Date: Sun, 22 Mar 2026 06:02:34 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 0b0d34fd2f40 - main - pf tests: verify first-match-wins for nat rules Message-ID: <69bf85fa.347bf.2555cd35@gitrepo.freebsd.org>
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=0b0d34fd2f40e06e4600441b15b26b1cc1941c9f
commit 0b0d34fd2f40e06e4600441b15b26b1cc1941c9f
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-03-20 03:16:57 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-03-22 03:47:36 +0000
pf tests: verify first-match-wins for nat rules
Sponsored by: Orange Business Services
---
 tests/sys/netpfil/pf/nat.sh | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh
index 025471f75f97..600688a8dbc9 100644
--- a/tests/sys/netpfil/pf/nat.sh
+++ b/tests/sys/netpfil/pf/nat.sh
@@ -953,6 +953,50 @@ dummynet_mask_cleanup()
  pft_cleanup
 }
 
+atf_test_case "first_match" "cleanup"
+first_match_head()
+{
+ atf_set descr 'Test that NAT rules are first match'
+ atf_set require.user root
+}
+
+first_match_body()
+{
+ pft_init
+
+ epair_nat=$(vnet_mkepair)
+ epair_echo=$(vnet_mkepair)
+
+ vnet_mkjail nat ${epair_nat}b ${epair_echo}a
+ vnet_mkjail echo ${epair_echo}b
+
+ ifconfig ${epair_nat}a 192.0.2.2/24 up
+ route add -net 198.51.100.0/24 192.0.2.1
+
+ jexec nat ifconfig ${epair_nat}b 192.0.2.1/24 up
+ jexec nat ifconfig ${epair_echo}a 198.51.100.1/24 up
+ jexec nat sysctl net.inet.ip.forwarding=1
+
+ jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up
+
+ # Enable pf!
+ jexec nat pfctl -e
+ pft_set_rules nat \
+ "table <foo> { 192.0.2.0/24 }" \
+ "nat on ${epair_echo}a inet from <foo> to any -> 198.51.100.1" \
+ "nat on ${epair_echo}a inet from 192.0.2.0/24 to any -> 198.51.100.3"
+
+ atf_check -s exit:0 -o ignore ping -c 3 198.51.100.2
+ atf_check -s exit:0 -e ignore \
+ -o match:"all icmp 198.51.100.1:.*(192.0.2.2:.*) -> 198.51.100.2:8.*" \
+ jexec nat pfctl -ss
+}
+
+first_match_cleanup()
+{
+ pft_cleanup
+}
+
 atf_init_test_cases()
 {
  atf_add_test_case "exhaust"
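Review bot: In the `-o match:` pattern of the second atf_check in first_match_body, the parentheses around `192.0.2.2:.*` are regex grouping metacharacters rather than literals and the dots are unescaped, so the pattern would also accept output that does not show the pre-translation address in parentheses; escape them as `-o match:"all icmp 198\.51\.100\.1:.*\(192\.0\.2\.2:.*\) -> 198\.51\.100\.2:8.*"`. The check also only asserts that a state translated to 198.51.100.1 exists; adding `-o not-match:"198\.51\.100\.3"` to the same atf_check would make the first-match claim explicit by showing the second rule's address never appears in the state table. Note that `route add -net 198.51.100.0/24 192.0.2.1` runs on the host rather than inside a jail; presumably pft_cleanup removes it as for the sibling tests, but that helper is outside the hunk.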
@@ -975,4 +1019,5 @@ atf_init_test_cases()
  atf_add_test_case "binat_match"
  atf_add_test_case "empty_pool"
  atf_add_test_case "dummynet_mask"
+ atf_add_test_case "first_match"
 }
home | help
