Scapy is not needed to run this test. Remove it from the required
programs list.
Reviewed by: kp
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49006
(cherry picked from commit 1f1963bd32d669f89ea3b044636de0cb7a33134b)
Add more test cases for pf fragment hole counter. Also look into
final fragment of echo reply and check total length of IP packet.
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 640736615b
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit db100bd93036855c7688dc088b811dc7b660f51d)
The reassembly state will be dropped after timeout, all related
fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totaly overlapped does not inclease the
bad fragment counter.
- Put an KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never emtpy there.
discussed with Fernando Gont; ok henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 8b45f36762
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 6a3266f72e437aecf3edcfb8aa919466b270d548)
Much like we already do for TCP and UDP we should also parse SCTP-in-ICMP
messages to see if they apply to an SCTP connection we've already allowed. If so
we should allow the ICMP packet to pass, even if we'd otherwise block it.
Add a test case where we generate an 'ICMP unreachable - need to frag' packet
and check that it passes through pf.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 7d5e02b01577047290e937399accc02e6b184ce9)
Allow users to choose to allow permitted SCTP connections to set up additional
multihomed connections regardless of the ruleset. That is, allow an already
established connection to set up flows that would otherwise be disallowed.
In case of if-bound connections we initially set the extra associations to
be floating, because we don't know what path they'll be taking when they're
created. Once we see the first traffic we can bind them.
MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D48453
(cherry picked from commit e4f2733df8c9d2fd0c5e8fdc8bec002bf39811f3)
Verify that we reset the cleared time when we zero an address' counters in
a table.
PR: 282877, 282984
Reviewed by: kp
MFC after: 2 weeks
Signed-off-by: Leonid Evdokimov <leon@darkk.net.ru>
Differential Revision: https://reviews.freebsd.org/D48242
(cherry picked from commit 0749d8134300b8e3c956e161890ab496247d2542)
This will make it easier for scripts to detect idle hosts in tables.
PR: 282984
Reviewed by: kp
MFC after: 2 weeks
(cherry picked from commit 5b59b0c61e29f684a019afdd2848ffe2d5604e0c)
The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
functionality was missing from pfctl, though. Add it now.
PR: 282877
Obtained from: OpenBSD, kirill <kirill@openbsd.org>, e496dff3a7
MFC after: 3 weeks
(cherry picked from commit 6463b6b59152fb1695bbe0de78f6e2675c5a765a)
If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488
(cherry picked from commit 9897a66923a3e79c22fcbd4bc80afae9eb9f277c)
When processing an SCTP ASCONF we re-run the rules processing to check
if the new state should be allowed as well. We used to do so against the
'all' interface, to allow new connections to use any interface.
This is problematic for two reasons, the first being it may unexpectedly
bypass interface restrictions. The more important one is that it
can trigger panics. If the ruleset contains a rule which filters on
interface group we'd attempt to process the group list for the 'all'
interface. As this isn't a real interface it doesn't have an associated
struct ifnet, and we end up dereferencing a NULL pointer.
Solve this by not overriding the interface, instead leaving the physical
interface the SCTP ASCONF arrived on. This implies that we may end up
binding to that interface (if if-bound), and thus denying traffic on
other interfaces. Users can allow this anyway by setting 'state-policy
floating' on the relevant SCTP rules. This arguably better reflects user
intent as well. That is, we'll consider SCTP multihomed states to be
floating if we're in floating mode, and if-bound if we're if-bound.
Update the test cases to account for this, while adding a "pass on
lo" (i.e. pass on an interface group") rule to provoke this issue. Add
separate test cases for the floating and if-bound scenarios.
Reported by: Franco Fichtner <franco@opnsense.org>
MFC after: 3 weeks
Sponsored by: Orange Business Services
Without this patch, vdevs faulted via AUX state would not be replaced
once the appropriate drive is replaced. ZFS does not internally use
that state, but a drive can be manually forced into such a state with a
command like zinject.
Submitted by: Goran Mekić <meka@tilda.center>
Sponsored by: ConnectWise
Differential Revision: https://reviews.freebsd.org/D46866
(cherry picked from commit 618ae939b7f95a197a0518cbb390a572bb90c6d0)
The update to py-twisted 24.7.0 broke EPSV mode in twisted's ftp server.
Work around this by disabling EPSV (and thus using PASV).
PR: 282154
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 9cd6ab45a44607ea862c8bbb2ebaa8a7521178ff)
From scapy 2.6.0 it now removes (sets to None) the IP checksum in its defrag
code. We typically ask for IPv4 or IPv6 defragmentation, which causes check
function failures.
