in_pcblisten() moves an inpcb from the per-group list into the array, at
which point it becomes visible to inpcb lookups in the datapath. It
assumes that there is space in the array for this, but that's not
guaranteed, since in_pcbinslbgrouphash() doesn't reserve space in the
array if the inpcb isn't associated with a listening socket.
We could resize the array in in_pcblisten(), but that would introduce a
failure case where there currently is none. Instead, keep track of the
number of pending inpcbs as well, and modify in_pcbinslbgrouphash() to
reserve space for each pending (i.e., not-yet-listening) inpcb.
Add a regression test.
Reviewed by: glebius
Reported by: netchild
Fixes: 7cbb6b6e28 ("inpcb: Close some SO_REUSEPORT_LB races, part 2")
Differential Revision: https://reviews.freebsd.org/D49100
In the current test case unicast_v4, host one acts as a router, but it
uses if_bridge(4) to verify the reachability to CARP master.
Unfortunately, if_bridge(4) brings the two CARP hosts into the same
broadcast domain, thus with an unusual (undocumented) setup, one host
is in unicast mode but another one in multicast, or two hosts are both
in multicast mode, the test case can falsely report success.
Fix that by propagating route via routed(8).
PR 284872 shows that CARP(4) happens to send packets with multicast
destination when the unicast peer address is in the range x.x.x.224 ~
x.x.x.239. Update the peer address in test case to catch that bug.
PR: 284872
Reviewed by: kp
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D49076
1) Set SO_BROADCAST and send to INADDR_BROADCAST.
2) Set SO_BROADCAST, set IP_ONESBCAST and cycle through broadcast capable
interfaces sending a datagram on each.
3) Set SO_BROADCAST and send to local broadcast address.
For each test we bind a second socket to check whether the broadcast
is actually received.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D49040
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
Obtained from: OpenBSD, reyk <reyk@openbsd.org>, 252a05523f
Sponsored by: Rubicon Communications, LLC ("Netgate")
When we receive an ICMP packet containing another ICMP packet we look up the
original ICMP state. This is done through a second struct pf_pdesc ('pd2'),
containing relevant information (i.e. addresses, type, id, ..).
pd2 did not contain the network interface ('kif'), leading to state lookup
failures. This only affected if-bound mode, because floating states match all
interfaces.
Set kif in pd2.
Extend the icmp.py:test_fragmentation_needed test case to use if-bound mode. It
already checked that we handled icmp-in-icmp correctly.
PR: 284866
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
In some situations the feeders in the sound module lower the pcm sample
resolution through a downshift of the sample value. The pcm_read_write
test implements this operation with an arithmetic division to avoid
implementation defined or architecture specific behavior. Due to
different rounding, the test produced marginally different sample
values, which made the test fail on 32 bit architectures. Correct this.
Reported by: CI
Fixes: 27ef5d48c7 ("sound: Unit test the pcm sample read and write macros")
MFC after: 1 week
Reviewed by: christos, markj
Differential revision: https://reviews.freebsd.org/D48926
1) Test that getsockname() on a socket that experienced a sendto(2)
returns allocated port.
2) Same as 1), but jailed. Make sure IP address was also selected.
3) Test that IP_SENDSRCADDR/IP_RECVDSTADDR work.
4) Regression test for bug 274009.
Scapy is not needed to run this test. Remove it from the required
programs list.
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49006
The ra.py script requires Scapy. Invoke it using the python3 symlink.
While technically, at the moment, python points to python3, and python3
points to the current version of python, it is recommended to use
python3. No functional change intended.
Add the Scapy requirement in the header of each test that makes use of
it.
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49005
The utils.subr file includes a couple of subroutines
(ping_dummy_check_request and ping_server_check_reply) that require
Scapy.
Add this requirement in the header of each test that makes use of them.
Reported by: Jenkins
Reviewed by: kp
Approved by: emaste (mentor)
Fixes: 07e070ef08 ("pf: Add support for multiple source node types")
Differential Revision: https://reviews.freebsd.org/D49004
When a packet matches a binat/nat/rdr rule, pf logs the match. The log
metadata includes the rule's action on the packet, e.g., PF_PASS. NAT
rules have their own actions: PF_BINAT, PF_NAT, PF_RDR.
Before commit 948e8413ab ("pflog: pass the action to pflog directly"),
pflog_packet() would obtain the action from the rule definition, whereas
after that commit the action is passed as a parameter. When a NAT rule
matches, we want to log the rule action, but after that commit, PF_PASS
is hard-coded. Restore the previous behaviour.
