
Add a test case to provoke the problem.
PR: 260867
MFC after: 2 weeks
Submitted by: Phil Budne <phil.budne@gmail.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
The pr_soreceive method first scans the buffer holding both the I/O sx(9)
and socket buffer mutex(9) and after figuring out how much needs to be
copied out drops the mutex. Since the other side may only append to the
buffer, it is safe to continue the operation holding the sx(9) only.
However, the code had a bug in that it used the pointer in the very last mbuf as
marker of the place where to stop. This worked both in a case when we
drain a buffer completely (marker points at NULL) and in a case when we
wanted to stop at MSG_EOR (marker points at next mbuf after MSG_EOR).
However, this pointer is not consistent after we dropped the socket buffer
mutex.
Rewrite the logic to use the data length as bounds for the copyout cycle.
Provide a test case that reproduces the race. Note that the race is very
hard to hit, thus the test will pass on an unmodified kernel as well. In a
virtual machine I needed to add tsleep(9) for 10 nanoseconds into the
middle of the function to be able to reproduce.
PR: 290658
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D53632
Fixes: d15792780760ef94647af9b377b5f0a80e1826bc
|
socantrcvmore() and unp_dispose() assume that the socket's socket
buffers are initialized, which isn't the case for listening sockets.
Reported by: syzbot+a62883292a5c257703be@syzkaller.appspotmail.com
MFC after: 1 week
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D53743
|
* When fast-forwarding through a zstd frame, we incorrectly used the
min() inline function instead of the MIN() macro. The function
truncates the result to unsigned int, resulting in a decompression
error when trying to seek more than 4 GB into the frame.
* POSIX states that a size extended header record overrides the size
field in the header if present, and that one must be included if the
size of the file exceeds 8 GB (the size field maxes out at 64 GB).
* Reduce repetition in the exthdr parser by deduplicating the syntax
error handler.
MFC after: 1 week
Sponsored by: Klara, Inc.
Fixes: 69d94f4c7608 ("Add tarfs, a filesystem backed by tarballs.")
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D53718
|
Fixes: eb95b990f8eb ("sound tests: Fix format specified for kevent.data")
|
Reported by: CI
Fixes: dd81b19ef236 ("sound tests: Test polling")
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
|
Fixes: dd81b19ef236 ("sound tests: Test polling")
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
|
Co-authored by: meka@tilda.center
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D53188
|
The tests themselves create identically named jails, resulting in
spurious failures when the tests are run in parallel.
MFC after: 1 week
|
POSIX Issue 7 had allowed EINVAL for this case, but Issue 8 moves it
to ENOTSUP instead. ZFS uses the latter and we have some software in
ports already that's wanting to use that to detect the filesystem not
supporting it, so let's standardize on it.
Reviewed by: imp (previous version), asomers, kib
Differential Revision: https://reviews.freebsd.org/D53535
|
FUSE protocol 7.33 extended the FUSE_SETXATTR request format. But the
extension is optional. The server must opt-in by setting the
FUSE_SETXATTR_IN flag during FUSE_INIT. We were wrongly using the
extended format for any server using protocol 7.33 or later.
PR: 290547
Co-authored-by: CismonX <admin@cismon.net>
Fixes: d5e3cf41e89 ("fusefs: Upgrade FUSE protocol to version 7.33")
MFC after: 3 days
|
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Source nodes redirect (nat-to, rdr-to, route-to) all further connections
matching the rule which has created the source node. The source node is
valid as long as there are states resulting from the rule or until the
source node lifetime expires. When the rule's redirection pool is
modified (e.g. table contents are changed) the source node is still
valid and it will redirect new connections to invalid target (e.g. a
dead next-hop).
When performing source tracking after finding a source node check if the
redirection address still exists in pool of the rule which has created
this node. If not, delete the source node. This will result in finding a
new redirection address and creation of a new source node.
Reviewed by: kp
Obtained from: OpenBSD
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D53231
|
New-style address translation is done by nat-to and rdr-to actions on
normal match and pass rules. Those rules, when used without address
translation, can be specified without direction. But that allows users
to specify pre-routing nat and post-routing rdr. This case is not
handled properly and causes pre-routing nat to modify destination
address, as if it was a rdr rule, and post-routing rdr to modify source
address, as if it was a nat rule.
Ensure that nat-to action modifies source address and rdr-to destination
address no matter in which direction the rule is applied. The man page
for pf.conf already specifies that nat-to and rdr-to rules should be
limited to respective directions.