Just skip the checksum verificiation here, because we're going to notice
incorrect checksums even if the tests don't directly verify it.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 6b8096fa5f6f81e2959cbb2ca857c4e134273da2)
Many of the modified tests add epair interfaces to the host, though most
of the tests themselves run in a VNET jail. scapy in particular becomes
unhappy when the list of interfaces changes as it is running, so, to
improve reliability of parallel test runs, isolate tests which add
epairs to the host.
Also serialize arp tests, as they examine the dmesg as part of the test.
The list of modified tests is not exhaustive, it was determined by
running the test suite with parallelization enabled and looking at
failures. It may be easier to just automatically enable VNET jailing of
all netinet tests, but let's be more particular for now.
Reviewed by: kp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D46606
(cherry picked from commit b103fc49ae160fdce221c2fffa98dde9bc0ff3b0)
Approved by: kp (mentor), markj (mentor)
Now that kyua can isolate tests in their own vnets we can run these tests in
parallel.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46600
(cherry picked from commit a05decec2d194821f8bf5c8f2ae72063de0c87a8)
Approved by: kp (mentor), markj (mentor)
Run these tests in their own (vnet) jail so we don't have to worry about IP
range or jail name conflicts.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46040
(cherry picked from commit 4f752a1583dc97d166caae7f844bf42715e99978)
Approved by: kp (mentor), markj (mentor)
The test assumes commit 96950419f15510287080c557174e0d8409f06956, but
that was never MFCed to stable branches, resulting in a broken test.
This is a direct commit to stable/14.
If we fail to change the vlan id we have to undo the removal (and vlan id
change) in the error path. Otherwise we'll have removed the vlan object from the
hash table, and have the wrong vlan id as well. Subsequent modification attempts
will then try to remove an entry which doesn't exist, and panic.
Undo the vlan id modification if the insertion in the hash table fails, and
re-insert it under the original vlan id.
PR: 279195
Reviewed by: zlei
MFC atfer: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D45285
(cherry picked from commit bdd12889eaa64032b3d09ef47e9a6f7081863378)
If the FUSE_GETATTR issued to query a file's size during
fuse_vnop_deallocate failed for any reason, then fuse_vnop_deallocate
would attempt to destroy an uninitialized fuse_dispatcher struct, with a
crash the likely result. This bug only affects FUSE file systems that
implement FUSE_FALLOCATE, and is unlikely to be seen on those that don't
disable attribute caching.
Reported by: Coverity Scan
CID: 1505308
(cherry picked from commit f93a50d69df2e996ff1d4f793d0dcb9de655ebdc)
The in-tree ZFS test suite is somewhat outdated and I see a number of
failures there. I tend to think that we want to integrate the OpenZFS
test suite somehow, replacing the legacy one, though it's also possible
to run that as a separate test suite.
In any case, if one wants to run the OpenZFS test suite separately, it's
useful to be able to disable installation of the legacy ZFS test suite,
so let's provide a src.conf option to do that.
Reviewed by: asomers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46476
(cherry picked from commit 24affded3d4ec5fafb6b22f773ec1e20d73b9b03)
The test suite runs the same tests twice, as different users, and these
can trample over each other when run in parallel, causing spurious test
failures.
MFC after: 1 week
(cherry picked from commit 41ece3c036bda3d4da321989ee59d0555c10d603)
Background:
If a user does pathconf(_, _PC_MIN_HOLE_SIZE) on a fusefs file system,
the kernel must actually issue a FUSE_LSEEK operation in order to
determine whether the server supports it. We cache that result, so we
only have to send FUSE_LSEEK the first time that _PC_MIN_HOLE_SIZE is
requested on any given mountpoint.
Problem 1:
Unlike fpathconf, pathconf operates on files that may not be open. But
FUSE_LSEEK requires the file to be open. As described in PR 278135,
FUSE_LSEEK cannot be sent for unopened files, causing _PC_MIN_HOLE_size
to wrongly report EINVAL. We never noticed that before because the
fusefs test suite only uses fpathconf, not pathconf. Fix this bug by
opening the file if necessary.
Problem 2:
On a completely sparse file, with no data blocks at all, FUSE_LSEEK with
SEEK_DATA would fail to ENXIO. That's correct behavior, but
fuse_vnop_pathconf wrongly interpreted that as "FUSE_LSEEK not
supported". Fix the interpretation.
