Commit Graph

66 Commits

Author SHA1 Message Date
Kyle Evans
1d2e31af14 pf tests: fix up a couple WARNS= 6 nits
common_init_tbl is only used within this single CU, so it should be marked
static.

WARNS=6 also complained about the var defined by
`ATF_TC_WITH_CLEANUP(getastats);` being unused, which turns out to be
because it's not been hooked up in ATF_TP_ADD_TCS. kp@ did not immediately
recall any reason for this, and the case passes on my local system, so hook
it up.

Note that I've not yet set WARNS= 6 here. Investigation is underway to see
if we can feasibly default WARNS to 6 for src builds to catch directories
too deep to inherit a WARNS from the top-level subdirectories' Makefile.inc.
Those particular WARNS settings will be subsequently removed as they become
redundant with a more-global default.

MFC after:	1 week
2020-05-14 23:20:58 +00:00
Mark Johnston
17dd52dfab Add a basic table entry counter regression test.
Reviewed by:	kp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24809
2020-05-11 19:08:03 +00:00
Mark Johnston
96bc58ea81 Remove the svn:executable property from some pf test files.
The test makefiles will handle setting mode bits during install.  Also,
Phabricator gets upset when uploading an executable plain-text file
without a shebang.

MFC after:	1 week
2020-05-11 19:07:33 +00:00
Li-Wen Hsu
c0507192fa Skip sys.netpfil.pf.nat.exhaust on all platforms as it not only fails on amd64
PR:		244703
Sponsored by:	The FreeBSD Foundation
2020-03-13 16:44:48 +00:00
Li-Wen Hsu
7d292b4814 Skip sys.netpfil.pf.nat.exhaust on amd64 in CI as it sometimes panics kernel
PR:		244703
Sponsored by:	The FreeBSD Foundation
2020-03-10 19:18:24 +00:00
Li-Wen Hsu
547a1e03c3 Revert r358309 after r358311.
PR:		244393
Sponsored by:	The FreeBSD Foundation
2020-02-26 04:54:50 +00:00
Li-Wen Hsu
bebf52f1ec Temporarily skip failing test case sys.netpfil.pf.fragmentation.v6
PR:		244393
Sponsored by:	The FreeBSD Foundation
2020-02-25 11:56:54 +00:00
Li-Wen Hsu
09bc401f9d Reenable netinet6 and netpfil tests on i386, net/scapy 2.4.3_2 contains the fix
PR:		239380
Sponsored by:	The FreeBSD Foundation
2019-11-08 18:56:02 +00:00
Kristof Provost
65d553b0f0 netpfil tests: Add missing copyright & license statements 2019-10-29 09:47:12 +00:00
Li-Wen Hsu
cfa8b64827 Follow r354121 to fix some python3 errors in sys.netpfil.*
stderr:

Traceback (most recent call last):
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 135, in <module>
    main()
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 124, in main
    ping(args.sendif[0], args.to[0], args)
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 74, in ping
    raw = sp.raw(str(PAYLOAD_MAGIC))
  File "/usr/local/lib/python3.6/site-packages/scapy/compat.py", line 52, in raw
    return bytes(x)
TypeError: string argument without an encoding

MFC with:	r354121
Sponsored by:	The FreeBSD Foundation
2019-10-27 21:07:50 +00:00
Bjoern A. Zeeb
f0297f121a Upgrade (scapy) py2 tests to work on py3.
In order to move python2 out of the test framework to avoid py2 vs. py3
confusions upgrade the remaining test cases using scapy to work with py3.
That means only one version of scapy needs to be installed in the CI system.
It also gives a path forward for testing i386 issues observed in the CI
system with some of these tests.

Fixes are:
- Use default python from environment (which is 3.x these days).
- properly ident some lines as common for the rest of the file to avoid
  errors.
- cast the calculated offset to an int as the division result is considered
  a float which is not accepted input.
- when comparing payload to a magic number make sure we always add the
  payload properly to the packet and do not try to compare string in
  the result but convert the data payload back into an integer.
- fix print formating.

