pfctl parser tests

Copy the most important test cases from OpenBSD's corresponding src/regress/sbin/pfctl, those that run pfctl on a test input file and check correctness of its output. We have also added some new tests using the same format. The tests consist of a collection of input files (pf*.in) and corresponding output files (pf*.ok). We run pfctl -nv on the input files and check that the output matches the output files. If any discrepancy is discovered during future development in the source tree, we know that a regression bug has been introduced into the tree. Submitted by: paggas Sponsored by: Google, Inc (GSoC 2017) Differential Revision: https://reviews.freebsd.org/D11322
2017-07-15 19:22:01 +00:00 · 2017-07-15 19:22:01 +00:00 · 4d7709ddf6
commit 4d7709ddf6
parent 4718651cb3
164 changed files with 1674 additions and 0 deletions
--- a/etc/mtree/BSD.tests.dist
+++ b/etc/mtree/BSD.tests.dist
@ -378,6 +378,10 @@
        ..
        mdconfig
        ..
+        pfctl
+            files
+            ..
+        ..
    ..
    secure
        lib
--- a/sbin/pfctl/Makefile
+++ b/sbin/pfctl/Makefile
@ -31,4 +31,8 @@ YFLAGS=

 LIBADD=	m md

+.if ${MK_TESTS} != "no"
+SUBDIR+=    tests
+.endif
+
 .include <bsd.prog.mk>
--- a/sbin/pfctl/tests/Makefile
+++ b/sbin/pfctl/tests/Makefile
@ -0,0 +1,7 @@
+# $FreeBSD$
+
+ATF_TESTS_SH=	pfctl_test
+
+SUBDIR+=	files
+
+.include <bsd.test.mk>
--- a/sbin/pfctl/tests/files/Makefile
+++ b/sbin/pfctl/tests/files/Makefile
@ -0,0 +1,12 @@
+# $FreeBSD$
+
+TESTSDIR=	${TESTSBASE}/sbin/pfctl/files
+BINDIR=		${TESTSDIR}
+
+# We use ${.CURDIR} as workaround so that the glob patterns work.
+FILES=		${.CURDIR}/pf????.in
+FILES+=		${.CURDIR}/pf????.include
+FILES+=		${.CURDIR}/pf????.ok
+FILES+=		${.CURDIR}/pfctl_test_descr.sh
+
+.include <bsd.progs.mk>
--- a/sbin/pfctl/tests/files/pf0001.in
+++ b/sbin/pfctl/tests/files/pf0001.in
@ -0,0 +1,8 @@
+pass in all
+pass in from any to any no state
+pass in proto tcp from any port <= 1024 to any label foo_bar
+pass in proto tcp from any to any port = 25
+pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
+pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
--- a/sbin/pfctl/tests/files/pf0001.ok
+++ b/sbin/pfctl/tests/files/pf0001.ok
@ -0,0 +1,8 @@
+pass in all flags S/SA keep state
+pass in all no state
+pass in proto tcp from any port <= 1024 to any flags S/SA keep state label "foo_bar"
+pass in proto tcp from any to any port = smtp flags S/SA keep state
+pass in inet proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != ssh flags S/SA keep state
+pass in inet proto igmp from 10.0.0.0/8 to 10.1.1.1 keep state allow-opts
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "6:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "7:tcp:1.2.3.5::any:"
--- a/sbin/pfctl/tests/files/pf0002.in
+++ b/sbin/pfctl/tests/files/pf0002.in
@ -0,0 +1,34 @@
+# test
+
+block	       out log on tun1000000		 all
+block	       in  log on tun1000000		 all
+
+block return-rst  out log on tun1000000 proto tcp all
+block return-rst  in  log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in  log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8		to any
+block in log quick on tun1000000 from 172.16.0.0/12	to any
+block in quick log on tun1000000 from 192.168.0.0/16	to any
+block in quick log on tun1000000 from 255.255.255.255/32 to any
+
+block in log quick from no-route to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in  on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all keep state
+
+pass in on tun1000000 proto tcp from any to any port = ssh    keep state
+pass in on tun1000000 proto tcp from any to any port = smtp   keep state
+pass in on tun1000000 proto tcp from any to any port = domain keep state
+pass in on tun1000000 proto tcp from any to any port = auth   keep state
--- a/sbin/pfctl/tests/files/pf0002.ok
+++ b/sbin/pfctl/tests/files/pf0002.ok
@ -0,0 +1,22 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+block drop in log quick from no-route to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0003.in
+++ b/sbin/pfctl/tests/files/pf0003.in
@ -0,0 +1,13 @@
+pass in all
+pass in from any to any
+
+block in proto tcp from any to any flags FUPEW/FSRPAUEW
+block in proto tcp from any to any flags SF/SFRA
+block in proto tcp from any to any flags /SFRAW
+
+pass in proto { udp, icmp, tcp } from any to any flags S/SA
+pass in from any to any flags S/SA no state
+pass in from any to any flags any no state
+pass in from any to any flags any
+pass in from any to any keep state
+pass in from any to any
--- a/sbin/pfctl/tests/files/pf0003.ok
+++ b/sbin/pfctl/tests/files/pf0003.ok
@ -0,0 +1,13 @@
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
+block drop in proto tcp all flags FPUEW/FSRPAUEW
+block drop in proto tcp all flags FS/FSRA
+block drop in proto tcp all flags /FSRAW
+pass in proto udp all keep state
+pass in proto icmp all keep state
+pass in proto tcp all flags S/SA keep state
+pass in all flags S/SA no state
+pass in all no state
+pass in all flags any keep state
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0004.in
+++ b/sbin/pfctl/tests/files/pf0004.in
@ -0,0 +1,16 @@
+block in all
+block in proto tcp all
+block in proto { tcp, udp } all
+
+block in from any to any
+block in from 10.0.0.0/8 to any
+block in from ! 10.0.0.0/8 to any
+block in from { 10.0.0.0/8, 172.16.0.0/12 } to any
+
+block in proto tcp from any port = ssh to any
+block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } \
+	to any port 1024:2048