PR: 278135
Sponsored by: Axcient
Differential Revision: https://reviews.freebsd.org/D44618
(cherry picked from commit 6efba04df3f8c77b9b12f1df3e5124a7249b82fc)
Some SCTP implementations will abort connections and then later re-use the same
port numbers (i.e. both src and dst) for a new connection, before pf has fully
purged the old connection.
Apply the same hack we already have for similarly misbehaving TCP
implementations and forcibly remove the old state so we can create a new one.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 82e021443a76b1f210cfb929a495185179606868)
Test whether the SNDSTIOC_ADD_USER_DEVS IOCTL (registers a userland
device to /dev/sndstat) works properly.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch
Differential Revision: https://reviews.freebsd.org/D46228
(cherry picked from commit 2668e76d6e764c5c361156ffa3d39eb02ce8e5d9)
We're going to start running many of the vnet tests in nested jails (so they
can run in parallel). That means the tests won't be able to load kernel modules,
which we commonly do for if_epair and if_bridge.
Just assume that all vnet tests need this, because so many of them do that we
don't want to manually annotate all of them.
This is essentially a no-op on non-nested tests.
Do the same for the python test framework.
While here also have pflog_init actually call pft_init. While having pflog
loaded implies we have pf too pft_init also checks for vimage support, and now
for if_epair.
Reviewed by: markj
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46039
(cherry picked from commit ae8d58814089308028046ac80aeeb9cbb784bd0a)
Many of the tests create temporary files. pid files, log files, tcpdump
captures, ... We should take care to ensure they're stored in the temporary
working directory Kyua creates rather than in the root directory.
This ensures there are no conflicts between simultaneously running tests, and
also keeps the root directory clean.
MFC after: 1 month
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit b0fcf4d5222bfdbbc0e2af2b14f0d73704706aa0)
(e.g. traceroute with icmp)
ok henning, jsing
Also extend the test case to cover this scenario.
PR: 280701
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 89f6723288b0d27d3f14f93e6e83f672fa2b8aca)
This serves as a regression test for commit a48df53e4249.
Reviewed by: bz, allanjude
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Bell Tower Integration
Differential Revision: https://reviews.freebsd.org/D46136
(cherry picked from commit feda329622bc77ab64ae5f0bf852743f4a037616)
These ones were unambiguous cases where the Foundation was the only
listed copyright holder.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 5c2bc3db201a4fe8d7911cf816bea104d5dc2138)
When creating a state for ICMP (v4 or v6) packets we only used the ID, which
means that we could confuse different ICMP types. For example, if we allowed
neighbour discovery but not ICMPv6 echo requests an ND packet could create a
state that the echo request would match.
Test that this is now fixed.
Reported by: Enrico Bassetti <e.bassetti@tudelft.nl>
MFC after: 1 day
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit b9f0dbc3d006e0b904ee4275d54459f4edd65bb8)
It relies on being able inspect the dmesg buffer to see whether the
kernel logged certain messages. If it's interleaved with tests that
generate large amounts of console output (e.g., GELI tests), then it can
fail spuriously.
MFC after: 2 weeks
(cherry picked from commit ab27e232b14c07317642a2e4c546c9b71bd9c00b)
Some of these tests make use of test disk devices, but then they can't
run in parallel.
MFC after: 2 weeks
(cherry picked from commit dc8357de606aa65fc1c35a43d4a5f1d706164ddb)
The test body somehow wound up in the cleanup function.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit fe0c82a603ce069786ee81604315f499fd965546)
ktls_enable_rx() and ktls_enable_tx() have checks to return EALREADY if
the socket already has KTLS enabled. However, these are done without
any locks held and nothing blocks concurrent attempts to set the socket
option. I believe the worst outcome of the race is leaked memory.
Fix the problem by rechecking under the sockbuf lock. While here, unify
the locking protocol for sb_tls_info: require both the sockbuf and
socket I/O locks in order to enable KTLS. This means that either lock
is sufficient for checking whether KTLS is enabled in a given sockbuf,
which simplifies some refactoring further down the road.
Note that the SOLISTENING() check can go away because
SOCK_IO_RECV_LOCK() atomically locks the socket buffer and checks
whether the socket is a listening socket. This changes the returned
errno value, so update a test which checks it.
Reviewed by: gallatin
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45674
(cherry picked from commit 163cdf6a32b9a0f84226a70101d143c10707336f)
The dummynet test uses flood ping as source of traffic, so the rate
limiting of ICMP replies broke the test.
Fixes: 32aeee8ce7e72738fff236ccd5629d55035458f8
(cherry picked from commit 75d15e893b14188b83c5fb5e4979fa21c557934f)