Add a regression test which installs a redirect, logs packets matching
the redirect rule, and verifies that the corresponding pflog entry
includes the correct action.
Reviewed by: kp
Fixes: 948e8413ab ("pflog: pass the action to pflog directly")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48911
For every state pf creates up to two source nodes: a limiting one
struct pf_kstate -> src_node and a NAT one struct pf_kstate -> nat_src_node.
The limiting source node is tracking information needed for limits using
max-src-states and max-src-nodes and the NAT source node is tracking NAT
rules only.
On closer inspection some issues emerge:
- For route-to rules the redirection decision is stored in the limiting source
node. Thus sticky-address and source limiting can't be used separately.
- Global source tracking, as promised in the man page, is totally absent from
the code. Pfctl is capable of setting flags PFRULE_SRCTRACK (enable source
tracking) and PFRULE_RULESRCTRACK (make source tracking per rule). The kernel
code checks PFRULE_SRCTRACK but ignores PFRULE_RULESRCTRACK. That makes
source tracking work per-rule only.
This patch is based on OpenBSD approach where source nodes have a type and each
state has an array of source node pointers indexed by source node type
instead of just two pointers. The conditions for limiting are applied
only to source nodes of PF_SN_LIMIT type. For global limit tracking
source nodes are attached to the default rule.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D39880
Two test cases in table.sh didn't call pft_init and thus didn't skip if pf is
not loaded.
The fragmentation_pass:v6_route_to test had the test body in the cleanup
function, so got run even when pf was not loaded.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Move the import of 'Sniffer', which depends on scapy into the test so we
don't try (and fail) to import it unless scapy is installed.
Reviewed by: kp, emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D48945
The utils.subr file includes a couple of subroutines
(ping_dummy_check_request and ping_server_check_reply) that require
scapy.
Add this requirement in the header of each test that makes use of them.
Reported by: Jenkins
Reviewed by: kp, ngie
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D48917
Add more test cases for pf fragment hole counter. Also look into
final fragment of echo reply and check total length of IP packet.
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 640736615b
Sponsored by: Rubicon Communications, LLC ("Netgate")
If vmm.ko is loaded but fails initialization, it doesn't get
automatically unloaded, so the tests will not skip themselves and will
instead fail outright.
MFC after: 1 week
Verify that we can set-tos on pass rules, and that this still works even if a
'scrub' option is present on the pass rule.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Just like we do for IPv6, generate an ICMP fragmentation needed packet if we're
going to need fragmenation for IPv4 as well (i.e. DF is set). Do so before full
processing, so we generate it with pre-NAT addreses, just as we do for IPv6.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D48805
Avoid POLA breakage and preserve output standard that really predates
the FreeBSD project itself. There are scripts in the wild that rely
on the behavior.
Provide option to specify -nn twice to have a completely numeric
output of the routing tables.
Fixes: 9206c79961
This reverts commit e090646d6f.
Reviewed by: zlei, gallatin, melifaro, allanjude, markj, emaste
Differential Revision: https://reviews.freebsd.org/D48729
Just like route-to reply-to is problematic when used in combination with nat64.
In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.
We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.
Add a funcional test case, and a test for pfctl's rule printing.
Sponsored by: Rubicon Communications, LLC ("Netgate")
af-to uses pf_route() and pf_route6(), which caused issues when af-to and
route-to were combined in a single rule.
Extend the relevant functions to cope with this and add test cases.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Suppose a thread is adds a socket to an existing TCP lbgroup that is
actively accepting connections. It has to do the following operations:
1. set SO_REUSEPORT_LB on the socket
2. bind() the socket to the shared address/port
3. call listen()
Step 2 makes the inpcb visible to incoming connection requests.
However, at this point the inpcb cannot accept new connections. If
in_pcblookup() matches it, the remote end will see ECONNREFUSED even
when other listening sockets are present in the lbgroup. This means
that dynamically adding inpcbs to an lbgroup (e.g., by starting up new
workers) can trigger spurious connection failures for no good reason.
(A similar problem exists when removing inpcbs from an lbgroup, but that
is harder to fix and is not addressed by this patch; see the review for
a bit more commentary.)
Fix this by augmenting each lbgroup with a linked list of inpcbs that
are pending a listen() call. When adding an inpcb to an lbgroup, keep
the inpcb on this list if listen() hasn't been called, so it is not yet
visible to the lookup path. Then, add a new in_pcblisten() routine which
makes the inpcb visible within the lbgroup now that it's safe to let it
handle new connections.
Add a regression test which verifies that we don't get spurious
connection errors while adding sockets to an LB group.