+
+block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \
+	to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668, 6669:65535 }
+
--- a/sbin/pfctl/tests/files/pf0004.ok
+++ b/sbin/pfctl/tests/files/pf0004.ok
@ -0,0 +1,62 @@
+block drop in all
+block drop in proto tcp all
+block drop in proto tcp all
+block drop in proto udp all
+block drop in all
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from ! 10.0.0.0/8 to any
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from 172.16.0.0/12 to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port = ssh to any port 1024:2048
+block drop in proto tcp from any port 21 >< 2048 to any port 1024:2048
+block drop in proto tcp from any port != 1234 to any port 1024:2048
+block drop in proto tcp from any port >= 80 to any port 1024:2048
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
--- a/sbin/pfctl/tests/files/pf0005.in
+++ b/sbin/pfctl/tests/files/pf0005.in
@ -0,0 +1,6 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside="10.0.0.0/8"
+
+block in proto udp from $inside port { echo, $foo, ident } \
+	to 12.34.56.78 port { 6667, 0x10 }
--- a/sbin/pfctl/tests/files/pf0005.ok
+++ b/sbin/pfctl/tests/files/pf0005.ok
@ -0,0 +1,11 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside = "10.0.0.0/8"
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 16
--- a/sbin/pfctl/tests/files/pf0006.in
+++ b/sbin/pfctl/tests/files/pf0006.in
@ -0,0 +1,3 @@
+a=b
+c=x
+a_b_c=d
--- a/sbin/pfctl/tests/files/pf0006.ok
+++ b/sbin/pfctl/tests/files/pf0006.ok
@ -0,0 +1,3 @@
+a = "b"
+c = "x"
+a_b_c = "d"
--- a/sbin/pfctl/tests/files/pf0007.in
+++ b/sbin/pfctl/tests/files/pf0007.in
@ -0,0 +1,34 @@
+# test modulate state
+
+block	       out log on tun1000000		 all
+block	       in  log on tun1000000		 all
+
+block return-rst  out log on tun1000000 proto tcp all
+block return-rst  in  log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in  log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8		to any
+block in log quick on tun1000000 from 172.16.0.0/12	to any
+block in log quick on tun1000000 from 192.168.0.0/16	to any
+block in log quick on tun1000000 from 255.255.255.255/32 to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in  on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all modulate state
+pass in on tun1000000 proto { tcp udp icmp } all modulate state
+pass in on tun1000000 proto { udp tcp icmp } all flags S/SA synproxy state
+
+pass in on tun1000000 proto tcp from any to any port = ssh    modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp   modulate state
+pass in on tun1000000 proto tcp from any to any port = domain modulate state
+pass in on tun1000000 proto tcp from any to any port = auth   modulate state
--- a/sbin/pfctl/tests/files/pf0007.ok
+++ b/sbin/pfctl/tests/files/pf0007.ok
@ -0,0 +1,27 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto tcp all flags S/SA synproxy state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA modulate state
--- a/sbin/pfctl/tests/files/pf0008.in
+++ b/sbin/pfctl/tests/files/pf0008.in
@ -0,0 +1,2 @@
+extern =  "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block out log on tun1000001 from $extern to any
--- a/sbin/pfctl/tests/files/pf0008.ok
+++ b/sbin/pfctl/tests/files/pf0008.ok
@ -0,0 +1,3 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block drop out log on tun1000001 inet from ! 10.0.0.0/8 to any
+block drop out log on tun1000001 inet from 10.1.2.3 to any
--- a/sbin/pfctl/tests/files/pf0009.in
+++ b/sbin/pfctl/tests/files/pf0009.in
@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+
+block in on $interfaces all
--- a/sbin/pfctl/tests/files/pf0009.ok
+++ b/sbin/pfctl/tests/files/pf0009.ok
@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+block drop in on enc0 all
+block drop in on tun1000000 all
--- a/sbin/pfctl/tests/files/pf0010.in
+++ b/sbin/pfctl/tests/files/pf0010.in
@ -0,0 +1,31 @@
+# return variants
+pass in inet proto icmp all
+pass in inet6 proto icmp6 all
+block in inet proto icmp all
+block in inet6 proto icmp6 all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp in inet proto icmp all
+block return-icmp(0) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(5) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(10) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(15) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6 in inet6 proto icmp6 all
+block return-icmp6(0) in inet6 proto icmp6 all
+block return-icmp6(noroute-unr) in inet6 proto icmp6 all
+block return-icmp6(1) in inet6 proto icmp6 all
+block return-icmp6(admin-unr) in inet6 proto icmp6 all
+block return-icmp6(2) in inet6 proto icmp6 all
+block return-icmp6(notnbr-unr) in inet6 proto icmp6 all
+block return-icmp6(3) in inet6 proto icmp6 all
+block return-icmp6(addr-unr) in inet6 proto icmp6 all
+block return-icmp6(4) in inet6 proto icmp6 all
+block return-icmp6(port-unr) in inet6 proto icmp6 all
+block return-icmp(5, 1) in all
+block return-icmp(srcfail, admin-unr) in all
--- a/sbin/pfctl/tests/files/pf0010.ok
+++ b/sbin/pfctl/tests/files/pf0010.ok
@ -0,0 +1,30 @@
+pass in inet proto icmp all keep state
+pass in inet6 proto ipv6-icmp all keep state
+block drop in inet proto icmp all
+block drop in inet6 proto ipv6-icmp all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp(port-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp(srcfail, admin-unr) in all
+block return-icmp(srcfail, admin-unr) in all
--- a/sbin/pfctl/tests/files/pf0011.in
+++ b/sbin/pfctl/tests/files/pf0011.in
