Commit graph

2399 commits

Author SHA1 Message Date
CismonX
17ba6f4286 fusefs: support FUSE_IOCTL
MFC After: 1 week
Signed-off-by: CismonX <admin@cismon.net>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1470
2026-01-09 17:06:21 -07:00
Minsoo Choo
94d1731e73 Makefile*: remove powerpcspe
As reported on the freebsd-announce mailing list[1] FreeBSD is
continuing to retire 32-bit support.  Remove powerpcspe from build
infrastructure.

[1] https://lists.freebsd.org/archives/freebsd-announce/2024-February/000117.html

Signed-off-by: Minsoo Choo <minsoochoo0122@proton.me>
Reviewed by:	jhibbits, emaste
Pull request:	https://github.com/freebsd/freebsd-src/pull/1914
2026-01-09 11:28:43 -05:00
Jose Luis Duran
47015e4546
tests: Increase timeout
Bump the timeout value, to avoid cutoff on emulated architectures on
ci.freebsd.org.

Reported by:	Jenkins
Reviewed by:	ngie
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D54550
2026-01-07 17:52:26 +00:00
Jose Luis Duran
301bc149b9
pf: tests: Require python3
Reported by:	Jenkins
Reviewed by:	kp, ngie
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D54549
2026-01-07 17:51:57 +00:00
Kristof Provost
2eec2bcca2 pf tests: avoid cleanup failures on skipped tests
If we skip the nat:binat_* tests (e.g. because pf.ko isn't loaded) the
inetd_tester.pid file isn't created. We still run the cleanup function,
which tries to use this file to clean up the test environment. This
results in 'broken: Test case cleanup did not terminate successfully'.
Avoid this by checking if the pid file exists before using it.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-12-30 14:16:53 +01:00
Konstantin Belousov
543c86636f exterr_test: loosen the error string pattern
After addition of the prot and max_prot values, the old error substring
no longer satisfies the check.

Reviewed by:	emaste, mckusick
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D54380
2025-12-29 03:16:25 +02:00
Ed Maste
02376be32d tests/ci: Use :H:H rather than ../..
In general we want to strip subdir components, rather than appending
`..`s.

Reviewed by:	lwhsu
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D54352
2025-12-26 11:32:27 -05:00
Alan Somers
f51e9d0e09 fusefs: Fix further intermittency in the BadServer.ShortWrite test case
After being unmounted, the mockfs server would occasionally read from
/dev/fuse again, if the main function didn't exit fast enough, getting
an ENODEV error.  Handle that appropriately.

Reported by:	Siva Mahadevan <me@svmhdvn.name>
Fixes:		d86025c1d4
MFC after:	1 week
Reviewed by:	Siva Mahadevan <me@svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D54331
2025-12-22 10:18:16 -07:00
Kristof Provost
4f35a84b32 atf_python: support setting interface mtu
Teach the vnet support code to set interface MTU. Some tests make use of
this, so have the framework handle it.

Adapt a few pf tests to use this.

Reviewed by:	melifaro
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D54333
2025-12-22 17:28:33 +01:00
Mark Johnston
da8ab13249 inotify: Avoid resetting the cookie
The IN_MOVED_FROM and _TO events only apply to names in a watched
directory, never to a watched directory itself.  So, the cookie value
there is always zero, and in particular we should not reset the
caller-provided cookie value, as it may be used later.

Add a regression test.

Reported by:	arrowd
MFC after:	1 week
2025-12-22 14:47:27 +00:00
Mark Johnston
15178d8ed2 pf: Fix state handling when ICMP packets are diverted
Commit 66f2f1c832 ("pf: handle divert packets") missed a case that I
happened to hit while testing something.

Add a regression test for the ICMP case, based on the existing test.
Fix a buglet in the existing test (missing whitespace after "[").

Reviewed by:	kp
Sponsored by:	OPNsense
Sponsored by:	Klara, Inc.
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D54321
2025-12-22 14:47:27 +00:00
Mark Johnston
df6861d755 ifconfig: Fix the -L flag when using netlink
By default, when ifconfig shows a v6 address derived from a
router-advertised prefix, it shows the initial preferred and valid
lifetimes.  When -L is specified, it is supposed to show the remaining
lifetimes, but this was broken in the conversion to netlink.

