Date: Sun, 26 Apr 2026 10:12:27 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 4fc1503f8617 - stable/14 - pf: fix duplicate rule detection for automatic tables Message-ID: <69ede50b.3c931.3ee282aa@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=4fc1503f86177259c140c42eacb073bd17f9f72e commit 4fc1503f86177259c140c42eacb073bd17f9f72e Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-04-09 16:11:41 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-04-26 10:12:03 +0000 pf: fix duplicate rule detection for automatic tables We should look at the table name for automatic tables as well. These are different tables, so the rules using them are (or can be) different as well. MFC after: 3 days Reported by: Michael Sinatra <michael@burnttofu.net> Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit fb838352751767e756bd45cd2040fa464ed4de20) --- tests/sys/netpfil/pf/pass_block.sh | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/tests/sys/netpfil/pf/pass_block.sh b/tests/sys/netpfil/pf/pass_block.sh index b91ba7f9ee68..0ebbfcfaf699 100644 --- a/tests/sys/netpfil/pf/pass_block.sh +++ b/tests/sys/netpfil/pf/pass_block.sh @@ -292,6 +292,47 @@ addr_range_cleanup() pft_cleanup } +atf_test_case "auto_tables" "cleanup" +auto_tables_head() +{ + atf_set descr 'Test rulesets with different automatic tables' + atf_set require.user root +} + +auto_tables_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}b 192.0.2.2/24 up + + vnet_mkjail alcatraz ${epair}a + jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set ruleset-optimization basic" \ + "test_a = \"203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 + 203.0.113.5 203.0.113.6 203.0.113.7 203.0.113.8 203.0.113.9 + 203.0.113.10\"" \ + "test_b = \"192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 192.0.2.5 + 192.0.2.6 192.0.2.7 192.0.2.8 192.0.2.9 192.0.2.10\"" \ + "block" \ + "pass inet from any to { \$test_a }" \ + "pass inet from 198.51.100.1 to 198.51.100.2 no state" \ + "pass inet from any to { \$test_b }" + + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1 +} + +auto_tables_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" @@ -300,4 +341,5 @@ atf_init_test_cases() atf_add_test_case "nested_inline" atf_add_test_case "urpf" atf_add_test_case "addr_range" + atf_add_test_case "auto_tables" }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69ede50b.3c931.3ee282aa>