From nobody Wed Jul 23 14:23:50 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bnGbC0YtNz62Nnv;
	Wed, 23 Jul 2025 14:23:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4bnGbB52CYz3pPK;
	Wed, 23 Jul 2025 14:23:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1753280630;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=92nA0xIET05Eeoy2ttiCL59qXhpE2Y8gVIq5CFrvaEI=;
	b=ejGwL1mBvgKNM+gUlj59siFFj0yxCaTj5qqiynECGYEqNKHTj4SqC4UWnWcreyOk2KsCbj
	qpDI7MuvQahD+YoxB/YVLXtWQXtL6qQOSGaxOR0OhODHENZEvgXqqs0VCdMYWP62t3G38C
	QbIJHWS+bVlWDbIgBMMzR8PbmpCbkkytHHxn4ts+vOXomApMbLfKzEpYlXvYoW4Pvb74Y2
	c8zjnB9YuBGHhC5KvC+dSPCO7WyS/0CdKCsIZUGPJj16/PYcDuCn2iuDhitjgHAAX9fNUO
	Z0ALECm5+nDKQ/p2oayjOHpTGtz8duRPZJz1RQX2mhDZOruKalbjX0vzi81dzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1753280630;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=92nA0xIET05Eeoy2ttiCL59qXhpE2Y8gVIq5CFrvaEI=;
	b=rkZ8IC0CRNUWr02wi1wpuC56CtzSW9AKDjTFNa37Yy8lny+BwNYix6D+HgeLrhkAfje1td
	FaZiwpGIsNca7IbTvcB+4GBgqA6pb6QFbyBXE79AoqGPltLC+IlwXoCvTTuGcH917vtSkU
	vJfWme3RTD7V2L+g1/3h1pmIvt1yIw6fmhqbh1YVU6Mq+/nPl56bx/osWSF1mZZMHa5EcK
	MzJTRlJEVZO34HCWLuM88off0YSeVJVwuOpVtl0iAqUrQBsnLdK55cow6vuhXw0kVPABdg
	qTQU9u6GWwYXtxhpoHbNPuYItqJgpCg/9lUDJ+G4/yPjXDURxnLYEkHPR+uptg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1753280630; a=rsa-sha256; cv=none;
	b=g+8DDPP66dYn4quHLkSLp0DyPSsNKv4T3pfVrSdKFYfYttJGJp/GK9kn4qHWRIuj76Wgvs
	ch3nxMxNKpMpg+ol6h8E7bNPRvUCa/rXqwh8jqIgYL5Z35GUWyqJEYBHAWTjTtnb4baT6a
	MKMjo2aLrAmqqqe2XuyWfBPcRKxxID7GHXYWUvKmSB2AAj2inZIOb4Ll+6yNtdiUqZarl3
	0ul4q5fwkIY4qOZW2A9h2Z5bA6YGdeU/ODfr9JAh+4yQzE27B/IOzeDLrfnxbr4svJNN8H
	81TfWqkreao/EZsWMzIVR2v6A54RgFVG+ahbmzpH2uwyrl2D+X6DmVEvf+Totw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bnGbB4cTCz2FV;
	Wed, 23 Jul 2025 14:23:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56NENo9Q031249;
	Wed, 23 Jul 2025 14:23:50 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56NENoj0031246;
	Wed, 23 Jul 2025 14:23:50 GMT
	(envelope-from git)
Date: Wed, 23 Jul 2025 14:23:50 GMT
Message-Id: <202507231423.56NENoj0031246@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: ad8eabd4d25e - main - pf tests: verify we now allow
  IGMP packets with the Router Alert IP option
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ad8eabd4d25e5119dad82b787bb9770ca9ad2953
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ad8eabd4d25e5119dad82b787bb9770ca9ad2953

commit ad8eabd4d25e5119dad82b787bb9770ca9ad2953
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-17 10:07:28 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-23 13:35:45 +0000

    pf tests: verify we now allow IGMP packets with the Router Alert IP option
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/Makefile |  1 +
 tests/sys/netpfil/pf/igmp.py  | 95 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 3adaef09ddbd..def35b18e5d8 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -58,6 +58,7 @@ ATF_TESTS_SH+=	altq \
 ATF_TESTS_PYTEST+=	frag6.py
 ATF_TESTS_PYTEST+=	header.py
 ATF_TESTS_PYTEST+=	icmp.py
+ATF_TESTS_PYTEST+=	igmp.py
 ATF_TESTS_PYTEST+=	nat64.py
 ATF_TESTS_PYTEST+=	nat66.py
 ATF_TESTS_PYTEST+=	return.py
diff --git a/tests/sys/netpfil/pf/igmp.py b/tests/sys/netpfil/pf/igmp.py
new file mode 100644
index 000000000000..b339a2825082
--- /dev/null
+++ b/tests/sys/netpfil/pf/igmp.py
@@ -0,0 +1,95 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2025 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+import pytest
+from utils import DelayedSend
+from atf_python.sys.net.tools import ToolsHelper
+from atf_python.sys.net.vnet import VnetTestTemplate
+
+class TestIGMP(VnetTestTemplate):
+    REQUIRED_MODULES = [ "pf" ]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1"]},
+        "if1": {"prefixes4": [("192.0.2.2/24", "192.0.2.1/24")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        ifname = vnet.iface_alias_map["if1"].name
+        ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.pf_rules([
+            "pass",
+            ])
+        ToolsHelper.print_output("/sbin/pfctl -x loud")
+        ToolsHelper.print_output("echo \"j 230.0.0.1 %s\ns 3600\nq\" | /usr/sbin/mtest" % ifname)
+
+    def find_igmp_reply(self, pkt, ifname):
+        pkt.show()
+        s = DelayedSend(pkt)
+
+        found = False
+        packets = self.sp.sniff(iface=ifname, timeout=5)
+        for r in packets:
+            r.show()
+            igmp = r.getlayer(self.sc.igmp.IGMP)
+            if not igmp:
+                continue
+            igmp.show()
+            if not igmp.gaddr == "230.0.0.1":
+                continue
+            found = True
+        return found
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_ip_opts(self):
+        """Verify that we allow IGMP packets with IP options"""
+        ifname = self.vnet.iface_alias_map["if1"].name
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+        import scapy.contrib as sc
+        import scapy.contrib.igmp
+        self.sp = sp
+        self.sc = sc
+
+        # We allow IGMP packets with the router alert option
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=1,
+            options=[sp.IPOption_Router_Alert()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert self.find_igmp_reply(pkt, ifname)
+
+        # But not with other options
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=1,
+            options=[sp.IPOption_NOP()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert not self.find_igmp_reply(pkt, ifname)
+
+        # Or with the wrong TTL
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=2,
+            options=[sp.IPOption_Router_Alert()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert not self.find_igmp_reply(pkt, ifname)