@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type 0
+pass in inet proto icmp all icmp-type 0 code 0
+pass in inet proto icmp all icmp-type 1
+pass in inet proto icmp all icmp-type 1 code 1
+pass in inet6 proto ipv6-icmp all icmp6-type 0
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+pass in inet6 proto ipv6-icmp all icmp6-type 1
+pass in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+block in inet proto icmp all icmp-type 0
+block in inet proto icmp all icmp-type 0 code 0
+block in inet proto icmp all icmp-type 1
+block in inet proto icmp all icmp-type 1 code 1
+block in inet6 proto ipv6-icmp all icmp6-type 0
+block in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block in inet6 proto ipv6-icmp all icmp6-type 1
+block in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+pass in inet proto icmp all icmp-type unreach code needfrag
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb
--- a/sbin/pfctl/tests/files/pf0011.ok
+++ b/sbin/pfctl/tests/files/pf0011.ok
@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type echorep keep state
+pass in inet proto icmp all icmp-type echorep code 0 keep state
+pass in inet proto icmp all icmp-type 1 keep state
+pass in inet proto icmp all icmp-type 1 code 1 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr keep state
+block drop in inet proto icmp all icmp-type echorep
+block drop in inet proto icmp all icmp-type echorep code 0
+block drop in inet proto icmp all icmp-type 1
+block drop in inet proto icmp all icmp-type 1 code 1
+block drop in inet6 proto ipv6-icmp all icmp6-type 0
+block drop in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr
+pass in inet proto icmp all icmp-type unreach code needfrag keep state
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb keep state
--- a/sbin/pfctl/tests/files/pf0012.in
+++ b/sbin/pfctl/tests/files/pf0012.in
@ -0,0 +1,5 @@
+pass in from 127.0.0.1 to 127.0.0.1/8 no state
+pass in from 127.0.0.1/16 to 127.0.0.1/24 no state
+pass in from 127.0.0.1/25 to ! 127.0.0.1/26
+pass in inet from ! localhost to localhost/16
+pass in inet from ! lo0 to ! lo0/8
--- a/sbin/pfctl/tests/files/pf0012.ok
+++ b/sbin/pfctl/tests/files/pf0012.ok
@ -0,0 +1,5 @@
+pass in inet from 127.0.0.1 to 127.0.0.0/8 no state
+pass in inet from 127.0.0.0/16 to 127.0.0.0/24 no state
+pass in inet from 127.0.0.0/25 to ! 127.0.0.0/26 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to 127.0.0.0/16 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to ! 127.0.0.0/8 flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0013.in
+++ b/sbin/pfctl/tests/files/pf0013.in
@ -0,0 +1,22 @@
+pass in quick on enc0 from any to any
+pass in quick on enc0 inet from any to any
+pass in quick on enc0 inet6 from any to any
+
+#pass out quick on tun1000000 inet from any to any route-to tun1000001
+#pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001
+#pass out quick on tun1000000 from any to fec0::1 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 reply-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100)
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2)
--- a/sbin/pfctl/tests/files/pf0013.ok
+++ b/sbin/pfctl/tests/files/pf0013.ok
@ -0,0 +1,3 @@
+pass in quick on enc0 all flags S/SA keep state
+pass in quick on enc0 inet all flags S/SA keep state
+pass in quick on enc0 inet6 all flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0014.in
+++ b/sbin/pfctl/tests/files/pf0014.in
@ -0,0 +1,6 @@
+pass in quick on lo0 from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to any
+pass in quick from any to fe80::1%lo0
+pass in quick on lo0 from fe80::1%lo0 to any
+pass in quick on lo0 from any to fe80::1%lo0
--- a/sbin/pfctl/tests/files/pf0014.ok
+++ b/sbin/pfctl/tests/files/pf0014.ok
@ -0,0 +1,6 @@
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0016.in
+++ b/sbin/pfctl/tests/files/pf0016.in
@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless nat -> filter
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22   
+#match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1
+pass in on lo1000000 from any to any no state
--- a/sbin/pfctl/tests/files/pf0016.ok
+++ b/sbin/pfctl/tests/files/pf0016.ok
@ -0,0 +1 @@
+pass in on lo1000000 all no state
--- a/sbin/pfctl/tests/files/pf0018.in
+++ b/sbin/pfctl/tests/files/pf0018.in
@ -0,0 +1,19 @@
+# test nat
+
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
+
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+#match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+#match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
+
+#match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0
+
+#match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0)
+
+#match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
+
+#match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port
+
+#match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8
--- a/sbin/pfctl/tests/files/pf0018.ok
+++ b/sbin/pfctl/tests/files/pf0018.ok
@ -0,0 +1,2 @@
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
--- a/sbin/pfctl/tests/files/pf0019.in
+++ b/sbin/pfctl/tests/files/pf0019.in
@ -0,0 +1,9 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22   
+
+# Test list processing
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
--- a/sbin/pfctl/tests/files/pf0019.ok
+++ b/sbin/pfctl/tests/files/pf0019.ok
@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
--- a/sbin/pfctl/tests/files/pf0020.in
+++ b/sbin/pfctl/tests/files/pf0020.in