Fix that, and add a regression test which validates ifconfig output
before and after a short-lived address expires.

Reported by:	Franco Fichtner <franco@opnsense.org>
Reviewed by:	melifaro, allanjude, Seyed Pouria Mousavizadeh Tehrani
Fixes:		4c91a5dfe4 ("ifconfig: make interface and address listing use Netlink as transport")
MFC after:	2 weeks
Sponsored by:	OPNsense
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D54294
2025-12-19 14:11:20 +00:00
Mark Johnston
7080c1b09d tests: Fix style in ra.py
No functional change intended.

MFC after:	2 weeks
2025-12-19 14:11:01 +00:00
Kristof Provost
ad7f49f98b libpfctl: fix tstats address count
Reported by:	Marcos Mendoza <mmendoza@netgate.com>
See also:	https://redmine.pfsense.org/issues/16588
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-12-18 14:39:27 +01:00
Dag-Erling Smørgrav
a678e87f55 unionfs: Support renaming symbolic links
This adds support for renaming a symbolic link found on the lower fs,
which necessitates copying it to the upper fs, as well as basic tests.

MFC after:	1 week
Sponsored by:	Klara, Inc.
Sponsored by:	NetApp, Inc.
Reviewed by:	olce, siderop1_netapp.com, jah
Differential Revision:	https://reviews.freebsd.org/D54229
2025-12-17 23:40:59 +01:00
Muhammad Moinur Rahman
4d185f5457
tests/ci: Fix building in Github
When we are using Cirrus-CI and using a PR branch it creates a filename
in the form "pull/XXXX" which becomes a path separator and the file
creation process fails.

Fails to complete the process with the following:
/bin/sh: cannot create
/tmp/meta.hUNGUq/ci-FreeBSD-16.0-pull/1932-amd64-nullhash-GENERIC.env:
No such file or directory

For future also apply the same regex for OSRELEASE and VOLUME_LABEL.
2025-12-17 23:05:10 +01:00
Muhammad Moinur Rahman
14d5c13a89
tests/ci: Collect environment information
For reproducing errors or test results it is important to gather
environment information. These environments are divided into two parts.
One part is in which environment the artifacts were built into and the
second part is in which environment the tests were run.

This patch collects this information and saves it into a .env file in
the metadir. After this patch lands we will also need to change our
jenkins job where we are uploading the artifact to a central location.
This environment file should also be stored along with the artifact.
For easier location the image basename and the environment basename are
kept same.

Approved by:	lwhsu
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D54247
2025-12-17 10:20:33 +01:00
Siva Mahadevan
681e9d3e39
Unskip test sys.netinet6.frag6.frag6_07.frag6_07
This is now consistently passing with 100+ consecutive runs.

Signed-off-by: Siva Mahadevan <me@svmhdvn.name>
PR:		244170
MFC after:	3 days
Sponsored by: The FreeBSD Foundation
2025-12-17 00:39:14 +08:00
Siva Mahadevan
7a83fedc11
tests/if_lagg_test: unskip 'witness' testcase
This testcase passes consistently (in 100+ runs) now.

Signed-off-by:	Siva Mahadevan <me@svmhdvn.name>
PR:		244163, 251726
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2025-12-16 18:20:44 +08:00
Siva Mahadevan
e93e57d3da
tests/fibs_test: unskip udp_dontroute6 testcase
This test now consistently passes (300+ consecutive runs).

Signed-off-by:	Siva Mahadevan <me@svmhdvn.name>
PR:		244172
Sponsored by:	The FreeBSD Foundation
2025-12-16 18:15:30 +08:00
Kristof Provost
cdbc9b76ff pf: fix min-ttl and set-tos for nat64
If we have both af-to and min-ttl or set-tos on a single rule we didn't
apply the new ttl or tos.

That's because the scrub code still applied the change, but we
subsequently create a new header for the new address family. That's done
based on the ttl/tos saved in the struct pf_pdesc, which are the values
from the incoming packet, before the scrub modification(s).

