From: Kristof Provost
Date: Sat, 15 Jul 2017 19:22:01 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r321030 - in head: etc/mtree sbin/pfctl sbin/pfctl/tests sbin/pfctl/tests/files targets/pseudo/tests

Author: kp
Date: Sat Jul 15 19:22:01 2017
New Revision: 321030
URL: https://svnweb.freebsd.org/changeset/base/321030

Log:
  pfctl parser tests

  Copy the most important test cases from OpenBSD's corresponding
  src/regress/sbin/pfctl, those that run pfctl on a test input file and check
  correctness of its output. We have also added some new tests using the same
  format.

  The tests consist of a collection of input files (pf*.in) and corresponding
  output files (pf*.ok). We run pfctl -nv on the input files and check that the
  output matches the output files. If any discrepancy is discovered during
  future development in the source tree, we know that a regression bug has been
  introduced into the tree.

  Submitted by: paggas
  Sponsored by: Google, Inc (GSoC 2017)
  Differential Revision: https://reviews.freebsd.org/D11322

Added:
  head/sbin/pfctl/tests/
  head/sbin/pfctl/tests/Makefile (contents, props changed)
  head/sbin/pfctl/tests/files/
  head/sbin/pfctl/tests/files/Makefile (contents, props changed)
  head/sbin/pfctl/tests/files/pf0001.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0001.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0002.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0002.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0003.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0003.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0004.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0004.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0005.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0005.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0006.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0006.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0007.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0007.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0008.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0008.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0009.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0009.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0010.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0010.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0011.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0011.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0012.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0012.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0013.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0013.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0014.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0014.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0016.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0016.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0018.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0018.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0019.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0019.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0020.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0020.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0022.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0022.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0023.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0023.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0024.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0024.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0025.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0025.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0026.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0026.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0028.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0028.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0030.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0030.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0031.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0031.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0032.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0032.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0034.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0034.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0035.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0035.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0038.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0038.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0039.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0039.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0040.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0040.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0041.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0041.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0047.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0047.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0048.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0048.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0049.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0049.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0050.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0050.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0052.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0052.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0053.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0053.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0055.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0055.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0056.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0056.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0057.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0057.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0060.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0060.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0061.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0061.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0065.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0065.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0067.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0067.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0069.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0069.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0070.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0070.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0071.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0071.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0072.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0072.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0074.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0074.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0075.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0075.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0077.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0077.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0078.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0078.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0079.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0079.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0081.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0081.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0082.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0082.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0084.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0084.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0085.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0085.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0087.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0087.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0088.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0088.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0089.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0089.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0090.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0090.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0091.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0091.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0092.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0092.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0094.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0094.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0095.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0095.include (contents, props changed)
  head/sbin/pfctl/tests/files/pf0095.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0096.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0096.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0097.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0097.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0098.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0098.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0100.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0100.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0101.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0101.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0102.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0102.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf0104.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf0104.ok (contents, props changed)
  head/sbin/pfctl/tests/files/pf1001.in (contents, props changed)
  head/sbin/pfctl/tests/files/pf1001.ok (contents, props changed)
head/sbin/pfctl/tests/files/pf1002.in (contents, props changed) head/sbin/pfctl/tests/files/pf1002.ok (contents, props changed) head/sbin/pfctl/tests/files/pf1003.in (contents, props changed) head/sbin/pfctl/tests/files/pf1003.ok (contents, props changed) head/sbin/pfctl/tests/files/pf1004.in (contents, props changed) head/sbin/pfctl/tests/files/pf1004.ok (contents, props changed) head/sbin/pfctl/tests/files/pfctl_test_descr.sh (contents, props changed) head/sbin/pfctl/tests/pfctl_test.sh (contents, props changed) Modified: head/etc/mtree/BSD.tests.dist head/sbin/pfctl/Makefile head/targets/pseudo/tests/Makefile.depend Modified: head/etc/mtree/BSD.tests.dist ============================================================================== --- head/etc/mtree/BSD.tests.dist Sat Jul 15 19:18:37 2017 (r321029) +++ head/etc/mtree/BSD.tests.dist Sat Jul 15 19:22:01 2017 (r321030) @@ -378,6 +378,10 @@ .. mdconfig .. + pfctl + files + .. + .. .. secure lib Modified: head/sbin/pfctl/Makefile ============================================================================== --- head/sbin/pfctl/Makefile Sat Jul 15 19:18:37 2017 (r321029) +++ head/sbin/pfctl/Makefile Sat Jul 15 19:22:01 2017 (r321030) @@ -31,4 +31,8 @@ YFLAGS= LIBADD= m md +.if ${MK_TESTS} != "no" +SUBDIR+= tests +.endif + .include Added: head/sbin/pfctl/tests/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/Makefile Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +ATF_TESTS_SH= pfctl_test + +SUBDIR+= files + +.include Added: head/sbin/pfctl/tests/files/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/Makefile Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,12 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sbin/pfctl/files +BINDIR= ${TESTSDIR} + +# We use ${.CURDIR} as workaround so that the glob patterns work. +FILES= ${.CURDIR}/pf????.in +FILES+= ${.CURDIR}/pf????.include +FILES+= ${.CURDIR}/pf????.ok +FILES+= ${.CURDIR}/pfctl_test_descr.sh + +.include Added: head/sbin/pfctl/tests/files/pf0001.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0001.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,8 @@ +pass in all +pass in from any to any no state +pass in proto tcp from any port <= 1024 to any label foo_bar +pass in proto tcp from any to any port = 25 +pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22 +pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts +pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \ +"$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport" Added: head/sbin/pfctl/tests/files/pf0001.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0001.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,8 @@ +pass in all flags S/SA keep state +pass in all no state +pass in proto tcp from any port <= 1024 to any flags S/SA keep state label "foo_bar" +pass in proto tcp from any to any port = smtp flags S/SA keep state +pass in inet proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != ssh flags S/SA keep state +pass in inet proto igmp from 10.0.0.0/8 to 10.1.1.1 keep state allow-opts +pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "6:tcp:1.2.3.4::any:" +pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "7:tcp:1.2.3.5::any:" Added: head/sbin/pfctl/tests/files/pf0002.in ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0002.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,34 @@ +# test + +block out log on tun1000000 all +block in log on tun1000000 all + +block return-rst out log on tun1000000 proto tcp all +block return-rst in log on tun1000000 proto tcp all +block return-icmp out log on tun1000000 proto udp all +block return-icmp in log on tun1000000 proto udp all + +block out log quick on tun1000000 from ! 157.161.48.183 to any + +block in quick on tun1000000 from any to 255.255.255.255 + +block in log quick on tun1000000 from 10.0.0.0/8 to any +block in log quick on tun1000000 from 172.16.0.0/12 to any +block in quick log on tun1000000 from 192.168.0.0/16 to any +block in quick log on tun1000000 from 255.255.255.255/32 to any + +block in log quick from no-route to any + +pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state +pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state + +pass out on tun1000000 proto udp all keep state + +pass in on tun1000000 proto udp from any to any port = domain keep state + +pass out on tun1000000 proto tcp all keep state + +pass in on tun1000000 proto tcp from any to any port = ssh keep state +pass in on tun1000000 proto tcp from any to any port = smtp keep state +pass in on tun1000000 proto tcp from any to any port = domain keep state +pass in on tun1000000 proto tcp from any to any port = auth keep state Added: head/sbin/pfctl/tests/files/pf0002.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0002.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,22 @@ +block drop out log on tun1000000 all +block drop in log on tun1000000 all +block return-rst out log on tun1000000 proto tcp all +block return-rst in log on tun1000000 proto tcp all +block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all +block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all +block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any +block drop in quick on tun1000000 inet from any to 255.255.255.255 +block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any +block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any +block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any +block drop in log quick on tun1000000 inet from 255.255.255.255 to any +block drop in log quick from no-route to any +pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state +pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state +pass out on tun1000000 proto udp all keep state +pass in on tun1000000 proto udp from any to any port = domain keep state +pass out on tun1000000 proto tcp all flags S/SA keep state +pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA keep state +pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA keep state +pass in on tun1000000 proto tcp from any to any port = domain flags S/SA keep state +pass in on tun1000000 proto tcp from any to any port = auth flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0003.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0003.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,13 @@ +pass in all +pass in from any to any + +block in proto tcp from any to any flags FUPEW/FSRPAUEW +block in proto tcp from any to any flags SF/SFRA +block in proto tcp from any to any flags /SFRAW + +pass in proto { udp, icmp, tcp } from any to any flags S/SA +pass in from any to any flags S/SA no state +pass in from any to any flags any no state +pass in from any to any flags any +pass in from any to any keep state +pass in from any to any Added: head/sbin/pfctl/tests/files/pf0003.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0003.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,13 @@ +pass in all flags S/SA keep state +pass in all flags S/SA keep state +block drop in proto tcp all flags FPUEW/FSRPAUEW +block drop in proto tcp all flags FS/FSRA +block drop in proto tcp all flags /FSRAW +pass in proto udp all keep state +pass in proto icmp all keep state +pass in proto tcp all flags S/SA keep state +pass in all flags S/SA no state +pass in all no state +pass in all flags any keep state +pass in all flags S/SA keep state +pass in all flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0004.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0004.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,16 @@ +block in all +block in proto tcp all +block in proto { tcp, udp } all + +block in from any to any +block in from 10.0.0.0/8 to any +block in from ! 10.0.0.0/8 to any +block in from { 10.0.0.0/8, 172.16.0.0/12 } to any + +block in proto tcp from any port = ssh to any +block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } \ + to any port 1024:2048 + +block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \ + to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668, 6669:65535 } + Added: head/sbin/pfctl/tests/files/pf0004.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0004.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,62 @@ +block drop in all +block drop in proto tcp all +block drop in proto tcp all +block drop in proto udp all +block drop in all +block drop in inet from 10.0.0.0/8 to any +block drop in inet from ! 10.0.0.0/8 to any +block drop in inet from 10.0.0.0/8 to any +block drop in inet from 172.16.0.0/12 to any +block drop in proto tcp from any port = ssh to any +block drop in proto tcp from any port = ssh to any port 1024:2048 +block drop in proto tcp from any port 21 >< 2048 to any port 1024:2048 +block drop in proto tcp from any port != 1234 to any port 1024:2048 +block drop in proto tcp from any port >= 80 to any port 1024:2048 +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = ircd +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535 +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = ircd +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 +block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535 +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = ircd +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668 +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535 +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = ircd +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668 +block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535 +block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = ircd +block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 +block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535 +block drop in inet proto tcp from 
172.16.0.0/12 port = ssh to 12.34.56.78 port = ircd +block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 +block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535 +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = ircd +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668 +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535 +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = ircd +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668 +block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535 +block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667 +block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 +block 
drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535 +block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667 +block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 +block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668 +block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535 Added: head/sbin/pfctl/tests/files/pf0005.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0005.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,6 @@ +foo = "ssh, ftp" +bar = "other thing" +inside="10.0.0.0/8" + +block in proto udp from $inside port { echo, $foo, ident } \ + to 12.34.56.78 port { 6667, 0x10 } Added: head/sbin/pfctl/tests/files/pf0005.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0005.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,11 @@ +foo = "ssh, ftp" +bar = "other thing" +inside = "10.0.0.0/8" +block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 16 +block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 6667 +block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 16 Added: head/sbin/pfctl/tests/files/pf0006.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0006.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +a=b +c=x +a_b_c=d Added: head/sbin/pfctl/tests/files/pf0006.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0006.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +a = "b" +c = "x" +a_b_c = "d" Added: head/sbin/pfctl/tests/files/pf0007.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0007.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,34 @@ +# test modulate state + +block out log on tun1000000 all +block in log on tun1000000 all + +block return-rst out log on tun1000000 proto tcp all +block return-rst in log on tun1000000 proto tcp all +block return-icmp out log on tun1000000 proto udp all +block return-icmp in log on tun1000000 proto udp all + +block out log quick on tun1000000 from ! 157.161.48.183 to any + +block in quick on tun1000000 from any to 255.255.255.255 + +block in log quick on tun1000000 from 10.0.0.0/8 to any +block in log quick on tun1000000 from 172.16.0.0/12 to any +block in log quick on tun1000000 from 192.168.0.0/16 to any +block in log quick on tun1000000 from 255.255.255.255/32 to any + +pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state +pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state + +pass out on tun1000000 proto udp all keep state + +pass in on tun1000000 proto udp from any to any port = domain keep state + +pass out on tun1000000 proto tcp all modulate state +pass in on tun1000000 proto { tcp udp icmp } all modulate state +pass in on tun1000000 proto { udp tcp icmp } all flags S/SA synproxy state + +pass in on tun1000000 proto tcp from any to any port = ssh modulate state +pass in on tun1000000 proto tcp from any to any port = smtp modulate state +pass in on tun1000000 proto tcp from any to any port = domain modulate state +pass in on tun1000000 proto tcp from any to any port = auth modulate state Added: head/sbin/pfctl/tests/files/pf0007.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0007.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,27 @@ +block drop out log on tun1000000 all +block drop in log on tun1000000 all +block return-rst out log on tun1000000 proto tcp all +block return-rst in log on tun1000000 proto tcp all +block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all +block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all +block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any +block drop in quick on tun1000000 inet from any to 255.255.255.255 +block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any +block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any +block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any +block drop in log quick on tun1000000 inet from 255.255.255.255 to any +pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state +pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state +pass out on tun1000000 proto udp all keep state +pass in on tun1000000 proto udp from any to any port = domain keep state +pass out on tun1000000 proto tcp all flags S/SA modulate state +pass in on tun1000000 proto tcp all flags S/SA modulate state +pass in on tun1000000 proto udp all keep state +pass in on tun1000000 proto icmp all keep state +pass in on tun1000000 proto udp all keep state +pass in on tun1000000 proto tcp all flags S/SA synproxy state +pass in on tun1000000 proto icmp all keep state +pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA modulate state +pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA modulate state +pass in on tun1000000 proto tcp from any to any port = domain flags S/SA modulate state +pass in on tun1000000 proto tcp from any to any port = auth flags S/SA modulate state Added: head/sbin/pfctl/tests/files/pf0008.in ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0008.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,2 @@ +extern = "{ ! 10.0.0.0/8, 10.1.2.3 }" +block out log on tun1000001 from $extern to any Added: head/sbin/pfctl/tests/files/pf0008.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0008.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +extern = "{ ! 10.0.0.0/8, 10.1.2.3 }" +block drop out log on tun1000001 inet from ! 10.0.0.0/8 to any +block drop out log on tun1000001 inet from 10.1.2.3 to any Added: head/sbin/pfctl/tests/files/pf0009.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0009.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +interfaces = "{ enc0, tun1000000 }" + +block in on $interfaces all Added: head/sbin/pfctl/tests/files/pf0009.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0009.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +interfaces = "{ enc0, tun1000000 }" +block drop in on enc0 all +block drop in on tun1000000 all Added: head/sbin/pfctl/tests/files/pf0010.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0010.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,31 @@ +# return variants +pass in inet proto icmp all +pass in inet6 proto icmp6 all +block in inet proto icmp all +block in inet6 proto icmp6 all +block return-rst in inet proto tcp all +block return-rst in inet6 proto tcp all +block return-rst(ttl 10) in inet proto tcp all +block return-rst(ttl 10) in inet6 proto tcp all +block return-icmp in inet proto icmp all +block return-icmp(0) in inet proto icmp all +block return-icmp(net-unr) in inet proto icmp all +block return-icmp(5) in inet proto icmp all +block return-icmp(srcfail) in inet proto icmp all +block return-icmp(10) in inet proto icmp all +block return-icmp(host-prohib) in inet proto icmp all +block return-icmp(15) in inet proto icmp all +block return-icmp(cutoff-preced) in inet proto icmp all +block return-icmp6 in inet6 proto icmp6 all +block return-icmp6(0) in inet6 proto icmp6 all +block return-icmp6(noroute-unr) in inet6 proto icmp6 all +block return-icmp6(1) in inet6 proto icmp6 all +block return-icmp6(admin-unr) in inet6 proto icmp6 all +block return-icmp6(2) in inet6 proto icmp6 all +block return-icmp6(notnbr-unr) in inet6 proto icmp6 all +block return-icmp6(3) in inet6 proto icmp6 all +block return-icmp6(addr-unr) in inet6 proto icmp6 all +block return-icmp6(4) in inet6 proto icmp6 all +block return-icmp6(port-unr) in inet6 proto icmp6 all +block return-icmp(5, 1) in all +block return-icmp(srcfail, admin-unr) in all Added: head/sbin/pfctl/tests/files/pf0010.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0010.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,30 @@ +pass in inet proto icmp all keep state +pass in inet6 proto ipv6-icmp all keep state +block drop in inet proto icmp all +block drop in inet6 proto ipv6-icmp all +block return-rst in inet proto tcp all +block return-rst in inet6 proto tcp all +block return-rst(ttl 10) in inet proto tcp all +block return-rst(ttl 10) in inet6 proto tcp all +block return-icmp(port-unr) in inet proto icmp all +block return-icmp(net-unr) in inet proto icmp all +block return-icmp(net-unr) in inet proto icmp all +block return-icmp(srcfail) in inet proto icmp all +block return-icmp(srcfail) in inet proto icmp all +block return-icmp(host-prohib) in inet proto icmp all +block return-icmp(host-prohib) in inet proto icmp all +block return-icmp(cutoff-preced) in inet proto icmp all +block return-icmp(cutoff-preced) in inet proto icmp all +block return-icmp6(port-unr) in inet6 proto ipv6-icmp all +block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all +block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all +block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all +block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all +block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all +block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all +block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all +block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all +block return-icmp6(port-unr) in inet6 proto ipv6-icmp all +block return-icmp6(port-unr) in inet6 proto ipv6-icmp all +block return-icmp(srcfail, admin-unr) in all +block return-icmp(srcfail, admin-unr) in all Added: head/sbin/pfctl/tests/files/pf0011.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0011.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,18 @@ +pass in inet proto icmp all icmp-type 0 +pass in inet proto icmp all icmp-type 0 code 0 +pass in inet proto icmp all icmp-type 1 +pass in inet proto icmp all icmp-type 1 code 1 +pass in inet6 proto ipv6-icmp all icmp6-type 0 +pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 +pass in inet6 proto ipv6-icmp all icmp6-type 1 +pass in inet6 proto ipv6-icmp all icmp6-type 1 code 1 +block in inet proto icmp all icmp-type 0 +block in inet proto icmp all icmp-type 0 code 0 +block in inet proto icmp all icmp-type 1 +block in inet proto icmp all icmp-type 1 code 1 +block in inet6 proto ipv6-icmp all icmp6-type 0 +block in inet6 proto ipv6-icmp all icmp6-type 0 code 0 +block in inet6 proto ipv6-icmp all icmp6-type 1 +block in inet6 proto ipv6-icmp all icmp6-type 1 code 1 +pass in inet proto icmp all icmp-type unreach code needfrag +pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb Added: head/sbin/pfctl/tests/files/pf0011.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0011.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,18 @@ +pass in inet proto icmp all icmp-type echorep keep state +pass in inet proto icmp all icmp-type echorep code 0 keep state +pass in inet proto icmp all icmp-type 1 keep state +pass in inet proto icmp all icmp-type 1 code 1 keep state +pass in inet6 proto ipv6-icmp all icmp6-type 0 keep state +pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 keep state +pass in inet6 proto ipv6-icmp all icmp6-type unreach keep state +pass in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr keep state +block drop in inet proto icmp all icmp-type echorep +block drop in inet proto icmp all icmp-type echorep code 0 +block drop in inet proto icmp all icmp-type 1 +block drop in inet proto icmp all icmp-type 1 code 1 +block drop in inet6 proto ipv6-icmp all icmp6-type 0 +block drop in inet6 proto ipv6-icmp all icmp6-type 0 code 0 +block drop in inet6 proto ipv6-icmp all icmp6-type unreach +block drop in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr +pass in inet proto icmp all icmp-type unreach code needfrag keep state +pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb keep state Added: head/sbin/pfctl/tests/files/pf0012.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0012.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,5 @@ +pass in from 127.0.0.1 to 127.0.0.1/8 no state +pass in from 127.0.0.1/16 to 127.0.0.1/24 no state +pass in from 127.0.0.1/25 to ! 127.0.0.1/26 +pass in inet from ! localhost to localhost/16 +pass in inet from ! lo0 to ! lo0/8 Added: head/sbin/pfctl/tests/files/pf0012.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0012.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,5 @@ +pass in inet from 127.0.0.1 to 127.0.0.0/8 no state +pass in inet from 127.0.0.0/16 to 127.0.0.0/24 no state +pass in inet from 127.0.0.0/25 to ! 127.0.0.0/26 flags S/SA keep state +pass in inet from ! 127.0.0.1 to 127.0.0.0/16 flags S/SA keep state +pass in inet from ! 127.0.0.1 to ! 127.0.0.0/8 flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0013.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0013.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,22 @@ +pass in quick on enc0 from any to any +pass in quick on enc0 inet from any to any +pass in quick on enc0 inet6 from any to any + +#pass out quick on tun1000000 inet from any to any route-to tun1000001 +#pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001 +#pass out quick on tun1000000 from any to fec0::1 route-to tun1000001 + +#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1) +#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1) + +#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001 +#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001 + +#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1) +#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1) + +#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 reply-to tun1000001 +#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001 + +#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100) +#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2) Added: head/sbin/pfctl/tests/files/pf0013.ok ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0013.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +pass in quick on enc0 all flags S/SA keep state +pass in quick on enc0 inet all flags S/SA keep state +pass in quick on enc0 inet6 all flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0014.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0014.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,6 @@ +pass in quick on lo0 from fe80::1%lo0 to fe80::1%lo0 +pass in quick from fe80::1%lo0 to fe80::1%lo0 +pass in quick from fe80::1%lo0 to any +pass in quick from any to fe80::1%lo0 +pass in quick on lo0 from fe80::1%lo0 to any +pass in quick on lo0 from any to fe80::1%lo0 Added: head/sbin/pfctl/tests/files/pf0014.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0014.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,6 @@ +pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state +pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state +pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state +pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state +pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state +pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0016.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0016.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,5 @@ +# Test rule order processing: should fail unless nat -> filter +#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1 +#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22 +#match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1 +pass in on lo1000000 from any to any no state Added: head/sbin/pfctl/tests/files/pf0016.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0016.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1 @@ +pass in on lo1000000 all no state Added: head/sbin/pfctl/tests/files/pf0018.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0018.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,19 @@ +# test nat + +TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }" +TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }" + +#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1 +#match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 +#match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3 +#match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4 + +#match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0 + +#match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0) + +#match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8 + +#match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port + +#match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8 Added: head/sbin/pfctl/tests/files/pf0018.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0018.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,2 @@ +TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }" +TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }" Added: head/sbin/pfctl/tests/files/pf0019.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0019.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,9 @@ +EVIL = "lo0" +GOOD = "{ lo0, lo1000000 }" +GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" +DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" + +#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22 + +# Test list processing +#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021 Added: head/sbin/pfctl/tests/files/pf0019.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0019.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,4 @@ +EVIL = "lo0" +GOOD = "{ lo0, lo1000000 }" +GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" +DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" Added: head/sbin/pfctl/tests/files/pf0020.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0020.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,9 @@ +# Test whether list expansion in NAT/RDR works correctly + +EVIL = "lo0" +GOOD = "{ lo0, lo1000000 }" +GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" +DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" + +#match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL +#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021 Added: head/sbin/pfctl/tests/files/pf0020.ok ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0020.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,4 @@ +EVIL = "lo0" +GOOD = "{ lo0, lo1000000 }" +GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" +DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" Added: head/sbin/pfctl/tests/files/pf0022.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0022.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,8 @@ +set optimization aggressive +set timeout { tcp.closing 6, tcp.opening 6 } +set timeout tcp.first 6 +set limit states 500 +set limit {states 1000,frags 1000} +set loginterface lo0 +set loginterface none +set hostid 1 Added: head/sbin/pfctl/tests/files/pf0022.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0022.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,10 @@ +set optimization aggressive +set timeout tcp.closing 6 +set timeout tcp.opening 6 +set timeout tcp.first 6 +set limit states 500 +set limit states 1000 +set limit frags 1000 +set loginterface lo0 +set loginterface none +set hostid 0x00000001 Added: head/sbin/pfctl/tests/files/pf0023.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0023.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,2 @@ +#test negated interface matching +block in on ! lo0 all Added: head/sbin/pfctl/tests/files/pf0023.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0023.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1 @@ +block drop in on ! lo0 all Added: head/sbin/pfctl/tests/files/pf0024.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0024.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,8 @@ +#test variable concat +a="ssh" +b="ftp" +c=$a $b +d=$a $b $a $b +e=$a $b $b "test" $a $b + +pass in proto tcp from any to any port { $c } Added: head/sbin/pfctl/tests/files/pf0024.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0024.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,7 @@ +a = "ssh" +b = "ftp" +c = "ssh ftp" +d = "ssh ftp ssh ftp" +e = "ssh ftp ftp test ssh ftp" +pass in proto tcp from any to any port = ssh flags S/SA keep state +pass in proto tcp from any to any port = ftp flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0025.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0025.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,4 @@ +antispoof for lo0 +antispoof log quick for lo0 inet +antispoof for (lo0) +antispoof log quick for (lo0) inet Added: head/sbin/pfctl/tests/files/pf0025.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0025.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,5 @@ +block drop in on ! lo0 inet6 from ::1 to any +block drop in on ! lo0 inet from 127.0.0.0/8 to any +block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any +block drop in on ! lo0 from (lo0:network) to any +block drop in log quick on ! lo0 inet from (lo0:network) to any Added: head/sbin/pfctl/tests/files/pf0026.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0026.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,2 @@ +block in on lo0 inet from ! (lo0) to any +block out on lo0 inet from any to ! (lo0) Added: head/sbin/pfctl/tests/files/pf0026.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0026.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,2 @@ +block drop in on lo0 inet from ! (lo0) to any +block drop out on lo0 inet from any to ! (lo0) Added: head/sbin/pfctl/tests/files/pf0028.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0028.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,7 @@ +# test logging keywords, and log quick/quick log order +block in log (all) quick on lo0 all +block in quick log on lo0 all +block in quick log (all) on lo0 all +block in log quick on lo0 all +block in log on lo0 all +block in log (all) on lo0 all Added: head/sbin/pfctl/tests/files/pf0028.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0028.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,6 @@ +block drop in log (all) quick on lo0 all +block drop in log quick on lo0 all +block drop in log (all) quick on lo0 all +block drop in log quick on lo0 all +block drop in log on lo0 all +block drop in log (all) on lo0 all Added: head/sbin/pfctl/tests/files/pf0030.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0030.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,7 @@ +#test line continuation + +block \ + in \ + on lo0 \ + from any \ + to any Added: head/sbin/pfctl/tests/files/pf0030.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0030.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1 @@ +block drop in on lo0 all Added: head/sbin/pfctl/tests/files/pf0031.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0031.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,21 @@ +set block-policy drop +block return in on lo0 all +block return in on lo0 inet all +block return in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all +block in on lo0 all +block in on lo0 inet all +block in on lo0 inet6 all +#set block-policy return +block return in on lo0 all +block return in on lo0 inet all +block return in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all +block in on lo0 all +block in on lo0 inet all +block in on lo0 inet6 all + Added: head/sbin/pfctl/tests/files/pf0031.ok ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0031.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,19 @@ +set block-policy drop +block return in on lo0 all +block return in on lo0 inet all +block return in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all +block return in on lo0 all +block return in on lo0 inet all +block return in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all +block drop in on lo0 all +block drop in on lo0 inet all +block drop in on lo0 inet6 all Added: head/sbin/pfctl/tests/files/pf0032.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0032.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,7 @@ +pass in from 10/8 to any +pass in from 10.1/8 to any +pass in from 192.168.37.29/25 to any +pass in from 192.168.37.29/24 to any +pass in from 192.168.37.29/16 to any +pass in from 192.168.37.29/8 to any + Added: head/sbin/pfctl/tests/files/pf0032.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0032.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,6 @@ +pass in inet from 10.0.0.0/8 to any flags S/SA keep state +pass in inet from 10.0.0.0/8 to any flags S/SA keep state +pass in inet from 192.168.37.0/25 to any flags S/SA keep state +pass in inet from 192.168.37.0/24 to any flags S/SA keep state +pass in inet from 192.168.0.0/16 to any flags S/SA keep state +pass in inet from 192.0.0.0/8 to any flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0034.in ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0034.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,5 @@ +#mixed af, probability +pass in from any to { 127.0.0.1, 2000::1 } +pass in probability 0.5 +pass in probability 50% +pass in inet6 proto tcp from ::1 probability 0.8% Added: head/sbin/pfctl/tests/files/pf0034.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0034.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,5 @@ +pass in inet from any to 127.0.0.1 flags S/SA keep state +pass in inet6 from any to 2000::1 flags S/SA keep state +pass in all flags S/SA keep state probability 50% +pass in all flags S/SA keep state probability 50% +pass in inet6 proto tcp from ::1 to any flags S/SA keep state probability 0.8% Added: head/sbin/pfctl/tests/files/pf0035.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0035.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,5 @@ +#test matching on tos + +intf = "lo0" +pass out on $intf inet proto tcp from any to any port 22 tos 0x10 +pass out on $intf inet proto tcp from any to any port 22 tos 0x08 Added: head/sbin/pfctl/tests/files/pf0035.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0035.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,3 @@ +intf = "lo0" +pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x10 keep state +pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x08 keep state Added: head/sbin/pfctl/tests/files/pf0038.in ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0038.in Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,5 @@ +# test + +pass in on tun1000000 proto tcp from any to any user bin +pass in on tun1000000 proto tcp from any to any group bin +pass in on tun1000000 proto tcp from any to any group wheel user root user bin Added: head/sbin/pfctl/tests/files/pf0038.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0038.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,4 @@ +pass in on tun1000000 proto tcp all user = 3 flags S/SA keep state +pass in on tun1000000 proto tcp all group = 7 flags S/SA keep state +pass in on tun1000000 proto tcp all user = 3 group = 0 flags S/SA keep state +pass in on tun1000000 proto tcp all user = 0 group = 0 flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0039.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0039.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,25 @@ +#test random ordered opts + +body1="pass in log quick on lo0 inet proto icmp all " +body2="pass in log quick on lo0 inet proto tcp all " +o_user="user root " +o_user2="user bin " +o_group="group wheel " +o_group2="group nobody " +o_flags="flags S/SA " +o_icmpspec="icmp-type 0 code 0 " +o_tos="tos 0x08 " +o_keep="keep state " +o_fragment="fragment " +o_allowopts="allow-opts " +o_label="label blah" +o_prio="set prio 2" + +$body2 $o_fragment $o_keep $o_label $o_tos +$body2 $o_user $o_prio $o_tos $o_keep $o_group $o_label $o_allowopts \ +$o_user2 $o_group2 +$body1 $o_icmpspec $o_keep $o_label $o_prio +$body2 $o_keep +$body2 $o_label $o_keep $o_prio $o_tos +$body1 $o_icmpspec $o_tos +$body2 $o_flags $o_allowopts Added: head/sbin/pfctl/tests/files/pf0039.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0039.ok Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,24 @@ +body1 = "pass in log quick on lo0 inet proto icmp all " +body2 = "pass in log quick on lo0 inet proto tcp all " +o_user = "user root " +o_user2 = "user bin " +o_group = "group wheel " +o_group2 = "group nobody " +o_flags = "flags S/SA " +o_icmpspec = "icmp-type 0 code 0 " +o_tos = "tos 0x08 " +o_keep = "keep state " +o_fragment = "fragment " +o_allowopts = "allow-opts " +o_label = "label blah" +o_prio = "set prio 2" +pass in log quick on lo0 inet proto tcp all tos 0x08 keep state fragment label "blah" +pass in log quick on lo0 inet proto tcp all user = 3 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah" +pass in log quick on lo0 inet proto tcp all user = 3 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah" +pass in log quick on lo0 inet proto tcp all user = 0 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah" +pass in log quick on lo0 inet proto tcp all user = 0 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah" +pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 set ( prio 2 ) keep state label "blah" +pass in log quick on lo0 inet proto tcp all flags S/SA keep state +pass in log quick on lo0 inet proto tcp all flags S/SA tos 0x08 set ( prio 2 ) keep state label "blah" +pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 tos 0x08 keep state +pass in log quick on lo0 inet proto tcp all flags S/SA keep state allow-opts Added: head/sbin/pfctl/tests/files/pf0040.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0040.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,20 @@ +block +block return +block return-rst proto tcp +pass +pass in no state +pass out no state +pass all no state +block in all +block out all +block from any to any +pass in from any to any +pass out from any to any +block on lo0 +pass on lo0 all +block on lo0 from any to any +pass proto tcp flags S/SA +pass proto udp keep state +pass in proto udp all keep state +pass out proto udp from any to any keep state +pass out on lo0 proto tcp from any to any port 25 keep state Added: head/sbin/pfctl/tests/files/pf0040.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0040.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,20 @@ +block drop all +block return all +block return-rst proto tcp all +pass all flags S/SA keep state +pass in all no state +pass out all no state +pass all no state +block drop in all +block drop out all +block drop all +pass in all flags S/SA keep state +pass out all flags S/SA keep state +block drop on lo0 all +pass on lo0 all flags S/SA keep state +block drop on lo0 all +pass proto tcp all flags S/SA keep state +pass proto udp all keep state +pass in proto udp all keep state +pass out proto udp all keep state +pass out on lo0 proto tcp from any to any port = smtp flags S/SA keep state Added: head/sbin/pfctl/tests/files/pf0041.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0041.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,12 @@ +anchor foo +anchor bar all +anchor bar from any to any +anchor foo inet +anchor foo inet6 +anchor foo inet all +anchor foo proto tcp +anchor foo inet proto tcp from 10.1.2.3 port smtp to 10.2.3.4 port ssh +anchor foobar inet6 proto udp from ::1 port 1 to ::1 port 2 +anchor filteropt out proto tcp to any port 22 user root +anchor filteropt in proto tcp to (self) port 22 group sshd +anchor filteropt out inet proto icmp all icmp-type echoreq Added: head/sbin/pfctl/tests/files/pf0041.ok ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0041.ok Sat Jul 15 19:22:01 2017 (r321030) @@ -0,0 +1,12 @@ +anchor "foo" all +anchor "bar" all +anchor "bar" all +anchor "foo" inet all +anchor "foo" inet6 all +anchor "foo" inet all +anchor "foo" proto tcp all +anchor "foo" inet proto tcp from 10.1.2.3 port = smtp to 10.2.3.4 port = ssh +anchor "foobar" inet6 proto udp from ::1 port = tcpmux to ::1 port = compressnet +anchor "filteropt" out proto tcp from any to any port = ssh user = 0 +anchor "filteropt" in proto tcp from any to (self) port = ssh group = 22 +anchor "filteropt" out inet proto icmp all icmp-type echoreq Added: head/sbin/pfctl/tests/files/pf0047.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sbin/pfctl/tests/files/pf0047.in Sat Jul 15 19:22:01 2017 (r321030) 
@@ -0,0 +1,67 @@ +pass in on lo0 all label "" + +pass in all label "$if" +pass in on lo0 all label "$if" +pass in on lo0 all label "$if$if" + +pass in on lo0 all label "$srcaddr" +pass in on lo0 from 0/0 to any label "$srcaddr" +pass in on lo0 from 127.0.0.1 to any label "$srcaddr" +pass in on lo0 from 127.0.0.1 to any label "$srcaddr$srcaddr" +pass in on lo0 from 127.0.0.1 to any label ":$srcaddr:$srcaddr:" +pass in on lo0 from 127.0.0.1/8 to any label "$srcaddr" +pass in on lo0 from 127.0.0.1/16 to any label "$srcaddr$srcaddr" +pass in on lo0 from 127.0.0.1/31 to any label ":$srcaddr:$srcaddr:" +pass in on lo0 inet6 from fe80::1 to any label "$srcaddr" +pass in on lo0 inet6 from fe80::1 to any label "$srcaddr$srcaddr" +pass in on lo0 inet6 from fe80::1 to any label ":$srcaddr:$srcaddr:" +pass in on lo0 inet6 from lo0/8 to any label "$srcaddr" +pass in on lo0 inet6 from lo0/64 to any label "$srcaddr$srcaddr" *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
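Review bot: the expected output in the first hunk above (the one that echoes body1 = ... and the o_* macros) pins numeric ids looked up in the host's account database. The macros say user root, user bin, group wheel and group nobody, and the expected rules say user = 0, user = 3, group = 0 and group = 65534, so the test only passes where those names map to those numbers. Either state that requirement in the test's documentation, or use numeric ids in the input file so a parser test does not depend on the passwd and group files.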
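Review bot: pf0040.ok pins the parser's implicit defaults rather than anything written in pf0040.in: a bare pass is expected back as pass all flags S/SA keep state, and a bare block as block drop all. An intentional change to those defaults will surface as a failure in this file, so a comment line at the top of pf0040.in saying that it covers default expansion would help whoever has to decide between fixing the parser and regenerating the .ok file.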
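Review bot: pf0041.ok expects port numbers and a group name to come back translated through the host's databases: port 1 and port 2 in pf0041.in are expected as port = tcpmux and port = compressnet, and group sshd as group = 22. That ties the result to the services and group files on the machine running the test, and a mismatch there would look like a parser regression. Worth a line in the test description naming that dependency, so a failure on a customised host is not chased as a pfctl bug.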
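Review bot: the last two visible lines of pf0047.in, inet6 from lo0/8 and inet6 from lo0/64, use an interface name as the source address, which pfctl resolves from the addresses configured on lo0 when it parses the rule. The $srcaddr labels expected for those rules therefore depend on how lo0 is configured on the test host. The matching .ok file falls below the truncation marker, so it cannot be checked here; a comment in pf0047.in naming the lo0 addresses the test assumes would make a failure on an unusual host easy to diagnose.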