PR: 288577
Reviewed by: kp
MFC after: 3 days
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D53216
|
Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
Add a test case to exercise this code path.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Unterminated strings in the anchor or name could cause crashes.
Validate them, and add a test case.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Avoid emitting a warning if there is no Ethernet anchor. If the anchor
--regardless of its type-- is nonexistent, it should be caught earlier.
This can be misleading when there is a layer 3 anchor but not an
Ethernet anchor, giving the user the impression that there is no layer 3
anchor with that name.
PR: 280516
Approved by: kp
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53360
|
Set the number of rulesets (i.e., anchors) directly attached to the
anchor and its path in pfctl_get_ruleset().
While here, add a test to document this behavior.
PR: 290478
Reviewed by: kp
Fixes: 041ce1d690f1 ("pfctl: recursively flush rules and tables")
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53358
|
We were using the m_quit bit for two similar but distinct uses:
* To instruct the server to quit
* To cope with the kernel forcibly unmounting the fs
Fix the intermittent test failure by adding a separate bit,
m_expect_unmount, to handle cases like the latter.
Reported by: Siva Mahadevan <me@svmhdvn.name>
MFC after: 1 week
Reviewed by: Siva Mahadevan <me@svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D53357
|
Reviewed by: ngie, markj
Differential Revision: https://reviews.freebsd.org/D52800
|
A FUSE daemon can send an asynchronous notification to the kernel in order
to, for example, invalidate an inode's cache. Fix a page fault that can
happen if the file system isn't yet mounted, or is already unmounted,
when that notification arrives.
PR: 290519
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D53356
|
The first test is supposed to close the new fd, but was instead not
closing anything.
Reviewed by: ngie, markj
Fixes: 3cedbec3ee08 ("Integrate tools/regression/fifo into ...")
Differential Revision: https://reviews.freebsd.org/D52799
|
VOP_BMAP is purely advisory. If VOP_BMAP returns an error during
readahead, cluster_read should still succeed, because the actual data
was still read just fine.
Add a regression test for PR 264196, wherein cluster_read would fail if
VOP_BMAP did.
PR: 264196
MFC with: 62aef3f73f38db9fb68bffc12cc8900fecd58f0e
Reported by: danfe
Reviewed by: arrowd
Differential Revision: https://reviews.freebsd.org/D51316
|
Approved by: so
|
This greatly speeds up skipping a test that can't be run.
MFC after: 2 weeks
Sponsored by: ConnectWise
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D53215
|
Ensure we always have a non-NULL rule pointer (ctx.rm).
It might have gotten set to NULL by pf_get_translation().
While here also restore the previous rdr behaviour by re-adding the incorrectly
removed 'break' in pf_match_translation_rule.
PR: 290177
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53191
|
Reviewed by: asomers
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D53178
|
Otherwise routed logs a warning:
"MCAST_LEAVE_GROUP ALLROUTERS: Can't assign requested address"
that may be misinterpreted as a problem.
|
The code to do the route lookup was already there, but was used only for
the legacy IP_ADD_MEMBERSHIP when called without index. Do the same lookup
for IP_ADD_MEMBERSHIP with index and, what is more important, for
MCAST_JOIN_GROUP, if the supplied index is 0. This is a neat feature and
Linux does that, so this should make a few applications more easily portable to
FreeBSD.
Differential Revision: https://reviews.freebsd.org/D52918
|
The send operations are waiting on the peer's socket buffer, but we shall
use our timeout value. Provide a test for that.
Reported by: phk
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D53081
Fixes: d15792780760ef94647af9b377b5f0a80e1826bc
|
The receiver is run as a background job, so we need a wait loop to
make sure it is fully functional before launching the sender.
Reported by: Siva Mahadevan <me svmhdvn.name>
PR: 290210
|
This test implicitly depended on the order in which two threads
completed. If the test thread finished first, the test would pass. But
if the mock file system thread did, it would attempt to read from an
unmounted file system, and fail. As a result, the test would randomly
fail once out of every several thousand executions. Fix it by telling
the mock file system's event loop to exit without attempting to read any
more events.
Reported by: Siva Mahadevan <me@svmhdvn.name>
MFC after: 1 week
Reviewed by: Siva Mahadevan <me@svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D53080
|
Reviewed by: rrs, tuexen
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52979
|
Sponsored by: Netflix
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D52735
|