@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
--- a/sbin/pfctl/tests/files/pf0020.ok
+++ b/sbin/pfctl/tests/files/pf0020.ok
@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
--- a/sbin/pfctl/tests/files/pf0022.in
+++ b/sbin/pfctl/tests/files/pf0022.in
@ -0,0 +1,8 @@
+set optimization aggressive
+set timeout { tcp.closing 6, tcp.opening 6 }
+set timeout tcp.first 6
+set limit states 500
+set limit {states 1000,frags 1000}
+set loginterface lo0
+set loginterface none
+set hostid 1
--- a/sbin/pfctl/tests/files/pf0022.ok
+++ b/sbin/pfctl/tests/files/pf0022.ok
@ -0,0 +1,10 @@
+set optimization aggressive
+set timeout tcp.closing 6
+set timeout tcp.opening 6
+set timeout tcp.first 6
+set limit states 500
+set limit states 1000
+set limit frags 1000
+set loginterface lo0
+set loginterface none
+set hostid 0x00000001
--- a/sbin/pfctl/tests/files/pf0023.in
+++ b/sbin/pfctl/tests/files/pf0023.in
@ -0,0 +1,2 @@
+#test negated interface matching
+block in on ! lo0 all
--- a/sbin/pfctl/tests/files/pf0023.ok
+++ b/sbin/pfctl/tests/files/pf0023.ok
@ -0,0 +1 @@
+block drop in on ! lo0 all
--- a/sbin/pfctl/tests/files/pf0024.in
+++ b/sbin/pfctl/tests/files/pf0024.in
@ -0,0 +1,8 @@
+#test variable concat
+a="ssh"
+b="ftp"
+c=$a $b
+d=$a $b $a $b
+e=$a $b $b "test" $a $b
+
+pass in proto tcp from any to any port { $c }
--- a/sbin/pfctl/tests/files/pf0024.ok
+++ b/sbin/pfctl/tests/files/pf0024.ok
@ -0,0 +1,7 @@
+a = "ssh"
+b = "ftp"
+c = "ssh ftp"
+d = "ssh ftp ssh ftp"
+e = "ssh ftp ftp test ssh ftp"
+pass in proto tcp from any to any port = ssh flags S/SA keep state
+pass in proto tcp from any to any port = ftp flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0025.in
+++ b/sbin/pfctl/tests/files/pf0025.in
@ -0,0 +1,4 @@
+antispoof for lo0
+antispoof log quick for lo0 inet
+antispoof for (lo0)
+antispoof log quick for (lo0) inet
--- a/sbin/pfctl/tests/files/pf0025.ok
+++ b/sbin/pfctl/tests/files/pf0025.ok
@ -0,0 +1,5 @@
+block drop in on ! lo0 inet6 from ::1 to any
+block drop in on ! lo0 inet from 127.0.0.0/8 to any
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 from (lo0:network) to any
+block drop in log quick on ! lo0 inet from (lo0:network) to any
--- a/sbin/pfctl/tests/files/pf0026.in
+++ b/sbin/pfctl/tests/files/pf0026.in
@ -0,0 +1,2 @@
+block in on lo0 inet from ! (lo0) to any
+block out on lo0 inet from any to ! (lo0)
--- a/sbin/pfctl/tests/files/pf0026.ok
+++ b/sbin/pfctl/tests/files/pf0026.ok
@ -0,0 +1,2 @@
+block drop in on lo0 inet from ! (lo0) to any
+block drop out on lo0 inet from any to ! (lo0)
--- a/sbin/pfctl/tests/files/pf0028.in
+++ b/sbin/pfctl/tests/files/pf0028.in
@ -0,0 +1,7 @@
+# test logging keywords, and log quick/quick log order
+block in log (all) quick on lo0 all
+block in quick log       on lo0 all
+block in quick log (all) on lo0 all
+block in log quick       on lo0 all
+block in log             on lo0 all
+block in log (all)       on lo0 all 
--- a/sbin/pfctl/tests/files/pf0028.ok
+++ b/sbin/pfctl/tests/files/pf0028.ok
@ -0,0 +1,6 @@
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log on lo0 all
+block drop in log (all) on lo0 all
--- a/sbin/pfctl/tests/files/pf0030.in
+++ b/sbin/pfctl/tests/files/pf0030.in
@ -0,0 +1,7 @@
+#test line continuation
+
+block \
+    in \
+    on lo0 \
+    from any \
+    to any
--- a/sbin/pfctl/tests/files/pf0030.ok
+++ b/sbin/pfctl/tests/files/pf0030.ok
@ -0,0 +1 @@
+block drop in on lo0 all
--- a/sbin/pfctl/tests/files/pf0031.in
+++ b/sbin/pfctl/tests/files/pf0031.in
@ -0,0 +1,21 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+#set block-policy return
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+
--- a/sbin/pfctl/tests/files/pf0031.ok
+++ b/sbin/pfctl/tests/files/pf0031.ok
@ -0,0 +1,19 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
--- a/sbin/pfctl/tests/files/pf0032.in
+++ b/sbin/pfctl/tests/files/pf0032.in
@ -0,0 +1,7 @@
+pass in from 10/8 to any
+pass in from 10.1/8 to any
+pass in from 192.168.37.29/25 to any
+pass in from 192.168.37.29/24 to any
+pass in from 192.168.37.29/16 to any
+pass in from 192.168.37.29/8 to any
+
--- a/sbin/pfctl/tests/files/pf0032.ok
+++ b/sbin/pfctl/tests/files/pf0032.ok
@ -0,0 +1,6 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 192.168.37.0/25 to any flags S/SA keep state
+pass in inet from 192.168.37.0/24 to any flags S/SA keep state
+pass in inet from 192.168.0.0/16 to any flags S/SA keep state
+pass in inet from 192.0.0.0/8 to any flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0034.in
+++ b/sbin/pfctl/tests/files/pf0034.in
@ -0,0 +1,5 @@
+#mixed af, probability
+pass in from any to { 127.0.0.1, 2000::1 }
+pass in probability 0.5
+pass in probability 50%
+pass in inet6 proto tcp from ::1 probability 0.8%
--- a/sbin/pfctl/tests/files/pf0034.ok
+++ b/sbin/pfctl/tests/files/pf0034.ok
@ -0,0 +1,5 @@
+pass in inet from any to 127.0.0.1 flags S/SA keep state
+pass in inet6 from any to 2000::1 flags S/SA keep state
+pass in all flags S/SA keep state probability 50%
+pass in all flags S/SA keep state probability 50%
+pass in inet6 proto tcp from ::1 to any flags S/SA keep state probability 0.8%
--- a/sbin/pfctl/tests/files/pf0035.in
+++ b/sbin/pfctl/tests/files/pf0035.in
@ -0,0 +1,5 @@
+#test matching on tos
+
+intf = "lo0"
+pass out on $intf inet proto tcp from any to any port 22 tos 0x10
+pass out on $intf inet proto tcp from any to any port 22 tos 0x08
--- a/sbin/pfctl/tests/files/pf0035.ok
+++ b/sbin/pfctl/tests/files/pf0035.ok
@ -0,0 +1,3 @@
+intf = "lo0"
