stderr:
Traceback (most recent call last):
File "/usr/tests/sys/netpfil/common/pft_ping.py", line 135, in <module>
main()
File "/usr/tests/sys/netpfil/common/pft_ping.py", line 124, in main
ping(args.sendif[0], args.to[0], args)
File "/usr/tests/sys/netpfil/common/pft_ping.py", line 74, in ping
raw = sp.raw(str(PAYLOAD_MAGIC))
File "/usr/local/lib/python3.6/site-packages/scapy/compat.py", line 52, in raw
return bytes(x)
TypeError: string argument without an encoding
MFC with: r354121
Sponsored by: The FreeBSD Foundation
In order to move python2 out of the test framework to avoid py2 vs. py3
confusions upgrade the remaining test cases using scapy to work with py3.
That means only one version of scapy needs to be installed in the CI system.
It also gives a path forward for testing i386 issues observed in the CI
system with some of these tests.
Fixes are:
- Use default python from environment (which is 3.x these days).
- properly ident some lines as common for the rest of the file to avoid
errors.
- cast the calculated offset to an int as the division result is considered
a float which is not accepted input.
- when comparing payload to a magic number make sure we always add the
payload properly to the packet and do not try to compare string in
the result but convert the data payload back into an integer.
- fix print formating.
Discussed with: lwhsu, kp (taking it off his todo :)
MFC after: 2 weeks
Failure test cases:
sys.netpfil.common.pass_block.pf_v6
sys.netpfil.pf.pass_block.noalias
sys.netpfil.pf.pass_block.v6
Sponsored by: The FreeBSD Foundation
Add test for checking that the packets are dropped if it is fragmented into
more than the defined value.
Submitted by: Ahsan Barkati
Reviewed by: kp
Sponsored by: Google, Inc. (GSoC 2019)
Differential Revision: https://reviews.freebsd.org/D21307
This test tests the following:
- The firewall is able to set the tos bits
- The firewall is able to set the DSCP bits when EN bits is already set and
the EN bits remains unchanged.
- The firewall is able to drop the packets based on ToS value
Submitted by: Ahsan Barkati
Reviewed by: kp
Sponsored by: Google, Inc. (GSoC 2019)
Differential Revision: https://reviews.freebsd.org/D21305
The pft_ping.py and sniffer.py tool is moved from tests/sys/netpfil/pf to
tests/sys/netpfil/common directory because these tools are to be used in
common for all the firewalls.
Submitted by: Ahsan Barkati
Reviewed by: kp, thj
Sponsored by: Google, Inc. (GSoC 2019)
Differential Revision: https://reviews.freebsd.org/D21276
Some files got their contented duplicated in r345409. Some mistakes where
fixed in r345430. The only file that was left with a duplicated content was
CVE-2019-5598.py.
Reviewed by: kp
Approved by: src (kp)
Differential Revision: https://reviews.freebsd.org/D21267
Add a common test suite for the firewalls included in the base system. The test
suite allows common test infrastructure to test pf, ipfw and ipf firewalls from
test files containing the setup for all three firewalls.
Add the pass block test for pf, ipfw and ipf. The pass block test checks the
allow/deny functionality of the firewalls tested.
Submitted by: Ahsan Barkati
Sponsored by: Google, Inc. (GSoC 2019)
Reviewed by: kp
Approved by: bz (co-mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D21065
The test should fail if pf rules can't be set. This is helpful both
while writing tests and to verify that pfctl works as expected.
MFC after: 1 week
Event: Aberdeen hackathon 2019
There was an issue with copyin() on DIOCRSETTFLAGS, which would panic if
pfrio_buffer was NULL.
Test for the issue fixed in r346319.
MFC after: 1 week
Event: Aberdeen hackathon 2019
Make the tests run slightly faster by having pft_ping.py end the capture
of packets as soon as it sees the expected packet, rather than
continuing to sniff.
MFC after: 2 weeks
The netipsec and pf tests have a number of common test functions. These
used to be duplicated, but it makes more sense for them to re-use the
common functions.
PR: 236223
Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.
Obtained from: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
pfctl has an issue with 'set skip on <group>', which causes inconsistent
behaviour: the set skip directive works initially, but does not take
effect when the same rules are re-applied.
PR: 229241
MFC after: 1 week
It's been reported that pf doesn't handle running out of available ports
for NAT correctly. It freezes until a state expires and it can find a
free port.
Test for this, by setting up a situation where only two ports are
available for NAT and then attempting to create three connections.
If successful the third connection will fail immediately. In an
incorrect case the connection attempt will freeze, also freezing all
interaction with pf through pfctl and trigger timeout.
PR: 233867
MFC after: 2 weeks
Use ATF_TC_CLEANUP(), because that means the cleanup code will get
called even if a test fails. Before it would only be executed if every
test within the body succeeded.
Reported by: Marie Helene Kvello-Aune <marieheleneka@gmail.com>
MFC after: 2 weeks
Explicitly mark these tests as requiring root rights. We need to be able
to open /dev/pf.
Reported by: Marie Helene Kvello-Aune <marieheleneka@gmail.com>
MFC after: 2 weeks
Replace hard-coded epair0b with the variable holds the real epair interface
used for testing.
Reviewed by: kp
Approved by: emaste, markj (mentors)
MFC with: r339836
Sponsored by: The FreeBSD Foundation
Set up two jails, configure pfsync between them and create state in one
of them, verify that this state is copied to the other jail.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D17504
Do not build or install pf tests if WITHOUT_PF is set. This fixes the build
failure with WITHOUT_PF=yes.
Reported by: Vladimir Zakharov <zakharov.vv@gmail.com>
There was a memory leak in the DIOCRADDTABLES ioctl() code which could
be triggered by trying to add tables with the same name.
Try to provoke this memory leak. It was fixed in r331225.
MFC after: 1 week
Validate the DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and
DIOCRSETTFLAGS ioctls with invalid values. These may succeed (because
the kernel uses the minimally required size, not the specified size),
but should not trigger kernel panics.
MFC after: 1 week
Scapy requires the Raw payload to be a string, which was not the case. This
caused the pft_ping.py script to fail, which in turn caused the test to fail.