Discussed with:	lwhsu, kp (taking it off his todo :)
MFC after:	2 weeks
2019-10-26 21:19:55 +00:00
Li-Wen Hsu
ebcb81079e Temporarily skip sys.netpfil.common.tos.pf_tos on i386 CI as it always fails
PR:		240086
Sponsored by:	The FreeBSD Foundation
2019-09-17 22:09:14 +00:00
Li-Wen Hsu
ae92090ae0 Temporarily skip sys.netpfil.common.forward.pf_v4 on i386 CI as it always fails
PR:		240085
Sponsored by:	The FreeBSD Foundation
2019-09-17 22:08:16 +00:00
Li-Wen Hsu
74fa3a52ce Fix failure test cases after r351423 due to ping6(8) options changed
Failure test cases:
    sys.netpfil.common.pass_block.pf_v6
    sys.netpfil.pf.pass_block.noalias
    sys.netpfil.pf.pass_block.v6

Sponsored by:	The FreeBSD Foundation
2019-08-24 01:28:39 +00:00
Kristof Provost
39cae0d5ed netpfil tests: Add forward test for the three firewalls
Submitted by:	Ahsan Barkati
Reviewed by:	kp
Sponsored by:	Google, Inc. (GSoC 2019)
Differential Revision:	https://reviews.freebsd.org/D21321
2019-08-23 12:11:46 +00:00
Li-Wen Hsu
cdac716946 Fix path issues after r351212
This fixes sys.netpfil.pf.forward.v4 and sys.netpfil.pf.icmp.cve_2019_5598
failures in CI system.

Sponsored by:	The FreeBSD Foundation
2019-08-22 12:08:35 +00:00
Kristof Provost
3e1ebe7fb8 netpfil tests: Add too many fragments test for pf, ipfw and ipf
Add test for checking that the packets are dropped if it is fragmented into
more than the defined value.

Submitted by:	Ahsan Barkati
Reviewed by:	kp
Sponsored by:	Google, Inc. (GSoC 2019)
Differential Revision:	https://reviews.freebsd.org/D21307
2019-08-20 14:46:12 +00:00
Kristof Provost
df3d236d96 netpfil tests: Add the set ToS test for ipfw and pf
This test tests the following:

 - The firewall is able to set the tos bits
 - The firewall is able to set the DSCP bits when EN bits is already set and
   the EN bits remains unchanged.
 - The firewall is able to drop the packets based on ToS value

Submitted by:	Ahsan Barkati
Reviewed by:	kp
Sponsored by:	Google, Inc. (GSoC 2019)
Differential Revision:	https://reviews.freebsd.org/D21305
2019-08-20 14:31:22 +00:00
Kristof Provost
9531253098 netpfil tests: Move pft_ping.py and sniffer.py to the common test directory
The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to
tests/sys/netpfil/common directory because these tools are to be used in
common for all the firewalls.

Submitted by:	Ahsan Barkati
Reviewed by:	kp, thj
Sponsored by:	Google, Inc. (GSoC 2019)
Differential Revision:	https://reviews.freebsd.org/D21276
2019-08-19 10:48:27 +00:00
Tom Jones
0d9da68f01 Add basic NAT test for pf, ipf and ipfw
Add common firewall NAT tests for pf, ipf and ipfw (using both in-kernel and
userspace NAT).

Submitted by:   Ahsan Barkati
Sponsored by:   Google, Inc. (GSoC 2019)
Reviewed by:    kp
Approved by:    bz (mentor)
MFC after:      2 weeks
Differential Revision: https://reviews.freebsd.org/D21199
2019-08-17 06:44:11 +00:00
Mateusz Piotrowski
03d8a4b7d3 pf tests: Fix accidental duplication of content
Some files got their contented duplicated in r345409. Some mistakes where
fixed in r345430. The only file that was left with a duplicated content was
CVE-2019-5598.py.