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x10 keep state
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x08 keep state
--- a/sbin/pfctl/tests/files/pf0038.in
+++ b/sbin/pfctl/tests/files/pf0038.in
@ -0,0 +1,5 @@
+# test
+
+pass in on tun1000000 proto tcp from any to any user bin
+pass in on tun1000000 proto tcp from any to any group bin
+pass in on tun1000000 proto tcp from any to any group wheel user root user bin
--- a/sbin/pfctl/tests/files/pf0038.ok
+++ b/sbin/pfctl/tests/files/pf0038.ok
@ -0,0 +1,4 @@
+pass in on tun1000000 proto tcp all user = 3 flags S/SA keep state
+pass in on tun1000000 proto tcp all group = 7 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 3 group = 0 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 0 group = 0 flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0039.in
+++ b/sbin/pfctl/tests/files/pf0039.in
@ -0,0 +1,25 @@
+#test random ordered opts
+
+body1="pass in log quick on lo0 inet proto icmp all "
+body2="pass in log quick on lo0 inet proto tcp all "
+o_user="user root "
+o_user2="user bin "
+o_group="group wheel "
+o_group2="group nobody "
+o_flags="flags S/SA "
+o_icmpspec="icmp-type 0 code 0 "
+o_tos="tos 0x08 "
+o_keep="keep state "
+o_fragment="fragment "
+o_allowopts="allow-opts "
+o_label="label blah"
+o_prio="set prio 2"
+
+$body2 $o_fragment $o_keep $o_label $o_tos
+$body2 $o_user $o_prio $o_tos $o_keep $o_group $o_label $o_allowopts \
+$o_user2 $o_group2
+$body1 $o_icmpspec $o_keep $o_label $o_prio
+$body2 $o_keep
+$body2 $o_label $o_keep $o_prio $o_tos
+$body1 $o_icmpspec $o_tos
+$body2 $o_flags $o_allowopts 
--- a/sbin/pfctl/tests/files/pf0039.ok
+++ b/sbin/pfctl/tests/files/pf0039.ok
@ -0,0 +1,24 @@
+body1 = "pass in log quick on lo0 inet proto icmp all "
+body2 = "pass in log quick on lo0 inet proto tcp all "
+o_user = "user root "
+o_user2 = "user bin "
+o_group = "group wheel "
+o_group2 = "group nobody "
+o_flags = "flags S/SA "
+o_icmpspec = "icmp-type 0 code 0 "
+o_tos = "tos 0x08 "
+o_keep = "keep state "
+o_fragment = "fragment "
+o_allowopts = "allow-opts "
+o_label = "label blah"
+o_prio = "set prio 2"
+pass in log quick on lo0 inet proto tcp all tos 0x08 keep state fragment label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA tos 0x08 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 tos 0x08 keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state allow-opts
--- a/sbin/pfctl/tests/files/pf0040.in
+++ b/sbin/pfctl/tests/files/pf0040.in
@ -0,0 +1,20 @@
+block
+block return
+block return-rst proto tcp
+pass
+pass in no state
+pass out no state
+pass all no state
+block in all
+block out all
+block from any to any
+pass in from any to any
+pass out from any to any
+block on lo0
+pass on lo0 all
+block on lo0 from any to any
+pass proto tcp flags S/SA
+pass proto udp keep state
+pass in proto udp all keep state
+pass out proto udp from any to any keep state
+pass out on lo0 proto tcp from any to any port 25 keep state
--- a/sbin/pfctl/tests/files/pf0040.ok
+++ b/sbin/pfctl/tests/files/pf0040.ok
@ -0,0 +1,20 @@
+block drop all
+block return all
+block return-rst proto tcp all
+pass all flags S/SA keep state
+pass in all no state
+pass out all no state
+pass all no state
+block drop in all
+block drop out all
+block drop all
+pass in all flags S/SA keep state
+pass out all flags S/SA keep state
+block drop on lo0 all
+pass on lo0 all flags S/SA keep state
+block drop on lo0 all
+pass proto tcp all flags S/SA keep state
+pass proto udp all keep state
+pass in proto udp all keep state
+pass out proto udp all keep state
+pass out on lo0 proto tcp from any to any port = smtp flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0041.in
+++ b/sbin/pfctl/tests/files/pf0041.in
@ -0,0 +1,12 @@
+anchor foo
+anchor bar all
+anchor bar from any to any
+anchor foo inet
+anchor foo inet6
+anchor foo inet all
+anchor foo proto tcp
+anchor foo inet proto tcp from 10.1.2.3 port smtp to 10.2.3.4 port ssh
+anchor foobar inet6 proto udp from ::1 port 1 to ::1 port 2
+anchor filteropt out proto tcp to any port 22 user root
+anchor filteropt in proto tcp to (self) port 22 group sshd
+anchor filteropt out inet proto icmp all icmp-type echoreq
--- a/sbin/pfctl/tests/files/pf0041.ok
+++ b/sbin/pfctl/tests/files/pf0041.ok
@ -0,0 +1,12 @@
+anchor "foo" all
+anchor "bar" all
+anchor "bar" all
+anchor "foo" inet all
+anchor "foo" inet6 all
+anchor "foo" inet all
+anchor "foo" proto tcp all
+anchor "foo" inet proto tcp from 10.1.2.3 port = smtp to 10.2.3.4 port = ssh
+anchor "foobar" inet6 proto udp from ::1 port = tcpmux to ::1 port = compressnet
+anchor "filteropt" out proto tcp from any to any port = ssh user = 0
+anchor "filteropt" in proto tcp from any to (self) port = ssh group = 22
+anchor "filteropt" out inet proto icmp all icmp-type echoreq
--- a/sbin/pfctl/tests/files/pf0047.in
+++ b/sbin/pfctl/tests/files/pf0047.in
@ -0,0 +1,67 @@
+pass in on lo0 all label ""
+
+pass in all label "$if"
+pass in on lo0 all label "$if"
+pass in on lo0 all label "$if$if"
+
+pass in on lo0 all label "$srcaddr"
+pass in on lo0 from 0/0 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 from 127.0.0.1/8 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1/16 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1/31 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from lo0/8 to any label "$srcaddr"
+pass in on lo0 inet6 from lo0/64 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from lo0/127 to any label ":$srcaddr:$srcaddr:"
+
+pass in on lo0 all label "!$dstaddr!"