Reviewed by: glebius
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48544
The route lookup in pf_route6() (for the nat64 case) had the src/dst for bcopy()
swapped around, so any nat64 setup that passed via a gateway on the IPv6 side
was broken.
Fix this, add 'const' to make this error actually fail to compile and add a
test case.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Fix a mistake in the pcm_read_write test that would result in not
properly detecting 32bit calculation on 32bit architectures like i386.
As a consequence, the wrong values would be checked, thus failing the
test.
Reported by: CI
Fixes: 27ef5d48c7 ("sound: Unit test the pcm sample read and write macros")
MFC after: 1 week
Reviewed by: christos
Differential Revision: https://reviews.freebsd.org/D48617
/workspace/src/tests/sys/sound/pcm_read_write.c:36:1: error: 'static' is not
at beginning of declaration [-Werror=old-style-declaration]
36 | } static const afmt_tests[] = {
| ^
Reported by: CI
Fixes: 27ef5d48c7 ("sound: Unit test the pcm sample read and write macros")
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
The tests previously expected the invoker to pass a list of FIBs to use.
However, they now run in separate VNET jails, so we can simply expand
the FIB array as needed in each test. Modify each test to simply set
net.fibs as needed and grab FIB numbers starting at 1.
A number of tests were also broken by commit 9206c79961
("usr.bin/netstat: -n should not print symbolic names"), so fix those.
Reviewed by: asomers
Fixes: 9206c79961 ("usr.bin/netstat: -n should not print symbolic names")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48585
Main goal is to have a unit test, with sample test data that is verified
against the current macro implementation of pcm sample read and write
functions. With a test in place, we can proceed on a planned refactoring
of the sample read and write code, and confidently check the new code
for regressions.
Implementation of the unit test itself has to avoid any cast or
conversion affected by endianness, to make the tests compatible with all
machine architectures.
MFC after: 1 week
Reviewed by: christos, markj
Differential Revision: https://reviews.freebsd.org/D48330
This function uses already supposedly opaque struct _getfamily_attrs as
the argument and it fills it with pointers to volatile memory, which makes
it is unsafe for general use. While here also underscore structures that
hang off the struct _getfamily_attrs.
Small programs like powerd(8) and RPC daemons are converted to use
snl_get_genl_mcast_group() and/or snl_get_genl_family(). The genl(1)
utility was fixed not to mix its own parsers with parsers declared in
netlink_snl_generic.h.
Reviewed by: melifaro
Differential Revision: https://reviews.freebsd.org/D48480
Excercise the garp code.
This doesn't actively verify anything, but is sufficient to trigger the
panic reported in PR 284073, so it's a useful test case to keep.
PR: 284073
Sponsored by: Rubicon Communications, LLC ("Netgate")
Produce an IPv6 packet that's longer than 65535 bytes so it'll get dropped in
pf_reassemble6(). This can then causes pf_normalize_ip6() to return an error,
which led pf_setup_pdesc() to fail to update *m0, eventually ending up with
pf_scrub() attempting to modify *m0 (now different from pd->m), a freed mbuf.
This does depend on pf_join_fragment()'s call to m_cat() freeing the relevant
mbuf rather than adding it to the chain. Accomplish this by ensuring there's
sufficient free space, by having dummymbuf re-allocate larger mbufs for our
fragments.
PR: 283705
Reported by: Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
To comply with Common Criteria certification requirements, it may be
necessary to ensure that packets to 0.0.0.0/::0 are dropped and logged
by the system firewall. Currently, such packets are dropped by
ip_input() and ip6_input() before reaching pfil hooks; let's defer the
checks slightly to give firewalls a chance to drop the packets
themselves, as this gives better observability. Add some regression
tests for this with pf+pflog.
Note that prior to commit 713264f6b8, v4 packets to the unspecified
address were not dropped by the IP stack at all.
Note that ip_forward() and ip6_forward() ensure that such packets are
not forwarded; they are passed back unmodified.
Add a regression test which ensures that such packets are visible to
pflog.
Reviewed by: glebius
MFC after: 3 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48163
Currently packets are logged before pf_create_state() is called, so we
might log a packet as passed that is subsequently dropped due to state
creation failure. In particular, the drop is not logged, which is
wrong.
Improve the situation a bit: force logging if state creation fails.
This isn't totally right as we'll end up logging the packet twice in
this case, but it's better than not logging the drop at all.
Add a regression test.
Discussed with: kp, ks
Co-authored-by: Franco Fichtner <franco@opnsense.org>
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D47953
If the kernel rejects a response written by the server, print it. That
would most likely be due to an error in the test logic.
MFC after: 2 weeks
Sponsored by: ConnectWise