Also update the struct pf_pdesc values when we update packets.

Reported by:	Marek Zarychta
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-12-15 17:24:34 +01:00
Kristof Provost
ac4fb06d09 pf: handle TTL expired during nat64
If the TTL (or hop limit) expires during nat64 translation we may
need to send the error message in the original address family (i.e.
pre-translation).
We'd usually handle this in pf_route()/pf_route6(), but at that point we
have already translated the packet, making it difficult to include it in
the generated ICMP message.

Check for this case in pf_translate_af() and send icmp errors directly
from it.

PR:		291527
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D54166
2025-12-11 10:25:33 +01:00
Gleb Smirnoff
bc14dcd113 tests/if_bridge: mark several tests as requiring vlan(4) or gif(4)
This makes them "skip" instead of "fail" if the module is not present.
2025-12-05 11:29:43 -08:00
Kristof Provost
f6aa57c86b snmp_pf: use the libpfctl wrapper to retrieve astats
Extend the test case to verify this works as expected.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-12-05 13:24:52 +01:00
Gleb Smirnoff
27ff90cd3d tests/carp: make a 0.2 second pause before configuring second jail
for all scenarios where both jails have same priority/advskew.  There is a
tiny chance that on both sides carp_master_down() will be executed in
parallel and advertisements will also fly through the bridge(4) in
parallel, thus both sides will switch to MASTER before receiving the
announcement from peer.  This makes the test fail.  So far this
flakiness was observed for carp:vrrp_v4 only, but in theory it is possible
for any of the patched scenarios.

Note that this sleep does not prolong execution of the tests, as the first
jail is already configured, and if we slept before configuring the second,
we would sleep less in wait_for_carp().
2025-12-04 10:52:01 -08:00
Gleb Smirnoff
e353cbffd6 tests/carp: make sleep interval in the wait loop smaller
Makes tests finish slightly faster.
2025-12-04 10:52:01 -08:00
Kristof Provost
7a283c4018 pfctl: restore '-Tload -f pf.conf' functionality
Allow only tables to be loaded from a file, rather than everything (i.e.
including options, rules).

Add a test case for this.

PR:		291318
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-12-01 22:30:30 +01:00
Kristof Provost
39cbfc78b5 pf tests: pflog:{rdr_action,state_max} disable IPv6
Turn off IPv6 on all interfaces to avoid having multicast listener
reports generated that might turn up in our pflog output, disrupting
the test.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-27 11:43:54 +01:00
Kristof Provost
685d5860ac pf tests: explicitly set the source address in killstate:v6
We've seen failures due to pft_ping.py selecting the wrong source address.
Explicitly use 2001:db8::1 as source, to match the test's expectations.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-27 11:43:53 +01:00
Kristof Provost
8cf099b4fc pf tests: fix syncookie:loopback_v6
Use 'no_dad' when assigning a v6 address, because otherwise we may try
to use it before it becomes usable.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-27 11:43:53 +01:00
Kristof Provost
a82347584b pf tests: fix killstate:v6
Allow neighbor discovery/advertisement packets, but don't create state
for them. This ensures that the destination jail can respond to our
echo requests, and that we don't create extra states that would confuse
the test.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-27 11:43:53 +01:00
Kristof Provost
23af364630 tests: detect built-in modules
When checking vnet test prerequisites we check if if_epair and if_bridge are
available, but we only checked for loadable modules. It's possible for these to
be built into the kernel instead.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-26 11:27:47 +01:00
Kristof Provost
bc3b72ff48 pf: relax sctp v_tag verification
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.

Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.

Add a test case to verify this.

MFC after:	2 weeks
See also:	https://redmine.pfsense.org/issues/16516
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-25 15:59:55 +01:00
Gleb Smirnoff
1ea3eda3d0 tests/net: add some bpf(4) tests
A test helper program pcap-test allows capturing, injecting and comparing.
Build a simple test case on top of it.  More test cases can be easily
constructed.
2025-11-21 14:43:47 -08:00
Kristof Provost
7dedc3c214 pf: fix another endpoint-independent crash
In c12013f5bb we fixed udp_mapping cleanup issues in pf_get_sport(), but
missed the static-port case (i.e. low == 0 && high == 0). We could still exit
pf_get_sport() without either inserting the udp_mapping or freeing it.