+pass in on lo0 inet from any to (lo0) label "$dstaddr"
+pass in on lo0 inet from any to (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet from any to (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 from any to ! 127.0.0.1/8 label "$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/16 label "$dstaddr$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/31 label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! ::1/8 label "$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/64 label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/127 label " $dstaddr $dstaddr "
+
+pass in on lo0 all label "x$srcportx"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 >< 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 <> 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28:29 to any label "$srcport"
+pass in on lo0 proto tcp from any port != 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port < 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port <= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port > 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port >= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$$srcport$$srcport$"
+
+pass in on lo0 all label "$dstport"
+pass in on lo0 proto udp from any to any port = 29 label "$dstport"
+pass in on lo0 proto udp from any to any port != 29 label "$dstport$dstport"
+pass in on lo0 proto udp from any to any port > 29 label "x$dstportx$dstportx"
+
+pass in on lo0 all label "$proto"
+pass in on lo0 proto esp all label "$proto"
+pass in on lo0 proto esp all label "$proto$proto"
+pass in on lo0 proto esp all label "-$proto-$proto-"
+pass in on lo0 proto 166 all label "$proto"
+pass in on lo0 proto 166 all label "$proto$proto"
+pass in on lo0 proto 166 all label "_$proto_$proto_"
+
+pass in on lo0 all label "$nr"
+pass in on lo0 all label "$nr$nr"
+pass in on lo0 all label "%$nr%$nr%"
+
+pass in on lo0 proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = 44 \
+    label "if $if proto $proto $srcaddr $srcport $dstaddr $dstport"
--- a/sbin/pfctl/tests/files/pf0047.ok
+++ b/sbin/pfctl/tests/files/pf0047.ok
@ -0,0 +1,61 @@
+pass in on lo0 all flags S/SA keep state
+pass in all flags S/SA keep state label "any"
+pass in on lo0 all flags S/SA keep state label "lo0"
+pass in on lo0 all flags S/SA keep state label "lo0lo0"
+pass in on lo0 all flags S/SA keep state label "any"
+pass in on lo0 inet all flags S/SA keep state label "any"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label ":127.0.0.1:127.0.0.1:"
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state label "127.0.0.0/8"
+pass in on lo0 inet from 127.0.0.0/16 to any flags S/SA keep state label "127.0.0.0/16127.0.0.0/16"
+pass in on lo0 inet from 127.0.0.0/31 to any flags S/SA keep state label ":127.0.0.0/31:127.0.0.0/31:"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label ":fe80::1:fe80::1:"
+pass in on lo0 inet6 from ::/8 to any flags S/SA keep state label "::/8"
+pass in on lo0 inet6 from fe00::/8 to any flags S/SA keep state label "fe00::/8"
+pass in on lo0 inet6 from ::/64 to any flags S/SA keep state label "::/64::/64"
+pass in on lo0 inet6 from fe80::/64 to any flags S/SA keep state label "fe80::/64fe80::/64"
+pass in on lo0 inet6 from ::/127 to any flags S/SA keep state label ":::/127:::/127:"
+pass in on lo0 inet6 from fe80::/127 to any flags S/SA keep state label ":fe80::/127:fe80::/127:"
+pass in on lo0 all flags S/SA keep state label "!any!"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label " (lo0) (lo0) "
+pass in on lo0 inet from any to ! 127.0.0.0/8 flags S/SA keep state label "! 127.0.0.0/8"
+pass in on lo0 inet from any to ! 127.0.0.0/16 flags S/SA keep state label "! 127.0.0.0/16! 127.0.0.0/16"
+pass in on lo0 inet from any to ! 127.0.0.0/31 flags S/SA keep state label " ! 127.0.0.0/31 ! 127.0.0.0/31 "
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label " ! (lo0) ! (lo0) "
+pass in on lo0 inet6 from any to ! ::/8 flags S/SA keep state label "! ::/8"
+pass in on lo0 inet6 from any to ! ::/64 flags S/SA keep state label "! ::/64! ::/64"
+pass in on lo0 inet6 from any to ! ::/127 flags S/SA keep state label " ! ::/127 ! ::/127 "
+pass in on lo0 all flags S/SA keep state label "xx"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "28"
+pass in on lo0 proto tcp from any port 28 >< 29 to any flags S/SA keep state label "28><29"
+pass in on lo0 proto tcp from any port 28 <> 29 to any flags S/SA keep state label "28<>29"
+pass in on lo0 proto tcp from any port 28:29 to any flags S/SA keep state
+pass in on lo0 proto tcp from any port != 28 to any flags S/SA keep state label "!=28"
+pass in on lo0 proto tcp from any port < 28 to any flags S/SA keep state label "<28"
+pass in on lo0 proto tcp from any port <= 28 to any flags S/SA keep state label "<=28"