Reviewed by:	kp
Approved by:	src (kp)
Differential Revision:	https://reviews.freebsd.org/D21267
2019-08-15 12:00:59 +00:00
Tom Jones
f97a8a3615 Add common firewall test suite
Add a common test suite for the firewalls included in the base system. The test
suite allows common test infrastructure to test pf, ipfw and ipf firewalls from
test files containing the setup for all three firewalls.

Add the pass block test for pf, ipfw and ipf. The pass block test checks the
allow/deny functionality of the firewalls tested.

Submitted by:   Ahsan Barkati
Sponsored by:   Google, Inc. (GSoC 2019)
Reviewed by:    kp
Approved by:    bz (co-mentor)
MFC after:      2 weeks
Differential Revision: https://reviews.freebsd.org/D21065
2019-08-05 11:47:34 +00:00
Li-Wen Hsu
4f6d74c9c4 Temporarily skip sys.netpfil.pf.forward.{v4,v6} and sys.netpfil.pf.set_tos.v4
on i386 as they are flakey on it

PR:		239380
Sponsored by:	The FreeBSD Foundation
2019-07-22 18:54:26 +00:00
Li-Wen Hsu
43527153dc Skip sys.netpfil.pf.names.names and sys.netpfil.pf.synproxy.synproxy
temporarily because kernel panics when flushing epair queue.

PR:		238870
Sponsored by:	The FreeBSD Foundation
2019-06-29 12:19:57 +00:00
Kristof Provost
b20ff7b90a pf tests: Fail the test if we can't set the rules
The test should fail if pf rules can't be set. This is helpful both
while writing tests and to verify that pfctl works as expected.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
2019-04-18 10:54:08 +00:00
Kristof Provost
246e18b224 pf tests: Try to provoke the panic with invalid DIOCRSETTFLAGS
There was an issue with copyin() on DIOCRSETTFLAGS, which would panic if
pfrio_buffer was NULL.
Test for the issue fixed in r346319.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
2019-04-17 16:45:35 +00:00
Kristof Provost
dcccc93ae4 pf tests: Fix accidental duplication of content
Also use the correct name for the scapy test script.
2019-03-23 01:07:51 +00:00
Kristof Provost
7de4bd92b8 pf tests: Test CVE-2019-5598
Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet.
2019-03-22 07:39:28 +00:00
Kristof Provost
d1805f60af pf tests: Move Sniffer to its own file
Make it easier to re-use the sniffer class in other test support
scripts.
2019-03-21 08:15:46 +00:00
Kristof Provost
16b56c7f4e pf tests: Accelerate tests
Make the tests run slightly faster by having pft_ping.py end the capture
of packets as soon as it sees the expected packet, rather than
continuing to sniff.

MFC after:	2 weeks
2019-03-07 11:09:29 +00:00
Kristof Provost
06aac31aec tests: Move common (vnet) test functions into a common file
The netipsec and pf tests have a number of common test functions. These
used to be duplicated, but it makes more sense for them to re-use the
common functions.

PR:		236223
2019-03-04 18:15:06 +00:00
Kristof Provost
bd0eb4dcc4 pf tests: Test for nested inline anchor issue
PR:		196314
MFC after:	1 week
2019-03-02 12:30:59 +00:00
Kristof Provost
15426769bb pf tests: Test CVE-2019-5597
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.

Obtained from:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
2019-03-01 07:39:55 +00:00
Kristof Provost
fe5a065d4b pf tests: Check size validation in DIOCGETSRCNODES
Ensure that invalid sizes for DIOCGETSRCNODES do not cause panics.

MFC after:	 1 week
2019-01-22 02:56:36 +00:00
Kristof Provost
b9dee1ff02 pf tests: Test PR 229241
pfctl has an issue with 'set skip on <group>', which causes inconsistent
behaviour: the set skip directive works initially, but does not take
effect when the same rules are re-applied.

