Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.
Disallow their use for now.
Sponsored by: Rubicon Communications, LLC ("Netgate")
This test case depends on dtrace and sometimes gets affected if dtrace
has issues. Make it report skipped instead of failure when dtrace fails
to run.
Sponsored by: The FreeBSD Foundation
Combine anchor, dummynet and rdr to produce a more complex captive
portal setup.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32484
Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to
the lists of interfaces or IP addresses we already supported for layer 3
filtering.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481
Ensure that the 'match' keyword works with dummynet
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32480
Test that we can set dummynet information on L2, which is processed by
L3 later (assuming it's not overruled by L3 rules, of course).
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32223
Test that we correctly match inbound ('in') or outbound ('out') Ethernet
packets.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31747
Use the ether rules to selectively (i.e. per MAC address) redirect
certain connections. Test that tags carry over to the layer-3 pf code.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31746
Test that we can express 'ether block from ! 00:01:02:03:04:05'.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31744
Test the MAC address filtering capability in the new 'ether' feature in
pf.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31743
And drop stray 'd' from the end of some printed numbers. I assume this
was the result of someone thinking u is a printf length modifier for d,
not a format specifier itself.
Reviewed by: kevans, rew
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34387
When renaming a directory into a different parent directory, invalidate
the cached attributes of the new parent. Otherwise, stat will show the
wrong st_nlink value.
MFC after: 1 week
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D34336
This test case uses `dtrace -c` but it has some issues at the moment so
disable it until dtrace fixed.
From markj:
This is the CTF type ID limit which has come up quite a few times
lately. It'll be fixed with the introduction of CTFv3.
PR: 258763
Sponsored by: The FreeBSD Foundation
This can be used by debuggers to find which bits in a virtual address
should be masked off to get a canonical address. This is currently used
by the Pointer Authentication Code support to get its mask. It could also
be used if we support Top Byte Ignore for the same purpose.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34302
Use kern.elfXX.allow_wx to decide whether to map W+X or W-only memory.
Future work could expand this test to add an "allow_wx" axis to the
test matrix, but I would argue that a separate test should be written,
since that's orthogonal to map_at_zero.
MFC after: 1 week
Sponsored by: Dell EMC Isilon
The ability to set VLAN PCP from pf was introduced in 3e248e0fb4, but
never had a test added.
Create a basic setup to set the PCP to an arbitrary value and use
tcpdump to check it's actually set.
MFC after: 1 week
Both struct ip and struct udphdr both have an aligment of 2, but the
cast from struct ip to a uint32_t pointer confused GCC 9 into raising
the required alignment to 4 and then raising a
-Waddress-of-packed-member error when casting to struct udphdr.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D31941
There was nothing preventing one from sending an empty fragment on an
arbitrary KTLS TX-enabled socket, but ktls_frame() asserts that this
could not happen. Though the transmit path handles this case for TLS
1.0 with AES-CBC, we should be strict and allow empty fragments only in
modes where it is explicitly allowed.
Modify sosend_generic() to reject writes to a KTLS-enabled socket if the
number of data bytes is zero, so that userspace cannot trigger the
aforementioned assertion.
Add regression tests to exercise this case.
Reported by: syzkaller
Reviewed by: gallatin, jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34195
We should clear the single step flag when entering a signal hander and
set it when returning. This fixes the ptrace__PT_STEP_with_signal test.
While here add support for userspace to set the single step bit as on
x86. This can be used by userspace for self tracing.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34170
In libc++'s __threading_support header the semaphore.h header was
implicitly included, but from version 14 onwards, this is no longer the
case, resulting in compile errors:
tests/sys/fs/fusefs/setattr.cc:740:8: error: variable has incomplete type 'sem_t' (aka '_sem')
sem_t sem;
^
tests/sys/fs/fusefs/utils.hh:33:8: note: forward declaration of '_sem'
struct _sem;
^
MFC after: 3 days
The pf tests have the ability to log state information (pf rules, pf
states, interfaces, ...) on exit (i.e. on success or on error).
This is useful, but only in specific cases. When it's not needed it may
get in the way of clear output.
Test scripts can add 'debug' to the pft_init call to enable this for the
specified test.
Reviewed by: brd
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34133
There are some error paths in ioctl handlers that will call
pf_krule_free() before the rule's rpool.mtx field is initialized,
causing a panic with INVARIANTS enabled.
Fix the problem by introducing pf_krule_alloc() and initializing the
mutex there. This does mean that the rule->krule and pool->kpool
conversion functions need to stop zeroing the input structure, but I
don't see a nicer way to handle this except perhaps by guarding the
mtx_destroy() with a mtx_initialized() check.
Constify some related functions while here and add a regression test
based on a syzkaller reproducer.
Reported by: syzbot+77cd12872691d219c158@syzkaller.appspotmail.com
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34115
This adds the PT_GETREGSET and PT_SETREGSET ptrace types. These can be
used to access all the registers from a specified core dump note type.
The NT_PRSTATUS and NT_FPREGSET notes are initially supported. Other
machine-dependant types are expected to be added in the future.
The ptrace addr points to a struct iovec pointing at memory to hold the
registers along with its length. On success the length in the iovec is
updated to tell userspace the actual length the kernel wrote or, if the
base address is NULL, the length the kernel would have written.
Because the data field is an int the arguments are backwards when
compared to the Linux PTRACE_GETREGSET call.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D19831
These had been disabled due to panics with queued packets keeping
pointers (in m->m_pkthdr.rcvif) to removed interfaces.
This issue has been resolved in 165746f4e4, so the tests can be run
again.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Dummynet queues packets with an associated struct ifnet pointer. Ensure
that things do not explode if that interface goes away with packets
still in the queue.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33065
glob(3) returns GLOB_NOMATCH if GLOB_NOCHECK or GLOB_NOMAGIC flag is not
passed so ATF_REQUIRE_EQ(r, 0) will cause a precondition check failure if no
/dev/ses* exists.
Remove calling of atf_tc_skip() in ATF_TC_CLEANUP() because it would let
the clean up procedure unfinish.
While here, fix a set-but-not-used warning.
Reviewed by: asomers
Differential Revision: https://reviews.freebsd.org/D34056
The kernel should reject such exec()s now, early on. Instead of adding
the needed boilerplate to write a test in C, just add an -n argument for
"(n)ull argv" to the execve helper and exec this other helper that just
exits silently with argv count.
Reviewed by: emaste, kib, markj (all previous version)
Differential Revision: https://reviews.freebsd.org/D34045
There is no guarentee that upon return of 'jail -r' all jail resources
will be released. The test suite used to rely on that. Recent changes
to the PCB zones made jails delay releasing their resources, which ended
with interface leak in the test suite.
Fix that by executing 'ifconfig foo0 destroy' inside the jail, instead
of doing 'jail -r' and expecting interfaces to pop up back immediately
in the parent jail.
Reviewed by: kp
Differential revision: https://reviews.freebsd.org/D33942