+pass in on lo0 proto tcp from any port > 28 to any flags S/SA keep state label ">28"
+pass in on lo0 proto tcp from any port >= 28 to any flags S/SA keep state label ">=28"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "2828"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "$28$28$"
+pass in on lo0 all flags S/SA keep state
+pass in on lo0 proto udp from any to any port = msg-icp keep state label "29"
+pass in on lo0 proto udp from any to any port != msg-icp keep state label "!=29!=29"
+pass in on lo0 proto udp from any to any port > 29 keep state label "x>29x>29x"
+pass in on lo0 all flags S/SA keep state label "ip"
+pass in on lo0 proto esp all keep state label "esp"
+pass in on lo0 proto esp all keep state label "espesp"
+pass in on lo0 proto esp all keep state label "-esp-esp-"
+pass in on lo0 proto 166 all keep state label "166"
+pass in on lo0 proto 166 all keep state label "166166"
+pass in on lo0 proto 166 all keep state label "_166_166_"
+pass in on lo0 all flags S/SA keep state label "57"
+pass in on lo0 all flags S/SA keep state label "5858"
+pass in on lo0 all flags S/SA keep state label "%59%59%"
+pass in on lo0 inet proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = mpm-flags flags S/SA keep state label "if lo0 proto tcp 127.0.0.1 30 127.0.0.2 44"
--- a/sbin/pfctl/tests/files/pf0048.in
+++ b/sbin/pfctl/tests/files/pf0048.in
@ -0,0 +1,13 @@
+table < regress > { 1.2.3.4 !5.6.7.8 10/8 lo0 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> { 1.2.3.4 !5.6.7.8 } { ::1 ::2 ::3 } file "/dev/null" const { 4.3.2.1 }
+#match out on lo0 inet from < regress.1> to <regress.2> nat-to lo0:0
+#match out on !lo0 inet from !<regress.1 > to <regress.2> nat-to lo0:0
+#match in on lo0 inet6 from <regress.1> to <regress.2> rdr-to lo0:0
+#match in on !lo0 inet6 from !< regress.1 > to <regress.2> rdr-to lo0:0
+#match in from { <regress.1> !<regress.2> } to any
+#match out from any to { !<regress.1>, <regress.2> }
+pass in from <regress> to any
+pass out from any to <regress >
+pass in from { <regress.1> <regress.2> } to any
+pass out from any to { !<regress.1>, !<regress.2> }
--- a/sbin/pfctl/tests/files/pf0048.ok
+++ b/sbin/pfctl/tests/files/pf0048.ok
@ -0,0 +1,9 @@
+table <regress> { 1.2.3.4 !5.6.7.8 10.0.0.0/8 ::1 fe80::1 127.0.0.1 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> const { 1.2.3.4 !5.6.7.8 ::1 ::2 ::3 } file "/dev/null" { 4.3.2.1 }
+pass in from <regress> to any flags S/SA keep state
+pass out from any to <regress> flags S/SA keep state
+pass in from <regress.1> to any flags S/SA keep state
+pass in from <regress.2> to any flags S/SA keep state
+pass out from any to ! <regress.1> flags S/SA keep state
+pass out from any to ! <regress.2> flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0049.in
+++ b/sbin/pfctl/tests/files/pf0049.in
@ -0,0 +1,7 @@
+#test :broadcast and :network modifiers
+pass in on lo0 from lo0:network to any keep state
+pass out on lo0 inet from lo0:network to any
+pass in on lo0 inet6 from lo0:network to any keep state
+
+#broadcast on lo0 doesn't make sense at all!
+#block in on lo0 from any to lo0:broadcast
--- a/sbin/pfctl/tests/files/pf0049.ok
+++ b/sbin/pfctl/tests/files/pf0049.ok
@ -0,0 +1,4 @@
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass out on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0050.in
+++ b/sbin/pfctl/tests/files/pf0050.in
@ -0,0 +1,4 @@
+# double macro set
+extif="wi0"
+extif="lo0"
+block in on $extif
--- a/sbin/pfctl/tests/files/pf0050.ok
+++ b/sbin/pfctl/tests/files/pf0050.ok
@ -0,0 +1,3 @@
+extif = "wi0"
+extif = "lo0"
+block drop in on lo0 all
--- a/sbin/pfctl/tests/files/pf0052.in
+++ b/sbin/pfctl/tests/files/pf0052.in
@ -0,0 +1,7 @@
+# test setting all optimizations to avoid future keyword clashes
+
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
--- a/sbin/pfctl/tests/files/pf0052.ok
+++ b/sbin/pfctl/tests/files/pf0052.ok
@ -0,0 +1,5 @@
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
--- a/sbin/pfctl/tests/files/pf0053.in
+++ b/sbin/pfctl/tests/files/pf0053.in
@ -0,0 +1,4 @@
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
+pass in on lo0 proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
--- a/sbin/pfctl/tests/files/pf0053.ok
+++ b/sbin/pfctl/tests/files/pf0053.ok
@ -0,0 +1,4 @@
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "0:any:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "1:any:tcp:1.2.3.5::any:"
+pass in on lo0 inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "2:lo0:tcp:1.2.3.4::any:"
+pass in on lo0 inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "3:lo0:tcp:1.2.3.5::any:"
--- a/sbin/pfctl/tests/files/pf0055.in
+++ b/sbin/pfctl/tests/files/pf0055.in
@ -0,0 +1,18 @@
+set timeout { interval 43, frag 23 }
+set timeout { tcp.first 423, tcp.opening 123, tcp.established 43758 }
+set timeout { tcp.closing 744, tcp.finwait 25, tcp.closed 38 }