PR:		229241
MFC after:	1 week
2019-01-13 05:31:53 +00:00
Kristof Provost
ff514f1f8a pf tests: Basic rdr test
MFC after:	2 weeks
2018-12-12 20:19:56 +00:00
Kristof Provost
9bfe20461c pf tests: NAT exhaustion test
It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this, by setting up a situation where only two ports are
available for NAT and then attempting to create three connections.

If successful the third connection will fail immediately. In an
incorrect case the connection attempt will freeze, also freezing all
interaction with pf through pfctl and trigger timeout.

PR:		233867
MFC after:	2 weeks
2018-12-12 20:19:18 +00:00
Kristof Provost
d3cc40300e pf tests: Use the ATF cleanup infrastructure in the ioctl tests
Use ATF_TC_CLEANUP(), because that means the cleanup code will get
called even if a test fails. Before it would only be executed if every
test within the body succeeded.

Reported by:	Marie Helene Kvello-Aune <marieheleneka@gmail.com>
MFC after:	2 weeks
2018-12-11 21:49:13 +00:00
Kristof Provost
87c7063c2b pf tests: ioctl tests require root rights
Explicitly mark these tests as requiring root rights. We need to be able
to open /dev/pf.

Reported by:	Marie Helene Kvello-Aune <marieheleneka@gmail.com>
MFC after:	2 weeks
2018-12-11 21:45:56 +00:00
Kristof Provost
369d9a2c15 pf tests: Add a defer mode test for pfsync
Repeat the pfsync test, this time with the 'defer' option enabled. This
exercises slightly different code paths.
2018-12-05 19:53:09 +00:00
Kristof Provost
df5ceb3b66 pf tests: Test name handling
Provoke a situation where two interfaces have the same name, and verify
pf's reaction to this.
2018-12-01 09:59:32 +00:00
Kristof Provost
db785060cb pf tests: Make pass_block:noalias more robust
Send several ICMPv6 echo requests. We've seen occasional failures with a
single request.
2018-12-01 09:57:29 +00:00
Li-Wen Hsu
b0e9618e68 Fix test: sys.netpfil.pf.pass_block.noalias
Replace hard-coded epair0b with the variable holds the real epair interface
used for testing.

Reviewed by:	kp
Approved by:	emaste, markj (mentors)
MFC with:	r339836
Sponsored by:	The FreeBSD Foundation
2018-11-09 15:24:24 +00:00
Kristof Provost
55177f18a1 pf tests: Test PR 183198
Create a table which is only used inside an anchor, ensure that the
table exists.

PR:		183198
MFC after:	2 weeks
2018-11-08 21:56:06 +00:00
Kristof Provost
6ab3ac5afa pf tests: Basic pfsync test
Set up two jails, configure pfsync between them and create state in one
of them, verify that this state is copied to the other jail.

MFC after:	2 weeks
Sponsored by:	Orange Business Services
Differential Revision:	https://reviews.freebsd.org/D17504
2018-11-02 16:59:55 +00:00
Kristof Provost
71f8908a1a pf tests: Test ':0' ignoring link-local addresses
PR:		201695
2018-10-28 05:37:15 +00:00
Kristof Provost
2848a0e2da pf tests: Verify that pf limits the number of fragments per packet
Test the limitation on number of frames per packet introduced in pf in r337969.

Sponsored by:	Klara Systems
2018-08-17 15:02:58 +00:00
Kristof Provost
9317ba2226 pf tests: Basic test for 'set skip in $groupname'
This tests for the problem reported in PR 229241, where using a group
name in 'set skip on' did not work as expected.

Sponsored by:	Essen Hackathon
2018-08-11 16:41:07 +00:00
Kristof Provost
6e0bca03bd pf tests: Basic synproxy test
A very basic syncproxy test: set up a connection via a synproxy rule.
This triggeres the panic fixed in r336273.
2018-07-14 21:32:32 +00:00
Kristof Provost
d850143efd pf tests: Basic route-to tests
Very basic route-to tests. These tests attempt to provoke PR 228782 for IPv4
and IPv6. A test failure will panic the machine.
2018-06-09 14:21:07 +00:00