pf tests: verify that we handle address range rules correctly

There's been a problem where rules which differed only in address ranges were considered duplicates and not added. Test for this. Approved by: so Security: FreeBSD-SA-26:09.pf Security: CVE-2026-4748 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533) (cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
2026-06-08 16:22:46 -04:00 · 2026-03-12 15:23:32 +01:00 · 2026-03-12 15:23:32 +01:00 · 9b77f8cc18
commit 9b77f8cc18
parent 4b1f421140
1 changed files with 38 additions and 0 deletions
--- a/tests/sys/netpfil/pf/pass_block.sh
+++ b/tests/sys/netpfil/pf/pass_block.sh
@ -255,6 +255,43 @@ urpf_cleanup()
 	pft_cleanup
 }

+atf_test_case "addr_range" "cleanup"
+addr_range_head()
+{
+	atf_set descr 'Test rulesets with multiple address ranges'
+	atf_set require.user root
+}
+
+addr_range_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}b 192.0.2.2/24 up
+
+	vnet_mkjail alcatraz ${epair}a
+	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+	    "block" \
+	    "pass inet from any to 10.100.100.1 - 10.100.100.20" \
+	    "pass inet from any to 192.0.2.1 - 192.0.2.10"
+
+jexec alcatraz pfctl -sr -vv
+
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
+jexec alcatraz pfctl -sr -vv
+}
+
+addr_range_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "v4"
@ -262,4 +299,5 @@ atf_init_test_cases()
 	atf_add_test_case "noalias"
 	atf_add_test_case "nested_inline"
 	atf_add_test_case "urpf"
+	atf_add_test_case "addr_range"
 }