+set timeout { udp.first 356, udp.single 73, udp.multiple 34 }
+set timeout { icmp.first 464, icmp.error 34 }
+set timeout { other.first 455, other.single 54, other.multiple 324 }
+set timeout { src.track 3600 }
+set limit { states 4522, frags 43556 }
+set loginterface none
+set loginterface lo0
+set hostid 1
+set optimization normal
+set block-policy drop
+
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
--- a/sbin/pfctl/tests/files/pf0055.ok
+++ b/sbin/pfctl/tests/files/pf0055.ok
@ -0,0 +1,28 @@
+set timeout interval 43
+set timeout frag 23
+set timeout tcp.first 423
+set timeout tcp.opening 123
+set timeout tcp.established 43758
+set timeout tcp.closing 744
+set timeout tcp.finwait 25
+set timeout tcp.closed 38
+set timeout udp.first 356
+set timeout udp.single 73
+set timeout udp.multiple 34
+set timeout icmp.first 464
+set timeout icmp.error 34
+set timeout other.first 455
+set timeout other.single 54
+set timeout other.multiple 324
+set timeout src.track 3600
+set limit states 4522
+set limit frags 43556
+set loginterface none
+set loginterface lo0
+set hostid 0x00000001
+set optimization normal
+set block-policy drop
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
--- a/sbin/pfctl/tests/files/pf0056.in
+++ b/sbin/pfctl/tests/files/pf0056.in
@ -0,0 +1,2 @@
+pass in proto tcp from any to any port www keep state (tcp.established 60)
+pass in proto tcp from any to any port www keep state (max 10, no-sync, tcp.first 2)
--- a/sbin/pfctl/tests/files/pf0056.ok
+++ b/sbin/pfctl/tests/files/pf0056.ok
@ -0,0 +1,2 @@
+pass in proto tcp from any to any port = http flags S/SA keep state (tcp.established 60)
+pass in proto tcp from any to any port = http flags S/SA keep state (max 10, no-sync, tcp.first 2, adaptive.start 6, adaptive.end 12)
--- a/sbin/pfctl/tests/files/pf0057.in
+++ b/sbin/pfctl/tests/files/pf0057.in
@ -0,0 +1,4 @@
+a="10.0.0.1"
+b="x"
+b="y"
+pass in from $a
--- a/sbin/pfctl/tests/files/pf0057.ok
+++ b/sbin/pfctl/tests/files/pf0057.ok
@ -0,0 +1,4 @@
+a = "10.0.0.1"
+b = "x"
+b = "y"
+pass in inet from 10.0.0.1 to any flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0060.in
+++ b/sbin/pfctl/tests/files/pf0060.in
@ -0,0 +1,11 @@
+# netmask handling w/ multicast
+
+pass from 224.4.5.4/32
+pass from 224.4.5.4/16
+pass from 224.4.5.4/26
+pass from 224.4.5.65/26
+pass from 224.4.5.134/26
+pass from 224.4.5.199/26
+pass from 224.4.5.4
+
+
--- a/sbin/pfctl/tests/files/pf0060.ok
+++ b/sbin/pfctl/tests/files/pf0060.ok
@ -0,0 +1,7 @@
+pass inet from 224.4.5.4 to any flags S/SA keep state
+pass inet from 224.4.0.0/16 to any flags S/SA keep state
+pass inet from 224.4.5.0/26 to any flags S/SA keep state
+pass inet from 224.4.5.64/26 to any flags S/SA keep state
+pass inet from 224.4.5.128/26 to any flags S/SA keep state
+pass inet from 224.4.5.192/26 to any flags S/SA keep state
+pass inet from 224.4.5.4 to any flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0061.in
+++ b/sbin/pfctl/tests/files/pf0061.in
@ -0,0 +1,4 @@
+# dynaddr with netmask
+
+pass inet to (lo0)/24
+
--- a/sbin/pfctl/tests/files/pf0061.ok
+++ b/sbin/pfctl/tests/files/pf0061.ok
@ -0,0 +1 @@
+pass inet from any to (lo0)/24 flags S/SA keep state
--- a/sbin/pfctl/tests/files/pf0065.in
+++ b/sbin/pfctl/tests/files/pf0065.in
@ -0,0 +1,2 @@
+antispoof for lo0 label "antispoof-lo0"
+antispoof log quick for lo0 inet label "antispoof-lo0-2"
--- a/sbin/pfctl/tests/files/pf0065.ok
+++ b/sbin/pfctl/tests/files/pf0065.ok
@ -0,0 +1,3 @@
+block drop in on ! lo0 inet6 from ::1 to any label "antispoof-lo0"
+block drop in on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0"
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0-2"
--- a/sbin/pfctl/tests/files/pf0067.in
+++ b/sbin/pfctl/tests/files/pf0067.in
@ -0,0 +1,3 @@
+pass in quick on tun1000000 keep state tag regress
+pass out quick on lo0 keep state tagged regress
+
--- a/sbin/pfctl/tests/files/pf0067.ok
+++ b/sbin/pfctl/tests/files/pf0067.ok
@ -0,0 +1,2 @@
+pass in quick on tun1000000 all flags S/SA keep state tag regress
+pass out quick on lo0 all flags S/SA keep state tagged regress
--- a/sbin/pfctl/tests/files/pf0069.in
+++ b/sbin/pfctl/tests/files/pf0069.in
@ -0,0 +1,3 @@
+#match out on lo0 inet all tag regress nat-to lo0
+pass out quick on lo0 keep state tagged regress
+
--- a/sbin/pfctl/tests/files/pf0069.ok
+++ b/sbin/pfctl/tests/files/pf0069.ok
@ -0,0 +1 @@
+pass out quick on lo0 all flags S/SA keep state tagged regress
--- a/sbin/pfctl/tests/files/pf0070.in
+++ b/sbin/pfctl/tests/files/pf0070.in
@ -0,0 +1,3 @@
+#match out on lo0 from 10.0.0.0/8 to any nat-to lo0
+block out on lo0 tagged regress
+
--- a/sbin/pfctl/tests/files/pf0070.ok
+++ b/sbin/pfctl/tests/files/pf0070.ok
@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`pass inet from any to (lo0)/24 flags S/SA keep state`
				`@ -0,0 +1 @@`
				`pass out quick on lo0 all flags S/SA keep state tagged regress`