Just like route-to, reply-to is problematic when used in combination with nat64.
In the normal (i.e. without nat64) flow we return immediately from pf_route().
However, with nat64 we need to continue and do a route lookup. In that case
we should not make the extra pf_test(PF_OUT) call to remain similar to the
non-nat64 flow.
We also have to fix the interface binding. We can only bind to the interface
after we've done the route lookup, not before.
Add a functional test case, and a test for pfctl's rule printing.
Sponsored by: Rubicon Communications, LLC ("Netgate")
af-to uses pf_route() and pf_route6(), which caused issues when af-to and
route-to were combined in a single rule.
Extend the relevant functions to cope with this and add test cases.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Suppose a thread adds a socket to an existing TCP lbgroup that is
actively accepting connections. It has to do the following operations:
1. set SO_REUSEPORT_LB on the socket
2. bind() the socket to the shared address/port
3. call listen()
Step 2 makes the inpcb visible to incoming connection requests.
However, at this point the inpcb cannot accept new connections. If
in_pcblookup() matches it, the remote end will see ECONNREFUSED even
when other listening sockets are present in the lbgroup. This means
that dynamically adding inpcbs to an lbgroup (e.g., by starting up new
workers) can trigger spurious connection failures for no good reason.
(A similar problem exists when removing inpcbs from an lbgroup, but that
is harder to fix and is not addressed by this patch; see the review for
a bit more commentary.)
Fix this by augmenting each lbgroup with a linked list of inpcbs that
are pending a listen() call. When adding an inpcb to an lbgroup, keep
the inpcb on this list if listen() hasn't been called, so it is not yet
visible to the lookup path. Then, add a new in_pcblisten() routine which
makes the inpcb visible within the lbgroup now that it's safe to let it
handle new connections.
Add a regression test which verifies that we don't get spurious
connection errors while adding sockets to an LB group.
Reviewed by: glebius
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48544
The route lookup in pf_route6() (for the nat64 case) had the src/dst for bcopy()
swapped around, so any nat64 setup that passed via a gateway on the IPv6 side
was broken.
Fix this, add 'const' to make this error actually fail to compile and add a
test case.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Fix a mistake in the pcm_read_write test that would result in not
properly detecting 32bit calculation on 32bit architectures like i386.
As a consequence, the wrong values would be checked, thus failing the
test.
Reported by: CI
Fixes: 27ef5d48c7 ("sound: Unit test the pcm sample read and write macros")
MFC after: 1 week
Reviewed by: christos
Differential Revision: https://reviews.freebsd.org/D48617
/workspace/src/tests/sys/sound/pcm_read_write.c:36:1: error: 'static' is not
at beginning of declaration [-Werror=old-style-declaration]
36 | } static const afmt_tests[] = {
| ^
Reported by: CI
Fixes: 27ef5d48c7 ("sound: Unit test the pcm sample read and write macros")
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
The tests previously expected the invoker to pass a list of FIBs to use.
However, they now run in separate VNET jails, so we can simply expand
the FIB array as needed in each test. Modify each test to simply set
net.fibs as needed and grab FIB numbers starting at 1.
A number of tests were also broken by commit 9206c79961
("usr.bin/netstat: -n should not print symbolic names"), so fix those.
Reviewed by: asomers
Fixes: 9206c79961 ("usr.bin/netstat: -n should not print symbolic names")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48585
Main goal is to have a unit test, with sample test data that is verified
against the current macro implementation of pcm sample read and write
functions. With a test in place, we can proceed on a planned refactoring
of the sample read and write code, and confidently check the new code
for regressions.
Implementation of the unit test itself has to avoid any cast or
conversion affected by endianness, to make the tests compatible with all
machine architectures.
MFC after: 1 week
Reviewed by: christos, markj
Differential Revision: https://reviews.freebsd.org/D48330
This function uses already supposedly opaque struct _getfamily_attrs as
the argument and it fills it with pointers to volatile memory, which makes
it unsafe for general use. While here also underscore structures that
hang off the struct _getfamily_attrs.
Small programs like powerd(8) and RPC daemons are converted to use
snl_get_genl_mcast_group() and/or snl_get_genl_family(). The genl(1)
utility was fixed not to mix its own parsers with parsers declared in
netlink_snl_generic.h.
Reviewed by: melifaro
Differential Revision: https://reviews.freebsd.org/D48480
Exercise the garp code.
This doesn't actively verify anything, but is sufficient to trigger the
panic reported in PR 284073, so it's a useful test case to keep.
PR: 284073
Sponsored by: Rubicon Communications, LLC ("Netgate")
Produce an IPv6 packet that's longer than 65535 bytes so it'll get dropped in
pf_reassemble6(). This can then cause pf_normalize_ip6() to return an error,
which led pf_setup_pdesc() to fail to update *m0, eventually ending up with
pf_scrub() attempting to modify *m0 (now different from pd->m), a freed mbuf.
This does depend on pf_join_fragment()'s call to m_cat() freeing the relevant
mbuf rather than adding it to the chain. Accomplish this by ensuring there's
sufficient free space, by having dummymbuf re-allocate larger mbufs for our
fragments.
PR: 283705
Reported by: Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
To comply with Common Criteria certification requirements, it may be
necessary to ensure that packets to 0.0.0.0/::0 are dropped and logged
by the system firewall. Currently, such packets are dropped by
ip_input() and ip6_input() before reaching pfil hooks; let's defer the
checks slightly to give firewalls a chance to drop the packets
themselves, as this gives better observability. Add some regression
tests for this with pf+pflog.
Note that prior to commit 713264f6b8, v4 packets to the unspecified
address were not dropped by the IP stack at all.
Note that ip_forward() and ip6_forward() ensure that such packets are
not forwarded; they are passed back unmodified.
Add a regression test which ensures that such packets are visible to
pflog.
Reviewed by: glebius
MFC after: 3 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D48163
Currently packets are logged before pf_create_state() is called, so we
might log a packet as passed that is subsequently dropped due to state
creation failure. In particular, the drop is not logged, which is
wrong.
Improve the situation a bit: force logging if state creation fails.
This isn't totally right as we'll end up logging the packet twice in
this case, but it's better than not logging the drop at all.
Add a regression test.
Discussed with: kp, ks
Co-authored-by: Franco Fichtner <franco@opnsense.org>
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D47953
If the kernel rejects a response written by the server, print it. That
would most likely be due to an error in the test logic.
MFC after: 2 weeks
Sponsored by: ConnectWise
When set, this limits the amount of data that the kernel will request of
the server in any single read operation. The option has always been
available in our fusefs implementation, but never covered by the test
suite.
MFC after: 2 weeks
Sponsored by: ConnectWise
The reassembly state will be dropped after timeout, all related
fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the
bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 8b45f36762
Sponsored by: Rubicon Communications, LLC ("Netgate")
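The RFC 5722 behaviour described in the commit message above, as an added example that is not pf's code and not part of the commit: a toy reassembly queue that flushes and abandons a packet on the first overlapping fragment and drops everything that follows. The struct names, `MAX_FRAGS`, `frag_input()` and the sample sequence are assumptions made for illustration; any intersection of byte ranges is treated as an overlap.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_FRAGS 16	/* illustrative bound, not pf's limit */

struct frag { uint32_t off, len; };	/* byte range within the packet */
struct reass {
	struct frag q[MAX_FRAGS];
	size_t n;
	int abandoned;	/* overlap seen: drop the rest until the state expires */
};

/* Returns 1 if the fragment was queued, 0 if it was dropped. */
int frag_input(struct reass *r, uint32_t off, uint32_t len)
{
	if (r->abandoned || len == 0 || r->n == MAX_FRAGS)
		return 0;
	for (size_t i = 0; i < r->n; i++) {
		const struct frag *f = &r->q[i];
		if (off < f->off + f->len && f->off < off + len) {
			r->n = 0;		/* flush everything queued so far */
			r->abandoned = 1;	/* keep the state so later fragments drop */
			return 0;
		}
	}
	r->q[r->n++] = (struct frag){ off, len };
	return 1;
}

/* Replay a fragment sequence; bit i of the result is set if fragment i
 * was queued. */
unsigned replay(struct reass *r, const struct frag *in, size_t n)
{
	unsigned queued = 0;

	for (size_t i = 0; i < n; i++)
		if (frag_input(r, in[i].off, in[i].len))
			queued |= 1u << i;
	return queued;
}

/* Constructed sample: the third fragment overlaps the second; the fourth
 * does not overlap anything but arrives after the packet was abandoned. */
const struct frag sample[4] = { {0, 1232}, {1232, 1232}, {2000, 64}, {4096, 8} };
struct reass sample_state;
```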
Fix a Coverity error in the aio_kqueue_test that could theoretically
(but probably not realistically) cause overindexing an array.
Differential Revision: https://reviews.freebsd.org/D48328
Reviewed by: asomers, vangyzen
Sponsored by: Dell Technologies
Instead of failing, it must succeed now.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D48332
Much like we already do for TCP and UDP we should also parse SCTP-in-ICMP
messages to see if they apply to an SCTP connection we've already allowed. If so
we should allow the ICMP packet to pass, even if we'd otherwise block it.
Add a test case where we generate an 'ICMP unreachable - need to frag' packet
and check that it passes through pf.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48170
Verify that we reset the cleared time when we zero an address' counters in
a table.
PR: 282877, 282984
Reviewed by: kp
MFC after: 2 weeks
Signed-off-by: Leonid Evdokimov <leon@darkk.net.ru>
Differential Revision: https://reviews.freebsd.org/D48242
Do more work in MockFS's constructor's member initializer list, instead
of the body of the constructor. It's easier to read this way.
Sponsored by: ConnectWise
Fix a leak of a fuse_ticket structure. The leak mostly affected
NFS-exported fuse file systems, and was triggered by a failure during
FUSE_LOOKUP.
MFC after: 2 weeks
Sponsored by: ConnectWise
See commit 4f02a7d739 for more background.
I cannot see a good reason to continue ignoring mismatching UIDs when
binding to INADDR_ANY. Looking at the sdr.V2.4a7n sources (mentioned in
bugzilla PR 7713), there is a CANT_MCAST_BIND hack wherein the
application binds to INADDR_ANY instead of a multicast address, but
CANT_MCAST_BIND isn't defined for FreeBSD builds.
It seems unlikely that we still have a use-case for allowing sockets
from different UIDs to bind to the same port when binding to the
unspecified address. And, as noted in D47832, applications like sdr
would have been broken by the inverted SO_REUSEPORT check removed in
that revision, apparently without any bug reports. Let's break
compatibility and simply disallow this case outright.
Also, add some comments, remove a hack in a regression test which tests
this functionality, and add a new regression test to exercise the
remaining checks that were added in commit 4658dc8325.
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D47870
The FUSE_NO_OPEN_SUPPORT and FUSE_NO_OPENDIR_SUPPORT flags
are only meant to indicate kernel features, and should be ignored
if they appear in the FUSE_INIT reply flags.
Also fix the corresponding test cases.
MFC after: 2 weeks
Reviewed by: Alan Somers <asomers@FreeBSD.org>
Signed-off-by: CismonX <admin@cismon.net>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1509
Even on a riscv embedded system, the fusefs tests run fast enough that
10 seconds is a reasonable timeout.
[skip ci]
MFC after: 2 weeks
Sponsored by: ConnectWise
Every fuse ticket has a "unique" token. As the name implies, they're
supposed to be unique. Previously the fusefs test suite verified their
uniqueness by relying on the fact that they are also sequential. But
they aren't guaranteed to be sequential. Enhance the tests by removing
that convenient assumption.
MFC after: 2 weeks
Sponsored by: Axcient
For IPv4 it's valid for a UDP checksum to be 0 (i.e. no checksum). This isn't
the case for IPv6, so if we translate a UDP packet from IPv4 to IPv6 we need to
ensure that the checksum is calculated.
Add a test case to verify this. Rework the server jail so it can listen for TCP
and UDP packets at the same time.
Sponsored by: Rubicon Communications, LLC ("Netgate")
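The checksum requirement described in the commit message above, as an added example that is not pf's code and not part of the commit: it computes a UDP checksum over the IPv6 pseudo-header and fills it in only when the translated datagram still carries the IPv4 "no checksum" value of 0. The function names and the sample addresses and datagram are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: 64:ff9b::c000:201 -> 2001:db8::1, UDP 12345 -> 53,
 * payload "test", checksum field 0 as an IPv4 sender may leave it. */
uint8_t sample_src[16] = { 0x00,0x64,0xff,0x9b,0,0,0,0,0,0,0,0,0xc0,0x00,0x02,0x01 };
uint8_t sample_dst[16] = { 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01 };
uint8_t sample_udp[12] = { 0x30,0x39, 0x00,0x35, 0x00,0x0c, 0x00,0x00, 't','e','s','t' };

/* Add len bytes to a ones' complement sum as big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += ((uint32_t)p[0] << 8) | p[1];
	if (len == 1)
		sum += (uint32_t)p[0] << 8;	/* odd trailing byte, zero padded */
	return sum;
}

/* UDP checksum over the IPv6 pseudo-header (RFC 8200, section 8.1).
 * udp points at the UDP header; len covers header plus payload (>= 8). */
uint16_t udp6_checksum(const uint8_t *src, const uint8_t *dst,
    const uint8_t *udp, size_t len)
{
	const uint8_t ph[8] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
	    (uint8_t)(len >> 8), (uint8_t)len, 0, 0, 0, 17 /* UDP */ };
	uint32_t sum = csum_add(csum_add(csum_add(0, src, 16), dst, 16), ph, 8);

	sum = csum_add(sum, udp, 6);		/* ports and length */
	sum = csum_add(sum, udp + 8, len - 8);	/* checksum field counted as 0 */
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	sum = ~sum & 0xffff;
	return sum == 0 ? 0xffff : (uint16_t)sum;	/* 0 is never sent on IPv6 */
}

/* Returns 1 if a checksum was generated, 0 if one was already present
 * (adjusting an existing one for the new pseudo-header is not shown),
 * -1 if the datagram is too short to hold a UDP header. */
int udp6_fill_zero_checksum(const uint8_t *src, const uint8_t *dst,
    uint8_t *udp, size_t len)
{
	if (len < 8)
		return -1;
	if (udp[6] != 0 || udp[7] != 0)
		return 0;
	uint16_t c = udp6_checksum(src, dst, udp, len);
	udp[6] = (uint8_t)(c >> 8);
	udp[7] = (uint8_t)(c & 0xff);
	return 1;
}
```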
Tables can only be used as a redirspec (i.e. in pf_map_addr()) in round-robin mode.
Enforce this for af-to tables as well.
Add a test case to verify.
Sponsored by: Rubicon Communications, LLC ("Netgate")
We do multiple lookups during the nat64 process, some of which will fail due
to address family mismatches. Do not reset the lookup offset so we actually use
different addresses from the table.
Sponsored by: Rubicon Communications, LLC ("Netgate")
This isn't expected to work, for obvious reasons, but we also expect to not
panic doing this. Exercise this special case.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Just as with reply-to rules we don't know what interface we will send this out
of until we create the state. Create new nat64 rules as floating, but bind them
to the appropriate interface on the first pf_route(), when we do know.
Set state policy if-bound for the nat64 tests to validate this.
See also: 6460322a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47801