Address this and add a test case to provoke the problem.

Reviewed by:	thj
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D53856
2025-11-21 16:23:46 +01:00
Kristof Provost
c12013f5bb pf: fix udp_mapping cleanup
If we fail to obtain a new source port (pf_get_sport()) while we've
created a udp_mapping (for 'endpoint independent nat') we must free the
udp_mapping in pf_get_sport(). Otherwise the calling function will call
pf_udp_mapping_release(). This will then attempt to remove the udp_mapping from
a list it's not in, and crash.

Actually free the udp_mapping in all failure cases. While here sprinkle in a few
more assertions to ensure we don't forget leak udp_mappings and add a test case
to provoke this problem.

Reviewed by:	thj
MFC after:	1 week
See also:	https://redmine.pfsense.org/issues/16517
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D53737
2025-11-17 16:48:04 +01:00
Kristof Provost
66f2f1c832 pf: handle divert packets
In a divert setup pf_test_state() may return PF_PASS, but not set the state
pointer. We didn't handle that, and as a result crashed immediately afterwards
trying to dereference that NULL state pointer.

Add a test case to provoke the problem.

PR:		260867
MFC after:	2 weeks
Submitted by:	Phil Budne <phil.budne@gmail.com>
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-11-15 22:38:21 +01:00
Gleb Smirnoff
69f61cee2e unix/stream: fix a race with MSG_PEEK on SOCK_SEQPACKET with MSG_EOR
The pr_soreceive method first scans the buffer holding both the I/O sx(9)
and socket buffer mutex(9) and after figuring out how much needs to be
copied out drops the mutex.  Since the other side may only append to the
buffer, it is safe to continue the operation holding the sx(9) only.
However, the code had a bug that it used pointer in the very last mbuf as
marker of the place where to stop.  This worked both in a case when we
drain a buffer completely (marker points at NULL) and in a case when we
wanted to stop at MSG_EOR (marker points at next mbuf after MSG_EOR).
However, this pointer is not consistent after we dropped the socket buffer
mutex.

Rewrite the logic to use the data length as bounds for the copyout cycle.

Provide a test case that reproduces the race.  Note that the race is very
hard to hit, thus test will pass on unmodified kernel as well.  In a
virtual machine I needed to add tsleep(9) for 10 nanoseconds into the
middle of function to be able to reproduce.

PR:			290658
Reviewed by:		markj
Differential Revision:	https://reviews.freebsd.org/D53632
Fixes:			d157927807
2025-11-13 18:39:48 -08:00
Mark Johnston
9d9fa9a2c2 unix: Fix handling of listening sockets during garbage collection
socantrcvmore() and unp_dispose() assume that the socket's socket
buffers are initialized, which isn't the case for listening sockets.

Reported by:	syzbot+a62883292a5c257703be@syzkaller.appspotmail.com
MFC after:	1 week
Reviewed by:	glebius
Differential Revision:	https://reviews.freebsd.org/D53743
2025-11-14 00:43:38 +00:00
Dag-Erling Smørgrav
a34a57d4b4 tarfs: Fix support for large files
* When fast-forwarding through a zstd frame, we incorrectly used the
  min() inline function instead of the MIN() macro.  The function
  truncates the result to unsigned int, resulting in a decompression
  error when trying to seek more than 4 GB into the frame.

* POSIX states that a size extended header record overrides the size
  field in the header if present, and that one must be included if the
  size of the file exceeds 8 GB (the size field maxes out at 64 GB).

* Reduce repetition in the exthdr parser by deduplicating the syntax
  error handler.

MFC after:	1 week
Sponsored by:	Klara, Inc.
Fixes:		69d94f4c76 ("Add tarfs, a filesystem backed by tarballs.")
Reviewed by:	allanjude
Differential Revision:	https://reviews.freebsd.org/D53718
2025-11-12 22:24:43 +01:00
Dag-Erling Smørgrav
fb99c0ba60 sound tests: Actually fix format strings
Fixes:		eb95b990f8 ("sound tests: Fix format specified for kevent.data")
2025-11-11 16:25:41 +01:00
Christos Margiolis
eb95b990f8 sound tests: Fix format specified for kevent.data
Reported by:	CI
Fixes:		dd81b19ef2 ("sound tests: Test polling")
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2025-11-11 14:22:28 +01:00
Christos Margiolis
41f2ec3be9 sound tests: Fix select(2) arguments
Fixes:		dd81b19ef2 ("sound tests: Test polling")
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2025-11-11 13:23:58 +01:00
Christos Margiolis
dd81b19ef2 sound tests: Test polling
Co-authored by:	meka@tilda.center
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D53188
2025-11-11 13:04:54 +01:00
Mark Johnston
b3b279b801 multicast tests: Run in VNET jails
The tests themselves create identically named jails, resulting in
spurious failures when the tests are run in parallel.

MFC after:	1 week
2025-11-09 14:45:42 +00:00
Kyle Evans
fa393807c5 fusefs: standardize on OPNOTSUPP for posix_fallocate(2)
POSIX Issue 7 had allowed EINVAL for this case, but issue 8 moves it
to ENOTSUP instead.  ZFS uses the latter and we have some software in
ports already that's wanting to use that to detect the filesystem not
supporting it, so let's standardize on it.

Reviewed by:	imp (previous version), asomers, kib
Differential Revision:	https://reviews.freebsd.org/D53535
2025-11-04 18:30:58 -06:00
Alan Somers
e8449c0e0f fusefs: respect the server's FUSE_SETXATTR_EXT flag
FUSE protocol 7.33 extended the FUSE_SETXATTR request format.  But the
extension is optional.  The server must opt-in by setting the
FUSE_SETXATTR_IN flag during FUSE_INIT.  We were wrongly using the
extended format for any server using protocol 7.33 or later.

PR:		290547
Co-authored-by:	CismonX <admin@cismon.net>
Fixes:		d5e3cf41e8 ("fusefs: Upgrade FUSE protocol to version 7.33")
MFC after:	3 days
2025-11-03 10:14:35 -07:00
Kristof Provost
56d5ec30e8 pf tests: pfctl -T replace test
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2025-10-31 16:24:09 +01:00
Kajetan Staszkiewicz
ee1f417a86 pf: Check if source nodes use a valid redirection address
Source nodes redirect (nat-to, rdr-to, route-to) all further connections
matching the rule which has created the source node. The source node is
valid as long as there are states resulting from the rule or until the
source node lifetime expires. When the rule's redirection pool is
modified (e.g. table contents are changed) the source node is still
valid and it will redirect new connections to invalid target (e.g. a
dead next-hop).

When performing source tracking after finding a source node check if the
redirection address still exists in pool of the rule which has created
this node. If not, delete the source node. This will result in finding a
new redirection address and creation of a new source node.

Reviewed by:	kp
Obtained from:	OpenBSD
Sponsored by:	InnoGames GmbH
Differential Revision:	https://reviews.freebsd.org/D53231
2025-10-30 19:32:52 +02:00
Kajetan Staszkiewicz
646798b678 pf: Make nat-to and rdr-to work properly both on in and out rules
New-style address translation is done by nat-to and rdr-to actions on
normal match and pass rules. Those rules, when used without address
translation, can be specified without direction. But that allows users
to specify pre-routing nat and post-routing rdr. This case is not
handled properly and causes pre-routing nat to modify destination
address, as if it was a rdr rule, and post-routing rdr to modify source
address, as if it was a nat rule.

Ensure that nat-to action modifies source address and rdr-to destination
address no matter in which direction the rule is applied. The man page
for pf.conf already specifies that nat-to and rdr-to rules should be
limited to respective directions.

PR:		288577
Reviewed by:	kp
MFC after:	3 days
Sponsored by:	InnoGames GmbH
Differential Revision:	https://reviews.freebsd.org/D53216
2025-10-30 19:32:21 +02:00