Diffstat (limited to 'sbin/pfctl/tests/files')
304 files changed, 1771 insertions, 0 deletions
diff --git a/sbin/pfctl/tests/files/Makefile b/sbin/pfctl/tests/files/Makefile
new file mode 100644
index 000000000000..fc52b1db3c30
--- /dev/null
+++ b/sbin/pfctl/tests/files/Makefile
@@ -0,0 +1,9 @@
+PACKAGE= tests
+
+TESTSDIR= ${TESTSBASE}/sbin/pfctl/files
+BINDIR= ${TESTSDIR}
+
+# We use ${.CURDIR} as workaround so that the glob patterns work.
+FILES!= echo ${.CURDIR}/pf????.in ${.CURDIR}/pf????.include ${.CURDIR}/pf????.ok ${.CURDIR}/pf????.fail
+
+.include <bsd.progs.mk>
diff --git a/sbin/pfctl/tests/files/Makefile.depend b/sbin/pfctl/tests/files/Makefile.depend
new file mode 100644
index 000000000000..11aba52f82cf
--- /dev/null
+++ b/sbin/pfctl/tests/files/Makefile.depend
@@ -0,0 +1,10 @@
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/sbin/pfctl/tests/files/pf0001.in b/sbin/pfctl/tests/files/pf0001.in
new file mode 100644
index 000000000000..494eee3560fe
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0001.in
@@ -0,0 +1,8 @@
+pass in all
+pass in from any to any no state
+pass in proto tcp from any port <= 1024 to any label foo_bar
+pass in proto tcp from any to any port = 25
+pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
+pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
diff --git a/sbin/pfctl/tests/files/pf0001.ok b/sbin/pfctl/tests/files/pf0001.ok
new file mode 100644
index 000000000000..10fb28bb33dc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0001.ok
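Review bot: The `FILES!= echo …` assignment in the new Makefile relies on the shell expanding four glob patterns, and sh passes a pattern that matches nothing through unchanged, so `FILES` would then hold a literal `pf????.fail` (or `pf????.include`) path that does not exist. Only `.in` and `.ok` fixtures are visible in this part of the commit, so whether the other two patterns match anything cannot be confirmed from here. If either set is empty, drop that pattern; otherwise extend the comment above the assignment, e.g. `# Every pattern below must match at least one file; sh leaves an unmatched glob as a literal word.`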
@@ -0,0 +1,8 @@
+pass in all flags S/SA keep state
+pass in all no state
+pass in proto tcp from any port <= 1024 to any flags S/SA keep state label "foo_bar"
+pass in proto tcp from any to any port = smtp flags S/SA keep state
+pass in inet proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != ssh flags S/SA keep state
+pass in inet proto igmp from 10.0.0.0/8 to 10.1.1.1 keep state allow-opts
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "6:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "7:tcp:1.2.3.5::any:"
diff --git a/sbin/pfctl/tests/files/pf0002.in b/sbin/pfctl/tests/files/pf0002.in
new file mode 100644
index 000000000000..bef5d9b08d1c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0002.in
@@ -0,0 +1,34 @@
+# test
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in quick log on tun1000000 from 192.168.0.0/16 to any
+block in quick log on tun1000000 from 255.255.255.255/32 to any
+
+block in log quick from no-route to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all keep state
+
+pass in on tun1000000 proto tcp from any to any port = ssh keep state
+pass in on tun1000000 proto tcp from any to any port = smtp keep state
+pass in on tun1000000 proto tcp from any to any port = domain keep state
+pass in on tun1000000 proto tcp from any to any port = auth keep state
diff --git a/sbin/pfctl/tests/files/pf0002.ok b/sbin/pfctl/tests/files/pf0002.ok
new file mode 100644
index 000000000000..02e3099013e5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0002.ok
@@ -0,0 +1,22 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+block drop in log quick from no-route to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0003.in b/sbin/pfctl/tests/files/pf0003.in
new file mode 100644
index 000000000000..fc82383434b9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0003.in
@@ -0,0 +1,13 @@
+pass in all
+pass in from any to any
+
+block in proto tcp from any to any flags FUPEW/FSRPAUEW
+block in proto tcp from any to any flags SF/SFRA
+block in proto tcp from any to any flags /SFRAW
+
+pass in proto { udp, icmp, tcp } from any to any flags S/SA
+pass in from any to any flags S/SA no state
+pass in from any to any flags any no state
+pass in from any to any flags any
+pass in from any to any keep state
+pass in from any to any
diff --git a/sbin/pfctl/tests/files/pf0003.ok b/sbin/pfctl/tests/files/pf0003.ok
new file mode 100644
index 000000000000..1d9432f9d6c4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0003.ok
@@ -0,0 +1,13 @@
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
+block drop in proto tcp all flags FPUEW/FSRPAUEW
+block drop in proto tcp all flags FS/FSRA
+block drop in proto tcp all flags /FSRAW
+pass in proto udp all keep state
+pass in proto icmp all keep state
+pass in proto tcp all flags S/SA keep state
+pass in all flags S/SA no state
+pass in all no state
+pass in all flags any keep state
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0004.in b/sbin/pfctl/tests/files/pf0004.in
new file mode 100644
index 000000000000..dcd6ee916b37
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0004.in
@@ -0,0 +1,16 @@
+block in all
+block in proto tcp all
+block in proto { tcp, udp } all
+
+block in from any to any
+block in from 10.0.0.0/8 to any
+block in from ! 10.0.0.0/8 to any
+block in from { 10.0.0.0/8, 172.16.0.0/12 } to any
+
+block in proto tcp from any port = ssh to any
+block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } \
+ to any port 1024:2048
+
+block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \
+ to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668, 6669:65535 }
+
diff --git a/sbin/pfctl/tests/files/pf0004.ok b/sbin/pfctl/tests/files/pf0004.ok
new file mode 100644
index 000000000000..87b71cdeff3d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0004.ok
@@ -0,0 +1,62 @@
+block drop in all
+block drop in proto tcp all
+block drop in proto tcp all
+block drop in proto udp all
+block drop in all
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from ! 10.0.0.0/8 to any
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from 172.16.0.0/12 to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port = ssh to any port 1024:2048
+block drop in proto tcp from any port 21 >< 2048 to any port 1024:2048
+block drop in proto tcp from any port != 1234 to any port 1024:2048
+block drop in proto tcp from any port >= 80 to any port 1024:2048
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
diff --git a/sbin/pfctl/tests/files/pf0005.in b/sbin/pfctl/tests/files/pf0005.in
new file mode 100644
index 000000000000..6ad7040c2ed1
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0005.in
@@ -0,0 +1,6 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside="10.0.0.0/8"
+
+block in proto udp from $inside port { echo, $foo, ident } \
+ to 12.34.56.78 port { 6667, 0x10 }
diff --git a/sbin/pfctl/tests/files/pf0005.ok b/sbin/pfctl/tests/files/pf0005.ok
new file mode 100644
index 000000000000..6158d6779126
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0005.ok
@@ -0,0 +1,11 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside = "10.0.0.0/8"
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 16
diff --git a/sbin/pfctl/tests/files/pf0006.in b/sbin/pfctl/tests/files/pf0006.in
new file mode 100644
index 000000000000..180d36d85db8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0006.in
@@ -0,0 +1,3 @@
+a=b
+c=x
+a_b_c=d
diff --git a/sbin/pfctl/tests/files/pf0006.ok b/sbin/pfctl/tests/files/pf0006.ok
new file mode 100644
index 000000000000..85d1e30aa453
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0006.ok
@@ -0,0 +1,3 @@
+a = "b"
+c = "x"
+a_b_c = "d"
diff --git a/sbin/pfctl/tests/files/pf0007.in b/sbin/pfctl/tests/files/pf0007.in
new file mode 100644
index 000000000000..02514df9cddb
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0007.in
@@ -0,0 +1,34 @@
+# test modulate state
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in log quick on tun1000000 from 192.168.0.0/16 to any
+block in log quick on tun1000000 from 255.255.255.255/32 to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all modulate state
+pass in on tun1000000 proto { tcp udp icmp } all modulate state
+pass in on tun1000000 proto { udp tcp icmp } all flags S/SA synproxy state
+
+pass in on tun1000000 proto tcp from any to any port = ssh modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp modulate state
+pass in on tun1000000 proto tcp from any to any port = domain modulate state
+pass in on tun1000000 proto tcp from any to any port = auth modulate state
diff --git a/sbin/pfctl/tests/files/pf0007.ok b/sbin/pfctl/tests/files/pf0007.ok
new file mode 100644
index 000000000000..357f3180e307
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0007.ok
@@ -0,0 +1,27 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto tcp all flags S/SA synproxy state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA modulate state
diff --git a/sbin/pfctl/tests/files/pf0008.in b/sbin/pfctl/tests/files/pf0008.in
new file mode 100644
index 000000000000..e092bd955afb
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0008.in
@@ -0,0 +1,2 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block out log on tun1000001 from $extern to any
diff --git a/sbin/pfctl/tests/files/pf0008.ok b/sbin/pfctl/tests/files/pf0008.ok
new file mode 100644
index 000000000000..c8786e384cc7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0008.ok
@@ -0,0 +1,3 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block drop out log on tun1000001 inet from ! 10.0.0.0/8 to any
+block drop out log on tun1000001 inet from 10.1.2.3 to any
diff --git a/sbin/pfctl/tests/files/pf0009.in b/sbin/pfctl/tests/files/pf0009.in
new file mode 100644
index 000000000000..2e4e724dbb84
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0009.in
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+
+block in on $interfaces all
diff --git a/sbin/pfctl/tests/files/pf0009.ok b/sbin/pfctl/tests/files/pf0009.ok
new file mode 100644
index 000000000000..c7e9547a8fd3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0009.ok
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+block drop in on enc0 all
+block drop in on tun1000000 all
diff --git a/sbin/pfctl/tests/files/pf0010.in b/sbin/pfctl/tests/files/pf0010.in
new file mode 100644
index 000000000000..250576b9961f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0010.in
@@ -0,0 +1,31 @@
+# return variants
+pass in inet proto icmp all
+pass in inet6 proto icmp6 all
+block in inet proto icmp all
+block in inet6 proto icmp6 all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp in inet proto icmp all
+block return-icmp(0) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(5) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(10) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(15) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6 in inet6 proto icmp6 all
+block return-icmp6(0) in inet6 proto icmp6 all
+block return-icmp6(noroute-unr) in inet6 proto icmp6 all
+block return-icmp6(1) in inet6 proto icmp6 all
+block return-icmp6(admin-unr) in inet6 proto icmp6 all
+block return-icmp6(2) in inet6 proto icmp6 all
+block return-icmp6(notnbr-unr) in inet6 proto icmp6 all
+block return-icmp6(3) in inet6 proto icmp6 all
+block return-icmp6(addr-unr) in inet6 proto icmp6 all
+block return-icmp6(4) in inet6 proto icmp6 all
+block return-icmp6(port-unr) in inet6 proto icmp6 all
+block return-icmp(5, 1) in all
+block return-icmp(srcfail, admin-unr) in all
diff --git a/sbin/pfctl/tests/files/pf0010.ok b/sbin/pfctl/tests/files/pf0010.ok
new file mode 100644
index 000000000000..4003c2306e93
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0010.ok
@@ -0,0 +1,30 @@
+pass in inet proto icmp all keep state
+pass in inet6 proto ipv6-icmp all keep state
+block drop in inet proto icmp all
+block drop in inet6 proto ipv6-icmp all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp(port-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp(srcfail, admin-unr) in all
+block return-icmp(srcfail, admin-unr) in all
diff --git a/sbin/pfctl/tests/files/pf0011.in b/sbin/pfctl/tests/files/pf0011.in
new file mode 100644
index 000000000000..a4dd3d574871
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0011.in
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type 0
+pass in inet proto icmp all icmp-type 0 code 0
+pass in inet proto icmp all icmp-type 1
+pass in inet proto icmp all icmp-type 1 code 1
+pass in inet6 proto ipv6-icmp all icmp6-type 0
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+pass in inet6 proto ipv6-icmp all icmp6-type 1
+pass in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+block in inet proto icmp all icmp-type 0
+block in inet proto icmp all icmp-type 0 code 0
+block in inet proto icmp all icmp-type 1
+block in inet proto icmp all icmp-type 1 code 1
+block in inet6 proto ipv6-icmp all icmp6-type 0
+block in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block in inet6 proto ipv6-icmp all icmp6-type 1
+block in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+pass in inet proto icmp all icmp-type unreach code needfrag
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb
diff --git a/sbin/pfctl/tests/files/pf0011.ok b/sbin/pfctl/tests/files/pf0011.ok
new file mode 100644
index 000000000000..1268e772db26
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0011.ok
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type echorep keep state
+pass in inet proto icmp all icmp-type echorep code 0 keep state
+pass in inet proto icmp all icmp-type 1 keep state
+pass in inet proto icmp all icmp-type 1 code 1 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr keep state
+block drop in inet proto icmp all icmp-type echorep
+block drop in inet proto icmp all icmp-type echorep code 0
+block drop in inet proto icmp all icmp-type 1
+block drop in inet proto icmp all icmp-type 1 code 1
+block drop in inet6 proto ipv6-icmp all icmp6-type 0
+block drop in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr
+pass in inet proto icmp all icmp-type unreach code needfrag keep state
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb keep state
diff --git a/sbin/pfctl/tests/files/pf0012.in b/sbin/pfctl/tests/files/pf0012.in
new file mode 100644
index 000000000000..15e4eae6af66
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0012.in
@@ -0,0 +1,5 @@
+pass in from 127.0.0.1 to 127.0.0.1/8 no state
+pass in from 127.0.0.1/16 to 127.0.0.1/24 no state
+pass in from 127.0.0.1/25 to ! 127.0.0.1/26
+pass in inet from ! localhost to localhost/16
+pass in inet from ! lo0 to ! lo0/8
diff --git a/sbin/pfctl/tests/files/pf0012.ok b/sbin/pfctl/tests/files/pf0012.ok
new file mode 100644
index 000000000000..4ca6765f377d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0012.ok
@@ -0,0 +1,5 @@
+pass in inet from 127.0.0.1 to 127.0.0.0/8 no state
+pass in inet from 127.0.0.0/16 to 127.0.0.0/24 no state
+pass in inet from 127.0.0.0/25 to ! 127.0.0.0/26 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to 127.0.0.0/16 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to ! 127.0.0.0/8 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0013.in b/sbin/pfctl/tests/files/pf0013.in
new file mode 100644
index 000000000000..a0504019e07d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0013.in
@@ -0,0 +1,22 @@
+pass in quick on enc0 from any to any
+pass in quick on enc0 inet from any to any
+pass in quick on enc0 inet6 from any to any
+
+#pass out quick on tun1000000 inet from any to any route-to tun1000001
+#pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001
+#pass out quick on tun1000000 from any to fec0::1 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 reply-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100)
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2)
diff --git a/sbin/pfctl/tests/files/pf0013.ok b/sbin/pfctl/tests/files/pf0013.ok
new file mode 100644
index 000000000000..9783e40518b9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0013.ok
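Review bot: The expected output in pf0012.ok pins `localhost` and `lo0` to `127.0.0.1`, so the comparison depends on how the test host resolves names and configures its loopback rather than only on the pfctl parser; pf0018.ok has the same dependence where `nat-to lo0` is expected to print as `nat-to 127.0.0.1`. On a host or jail whose lo0 carries additional or different IPv4 addresses the expansion would presumably differ, and the test would fail for reasons unrelated to the code under test. The service names expected in other fixtures (`smtp`, `ssh`, `ircd`) appear to depend on the services database in the same way. A leading comment in pf0012.in would document the assumption, e.g. `# assumes lo0 has exactly 127.0.0.1 and localhost resolves to it`; comments are not echoed into the `.ok` output, as pf0002 shows.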
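Review bot: Every `route-to`, `dup-to` and `reply-to` rule in pf0013.in is commented out, so pf0013.ok only checks the three `pass in quick on enc0` rules and the routing options get no parser coverage from this fixture. The file gives no reason for disabling them, which makes it hard to tell whether the syntax is unsupported here or the cases are simply pending. A header comment would record that, for example `# route-to/dup-to/reply-to cases disabled: <reason>`, and the rules should be re-enabled with matching lines in pf0013.ok once they parse.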
@@ -0,0 +1,3 @@
+pass in quick on enc0 all flags S/SA keep state
+pass in quick on enc0 inet all flags S/SA keep state
+pass in quick on enc0 inet6 all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0014.in b/sbin/pfctl/tests/files/pf0014.in
new file mode 100644
index 000000000000..eaca6de0fbfc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0014.in
@@ -0,0 +1,6 @@
+pass in quick on lo0 from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to any
+pass in quick from any to fe80::1%lo0
+pass in quick on lo0 from fe80::1%lo0 to any
+pass in quick on lo0 from any to fe80::1%lo0
diff --git a/sbin/pfctl/tests/files/pf0014.ok b/sbin/pfctl/tests/files/pf0014.ok
new file mode 100644
index 000000000000..15cc43ff77c4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0014.ok
@@ -0,0 +1,6 @@
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0016.in b/sbin/pfctl/tests/files/pf0016.in
new file mode 100644
index 000000000000..7dbc53aa6a21
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0016.in
@@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless nat -> filter
+match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1
+pass in on lo1000000 from any to any no state
diff --git a/sbin/pfctl/tests/files/pf0016.ok b/sbin/pfctl/tests/files/pf0016.ok
new file mode 100644
index 000000000000..d65374a16475
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0016.ok
@@ -0,0 +1,5 @@
+match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1
+match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22
+match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1 static-port
+match in on lo0 inet from any to 10.0.0.1 rdr-to 192.168.1.1
+pass in on lo1000000 all no state
diff --git a/sbin/pfctl/tests/files/pf0018.in b/sbin/pfctl/tests/files/pf0018.in
new file mode 100644
index 000000000000..ab3c81f86c5f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0018.in
@@ -0,0 +1,19 @@
+# test nat
+
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
+
+match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
+
+match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0
+
+match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0)
+
+match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
+
+match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port
+
+match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8
diff --git a/sbin/pfctl/tests/files/pf0018.ok b/sbin/pfctl/tests/files/pf0018.ok
new file mode 100644
index 000000000000..6ba137ae84f8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0018.ok
@@ -0,0 +1,21 @@
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
+match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1
+match out on lo0 inet proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+match out on lo0 inet proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+match out on lo0 inet proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
+match out on lo0 inet from 192.168.1.5 to 172.6.1.1 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.5 to 172.14.1.2 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.5 to 172.16.2.0/24 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.6 to 172.6.1.1 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.6 to 172.14.1.2 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.6 to 172.16.2.0/24 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.7 to 172.6.1.1 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.7 to 172.14.1.2 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.1.7 to 172.16.2.0/24 nat-to 127.0.0.1
+match out on lo0 inet from 192.168.0.0/24 to any nat-to (lo0) round-robin
+match out on lo0 inet from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
+match out on ! lo0 inet proto udp all nat-to 10.0.0.8 static-port
+match out on ! lo0 inet proto tcp all nat-to 10.0.0.8 static-port
+match out on lo0 inet all nat-to 10.0.0.8
+match out on tun1000000 inet all nat-to 10.0.0.8
diff --git a/sbin/pfctl/tests/files/pf0019.in b/sbin/pfctl/tests/files/pf0019.in
new file mode 100644
index 000000000000..e2bedbb64bd0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0019.in
@@ -0,0 +1,9 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+
+# Test list processing
+match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
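Review bot: The expected output in pf0018.ok bakes in the address that `lo0` resolved to on the machine that generated it: `nat-to lo0` in pf0018.in is pinned as `nat-to 127.0.0.1`. The same host-derived values appear in pf0020.ok, pf0025.ok (`127.0.0.0/8`, `::1`), pf0047.ok (`::/8`, `fe00::/8`), pf0048.ok (`::1 fe80::1 127.0.0.1`) and pf0049.ok, so these cases will presumably fail in a jail or test host whose loopback lacks IPv6 or carries additional addresses. The .ok side cannot hold comments, so I would state the assumption at the top of each affected .in file, e.g. `# expected output assumes lo0 has 127.0.0.1/8, ::1 and fe80::1`, and have the runner (not shown in this diff) skip these cases when that does not hold.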
diff --git a/sbin/pfctl/tests/files/pf0019.ok b/sbin/pfctl/tests/files/pf0019.ok
new file mode 100644
index 000000000000..a5afc374d19f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0019.ok
@@ -0,0 +1,13 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22
+match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
diff --git a/sbin/pfctl/tests/files/pf0020.in b/sbin/pfctl/tests/files/pf0020.in
new file mode 100644
index 000000000000..c973785bc9c5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0020.in
@@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL
+match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
diff --git a/sbin/pfctl/tests/files/pf0020.ok b/sbin/pfctl/tests/files/pf0020.ok
new file mode 100644
index 000000000000..bd2c6cf2055d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0020.ok
@@ -0,0 +1,16 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+match out on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 nat-to 127.0.0.1
+match out on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 nat-to 127.0.0.1
+match out on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 nat-to 127.0.0.1
+match out on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 nat-to 127.0.0.1
+match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021
+match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021
diff --git a/sbin/pfctl/tests/files/pf0022.in b/sbin/pfctl/tests/files/pf0022.in
new file mode 100644
index 000000000000..602a085c59f0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0022.in
@@ -0,0 +1,8 @@
+set optimization aggressive
+set timeout { tcp.closing 6, tcp.opening 6 }
+set timeout tcp.first 6
+set limit states 500
+set limit {states 1000,frags 1000}
+set loginterface lo0
+set loginterface none
+set hostid 1
diff --git a/sbin/pfctl/tests/files/pf0022.ok b/sbin/pfctl/tests/files/pf0022.ok
new file mode 100644
index 000000000000..76940552aa3a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0022.ok
@@ -0,0 +1,10 @@
+set optimization aggressive
+set timeout tcp.closing 6
+set timeout tcp.opening 6
+set timeout tcp.first 6
+set limit states 500
+set limit states 1000
+set limit frags 1000
+set loginterface lo0
+set loginterface none
+set hostid 0x00000001
diff --git a/sbin/pfctl/tests/files/pf0023.in b/sbin/pfctl/tests/files/pf0023.in
new file mode 100644
index 000000000000..2adbe16c4a50
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0023.in
@@ -0,0 +1,2 @@
+#test negated interface matching
+block in on ! lo0 all
diff --git a/sbin/pfctl/tests/files/pf0023.ok b/sbin/pfctl/tests/files/pf0023.ok
new file mode 100644
index 000000000000..83a75fe716af
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0023.ok
@@ -0,0 +1 @@
+block drop in on ! lo0 all
diff --git a/sbin/pfctl/tests/files/pf0024.in b/sbin/pfctl/tests/files/pf0024.in
new file mode 100644
index 000000000000..73c204933633
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0024.in
@@ -0,0 +1,8 @@
+#test variable concat
+a="ssh"
+b="ftp"
+c=$a $b
+d=$a $b $a $b
+e=$a $b $b "test" $a $b
+
+pass in proto tcp from any to any port { $c }
diff --git a/sbin/pfctl/tests/files/pf0024.ok b/sbin/pfctl/tests/files/pf0024.ok
new file mode 100644
index 000000000000..c6ff2f037012
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0024.ok
@@ -0,0 +1,7 @@
+a = "ssh"
+b = "ftp"
+c = "ssh ftp"
+d = "ssh ftp ssh ftp"
+e = "ssh ftp ftp test ssh ftp"
+pass in proto tcp from any to any port = ssh flags S/SA keep state
+pass in proto tcp from any to any port = ftp flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0025.in b/sbin/pfctl/tests/files/pf0025.in
new file mode 100644
index 000000000000..28d1a335ccf8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0025.in
@@ -0,0 +1,4 @@
+antispoof for lo0
+antispoof log quick for lo0 inet
+antispoof for (lo0)
+antispoof log quick for (lo0) inet
diff --git a/sbin/pfctl/tests/files/pf0025.ok b/sbin/pfctl/tests/files/pf0025.ok
new file mode 100644
index 000000000000..f4fc7766dc02
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0025.ok
@@ -0,0 +1,5 @@
+block drop in on ! lo0 inet6 from ::1 to any
+block drop in on ! lo0 inet from 127.0.0.0/8 to any
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 from (lo0:network) to any
+block drop in log quick on ! lo0 inet from (lo0:network) to any
diff --git a/sbin/pfctl/tests/files/pf0026.in b/sbin/pfctl/tests/files/pf0026.in
new file mode 100644
index 000000000000..5799de5afe9e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0026.in
@@ -0,0 +1,2 @@
+block in on lo0 inet from ! (lo0) to any
+block out on lo0 inet from any to ! (lo0)
diff --git a/sbin/pfctl/tests/files/pf0026.ok b/sbin/pfctl/tests/files/pf0026.ok
new file mode 100644
index 000000000000..a9a281244a69
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0026.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet from ! (lo0) to any
+block drop out on lo0 inet from any to ! (lo0)
diff --git a/sbin/pfctl/tests/files/pf0028.in b/sbin/pfctl/tests/files/pf0028.in
new file mode 100644
index 000000000000..cfcc0b952200
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0028.in
@@ -0,0 +1,7 @@
+# test logging keywords, and log quick/quick log order
+block in log (all) quick on lo0 all
+block in quick log on lo0 all
+block in quick log (all) on lo0 all
+block in log quick on lo0 all
+block in log on lo0 all
+block in log (all) on lo0 all
diff --git a/sbin/pfctl/tests/files/pf0028.ok b/sbin/pfctl/tests/files/pf0028.ok
new file mode 100644
index 000000000000..ff6ca332dff4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0028.ok
@@ -0,0 +1,6 @@
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log on lo0 all
+block drop in log (all) on lo0 all
diff --git a/sbin/pfctl/tests/files/pf0030.in b/sbin/pfctl/tests/files/pf0030.in
new file mode 100644
index 000000000000..8ea257809291
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0030.in
@@ -0,0 +1,7 @@
+#test line continuation
+
+block \
+ in \
+ on lo0 \
+ from any \
+ to any
diff --git a/sbin/pfctl/tests/files/pf0030.ok b/sbin/pfctl/tests/files/pf0030.ok
new file mode 100644
index 000000000000..11fb969bbb91
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0030.ok
@@ -0,0 +1 @@
+block drop in on lo0 all
diff --git a/sbin/pfctl/tests/files/pf0031.in b/sbin/pfctl/tests/files/pf0031.in
new file mode 100644
index 000000000000..c227829f1121
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0031.in
@@ -0,0 +1,21 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+#set block-policy return
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+
diff --git a/sbin/pfctl/tests/files/pf0031.ok b/sbin/pfctl/tests/files/pf0031.ok
new file mode 100644
index 000000000000..d19a2797da21
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0031.ok
@@ -0,0 +1,19 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
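Review bot: In pf0031.in the line `#set block-policy return` is commented out, so the nine rules after it are parsed under the same `drop` policy as the nine before it; pf0031.ok confirms this by rendering the bare `block in on lo0 ...` rules as `block drop` in both halves. As written the second half duplicates the first and the `return` default for a bare `block` is never exercised. If the directive was disabled because options may not follow rules in one ruleset (an assumption; the reason is not recorded), say so in its place, e.g. `# 'set block-policy return' cannot follow rules; covered by its own fixture`, and move the second half into a fixture pair that starts with `set block-policy return`.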
diff --git a/sbin/pfctl/tests/files/pf0032.in b/sbin/pfctl/tests/files/pf0032.in
new file mode 100644
index 000000000000..333dafa72dd8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0032.in
@@ -0,0 +1,7 @@
+pass in from 10/8 to any
+pass in from 10.1/8 to any
+pass in from 192.168.37.29/25 to any
+pass in from 192.168.37.29/24 to any
+pass in from 192.168.37.29/16 to any
+pass in from 192.168.37.29/8 to any
+
diff --git a/sbin/pfctl/tests/files/pf0032.ok b/sbin/pfctl/tests/files/pf0032.ok
new file mode 100644
index 000000000000..826ce61ebcb3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0032.ok
@@ -0,0 +1,6 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 192.168.37.0/25 to any flags S/SA keep state
+pass in inet from 192.168.37.0/24 to any flags S/SA keep state
+pass in inet from 192.168.0.0/16 to any flags S/SA keep state
+pass in inet from 192.0.0.0/8 to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0034.in b/sbin/pfctl/tests/files/pf0034.in
new file mode 100644
index 000000000000..e3248d281e70
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0034.in
@@ -0,0 +1,5 @@
+#mixed af, probability
+pass in from any to { 127.0.0.1, 2000::1 }
+pass in probability 0.5
+pass in probability 50%
+pass in inet6 proto tcp from ::1 probability 0.8%
diff --git a/sbin/pfctl/tests/files/pf0034.ok b/sbin/pfctl/tests/files/pf0034.ok
new file mode 100644
index 000000000000..a91f1ae50d2e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0034.ok
@@ -0,0 +1,5 @@
+pass in inet from any to 127.0.0.1 flags S/SA keep state
+pass in inet6 from any to 2000::1 flags S/SA keep state
+pass in all flags S/SA keep state probability 50%
+pass in all flags S/SA keep state probability 50%
+pass in inet6 proto tcp from ::1 to any flags S/SA keep state probability 0.8%
diff --git a/sbin/pfctl/tests/files/pf0035.in b/sbin/pfctl/tests/files/pf0035.in
new file mode 100644
index 000000000000..3d0ab8963297
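Review bot: pf0032.in has no comment saying what it pins, and the behaviour is easy to miss: addresses with host bits set are masked to the prefix rather than rejected, so `192.168.37.29/8` is expected as `192.0.0.0/8` in pf0032.ok. That matters to anyone auditing a ruleset, because a mistyped prefix length silently widens what the rule matches. A header line such as `# host bits beyond the prefix length are masked off, not rejected` would document the intent.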
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0035.in
@@ -0,0 +1,5 @@
+#test matching on tos
+
+intf = "lo0"
+pass out on $intf inet proto tcp from any to any port 22 tos 0x10
+pass out on $intf inet proto tcp from any to any port 22 tos 0x08
diff --git a/sbin/pfctl/tests/files/pf0035.ok b/sbin/pfctl/tests/files/pf0035.ok
new file mode 100644
index 000000000000..fb77ae59e523
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0035.ok
@@ -0,0 +1,3 @@
+intf = "lo0"
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x10 keep state
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x08 keep state
diff --git a/sbin/pfctl/tests/files/pf0038.in b/sbin/pfctl/tests/files/pf0038.in
new file mode 100644
index 000000000000..1e63d6e5e268
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0038.in
@@ -0,0 +1,5 @@
+# test
+
+pass in on tun1000000 proto tcp from any to any user bin
+pass in on tun1000000 proto tcp from any to any group bin
+pass in on tun1000000 proto tcp from any to any group wheel user root user bin
diff --git a/sbin/pfctl/tests/files/pf0038.ok b/sbin/pfctl/tests/files/pf0038.ok
new file mode 100644
index 000000000000..77e2ee63bf5a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0038.ok
@@ -0,0 +1,4 @@
+pass in on tun1000000 proto tcp all user = 3 flags S/SA keep state
+pass in on tun1000000 proto tcp all group = 7 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 3 group = 0 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 0 group = 0 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0039.in b/sbin/pfctl/tests/files/pf0039.in
new file mode 100644
index 000000000000..739f4efd4297
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0039.in
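Review bot: pf0038.ok pins numeric IDs that come from the generating host's account database rather than from the rule text: `user bin` in pf0038.in is expected as `user = 3` and `group bin` as `group = 7`. pf0039.ok (`group = 65534` for `nobody`) and pf0041.ok (`group = 22` for `sshd`) do the same, and the `port = tcpmux` / `port = compressnet` lines in pf0041.ok likewise depend on the local services database. On a system whose passwd, group or services files differ, the comparison would fail for reasons unrelated to the parser. Writing numeric IDs in the .in files for everything except one dedicated name-lookup case would keep the rest deterministic, e.g. `pass in on tun1000000 proto tcp from any to any user 3`.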
@@ -0,0 +1,25 @@
+#test random ordered opts
+
+body1="pass in log quick on lo0 inet proto icmp all "
+body2="pass in log quick on lo0 inet proto tcp all "
+o_user="user root "
+o_user2="user bin "
+o_group="group wheel "
+o_group2="group nobody "
+o_flags="flags S/SA "
+o_icmpspec="icmp-type 0 code 0 "
+o_tos="tos 0x08 "
+o_keep="keep state "
+o_fragment="fragment "
+o_allowopts="allow-opts "
+o_label="label blah"
+o_prio="set prio 2"
+
+$body2 $o_fragment $o_keep $o_label $o_tos
+$body2 $o_user $o_prio $o_tos $o_keep $o_group $o_label $o_allowopts \
+$o_user2 $o_group2
+$body1 $o_icmpspec $o_keep $o_label $o_prio
+$body2 $o_keep
+$body2 $o_label $o_keep $o_prio $o_tos
+$body1 $o_icmpspec $o_tos
+$body2 $o_flags $o_allowopts
diff --git a/sbin/pfctl/tests/files/pf0039.ok b/sbin/pfctl/tests/files/pf0039.ok
new file mode 100644
index 000000000000..524d9d1d9537
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0039.ok
@@ -0,0 +1,24 @@
+body1 = "pass in log quick on lo0 inet proto icmp all "
+body2 = "pass in log quick on lo0 inet proto tcp all "
+o_user = "user root "
+o_user2 = "user bin "
+o_group = "group wheel "
+o_group2 = "group nobody "
+o_flags = "flags S/SA "
+o_icmpspec = "icmp-type 0 code 0 "
+o_tos = "tos 0x08 "
+o_keep = "keep state "
+o_fragment = "fragment "
+o_allowopts = "allow-opts "
+o_label = "label blah"
+o_prio = "set prio 2"
+pass in log quick on lo0 inet proto tcp all tos 0x08 keep state fragment label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA tos 0x08 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 tos 0x08 keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state allow-opts
diff --git a/sbin/pfctl/tests/files/pf0040.in b/sbin/pfctl/tests/files/pf0040.in
new file mode 100644
index 000000000000..7d91ad447109
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0040.in
@@ -0,0 +1,20 @@
+block
+block return
+block return-rst proto tcp
+pass
+pass in no state
+pass out no state
+pass all no state
+block in all
+block out all
+block from any to any
+pass in from any to any
+pass out from any to any
+block on lo0
+pass on lo0 all
+block on lo0 from any to any
+pass proto tcp flags S/SA
+pass proto udp keep state
+pass in proto udp all keep state
+pass out proto udp from any to any keep state
+pass out on lo0 proto tcp from any to any port 25 keep state
diff --git a/sbin/pfctl/tests/files/pf0040.ok b/sbin/pfctl/tests/files/pf0040.ok
new file mode 100644
index 000000000000..1a740bb96470
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0040.ok
@@ -0,0 +1,20 @@
+block drop all
+block return all
+block return-rst proto tcp all
+pass all flags S/SA keep state
+pass in all no state
+pass out all no state
+pass all no state
+block drop in all
+block drop out all
+block drop all
+pass in all flags S/SA keep state
+pass out all flags S/SA keep state
+block drop on lo0 all
+pass on lo0 all flags S/SA keep state
+block drop on lo0 all
+pass proto tcp all flags S/SA keep state
+pass proto udp all keep state
+pass in proto udp all keep state
+pass out proto udp all keep state
+pass out on lo0 proto tcp from any to any port = smtp flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0041.in b/sbin/pfctl/tests/files/pf0041.in
new file mode 100644
index 000000000000..42987e7f0daa
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0041.in
@@ -0,0 +1,12 @@
+anchor foo
+anchor bar all
+anchor bar from any to any
+anchor foo inet
+anchor foo inet6
+anchor foo inet all
+anchor foo proto tcp
+anchor foo inet proto tcp from 10.1.2.3 port smtp to 10.2.3.4 port ssh
+anchor foobar inet6 proto udp from ::1 port 1 to ::1 port 2
+anchor filteropt out proto tcp to any port 22 user root
+anchor filteropt in proto tcp to (self) port 22 group sshd
+anchor filteropt out inet proto icmp all icmp-type echoreq
diff --git a/sbin/pfctl/tests/files/pf0041.ok b/sbin/pfctl/tests/files/pf0041.ok
new file mode 100644
index 000000000000..836c7459365c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0041.ok
@@ -0,0 +1,12 @@
+anchor "foo" all
+anchor "bar" all
+anchor "bar" all
+anchor "foo" inet all
+anchor "foo" inet6 all
+anchor "foo" inet all
+anchor "foo" proto tcp all
+anchor "foo" inet proto tcp from 10.1.2.3 port = smtp to 10.2.3.4 port = ssh
+anchor "foobar" inet6 proto udp from ::1 port = tcpmux to ::1 port = compressnet
+anchor "filteropt" out proto tcp from any to any port = ssh user = 0
+anchor "filteropt" in proto tcp from any to (self) port = ssh group = 22
+anchor "filteropt" out inet proto icmp all icmp-type echoreq
diff --git a/sbin/pfctl/tests/files/pf0047.in b/sbin/pfctl/tests/files/pf0047.in
new file mode 100644
index 000000000000..0fcfa14ebb32
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0047.in
@@ -0,0 +1,67 @@
+pass in on lo0 all label ""
+
+pass in all label "$if"
+pass in on lo0 all label "$if"
+pass in on lo0 all label "$if$if"
+
+pass in on lo0 all label "$srcaddr"
+pass in on lo0 from 0/0 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 from 127.0.0.1/8 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1/16 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1/31 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from lo0/8 to any label "$srcaddr"
+pass in on lo0 inet6 from lo0/64 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from lo0/127 to any label ":$srcaddr:$srcaddr:"
+
+pass in on lo0 all label "!$dstaddr!"
+pass in on lo0 inet from any to (lo0) label "$dstaddr"
+pass in on lo0 inet from any to (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet from any to (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 from any to ! 127.0.0.1/8 label "$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/16 label "$dstaddr$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/31 label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! ::1/8 label "$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/64 label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/127 label " $dstaddr $dstaddr "
+
+pass in on lo0 all label "x$srcportx"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 >< 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 <> 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28:29 to any label "$srcport"
+pass in on lo0 proto tcp from any port != 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port < 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port <= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port > 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port >= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$$srcport$$srcport$"
+
+pass in on lo0 all label "$dstport"
+pass in on lo0 proto udp from any to any port = 29 label "$dstport"
+pass in on lo0 proto udp from any to any port != 29 label "$dstport$dstport"
+pass in on lo0 proto udp from any to any port > 29 label "x$dstportx$dstportx"
+
+pass in on lo0 all label "$proto"
+pass in on lo0 proto esp all label "$proto"
+pass in on lo0 proto esp all label "$proto$proto"
+pass in on lo0 proto esp all label "-$proto-$proto-"
+pass in on lo0 proto 166 all label "$proto"
+pass in on lo0 proto 166 all label "$proto$proto"
+pass in on lo0 proto 166 all label "_$proto_$proto_"
+
+pass in on lo0 all label "$nr"
+pass in on lo0 all label "$nr$nr"
+pass in on lo0 all label "%$nr%$nr%"
+
+pass in on lo0 proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = 44 \
+ label "if $if proto $proto $srcaddr $srcport $dstaddr $dstport"
diff --git a/sbin/pfctl/tests/files/pf0047.ok b/sbin/pfctl/tests/files/pf0047.ok
new file mode 100644
index 000000000000..12b93bb14e30
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0047.ok
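Review bot: The `port 28:29 ... label "$srcport"` rule in pf0047.in is paired with an expected line in pf0047.ok that carries no label at all, although every other operator in the same group yields one (`"28><29"`, `"28<>29"`, `"<=28"`). That reads as `$srcport` expanding to an empty string for the `:` range form, which the golden file would then lock in as correct; labels are what per-rule counters and log correlation are keyed on, so a silently dropped label is worth not enshrining. Please confirm whether this is intended. If it is not, the expected line should end in `label "28:29"` once the expansion is fixed, and until then a comment in pf0047.in such as `# known gap: $srcport is empty for the a:b range form` would keep it visible.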
@@ -0,0 +1,61 @@
+pass in on lo0 all flags S/SA keep state
+pass in all flags S/SA keep state label "any"
+pass in on lo0 all flags S/SA keep state label "lo0"
+pass in on lo0 all flags S/SA keep state label "lo0lo0"
+pass in on lo0 all flags S/SA keep state label "any"
+pass in on lo0 inet all flags S/SA keep state label "any"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label ":127.0.0.1:127.0.0.1:"
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state label "127.0.0.0/8"
+pass in on lo0 inet from 127.0.0.0/16 to any flags S/SA keep state label "127.0.0.0/16127.0.0.0/16"
+pass in on lo0 inet from 127.0.0.0/31 to any flags S/SA keep state label ":127.0.0.0/31:127.0.0.0/31:"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label ":fe80::1:fe80::1:"
+pass in on lo0 inet6 from ::/8 to any flags S/SA keep state label "::/8"
+pass in on lo0 inet6 from fe00::/8 to any flags S/SA keep state label "fe00::/8"
+pass in on lo0 inet6 from ::/64 to any flags S/SA keep state label "::/64::/64"
+pass in on lo0 inet6 from fe80::/64 to any flags S/SA keep state label "fe80::/64fe80::/64"
+pass in on lo0 inet6 from ::/127 to any flags S/SA keep state label ":::/127:::/127:"
+pass in on lo0 inet6 from fe80::/127 to any flags S/SA keep state label ":fe80::/127:fe80::/127:"
+pass in on lo0 all flags S/SA keep state label "!any!"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label " (lo0) (lo0) "
+pass in on lo0 inet from any to ! 127.0.0.0/8 flags S/SA keep state label "! 127.0.0.0/8"
+pass in on lo0 inet from any to ! 127.0.0.0/16 flags S/SA keep state label "! 127.0.0.0/16! 127.0.0.0/16"
+pass in on lo0 inet from any to ! 127.0.0.0/31 flags S/SA keep state label " ! 127.0.0.0/31 ! 127.0.0.0/31 "
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label " ! (lo0) ! (lo0) "
+pass in on lo0 inet6 from any to ! ::/8 flags S/SA keep state label "! ::/8"
+pass in on lo0 inet6 from any to ! ::/64 flags S/SA keep state label "! ::/64! ::/64"
+pass in on lo0 inet6 from any to ! ::/127 flags S/SA keep state label " ! ::/127 ! ::/127 "
+pass in on lo0 all flags S/SA keep state label "xx"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "28"
+pass in on lo0 proto tcp from any port 28 >< 29 to any flags S/SA keep state label "28><29"
+pass in on lo0 proto tcp from any port 28 <> 29 to any flags S/SA keep state label "28<>29"
+pass in on lo0 proto tcp from any port 28:29 to any flags S/SA keep state
+pass in on lo0 proto tcp from any port != 28 to any flags S/SA keep state label "!=28"
+pass in on lo0 proto tcp from any port < 28 to any flags S/SA keep state label "<28"
+pass in on lo0 proto tcp from any port <= 28 to any flags S/SA keep state label "<=28"
+pass in on lo0 proto tcp from any port > 28 to any flags S/SA keep state label ">28"
+pass in on lo0 proto tcp from any port >= 28 to any flags S/SA keep state label ">=28"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "2828"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "$28$28$"
+pass in on lo0 all flags S/SA keep state
+pass in on lo0 proto udp from any to any port = msg-icp keep state label "29"
+pass in on lo0 proto udp from any to any port != msg-icp keep state label "!=29!=29"
+pass in on lo0 proto udp from any to any port > 29 keep state label "x>29x>29x"
+pass in on lo0 all flags S/SA keep state label "ip"
+pass in on lo0 proto esp all keep state label "esp"
+pass in on lo0 proto esp all keep state label "espesp"
+pass in on lo0 proto esp all keep state label "-esp-esp-"
+pass in on lo0 proto 166 all keep state label "166"
+pass in on lo0 proto 166 all keep state label "166166"
+pass in on lo0 proto 166 all keep state label "_166_166_"
+pass in on lo0 all flags S/SA keep state label "57"
+pass in on lo0 all flags S/SA keep state label "5858"
+pass in on lo0 all flags S/SA keep state label "%59%59%"
+pass in on lo0 inet proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = mpm-flags flags S/SA keep state label "if lo0 proto tcp 127.0.0.1 30 127.0.0.2 44"
diff --git a/sbin/pfctl/tests/files/pf0048.in b/sbin/pfctl/tests/files/pf0048.in
new file mode 100644
index 000000000000..a0dd143c8dd2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0048.in
@@ -0,0 +1,13 @@
+table < regress > { 1.2.3.4 !5.6.7.8 10/8 lo0 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> { 1.2.3.4 !5.6.7.8 } { ::1 ::2 ::3 } file "/dev/null" const { 4.3.2.1 }
+match out on lo0 inet from < regress.1> to <regress.2> nat-to lo0:0
+match out on !lo0 inet from !<regress.1 > to <regress.2> nat-to lo0:0
+match in on lo0 inet6 from <regress.1> to <regress.2> rdr-to lo0:0
+match in on !lo0 inet6 from !< regress.1 > to <regress.2> rdr-to lo0:0
+match in from { <regress.1> !<regress.2> } to any
+match out from any to { !<regress.1>, <regress.2> }
+pass in from <regress> to any
+pass out from any to <regress >
+pass in from { <regress.1> <regress.2> } to any
+pass out from any to { !<regress.1>, !<regress.2> }
diff --git a/sbin/pfctl/tests/files/pf0048.ok b/sbin/pfctl/tests/files/pf0048.ok
new file mode 100644
index 000000000000..89569fb4f8ba
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0048.ok
@@ -0,0 +1,17 @@
+table <regress> { 1.2.3.4 !5.6.7.8 10.0.0.0/8 ::1 fe80::1 127.0.0.1 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> const { 1.2.3.4 !5.6.7.8 ::1 ::2 ::3 } file "/dev/null" { 4.3.2.1 }
+match out on lo0 inet from <regress.1> to <regress.2> nat-to 127.0.0.1
+match out on ! lo0 inet from ! <regress.1> to <regress.2> nat-to 127.0.0.1
+match in on lo0 inet6 from <regress.1> to <regress.2> rdr-to ::1
+match in on ! lo0 inet6 from ! <regress.1> to <regress.2> rdr-to ::1
+match in from <regress.1> to any
+match in from ! <regress.2> to any
+match out from any to ! <regress.1>
+match out from any to <regress.2>
+pass in from <regress> to any flags S/SA keep state
+pass out from any to <regress> flags S/SA keep state
+pass in from <regress.1> to any flags S/SA keep state
+pass in from <regress.2> to any flags S/SA keep state
+pass out from any to ! <regress.1> flags S/SA keep state
+pass out from any to ! <regress.2> flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0049.in b/sbin/pfctl/tests/files/pf0049.in
new file mode 100644
index 000000000000..91b9712f7b30
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0049.in
@@ -0,0 +1,7 @@
+#test :broadcast and :network modifiers
+pass in on lo0 from lo0:network to any keep state
+pass out on lo0 inet from lo0:network to any
+pass in on lo0 inet6 from lo0:network to any keep state
+
+#broadcast on lo0 doesn't make sense at all!
+#block in on lo0 from any to lo0:broadcast
diff --git a/sbin/pfctl/tests/files/pf0049.ok b/sbin/pfctl/tests/files/pf0049.ok
new file mode 100644
index 000000000000..0349424cee1e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0049.ok
@@ -0,0 +1,4 @@
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass out on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
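Review bot: The expected text in pf0048.ok bakes in the test host's lo0 addresses: the `lo0` table entry from pf0048.in is expected to print as `::1 fe80::1 127.0.0.1`, and `lo0:0` as `127.0.0.1` and `::1`. On a host or jail where lo0 has no IPv6 address or carries extra aliases, pfctl would presumably print something else and the comparison would fail for reasons unrelated to the parser. pf0049.ok, pf0065.ok and pf0069.ok through pf0071.ok have the same coupling. The harness is not visible here; if it does not already guard for this, a precondition comment at the top of pf0048.in such as `# expects lo0 to carry exactly 127.0.0.1, ::1 and fe80::1` would record the assumption.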
diff --git a/sbin/pfctl/tests/files/pf0050.in b/sbin/pfctl/tests/files/pf0050.in
new file mode 100644
index 000000000000..e1ecb5274b1e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0050.in
@@ -0,0 +1,4 @@
+# double macro set
+extif="wi0"
+extif="lo0"
+block in on $extif
diff --git a/sbin/pfctl/tests/files/pf0050.ok b/sbin/pfctl/tests/files/pf0050.ok
new file mode 100644
index 000000000000..e891b238639b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0050.ok
@@ -0,0 +1,3 @@
+extif = "wi0"
+extif = "lo0"
+block drop in on lo0 all
diff --git a/sbin/pfctl/tests/files/pf0052.in b/sbin/pfctl/tests/files/pf0052.in
new file mode 100644
index 000000000000..262d029841d3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0052.in
@@ -0,0 +1,7 @@
+# test setting all optimizations to avoid future keyword clashes
+
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
diff --git a/sbin/pfctl/tests/files/pf0052.ok b/sbin/pfctl/tests/files/pf0052.ok
new file mode 100644
index 000000000000..f83263b2a267
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0052.ok
@@ -0,0 +1,5 @@
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
diff --git a/sbin/pfctl/tests/files/pf0053.in b/sbin/pfctl/tests/files/pf0053.in
new file mode 100644
index 000000000000..263f99048f1d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0053.in
@@ -0,0 +1,4 @@
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
+pass in on lo0 proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
diff --git a/sbin/pfctl/tests/files/pf0053.ok b/sbin/pfctl/tests/files/pf0053.ok
new file mode 100644
index 000000000000..91866b724d31
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0053.ok
@@ -0,0 +1,4 @@
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "0:any:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "1:any:tcp:1.2.3.5::any:"
+pass in on lo0 inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "2:lo0:tcp:1.2.3.4::any:"
+pass in on lo0 inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "3:lo0:tcp:1.2.3.5::any:"
diff --git a/sbin/pfctl/tests/files/pf0055.in b/sbin/pfctl/tests/files/pf0055.in
new file mode 100644
index 000000000000..849221e316a7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0055.in
@@ -0,0 +1,18 @@
+set timeout { interval 43, frag 23 }
+set timeout { tcp.first 423, tcp.opening 123, tcp.established 43758 }
+set timeout { tcp.closing 744, tcp.finwait 25, tcp.closed 38 }
+set timeout { udp.first 356, udp.single 73, udp.multiple 34 }
+set timeout { icmp.first 464, icmp.error 34 }
+set timeout { other.first 455, other.single 54, other.multiple 324 }
+set timeout { src.track 3600 }
+set limit { states 4522, frags 43556 }
+set loginterface none
+set loginterface lo0
+set hostid 1
+set optimization normal
+set block-policy drop
+
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
diff --git a/sbin/pfctl/tests/files/pf0055.ok b/sbin/pfctl/tests/files/pf0055.ok
new file mode 100644
index 000000000000..2281ca82abd4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0055.ok
@@ -0,0 +1,28 @@
+set timeout interval 43
+set timeout frag 23
+set timeout tcp.first 423
+set timeout tcp.opening 123
+set timeout tcp.established 43758
+set timeout tcp.closing 744
+set timeout tcp.finwait 25
+set timeout tcp.closed 38
+set timeout udp.first 356
+set timeout udp.single 73
+set timeout udp.multiple 34
+set timeout icmp.first 464
+set timeout icmp.error 34
+set timeout other.first 455
+set timeout other.single 54
+set timeout other.multiple 324
+set timeout src.track 3600
+set limit states 4522
+set limit frags 43556
+set loginterface none
+set loginterface lo0
+set hostid 0x00000001
+set optimization normal
+set block-policy drop
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
diff --git a/sbin/pfctl/tests/files/pf0056.in b/sbin/pfctl/tests/files/pf0056.in
new file mode 100644
index 000000000000..691908925488
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0056.in
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port www keep state (tcp.established 60)
+pass in proto tcp from any to any port www keep state (max 10, no-sync, tcp.first 2)
diff --git a/sbin/pfctl/tests/files/pf0056.ok b/sbin/pfctl/tests/files/pf0056.ok
new file mode 100644
index 000000000000..14bf215a4d7d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0056.ok
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port = http flags S/SA keep state (tcp.established 60)
+pass in proto tcp from any to any port = http flags S/SA keep state (max 10, no-sync, tcp.first 2, adaptive.start 6, adaptive.end 12)
diff --git a/sbin/pfctl/tests/files/pf0057.in b/sbin/pfctl/tests/files/pf0057.in
new file mode 100644
index 000000000000..0eca99d162f0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0057.in
@@ -0,0 +1,4 @@
+a="10.0.0.1"
+b="x"
+b="y"
+pass in from $a
diff --git a/sbin/pfctl/tests/files/pf0057.ok b/sbin/pfctl/tests/files/pf0057.ok
new file mode 100644
index 000000000000..23299e285181
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0057.ok
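Review bot: pf0056.ok expects `port = http` for an input written as `port www`, so the fixture goes through the host's services database in both directions: the alias `www` has to resolve on input and the name `http` has to be printed on output. The same holds for `ntp` and `pip` in pf0084.ok, `domain` in pf0087.ok and `http-alt` in pf0089.ok. A test host with a trimmed or locally edited services file would presumably fail these for reasons unrelated to pfctl; whether the harness pins that file is not visible here. A header comment in the affected .in files, for example `# expected output assumes the stock /etc/services`, would document the assumption.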
@@ -0,0 +1,4 @@
+a = "10.0.0.1"
+b = "x"
+b = "y"
+pass in inet from 10.0.0.1 to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0060.in b/sbin/pfctl/tests/files/pf0060.in
new file mode 100644
index 000000000000..2824cfd301b2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0060.in
@@ -0,0 +1,11 @@
+# netmask handling w/ multicast
+
+pass from 224.4.5.4/32
+pass from 224.4.5.4/16
+pass from 224.4.5.4/26
+pass from 224.4.5.65/26
+pass from 224.4.5.134/26
+pass from 224.4.5.199/26
+pass from 224.4.5.4
+
+
diff --git a/sbin/pfctl/tests/files/pf0060.ok b/sbin/pfctl/tests/files/pf0060.ok
new file mode 100644
index 000000000000..f0cd27039fef
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0060.ok
@@ -0,0 +1,7 @@
+pass inet from 224.4.5.4 to any flags S/SA keep state
+pass inet from 224.4.0.0/16 to any flags S/SA keep state
+pass inet from 224.4.5.0/26 to any flags S/SA keep state
+pass inet from 224.4.5.64/26 to any flags S/SA keep state
+pass inet from 224.4.5.128/26 to any flags S/SA keep state
+pass inet from 224.4.5.192/26 to any flags S/SA keep state
+pass inet from 224.4.5.4 to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0061.in b/sbin/pfctl/tests/files/pf0061.in
new file mode 100644
index 000000000000..7343a39ee64b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0061.in
@@ -0,0 +1,4 @@
+# dynaddr with netmask
+
+pass inet to (lo0)/24
+
diff --git a/sbin/pfctl/tests/files/pf0061.ok b/sbin/pfctl/tests/files/pf0061.ok
new file mode 100644
index 000000000000..f28451aa473d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0061.ok
@@ -0,0 +1 @@
+pass inet from any to (lo0)/24 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0065.in b/sbin/pfctl/tests/files/pf0065.in
new file mode 100644
index 000000000000..617ba5f51e0e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0065.in
@@ -0,0 +1,2 @@
+antispoof for lo0 label "antispoof-lo0"
+antispoof log quick for lo0 inet label "antispoof-lo0-2"
diff --git a/sbin/pfctl/tests/files/pf0065.ok b/sbin/pfctl/tests/files/pf0065.ok
new file mode 100644
index 000000000000..eaef6485bcd5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0065.ok
@@ -0,0 +1,3 @@
+block drop in on ! lo0 inet6 from ::1 to any label "antispoof-lo0"
+block drop in on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0"
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0-2"
diff --git a/sbin/pfctl/tests/files/pf0067.in b/sbin/pfctl/tests/files/pf0067.in
new file mode 100644
index 000000000000..4594420aff0c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0067.in
@@ -0,0 +1,3 @@
+pass in quick on tun1000000 keep state tag regress
+pass out quick on lo0 keep state tagged regress
+
diff --git a/sbin/pfctl/tests/files/pf0067.ok b/sbin/pfctl/tests/files/pf0067.ok
new file mode 100644
index 000000000000..4b09611f9a06
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0067.ok
@@ -0,0 +1,2 @@
+pass in quick on tun1000000 all flags S/SA keep state tag regress
+pass out quick on lo0 all flags S/SA keep state tagged regress
diff --git a/sbin/pfctl/tests/files/pf0069.in b/sbin/pfctl/tests/files/pf0069.in
new file mode 100644
index 000000000000..85847b9bd6b2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0069.in
@@ -0,0 +1,2 @@
+match out on lo0 inet all tag regress nat-to lo0
+pass out quick on lo0 keep state tagged regress
diff --git a/sbin/pfctl/tests/files/pf0069.ok b/sbin/pfctl/tests/files/pf0069.ok
new file mode 100644
index 000000000000..2bf34c04baa7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0069.ok
@@ -0,0 +1,2 @@
+match out on lo0 inet all tag regress nat-to 127.0.0.1
+pass out quick on lo0 all flags S/SA keep state tagged regress
diff --git a/sbin/pfctl/tests/files/pf0070.in b/sbin/pfctl/tests/files/pf0070.in
new file mode 100644
index 000000000000..1ccec9302436
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0070.in
@@ -0,0 +1,2 @@
+match out on lo0 from 10.0.0.0/8 to any nat-to lo0
+block out on lo0 tagged regress
diff --git a/sbin/pfctl/tests/files/pf0070.ok b/sbin/pfctl/tests/files/pf0070.ok
new file mode 100644
index 000000000000..cf79485b40c1
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0070.ok
@@ -0,0 +1,2 @@
+match out on lo0 inet from 10.0.0.0/8 to any nat-to 127.0.0.1
+block drop out on lo0 all tagged regress
diff --git a/sbin/pfctl/tests/files/pf0071.in b/sbin/pfctl/tests/files/pf0071.in
new file mode 100644
index 000000000000..8975a8ebc943
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0071.in
@@ -0,0 +1,2 @@
+match in on lo0 proto tcp from 10.0.0.0/8 to port 80 rdr-to lo0
+block out on lo0 tagged regress
diff --git a/sbin/pfctl/tests/files/pf0071.ok b/sbin/pfctl/tests/files/pf0071.ok
new file mode 100644
index 000000000000..2bae94fc8fac
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0071.ok
@@ -0,0 +1,2 @@
+match in on lo0 inet proto tcp from 10.0.0.0/8 to any port = http rdr-to 127.0.0.1
+block drop out on lo0 all tagged regress
diff --git a/sbin/pfctl/tests/files/pf0072.in b/sbin/pfctl/tests/files/pf0072.in
new file mode 100644
index 000000000000..d23843b799d5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0072.in
@@ -0,0 +1,3 @@
+# test binat tagging
+match on lo0 from 192.168.1.1 to any tag regress binat-to 10.0.0.1
+block out on lo0 tagged regress
diff --git a/sbin/pfctl/tests/files/pf0072.ok b/sbin/pfctl/tests/files/pf0072.ok
new file mode 100644
index 000000000000..02e676dadc06
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0072.ok
@@ -0,0 +1,3 @@
+match out on lo0 inet from 192.168.1.1 to any tag regress nat-to 10.0.0.1 static-port
+match in on lo0 inet from any to 10.0.0.1 tag regress rdr-to 192.168.1.1
+block drop out on lo0 all tagged regress
diff --git a/sbin/pfctl/tests/files/pf0074.in b/sbin/pfctl/tests/files/pf0074.in
new file mode 100644
index 000000000000..521bdd00c889
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0074.in
@@ -0,0 +1 @@
+pass in proto tcp synproxy state
diff --git a/sbin/pfctl/tests/files/pf0074.ok b/sbin/pfctl/tests/files/pf0074.ok
new file mode 100644
index 000000000000..1f5d99dfe106
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0074.ok
@@ -0,0 +1 @@
+pass in proto tcp all flags S/SA synproxy state
diff --git a/sbin/pfctl/tests/files/pf0075.in b/sbin/pfctl/tests/files/pf0075.in
new file mode 100644
index 000000000000..ee12db7b10cf
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0075.in
@@ -0,0 +1,3 @@
+block in on lo0 proto tcp from 192.168.0.0/24 to port 22 tag ssh
+block in quick on lo0 ! tagged ssh
+
\ No newline at end of file
diff --git a/sbin/pfctl/tests/files/pf0075.ok b/sbin/pfctl/tests/files/pf0075.ok
new file mode 100644
index 000000000000..460715b5dd2d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0075.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet proto tcp from 192.168.0.0/24 to any port = ssh tag ssh
+block drop in quick on lo0 all ! tagged ssh
diff --git a/sbin/pfctl/tests/files/pf0077.in b/sbin/pfctl/tests/files/pf0077.in
new file mode 100644
index 000000000000..b6e32e15a9e7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0077.in
@@ -0,0 +1,5 @@
+# dynaddr with netmask. I never want to see this again:
+# <henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
+# pass inet from (l)/8 to any
+
+pass inet from (lo0)/8
diff --git a/sbin/pfctl/tests/files/pf0077.ok b/sbin/pfctl/tests/files/pf0077.ok
new file mode 100644
index 000000000000..233d434b782b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0077.ok
@@ -0,0 +1 @@
+pass inet from (lo0)/8 to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0078.in b/sbin/pfctl/tests/files/pf0078.in
new file mode 100644
index 000000000000..0b2368c72c0e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0078.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to <regress> label "$srcaddr:$dstaddr"
+
diff --git a/sbin/pfctl/tests/files/pf0078.ok b/sbin/pfctl/tests/files/pf0078.ok
new file mode 100644
index 000000000000..fed726e4f671
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0078.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to <regress> flags S/SA keep state label "10.0.0.1:<regress>"
diff --git a/sbin/pfctl/tests/files/pf0079.in b/sbin/pfctl/tests/files/pf0079.in
new file mode 100644
index 000000000000..402266be8a72
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0079.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to no-route label "$srcaddr:$dstaddr"
+
diff --git a/sbin/pfctl/tests/files/pf0079.ok b/sbin/pfctl/tests/files/pf0079.ok
new file mode 100644
index 000000000000..a21475d63ec8
--- /dev/null
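Review bot: pf0075.in ends with a third added line that carries no visible rule text and no terminating newline (the `\ No newline at end of file` marker follows it), so the fixture's last line appears to be whitespace only. pf0075.ok expects exactly two rules, so that line adds nothing to what the comparison checks. If the unterminated last line is not there on purpose, drop it and end the file with a newline after `block in quick on lo0 ! tagged ssh`. If it is deliberate, a leading comment such as `# last line is intentionally unterminated whitespace` would keep a later editor from normalising it away.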
+++ b/sbin/pfctl/tests/files/pf0079.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to no-route flags S/SA keep state label "10.0.0.1:no-route"
diff --git a/sbin/pfctl/tests/files/pf0081.in b/sbin/pfctl/tests/files/pf0081.in
new file mode 100644
index 000000000000..ac25c49dc65d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0081.in
@@ -0,0 +1,12 @@
+# skip step optimization involving dynaddr, tables, no-route
+# optimisation should be done on theses rules
+
+ip_list="{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list="{ <bar1> <bar2> <bar3> }"
+pass from (lo0) to $ip_list
+pass from <foo> to $table_list
+pass from <foo> to $ip_list
+pass from <foo> to $table_list
+pass from no-route to $table_list
+pass from no-route to $ip_list
+pass from no-route to $table_list
diff --git a/sbin/pfctl/tests/files/pf0081.ok b/sbin/pfctl/tests/files/pf0081.ok
new file mode 100644
index 000000000000..2b58a18744d9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0081.ok
@@ -0,0 +1,32 @@
+ip_list = "{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list = "{ <bar1> <bar2> <bar3> }"
+pass inet6 from (lo0) to ::1 flags S/SA keep state
+pass inet6 from (lo0) to ::2 flags S/SA keep state
+pass inet6 from (lo0) to ::3 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.1 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.2 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.3 flags S/SA keep state
+pass from <foo> to <bar1> flags S/SA keep state
+pass from <foo> to <bar2> flags S/SA keep state
+pass from <foo> to <bar3> flags S/SA keep state
+pass inet6 from <foo> to ::1 flags S/SA keep state
+pass inet6 from <foo> to ::2 flags S/SA keep state
+pass inet6 from <foo> to ::3 flags S/SA keep state
+pass inet from <foo> to 0.0.0.1 flags S/SA keep state
+pass inet from <foo> to 0.0.0.2 flags S/SA keep state
+pass inet from <foo> to 0.0.0.3 flags S/SA keep state
+pass from <foo> to <bar1> flags S/SA keep state
+pass from <foo> to <bar2> flags S/SA keep state
+pass from <foo> to <bar3> flags S/SA keep state
+pass from no-route to <bar1> flags S/SA keep state
+pass from no-route to <bar2> flags S/SA keep state
+pass from no-route to <bar3> flags S/SA keep state
+pass inet6 from no-route to ::1 flags S/SA keep state
+pass inet6 from no-route to ::2 flags S/SA keep state
+pass inet6 from no-route to ::3 flags S/SA keep state
+pass inet from no-route to 0.0.0.1 flags S/SA keep state
+pass inet from no-route to 0.0.0.2 flags S/SA keep state
+pass inet from no-route to 0.0.0.3 flags S/SA keep state
+pass from no-route to <bar1> flags S/SA keep state
+pass from no-route to <bar2> flags S/SA keep state
+pass from no-route to <bar3> flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0082.in b/sbin/pfctl/tests/files/pf0082.in
new file mode 100644
index 000000000000..7f1751deb365
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0082.in
@@ -0,0 +1,15 @@
+# skip step optimization involving dynaddr, tables, no-route
+
+pass inet from (lo0)
+pass inet from !(lo0)
+pass inet from (lo0)
+pass inet6 from (lo0)
+pass from <foo>
+pass from !<foo>
+pass from <foo>
+pass inet from <bar>
+pass from <bar>
+pass inet6 from <foo>
+pass from <foo>
+pass inet from no-route
+pass from no-route
diff --git a/sbin/pfctl/tests/files/pf0082.ok b/sbin/pfctl/tests/files/pf0082.ok
new file mode 100644
index 000000000000..4a2071521a35
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0082.ok
@@ -0,0 +1,13 @@
+pass inet from (lo0) to any flags S/SA keep state
+pass inet from ! (lo0) to any flags S/SA keep state
+pass inet from (lo0) to any flags S/SA keep state
+pass inet6 from (lo0) to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass from ! <foo> to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass inet from <bar> to any flags S/SA keep state
+pass from <bar> to any flags S/SA keep state
+pass inet6 from <foo> to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass inet from no-route to any flags S/SA keep state
+pass from no-route to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0084.in b/sbin/pfctl/tests/files/pf0084.in
new file mode 100644
index 000000000000..17140a786d73
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0084.in
@@ -0,0 +1,17 @@
+match out on tun1000000 from 10.0.0.0/24 to any \
+ nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
+match in on tun1000000 from any to 10.0.1.1 \
+ rdr-to { 10.0.0.0/24 } sticky-address random
+match in on tun1000000 from any to 10.0.1.2 \
+ rdr-to { 10.0.0.1, 10.0.0.2 } sticky-address
+
+pass in proto tcp from any to any port 22 \
+ keep state (source-track)
+pass in proto tcp from any to any port 25 \
+ keep state (source-track global)
+pass in proto tcp from any to any port 80 \
+ keep state (source-track rule, max-src-nodes 1000, max-src-states 3)
+pass in proto tcp from any to any port 123 \
+ keep state (source-track, max-src-nodes 1000)
+pass in proto tcp from any to any port 321 \
+ keep state (source-track, max-src-states 3)
diff --git a/sbin/pfctl/tests/files/pf0084.ok b/sbin/pfctl/tests/files/pf0084.ok
new file mode 100644
index 000000000000..1ca89e515a3d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0084.ok
@@ -0,0 +1,8 @@
+match out on tun1000000 inet from 10.0.0.0/24 to any nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
+match in on tun1000000 inet from any to 10.0.1.1 rdr-to 10.0.0.0/24 random sticky-address
+match in on tun1000000 inet from any to 10.0.1.2 rdr-to { 10.0.0.1, 10.0.0.2 } round-robin sticky-address
+pass in proto tcp from any to any port = ssh flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = smtp flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = http flags S/SA keep state (source-track rule, max-src-states 3, max-src-nodes 1000)
+pass in proto tcp from any to any port = ntp flags S/SA keep state (source-track rule, max-src-nodes 1000)
+pass in proto tcp from any to any port = pip flags S/SA keep state (source-track global, max-src-states 3)
diff --git a/sbin/pfctl/tests/files/pf0085.in b/sbin/pfctl/tests/files/pf0085.in
new file mode 100644
index 000000000000..43dd0e077658
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0085.in
@@ -0,0 +1,3 @@
+# test tag macro expansion
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tag "$srcaddr"
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tagged "$srcaddr"
diff --git a/sbin/pfctl/tests/files/pf0085.ok b/sbin/pfctl/tests/files/pf0085.ok
new file mode 100644
index 000000000000..07e71ed5f70d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0085.ok
@@ -0,0 +1,6 @@
+pass inet from 127.0.0.1 to any flags S/SA keep state tag 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tag 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tag 127.0.0.3
+pass inet from 127.0.0.1 to any flags S/SA keep state tagged 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tagged 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tagged 127.0.0.3
diff --git a/sbin/pfctl/tests/files/pf0087.in b/sbin/pfctl/tests/files/pf0087.in
new file mode 100644
index 000000000000..cd19262b83e4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0087.in
@@ -0,0 +1,24 @@
+# pfctl -o rule reordering
+
+pass in on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 port 22 to 10.0.0.2 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.4 port 53 keep state
+pass in on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.1 port 80 keep state
+pass out on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.3 port 80 keep state
+pass out proto tcp to 10.0.0.1 port 81 keep state
+pass in proto udp to 10.0.0.3 port 53 keep state
+pass in on lo1000001 proto udp from 10.0.0.2 port 53 to 10.0.0.2 keep state
+pass out proto udp to 10.0.0.1 port 53 keep state
+pass out on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass out proto udp to 10.0.0.3 port 53 keep state
+pass out on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+pass out on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass out proto tcp to 10.0.0.1 port 80 keep state
+pass in proto udp to 10.0.0.1 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.6 port 22 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.2 keep state
diff --git a/sbin/pfctl/tests/files/pf0087.ok b/sbin/pfctl/tests/files/pf0087.ok
new file mode 100644
index 000000000000..7aa69adefae0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0087.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.3 port = http flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = 81 flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 flags S/SA keep state
+pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
diff --git a/sbin/pfctl/tests/files/pf0088.in b/sbin/pfctl/tests/files/pf0088.in
new file mode 100644
index 000000000000..a85aa84a30bb
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0088.in
@@ -0,0 +1,32 @@
+# pfctl -o duplicate rules
+
+pass in on lo1000000 from any to 10.0.0.1
+pass in on lo1000000 inet from any to 10.0.0.1
+
+pass
+pass out
+pass out
+pass out quick
+
+pass on lo1000001 to 10.0.0.1
+pass on lo1000000 from any to 10.0.0.1
+
+pass to 10.0.0.2 modulate state
+pass to 10.0.0.2 keep state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 modulate state
+block from 10.0.0.3 to 10.0.0.2
+pass in to 10.0.0.2 synproxy state
+
+
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 port 80 keep state
+
+pass out
+pass in
+
+pass in on lo1000001 from any to any
+pass in on lo1000001 from any to any keep state
+pass in on lo1000001 from any to any
+
+block
diff --git a/sbin/pfctl/tests/files/pf0088.ok b/sbin/pfctl/tests/files/pf0088.ok
new file mode 100644
index 000000000000..801056a4ab46
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0088.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out quick all flags S/SA keep state
+pass on lo1000001 inet from any to 10.0.0.1 flags S/SA keep state
+pass on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+pass inet from any to 10.0.0.2 flags S/SA keep state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass in inet from any to 10.0.0.2 flags S/SA synproxy state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 flags S/SA keep state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 port = http flags S/SA keep state
+pass out all flags S/SA keep state
+pass in all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+block drop all
diff --git a/sbin/pfctl/tests/files/pf0089.in b/sbin/pfctl/tests/files/pf0089.in
new file mode 100644
index 000000000000..1beda48b43b2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0089.in
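Review bot: pf0088.ok keeps every duplicate from pf0088.in even though the input is headed `# pfctl -o duplicate rules`: `pass out all flags S/SA keep state` appears on two consecutive lines, `pass in on lo1000001 all flags S/SA keep state` three times, and all 22 input rules are present. pf0087.ok likewise preserves the input order of a file headed `# pfctl -o rule reordering`. As recorded, both fixtures pin the unoptimized listing, so a regression in the ruleset optimizer would presumably go unnoticed by them; how the harness invokes pfctl is not visible here. Either record the expected output from an optimizer run, or reword the header comments so they do not promise optimizer coverage, for example `# duplicate rules, loaded without -o`.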
@@ -0,0 +1,25 @@
+# TCP connection tracking
+
+table <bad> persist
+
+block all
+block quick from <bad>
+
+pass out proto tcp flags S/SA keep state
+pass out proto { icmp, udp } keep state
+
+pass in on lo1000001 proto tcp to 10.0.0.1 port 22 flags S/SA \
+ keep state (max-src-conn 10, max-src-conn-rate 3/99)
+
+pass in on lo1000001 proto tcp to 10.0.0.2 port 22 flags S/SA keep state \
+ (max-src-conn 10)
+
+pass in on lo1000001 proto tcp to 10.0.0.3 port 22 flags S/SA keep state \
+ (max-src-conn-rate 3/99)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 80 flags S/SA modulate state \
+ (max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 8080 flags S/SA synproxy state \
+ (max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> \
+ flush global)
diff --git a/sbin/pfctl/tests/files/pf0089.ok b/sbin/pfctl/tests/files/pf0089.ok
new file mode 100644
index 000000000000..c2403e775da1
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0089.ok
@@ -0,0 +1,11 @@
+table <bad> persist
+block drop all
+block drop quick from <bad> to any
+pass out proto tcp all flags S/SA keep state
+pass out proto icmp all keep state
+pass out proto udp all keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http-alt flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
diff --git a/sbin/pfctl/tests/files/pf0090.in b/sbin/pfctl/tests/files/pf0090.in
new file mode 100644
index 000000000000..593ddc6a32ee
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0090.in
@@ -0,0 +1,5 @@
+pass log (user)
+pass log (all)
+pass log (to pflog7)
+block log (all, user, to pflog1)
+block log (to pflog1, user)
diff --git a/sbin/pfctl/tests/files/pf0090.ok b/sbin/pfctl/tests/files/pf0090.ok
new file mode 100644
index 000000000000..4255dc356c43
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0090.ok
@@ -0,0 +1,5 @@
+pass log (user) all flags S/SA keep state
+pass log (all) all flags S/SA keep state
+pass log (to pflog7) all flags S/SA keep state
+block drop log (all, user, to pflog1) all
+block drop log (user, to pflog1) all
diff --git a/sbin/pfctl/tests/files/pf0091.in b/sbin/pfctl/tests/files/pf0091.in
new file mode 100644
index 000000000000..b4fc631423e7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0091.in
@@ -0,0 +1,11 @@
+# basic anchor test
+anchor on tun1000000 {
+ anchor foo out {
+ pass proto tcp to port 1234
+ anchor proto tcp to port 2413 user root label "foo" {
+ block
+ pass from 127.0.0.1
+ }
+ }
+ pass in proto tcp to port 1234
+}
diff --git a/sbin/pfctl/tests/files/pf0091.ok b/sbin/pfctl/tests/files/pf0091.ok
new file mode 100644
index 000000000000..9f69e272d7fd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0091.ok
@@ -0,0 +1,10 @@
+anchor on tun1000000 all {
+ anchor "foo" out all {
+ pass proto tcp from any to any port = 1234 flags S/SA keep state
+ anchor proto tcp from any to any port = 2413 user = 0 label "foo" {
+ block drop all
+ pass inet from 127.0.0.1 to any flags S/SA keep state
+ }
+ }
+ pass in proto tcp from any to any port = 1234 flags S/SA keep state
+}
diff --git a/sbin/pfctl/tests/files/pf0092.in b/sbin/pfctl/tests/files/pf0092.in
new file mode 100644
index 000000000000..3af6ea6e38d3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0092.in
@@ -0,0 +1,30 @@
+anchor { # testing comments
+ anchor in {
+ # comment before rule
+ pass quick
+ }
+ # silly nesting
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ pass
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000
+ anchor foo on tun1000000 {
+
+ pass
+ }
+} # comment after closing brace
+
diff --git a/sbin/pfctl/tests/files/pf0092.ok b/sbin/pfctl/tests/files/pf0092.ok
new file mode 100644
index 000000000000..43720c1afa2a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0092.ok
@@ -0,0 +1,26 @@
+anchor all {
+ anchor in all {
+ pass quick all flags S/SA keep state
+ }
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ pass all flags S/SA keep state
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000 all flags S/SA keep state
+ anchor "foo" on tun1000000 all {
+ pass all flags S/SA keep state
+ }
+}
diff --git a/sbin/pfctl/tests/files/pf0094.in b/sbin/pfctl/tests/files/pf0094.in
new file mode 100644
index 000000000000..b0e3d0feebf8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0094.in
@@ -0,0 +1,4 @@
+pass from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5
+pass from 0.0.0.0 - 255.255.255.255
+pass from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4
+pass from ::0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
diff --git a/sbin/pfctl/tests/files/pf0094.ok b/sbin/pfctl/tests/files/pf0094.ok
new file mode 100644
index 000000000000..5a792644defd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0094.ok
@@ -0,0 +1,4 @@
+pass inet from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5 flags S/SA keep state
+pass inet from 0.0.0.0 - 255.255.255.255 to any flags S/SA keep state
+pass inet6 from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4 flags S/SA keep state
+pass inet6 from :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0095.in b/sbin/pfctl/tests/files/pf0095.in
new file mode 100644
index 000000000000..c43914bc0017
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0095.in
@@ -0,0 +1,4 @@
+
+include "./pf0095.include"
+
+block out proto tcp
diff --git a/sbin/pfctl/tests/files/pf0095.include b/sbin/pfctl/tests/files/pf0095.include
new file mode 100644
index 000000000000..f852a7169cfe
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0095.include
@@ -0,0 +1,2 @@
+
+block in proto udp
diff --git a/sbin/pfctl/tests/files/pf0095.ok b/sbin/pfctl/tests/files/pf0095.ok
new file mode 100644
index 000000000000..004e1787865d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0095.ok
@@ -0,0 +1,2 @@
+block drop in proto udp all
+block drop out proto tcp all
diff --git a/sbin/pfctl/tests/files/pf0096.in b/sbin/pfctl/tests/files/pf0096.in
new file mode 100644
index 000000000000..4d1aed38e5bc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0096.in
@@ -0,0 +1,5 @@
+# varset allows concatenated strings as numbers
+myports = 5555 6666
+# and also can be used within another macro
+moreports = $myports 7777
+pass in proto tcp from any to any port { $moreports }
diff --git a/sbin/pfctl/tests/files/pf0096.ok b/sbin/pfctl/tests/files/pf0096.ok
new file mode 100644
index 000000000000..df7af0a3a157
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0096.ok
@@ -0,0 +1,5 @@
+myports = "5555 6666"
+moreports = "5555 6666 7777"
+pass in proto tcp from any to any port = personal-agent flags S/SA keep state
+pass in proto tcp from any to any port = 6666 flags S/SA keep state
+pass in proto tcp from any to any port = 7777 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0097.in b/sbin/pfctl/tests/files/pf0097.in
new file mode 100644
index 000000000000..b3fd4939b0a6
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0097.in
@@ -0,0 +1,4 @@
+pass in on em0 inet proto tcp from any to any port 220:230 divert-to 127.0.0.1 port 22
+#pass out on em0 inet proto tcp from any to any port 220:230 divert-reply
+pass on em0 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 8080
+pass in on em0 inet proto 103 divert-to 127.0.0.1 port 103 # FIXME
diff --git a/sbin/pfctl/tests/files/pf0097.ok b/sbin/pfctl/tests/files/pf0097.ok
new file mode 100644
index 000000000000..0a78066a9c25
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0097.ok
@@ -0,0 +1,3 @@
+pass in on em0 inet proto tcp from any to any port 220:230 flags S/SA keep state divert-to 22
+pass on em0 inet proto tcp from any to any port = http flags S/SA keep state divert-to 8080
+pass in on em0 inet proto pim all keep state divert-to 103
diff --git a/sbin/pfctl/tests/files/pf0098.in b/sbin/pfctl/tests/files/pf0098.in
new file mode 100644
index 000000000000..c26f0fcfe4d3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0098.in
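Review bot: pf0096.ok expects `port = personal-agent` for port 5555, so the comparison presumably depends on the services database of the machine running the test and not on pfctl alone. The same kind of host dependency shows in `proto pim` for protocol 103 in pf0097.ok, in `nat-to { ::1, fe80::1 }` for lo0 in pf0098.ok, and in the `localhost` lookups of pf0104.in and pf1005.in; only pf0104.in states its assumption. I would add a comment to each input naming what it relies on, e.g. `# expects 5555/tcp to be named personal-agent in the services database`, so a failure on a host with different data is read as an environment mismatch and not as a parser regression.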
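Review bot: The expected lines in pf0097.ok end in `divert-to 22`, `divert-to 8080` and `divert-to 103`, so the `127.0.0.1` given in pf0097.in is never compared. pf0104.ok has the same shape: all seven rules print `divert-to 8025` whether the input named `localhost`, `127.0.0.1` or `::1`, which means these cases cannot catch a wrong divert address. The trailing `# FIXME` on the `proto 103` rule also does not say what is to be fixed. I would expand it to `# FIXME: <what is wrong with this rule>` and add a line such as `# only the divert-to port is printed, the address is not verified` to both inputs.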
@@ -0,0 +1,3 @@
+# Test rule order processing should pass (require-order no longer required)
+pass in on lo1000000 all
+match out on lo0 inet6 all nat-to lo0
diff --git a/sbin/pfctl/tests/files/pf0098.ok b/sbin/pfctl/tests/files/pf0098.ok
new file mode 100644
index 000000000000..105bb46b4ae5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0098.ok
@@ -0,0 +1,2 @@
+pass in on lo1000000 all flags S/SA keep state
+match out on lo0 inet6 all nat-to { ::1, fe80::1 } round-robin
diff --git a/sbin/pfctl/tests/files/pf0100.in b/sbin/pfctl/tests/files/pf0100.in
new file mode 100644
index 000000000000..287e1c9e4d7c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0100.in
@@ -0,0 +1,20 @@
+pass
+anchor "a/b"
+anchor "1/2/3" # test anchors with multiple path components
+anchor "relative" {
+ pass in on lo0 label TEST1
+}
+anchor "camield/*" # empty wildcard anchor
+
+anchor "relayd/*"
+
+anchor "foo" in on lo0 {
+ anchor "bar" in { # nested named inlined anchor
+ anchor "/1/2/3" # absolute multicomponent path
+ anchor "/relative" # absolute path
+ pass in on lo0 label FOO
+ }
+ anchor in { # nested unnamed inlined anchor
+ pass in on lo0 label BAR
+ }
+}
diff --git a/sbin/pfctl/tests/files/pf0100.ok b/sbin/pfctl/tests/files/pf0100.ok
new file mode 100644
index 000000000000..9f4427379bc7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0100.ok
@@ -0,0 +1,18 @@
+pass all flags S/SA keep state
+anchor "a/b" all
+anchor "1/2/3" all
+anchor "relative" all {
+ pass in on lo0 all flags S/SA keep state label "TEST1"
+}
+anchor "camield/*" all
+anchor "relayd/*" all
+anchor "foo" in on lo0 all {
+ anchor "bar" in all {
+ anchor "/1/2/3" all
+ anchor "/relative" all
+ pass in on lo0 all flags S/SA keep state label "FOO"
+ }
+ anchor in all {
+ pass in on lo0 all flags S/SA keep state label "BAR"
+ }
+}
diff --git a/sbin/pfctl/tests/files/pf0101.in b/sbin/pfctl/tests/files/pf0101.in
new file mode 100644
index 000000000000..8bf9dc6cb8da
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0101.in
@@ -0,0 +1,8 @@
+# test prio
+
+pass set prio 3
+
+pass out on lo1000000 proto tcp from any to any port 22 set prio (5 2)
+
+pass proto udp from any to { 127.0.0.1 127.0.0.2 } port 53 set prio 4
+
diff --git a/sbin/pfctl/tests/files/pf0101.ok b/sbin/pfctl/tests/files/pf0101.ok
new file mode 100644
index 000000000000..a46f2699711a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0101.ok
@@ -0,0 +1,4 @@
+pass all flags S/SA set ( prio 3 ) keep state
+pass out on lo1000000 proto tcp from any to any port = ssh flags S/SA set ( prio(5, 2) ) keep state
+pass inet proto udp from any to 127.0.0.1 port = domain set ( prio 4 ) keep state
+pass inet proto udp from any to 127.0.0.2 port = domain set ( prio 4 ) keep state
diff --git a/sbin/pfctl/tests/files/pf0102.in b/sbin/pfctl/tests/files/pf0102.in
new file mode 100644
index 000000000000..d0c3a1110482
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0102.in
@@ -0,0 +1,9 @@
+# test rule expansion with mixed af
+
+pass from {1.1.1.1 2002::} to (self)
+
+pass from {2002:: 1.1.1.1} to (self)
+
+pass from {1.1.1.1 2002::} to (self)/40
+
+pass from {2002:: 1.1.1.1} to (self)/40
diff --git a/sbin/pfctl/tests/files/pf0102.ok b/sbin/pfctl/tests/files/pf0102.ok
new file mode 100644
index 000000000000..1c76ec2725ba
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0102.ok
@@ -0,0 +1,8 @@
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self)/40 flags S/SA keep state
+pass inet6 from 2002:: to (self)/40 flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf0104.in b/sbin/pfctl/tests/files/pf0104.in
new file mode 100644
index 000000000000..91bd43e3a4bb
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0104.in
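Review bot: pf0102.ok expects the inet expansions of `to (self)/40` to print as plain `to (self)`, while the inet6 expansions keep `/40`. pf0102.in does not say whether the prefix length is meant to be clamped or dropped for IPv4, so the fixture pins that output without stating it is intended. I would add a comment above the last two rules, e.g. `# /40 is longer than an IPv4 address; the inet rule is expected to print without a mask`, and consider a further case with a length valid for both families, such as `(self)/24`, so the printed mask is compared for inet as well.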
@@ -0,0 +1,10 @@
+# This test assumes that localhost points to 127.0.0.1 first
+pass in proto tcp to port 25 divert-to localhost port 8025
+# Test IPv4 addresses
+pass in proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to localhost port 8025
+# Test IPv6 addresses
+pass in proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to localhost port 8025
diff --git a/sbin/pfctl/tests/files/pf0104.ok b/sbin/pfctl/tests/files/pf0104.ok
new file mode 100644
index 000000000000..a4260f9ac98e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf0104.ok
@@ -0,0 +1,7 @@
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
diff --git a/sbin/pfctl/tests/files/pf1001.in b/sbin/pfctl/tests/files/pf1001.in
new file mode 100644
index 000000000000..9007d63aeebd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1001.in
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
diff --git a/sbin/pfctl/tests/files/pf1001.ok b/sbin/pfctl/tests/files/pf1001.ok
new file mode 100644
index 000000000000..9007d63aeebd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1001.ok
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
diff --git a/sbin/pfctl/tests/files/pf1002.in b/sbin/pfctl/tests/files/pf1002.in
new file mode 100644
index 000000000000..3fdde81be7de
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1002.in
@@ -0,0 +1,6 @@
+set timeout interval 10
+set timeout sctp.first 11
+set timeout sctp.opening 12
+set timeout sctp.established 13
+set timeout sctp.closing 14
+set timeout sctp.closed 15
diff --git a/sbin/pfctl/tests/files/pf1002.ok b/sbin/pfctl/tests/files/pf1002.ok
new file mode 100644
index 000000000000..3fdde81be7de
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1002.ok
@@ -0,0 +1,6 @@
+set timeout interval 10
+set timeout sctp.first 11
+set timeout sctp.opening 12
+set timeout sctp.established 13
+set timeout sctp.closing 14
+set timeout sctp.closed 15
diff --git a/sbin/pfctl/tests/files/pf1003.in b/sbin/pfctl/tests/files/pf1003.in
new file mode 100644
index 000000000000..298b3df81b52
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1003.in
@@ -0,0 +1,3 @@
+altq on em0 cbq(default) bandwidth 100Kb queue qmain
+queue qmain priority 4
+pass on em0 queue qmain
diff --git a/sbin/pfctl/tests/files/pf1003.ok b/sbin/pfctl/tests/files/pf1003.ok
new file mode 100644
index 000000000000..afc9817e3b35
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1003.ok
@@ -0,0 +1,3 @@
+altq on em0 cbq( default ) bandwidth 100Kb tbrsize 1500 queue { qmain }
+queue qmain priority 4
+pass on em0 all flags S/SA keep state queue qmain
diff --git a/sbin/pfctl/tests/files/pf1004.in b/sbin/pfctl/tests/files/pf1004.in
new file mode 100644
index 000000000000..e8f26bef9e1a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1004.in
@@ -0,0 +1,6 @@
+altq on em0 cbq(default codel) bandwidth 20Mb queue qmain
+queue qmain { q1 q2 }
+queue q1 priority 1 bandwidth 60%
+queue q2 priority 2 bandwidth 40%
+pass on em0 queue q1
+block on em0 queue q2
diff --git a/sbin/pfctl/tests/files/pf1004.ok b/sbin/pfctl/tests/files/pf1004.ok
new file mode 100644
index 000000000000..b2e033c6e87d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1004.ok
@@ -0,0 +1,6 @@
+altq on em0 cbq( codel default ) bandwidth 20Mb tbrsize 12000 queue { qmain }
+queue qmain { q1 q2 }
+queue q1 bandwidth 60%
+queue q2 bandwidth 40% priority 2
+pass on em0 all flags S/SA keep state queue q1
+block drop on em0 all queue q2
diff --git a/sbin/pfctl/tests/files/pf1005.in b/sbin/pfctl/tests/files/pf1005.in
new file mode 100644
index 000000000000..72e5c8f2a87d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1005.in
@@ -0,0 +1,3 @@
+rdr on em0 proto tcp from any to any -> 1.1.1.1 port 2121
+pass out log quick on lo0 route-to (lo0 localhost) inet from any to any
+pass in log quick on lo0 route-to (lo0 localhost) inet6 from any to any
diff --git a/sbin/pfctl/tests/files/pf1005.ok b/sbin/pfctl/tests/files/pf1005.ok
new file mode 100644
index 000000000000..a1678f61d4ad
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1005.ok
@@ -0,0 +1,3 @@
+rdr on em0 inet proto tcp all -> 1.1.1.1 port 2121
+pass out log quick on lo0 route-to (lo0 127.0.0.1) inet all flags S/SA keep state
+pass in log quick on lo0 route-to (lo0 ::1) inet6 all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1006.in b/sbin/pfctl/tests/files/pf1006.in
new file mode 100644
index 000000000000..b50c16994cfc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1006.in
@@ -0,0 +1,2 @@
+altq on igb0 fairq bandwidth 1Gb queue { qLink }
+queue qLink fairq(default)
diff --git a/sbin/pfctl/tests/files/pf1006.ok b/sbin/pfctl/tests/files/pf1006.ok
new file mode 100644
index 000000000000..be44b765c2e9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1006.ok
@@ -0,0 +1,2 @@
+altq on igb0 fairq bandwidth 1Gb tbrsize 36000 queue { qLink }
+queue qLink fairq( default )
diff --git a/sbin/pfctl/tests/files/pf1007.in b/sbin/pfctl/tests/files/pf1007.in
new file mode 100644
index 000000000000..e08b38d7241a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1007.in
@@ -0,0 +1 @@
+ether block out on igb0 to ! 00:01:02:03:04:05
diff --git a/sbin/pfctl/tests/files/pf1007.ok b/sbin/pfctl/tests/files/pf1007.ok
new file mode 100644
index 000000000000..742b5308ec90
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1007.ok
@@ -0,0 +1 @@
+ether block out on igb0 to ! 00:01:02:03:04:05 l3 all
diff --git a/sbin/pfctl/tests/files/pf1008.in b/sbin/pfctl/tests/files/pf1008.in
new file mode 100644
index 000000000000..a9bd472a5070
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1008.in
@@ -0,0 +1 @@
+ether block out on igb0 to 00:01:02:03:04:05/24
diff --git a/sbin/pfctl/tests/files/pf1008.ok b/sbin/pfctl/tests/files/pf1008.ok
new file mode 100644
index 000000000000..646ef77c78dd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1008.ok
@@ -0,0 +1 @@
+ether block out on igb0 to 00:01:02:03:04:05/24 l3 all
diff --git a/sbin/pfctl/tests/files/pf1009.in b/sbin/pfctl/tests/files/pf1009.in
new file mode 100644
index 000000000000..833c9099837c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1009.in
@@ -0,0 +1 @@
+ether block out on igb0 to 00:01:02:03:04:05&ff:ff:ff:00:00:ff
diff --git a/sbin/pfctl/tests/files/pf1009.ok b/sbin/pfctl/tests/files/pf1009.ok
new file mode 100644
index 000000000000..3023f1337dd3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1009.ok
@@ -0,0 +1 @@
+ether block out on igb0 to 00:01:02:03:04:05&ff:ff:ff:00:00:ff l3 all
diff --git a/sbin/pfctl/tests/files/pf1010.in b/sbin/pfctl/tests/files/pf1010.in
new file mode 100644
index 000000000000..2baf4dc360af
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1010.in
@@ -0,0 +1,2 @@
+pass inet proto icmp icmp-type {unreach}
+pass in route-to (if0 127.0.0.1/8) sticky-address inet
diff --git a/sbin/pfctl/tests/files/pf1010.ok b/sbin/pfctl/tests/files/pf1010.ok
new file mode 100644
index 000000000000..b960dbfc50b8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1010.ok
@@ -0,0 +1,2 @@
+pass inet proto icmp all icmp-type unreach keep state
+pass in route-to (if0 127.0.0.0/8) sticky-address inet all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1011.in b/sbin/pfctl/tests/files/pf1011.in
new file mode 100644
index 000000000000..84f0e7204e40
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1011.in
@@ -0,0 +1 @@
+scrub fragment no reassemble
diff --git a/sbin/pfctl/tests/files/pf1011.ok b/sbin/pfctl/tests/files/pf1011.ok
new file mode 100644
index 000000000000..48572b371d8d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1011.ok
@@ -0,0 +1 @@
+scrub all fragment no reassemble
diff --git a/sbin/pfctl/tests/files/pf1012.in b/sbin/pfctl/tests/files/pf1012.in
new file mode 100644
index 000000000000..9083d1bf5396
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1012.in
@@ -0,0 +1 @@
+scrub
diff --git a/sbin/pfctl/tests/files/pf1012.ok b/sbin/pfctl/tests/files/pf1012.ok
new file mode 100644
index 000000000000..b7f1f454fb6a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1012.ok
@@ -0,0 +1 @@
+scrub all fragment reassemble
diff --git a/sbin/pfctl/tests/files/pf1013.in b/sbin/pfctl/tests/files/pf1013.in
new file mode 100644
index 000000000000..053804e1a35a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1013.in
@@ -0,0 +1 @@
+ether block out on igb0 ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1013.ok b/sbin/pfctl/tests/files/pf1013.ok
new file mode 100644
index 000000000000..7395f3fd6311
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1013.ok
@@ -0,0 +1 @@
+ether block out on igb0 l3 all ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1014.in b/sbin/pfctl/tests/files/pf1014.in
new file mode 100644
index 000000000000..8739034f1bda
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1014.in
@@ -0,0 +1 @@
+ether block out on igb0 label "test"
diff --git a/sbin/pfctl/tests/files/pf1014.ok b/sbin/pfctl/tests/files/pf1014.ok
new file mode 100644
index 000000000000..d0086cb25e54
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1014.ok
@@ -0,0 +1 @@
+ether block out on igb0 l3 all label "test"
diff --git a/sbin/pfctl/tests/files/pf1015.in b/sbin/pfctl/tests/files/pf1015.in
new file mode 100644
index 000000000000..11c7a211ae8a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1015.in
@@ -0,0 +1 @@
+ether block out on igb0 label "test" label "another label"
diff --git a/sbin/pfctl/tests/files/pf1015.ok b/sbin/pfctl/tests/files/pf1015.ok
new file mode 100644
index 000000000000..d3ea76f1875b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1015.ok
@@ -0,0 +1 @@
+ether block out on igb0 l3 all label "test" label "another label"
diff --git a/sbin/pfctl/tests/files/pf1016.in b/sbin/pfctl/tests/files/pf1016.in
new file mode 100644
index 000000000000..a7b1f6bc0ca9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1016.in
@@ -0,0 +1 @@
+ether block out on igb0 label "test" ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1016.ok b/sbin/pfctl/tests/files/pf1016.ok
new file mode 100644
index 000000000000..f1d59c988730
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1016.ok
@@ -0,0 +1 @@
+ether block out on igb0 l3 all label "test" ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1017.in b/sbin/pfctl/tests/files/pf1017.in
new file mode 100644
index 000000000000..ad523337bdc5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1017.in
@@ -0,0 +1 @@
+ether block out on igb0 label "test" label "another test" ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1017.ok b/sbin/pfctl/tests/files/pf1017.ok
new file mode 100644
index 000000000000..0efdd55e27a0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1017.ok
@@ -0,0 +1 @@
+ether block out on igb0 l3 all label "test" label "another test" ridentifier 12345678
diff --git a/sbin/pfctl/tests/files/pf1018.in b/sbin/pfctl/tests/files/pf1018.in
new file mode 100644
index 000000000000..90f0a3a0bab7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1018.in
@@ -0,0 +1 @@
+pass from { 192.0.2.1 2001:db8::1 } to (pppoe0)
diff --git a/sbin/pfctl/tests/files/pf1018.ok b/sbin/pfctl/tests/files/pf1018.ok
new file mode 100644
index 000000000000..04950f0035b8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1018.ok
@@ -0,0 +1,2 @@
+pass inet from 192.0.2.1 to (pppoe0) flags S/SA keep state
+pass inet6 from 2001:db8::1 to (pppoe0) flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1019.in b/sbin/pfctl/tests/files/pf1019.in
new file mode 100644
index 000000000000..04a770768714
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1019.in
@@ -0,0 +1 @@
+pass in keep state (pflow)
diff --git a/sbin/pfctl/tests/files/pf1019.ok b/sbin/pfctl/tests/files/pf1019.ok
new file mode 100644
index 000000000000..e865d57da16c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1019.ok
@@ -0,0 +1 @@
+pass in all flags S/SA keep state (pflow)
diff --git a/sbin/pfctl/tests/files/pf1020.in b/sbin/pfctl/tests/files/pf1020.in
new file mode 100644
index 000000000000..7f98df69bd04
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1020.in
@@ -0,0 +1,3 @@
+table <tabl1> file "./pf1020.include"
+
+block from <tabl1>
diff --git a/sbin/pfctl/tests/files/pf1020.include b/sbin/pfctl/tests/files/pf1020.include
new file mode 100644
index 000000000000..3fca07f64bfa
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1020.include
@@ -0,0 +1,4 @@
+; comment1
+# comment2
+1.0.0.1/32 ; comment1
+2.0.0.2/32 # comment2
diff --git a/sbin/pfctl/tests/files/pf1020.ok b/sbin/pfctl/tests/files/pf1020.ok
new file mode 100644
index 000000000000..16073b3d6987
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1020.ok
@@ -0,0 +1,2 @@
+table <tabl1> file "./pf1020.include"
+block drop from <tabl1> to any
diff --git a/sbin/pfctl/tests/files/pf1021.in b/sbin/pfctl/tests/files/pf1021.in
new file mode 100644
index 000000000000..841b024157c6
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1021.in
@@ -0,0 +1 @@
+nat on vtnet1 inet from ! (vtnet1) to any -> (vtnet1) endpoint-independent
diff --git a/sbin/pfctl/tests/files/pf1021.ok b/sbin/pfctl/tests/files/pf1021.ok
new file mode 100644
index 000000000000..3b5b84e2e11b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1021.ok
@@ -0,0 +1 @@
+nat on vtnet1 inet from ! (vtnet1) to any -> (vtnet1) round-robin endpoint-independent
diff --git a/sbin/pfctl/tests/files/pf1022.in b/sbin/pfctl/tests/files/pf1022.in
new file mode 100644
index 000000000000..640eb1334100
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1022.in
@@ -0,0 +1 @@
+pass out on em0 from 192.0.2.1 to 198.51.100.1 received-on fxp0
diff --git a/sbin/pfctl/tests/files/pf1022.ok b/sbin/pfctl/tests/files/pf1022.ok
new file mode 100644
index 000000000000..2f7b4a5bd616
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1022.ok
@@ -0,0 +1 @@
+pass out on em0 inet from 192.0.2.1 to 198.51.100.1 received-on fxp0 flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1023.in b/sbin/pfctl/tests/files/pf1023.in
new file mode 100644
index 000000000000..4855ae0f339e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1023.in
@@ -0,0 +1,3 @@
+match log(matches) inet proto tcp
+match log(matches) inet from 192.0.2.0/24
+pass
diff --git a/sbin/pfctl/tests/files/pf1023.ok b/sbin/pfctl/tests/files/pf1023.ok
new file mode 100644
index 000000000000..63fa40113ecf
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1023.ok
@@ -0,0 +1,3 @@
+match log (matches) inet proto tcp all
+match log (matches) inet from 192.0.2.0/24 to any
+pass all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1024.in b/sbin/pfctl/tests/files/pf1024.in
new file mode 100644
index 000000000000..be518bb3bd53
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1024.in
@@ -0,0 +1 @@
+pass in inet af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1024.ok b/sbin/pfctl/tests/files/pf1024.ok
new file mode 100644
index 000000000000..2d4ddb9d0ce7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1024.ok
@@ -0,0 +1 @@
+pass in inet all flags S/SA keep state af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1025.in b/sbin/pfctl/tests/files/pf1025.in
new file mode 100644
index 000000000000..d4ad821a6899
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.in
@@ -0,0 +1 @@
+pass in from 10.0.0.0/8 af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1025.ok b/sbin/pfctl/tests/files/pf1025.ok
new file mode 100644
index 000000000000..8f48c987c6a0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1025.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state af-to inet6 from 2001:db8::1
diff --git a/sbin/pfctl/tests/files/pf1026.in b/sbin/pfctl/tests/files/pf1026.in
new file mode 100644
index 000000000000..3691d0947b39
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1026.in
@@ -0,0 +1 @@
+pass in on epair2b route-to (epair0a 192.0.2.2) inet6 from any to 64:ff9b::/96 af-to inet from (epair0a)
diff --git a/sbin/pfctl/tests/files/pf1026.ok b/sbin/pfctl/tests/files/pf1026.ok
new file mode 100644
index 000000000000..323036f2b800
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1026.ok
@@ -0,0 +1 @@
+pass in on epair2b route-to (epair0a 192.0.2.2) inet6 from any to 64:ff9b::/96 flags S/SA keep state af-to inet from (epair0a) round-robin
diff --git a/sbin/pfctl/tests/files/pf1027.in b/sbin/pfctl/tests/files/pf1027.in
new file mode 100644
index 000000000000..3c5c24025e0a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1027.in
@@ -0,0 +1 @@
+pass in on epair2b reply-to (epair0a 2001:db8::1) inet6 from any to 64:ff9b::/96 af-to inet from (epair0a)
diff --git a/sbin/pfctl/tests/files/pf1027.ok b/sbin/pfctl/tests/files/pf1027.ok
new file mode 100644
index 000000000000..b50f1e216837
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1027.ok
@@ -0,0 +1 @@
+pass in on epair2b reply-to (epair0a 2001:db8::1) inet6 from any to 64:ff9b::/96 flags S/SA keep state af-to inet from (epair0a) round-robin
diff --git a/sbin/pfctl/tests/files/pf1028.in b/sbin/pfctl/tests/files/pf1028.in
new file mode 100644
index 000000000000..2386fcb52249
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1028.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1028.ok b/sbin/pfctl/tests/files/pf1028.ok
new file mode 100644
index 000000000000..07be890f4e05
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1028.ok
@@ -0,0 +1 @@
+rdr on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1029.in b/sbin/pfctl/tests/files/pf1029.in
new file mode 100644
index 000000000000..73815839aadd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1029.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1002
diff --git a/sbin/pfctl/tests/files/pf1029.ok b/sbin/pfctl/tests/files/pf1029.ok
new file mode 100644
index 000000000000..6e9083bf856a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1029.ok
@@ -0,0 +1 @@
+rdr on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1002
diff --git a/sbin/pfctl/tests/files/pf1030.in b/sbin/pfctl/tests/files/pf1030.in
new file mode 100644
index 000000000000..b6f891998a71
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1030.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 50001:65535
diff --git a/sbin/pfctl/tests/files/pf1030.ok b/sbin/pfctl/tests/files/pf1030.ok
new file mode 100644
index 000000000000..4f6b2eba2f39
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1030.ok
@@ -0,0 +1 @@
+rdr on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 50001:65535
diff --git a/sbin/pfctl/tests/files/pf1031.in b/sbin/pfctl/tests/files/pf1031.in
new file mode 100644
index 000000000000..7cad4ae64000
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1031.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 port 1004:2004 -> 192.0.2.3 port 1004
diff --git a/sbin/pfctl/tests/files/pf1031.ok b/sbin/pfctl/tests/files/pf1031.ok
new file mode 100644
index 000000000000..8dd7fe027716
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1031.ok
@@ -0,0 +1 @@
+rdr on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 port 1004:2004 -> 192.0.2.3 port 1004
diff --git a/sbin/pfctl/tests/files/pf1032.in b/sbin/pfctl/tests/files/pf1032.in
new file mode 100644
index 000000000000..a2eec78da045
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1032.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 port 1005:2005 -> 192.0.2.3 port 3004:*
diff --git a/sbin/pfctl/tests/files/pf1032.ok b/sbin/pfctl/tests/files/pf1032.ok
new file mode 100644
index 000000000000..3b3f124efc33
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1032.ok
@@ -0,0 +1 @@
+rdr on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 port 1005:2005 -> 192.0.2.3 port 3004:4004
diff --git a/sbin/pfctl/tests/files/pf1033.fail b/sbin/pfctl/tests/files/pf1033.fail
new file mode 100644
index 000000000000..d9fbfe4296e3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1033.fail
@@ -0,0 +1 @@
+the 'static-port' option is only valid with nat rules
diff --git a/sbin/pfctl/tests/files/pf1033.in b/sbin/pfctl/tests/files/pf1033.in
new file mode 100644
index 000000000000..76f33e7e8f0e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1033.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 static-port
diff --git a/sbin/pfctl/tests/files/pf1034.fail b/sbin/pfctl/tests/files/pf1034.fail
new file mode 100644
index 000000000000..e407996a8fa3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1034.fail
@@ -0,0 +1 @@
+the 'map-e-portset' option is only valid with nat rules
diff --git a/sbin/pfctl/tests/files/pf1034.in b/sbin/pfctl/tests/files/pf1034.in
new file mode 100644
index 000000000000..be847a8af241
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1034.in
@@ -0,0 +1 @@
+rdr on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 map-e-portset 6/8/0x34
diff --git a/sbin/pfctl/tests/files/pf1035.in b/sbin/pfctl/tests/files/pf1035.in
new file mode 100644
index 000000000000..9382ffedc8c9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1035.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1035.ok b/sbin/pfctl/tests/files/pf1035.ok
new file mode 100644
index 000000000000..be573ef460f5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1035.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1036.in b/sbin/pfctl/tests/files/pf1036.in
new file mode 100644
index 000000000000..81718c908303
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1036.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 50001:65535
diff --git a/sbin/pfctl/tests/files/pf1036.ok b/sbin/pfctl/tests/files/pf1036.ok
new file mode 100644
index 000000000000..be573ef460f5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1036.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1037.in b/sbin/pfctl/tests/files/pf1037.in
new file mode 100644
index 000000000000..a30f6c0e7bbe
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1037.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1003
diff --git a/sbin/pfctl/tests/files/pf1037.ok b/sbin/pfctl/tests/files/pf1037.ok
new file mode 100644
index 000000000000..020e2de28dec
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1037.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1003
diff --git a/sbin/pfctl/tests/files/pf1038.in b/sbin/pfctl/tests/files/pf1038.in
new file mode 100644
index 000000000000..532060e56494
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1038.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1004:2004
diff --git a/sbin/pfctl/tests/files/pf1038.ok b/sbin/pfctl/tests/files/pf1038.ok
new file mode 100644
index 000000000000..a4021db7b1b2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1038.ok
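Review bot: pf1036.ok expects no `port` clause although pf1036.in asks for `port 50001:65535`, and its blob id (`be573ef460f5`) is the same as that of pf1035.ok. This is presumably intended because that range is the default nat proxy port range and is left out on output, but nothing in the input says so, and the rdr counterpart pf1030.ok does print the range. A comment line in pf1036.in would make the intent explicit: `# 50001:65535 is the default nat port range, so it is expected to be omitted from the output`.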
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1004:2004
diff --git a/sbin/pfctl/tests/files/pf1039.in b/sbin/pfctl/tests/files/pf1039.in
new file mode 100644
index 000000000000..dba14b0625de
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1039.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 static-port
diff --git a/sbin/pfctl/tests/files/pf1039.ok b/sbin/pfctl/tests/files/pf1039.ok
new file mode 100644
index 000000000000..80cfbe742865
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1039.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 static-port
diff --git a/sbin/pfctl/tests/files/pf1040.fail b/sbin/pfctl/tests/files/pf1040.fail
new file mode 100644
index 000000000000..5b9afc22b441
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1040.fail
@@ -0,0 +1 @@
+the 'static-port' option can't be used when specifying a port range
diff --git a/sbin/pfctl/tests/files/pf1040.in b/sbin/pfctl/tests/files/pf1040.in
new file mode 100644
index 000000000000..38d7292a560a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1040.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1006 static-port
diff --git a/sbin/pfctl/tests/files/pf1040.ok b/sbin/pfctl/tests/files/pf1040.ok
new file mode 100644
index 000000000000..ffe2e023f77c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1040.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 map-e-portset 6/8/52
diff --git a/sbin/pfctl/tests/files/pf1041.in b/sbin/pfctl/tests/files/pf1041.in
new file mode 100644
index 000000000000..4c384ac70e05
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1041.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 map-e-portset 6/8/0x34
diff --git a/sbin/pfctl/tests/files/pf1041.ok b/sbin/pfctl/tests/files/pf1041.ok
new file mode 100644
index 000000000000..ffe2e023f77c
--- /dev/null
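Review bot: pf1040.ok looks like a stray expected-output file and should be dropped from the commit. pf1040.in uses `port 1006 static-port`, and pf1040.fail already pins its rejection with `the 'static-port' option can't be used when specifying a port range`. This .ok holds a `map-e-portset 6/8/52` rule that the input could never print, and its blob id (ffe2e023f77c) is the same as pf1041.ok's. With both a .ok and a .fail present, which outcome the case asserts presumably depends on how the test driver (not visible here) picks between them, so a regression that starts accepting the conflicting options could go unnoticed.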
+++ b/sbin/pfctl/tests/files/pf1041.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 map-e-portset 6/8/52
diff --git a/sbin/pfctl/tests/files/pf1042.fail b/sbin/pfctl/tests/files/pf1042.fail
new file mode 100644
index 000000000000..56e174a5ece5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1042.fail
@@ -0,0 +1 @@
+the 'map-e-portset' option can't be used 'static-port'
diff --git a/sbin/pfctl/tests/files/pf1042.in b/sbin/pfctl/tests/files/pf1042.in
new file mode 100644
index 000000000000..906f637b6a0a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1042.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 static-port map-e-portset 6/8/0x34
diff --git a/sbin/pfctl/tests/files/pf1043.fail b/sbin/pfctl/tests/files/pf1043.fail
new file mode 100644
index 000000000000..cdfab00916a2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1043.fail
@@ -0,0 +1 @@
+the 'map-e-portset' option can't be used when specifying a port range
diff --git a/sbin/pfctl/tests/files/pf1043.in b/sbin/pfctl/tests/files/pf1043.in
new file mode 100644
index 000000000000..15428a9e54bc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1043.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3 port 1007 map-e-portset 6/8/0x34
diff --git a/sbin/pfctl/tests/files/pf1044.in b/sbin/pfctl/tests/files/pf1044.in
new file mode 100644
index 000000000000..6a927b66b83f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1044.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> <targets> sticky-address
diff --git a/sbin/pfctl/tests/files/pf1044.ok b/sbin/pfctl/tests/files/pf1044.ok
new file mode 100644
index 000000000000..a68b1daaa73a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1044.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> <targets> round-robin sticky-address
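Review bot: The expected message in pf1042.fail, `the 'map-e-portset' option can't be used 'static-port'`, is missing a word. The sibling fixtures pf1040.fail and pf1043.fail read as full sentences, so this one stands out. The fixture presumably mirrors the string pfctl's parser prints, which is not visible in this diff. If so, the wording should be corrected at the source and the fixture updated in the same change to `the 'map-e-portset' option can't be used with 'static-port'`; changing only the fixture would break the case.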
diff --git a/sbin/pfctl/tests/files/pf1045.in b/sbin/pfctl/tests/files/pf1045.in
new file mode 100644
index 000000000000..38f708ce19b8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1045.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 bitmask
diff --git a/sbin/pfctl/tests/files/pf1045.ok b/sbin/pfctl/tests/files/pf1045.ok
new file mode 100644
index 000000000000..5388db7e58a4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1045.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 bitmask
diff --git a/sbin/pfctl/tests/files/pf1046.fail b/sbin/pfctl/tests/files/pf1046.fail
new file mode 100644
index 000000000000..b152f9063241
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1046.fail
@@ -0,0 +1 @@
+tables are not supported by pool type
diff --git a/sbin/pfctl/tests/files/pf1046.in b/sbin/pfctl/tests/files/pf1046.in
new file mode 100644
index 000000000000..e4a9f79efd6f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1046.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> <targets> bitmask
diff --git a/sbin/pfctl/tests/files/pf1047.fail b/sbin/pfctl/tests/files/pf1047.fail
new file mode 100644
index 000000000000..239b96b2fed4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1047.fail
@@ -0,0 +1 @@
+interface \(vtnet1\) is not supported by pool type
diff --git a/sbin/pfctl/tests/files/pf1047.in b/sbin/pfctl/tests/files/pf1047.in
new file mode 100644
index 000000000000..369bfcb0fb26
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1047.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> (vtnet1) bitmask
diff --git a/sbin/pfctl/tests/files/pf1048.in b/sbin/pfctl/tests/files/pf1048.in
new file mode 100644
index 000000000000..01232a33b5d8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1048.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 random
diff --git a/sbin/pfctl/tests/files/pf1048.ok b/sbin/pfctl/tests/files/pf1048.ok
new file mode 100644
index 000000000000..35e86fc676fc
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1048.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 random
diff --git a/sbin/pfctl/tests/files/pf1049.in b/sbin/pfctl/tests/files/pf1049.in
new file mode 100644
index 000000000000..3f2e5acf8265
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1049.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> { 192.0.2.3 }
diff --git a/sbin/pfctl/tests/files/pf1049.ok b/sbin/pfctl/tests/files/pf1049.ok
new file mode 100644
index 000000000000..be573ef460f5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1049.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 192.0.2.3
diff --git a/sbin/pfctl/tests/files/pf1050.in b/sbin/pfctl/tests/files/pf1050.in
new file mode 100644
index 000000000000..69ccaf445c3b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1050.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> <targets>
diff --git a/sbin/pfctl/tests/files/pf1050.ok b/sbin/pfctl/tests/files/pf1050.ok
new file mode 100644
index 000000000000..24ca9b459bb7
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1050.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> <targets> round-robin
diff --git a/sbin/pfctl/tests/files/pf1051.in b/sbin/pfctl/tests/files/pf1051.in
new file mode 100644
index 000000000000..734da64a372c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1051.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1 203.0.113.2 }
diff --git a/sbin/pfctl/tests/files/pf1051.ok b/sbin/pfctl/tests/files/pf1051.ok
new file mode 100644
index 000000000000..86f23488be41
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1051.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1, 203.0.113.2 } round-robin
diff --git a/sbin/pfctl/tests/files/pf1052.in b/sbin/pfctl/tests/files/pf1052.in
new file mode 100644
index 000000000000..2ea770f3c06e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1052.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1 <targets> }
diff --git a/sbin/pfctl/tests/files/pf1052.ok b/sbin/pfctl/tests/files/pf1052.ok
new file mode 100644
index 000000000000..b71d105eb77a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1052.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1, <targets> } round-robin
diff --git a/sbin/pfctl/tests/files/pf1053.in b/sbin/pfctl/tests/files/pf1053.in
new file mode 100644
index 000000000000..f0cced0b64a2
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1053.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24
diff --git a/sbin/pfctl/tests/files/pf1053.ok b/sbin/pfctl/tests/files/pf1053.ok
new file mode 100644
index 000000000000..de321b8c738f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1053.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24
diff --git a/sbin/pfctl/tests/files/pf1054.in b/sbin/pfctl/tests/files/pf1054.in
new file mode 100644
index 000000000000..9e66bb2a81d6
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1054.in
@@ -0,0 +1,3 @@
+# XXX: it causes just the 0th address to be used without cycling
+# Probably a bug
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 round-robin
diff --git a/sbin/pfctl/tests/files/pf1054.ok b/sbin/pfctl/tests/files/pf1054.ok
new file mode 100644
index 000000000000..3d7ab7974d87
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1054.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 round-robin
diff --git a/sbin/pfctl/tests/files/pf1055.in b/sbin/pfctl/tests/files/pf1055.in
new file mode 100644
index 000000000000..c116ef5fd43e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1055.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 source-hash 0x42424242424242424242424242424242
diff --git a/sbin/pfctl/tests/files/pf1055.ok b/sbin/pfctl/tests/files/pf1055.ok
new file mode 100644
index 000000000000..468e47012169
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1055.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.0/24 source-hash 0x42424242424242424242424242424242
diff --git a/sbin/pfctl/tests/files/pf1056.in b/sbin/pfctl/tests/files/pf1056.in
new file mode 100644
index 000000000000..bd2af077fc3f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1056.in
@@ -0,0 +1 @@
+pass in on vtnet0 inet6 from any to 64:ff9b::/96 af-to inet from 203.0.113.1 to 203.0.113.2
diff --git a/sbin/pfctl/tests/files/pf1056.ok b/sbin/pfctl/tests/files/pf1056.ok
new file mode 100644
index 000000000000..0397570dbce0
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1056.ok
@@ -0,0 +1 @@
+pass in on vtnet0 inet6 from any to 64:ff9b::/96 flags S/SA keep state af-to inet from 203.0.113.1 to 203.0.113.2
diff --git a/sbin/pfctl/tests/files/pf1057.in b/sbin/pfctl/tests/files/pf1057.in
new file mode 100644
index 000000000000..0e26976e5a0d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1057.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> vlan1057
diff --git a/sbin/pfctl/tests/files/pf1057.ok b/sbin/pfctl/tests/files/pf1057.ok
new file mode 100644
index 000000000000..7626951e138c
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1057.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> 203.0.113.5
diff --git a/sbin/pfctl/tests/files/pf1058.in b/sbin/pfctl/tests/files/pf1058.in
new file mode 100644
index 000000000000..27c0ef1d69b3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1058.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1 vlan1058 }
diff --git a/sbin/pfctl/tests/files/pf1058.ok b/sbin/pfctl/tests/files/pf1058.ok
new file mode 100644
index 000000000000..b1d2b07a58b4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1058.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.1, 203.0.113.5 } round-robin
diff --git a/sbin/pfctl/tests/files/pf1059.in b/sbin/pfctl/tests/files/pf1059.in
new file mode 100644
index 000000000000..92ed5c50656b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1059.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> (vlan1059)
diff --git a/sbin/pfctl/tests/files/pf1059.ok b/sbin/pfctl/tests/files/pf1059.ok
new file mode 100644
index 000000000000..6b028f18ee60
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1059.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> (vlan1059) round-robin
diff --git a/sbin/pfctl/tests/files/pf1060.in b/sbin/pfctl/tests/files/pf1060.in
new file mode 100644
index 000000000000..85cdd19f2897
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1060.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.0 (vlan1060) }
diff --git a/sbin/pfctl/tests/files/pf1060.ok b/sbin/pfctl/tests/files/pf1060.ok
new file mode 100644
index 000000000000..3364b3cbdcc5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1060.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet proto tcp from 192.0.2.1 to 192.0.2.2 -> { 203.0.113.0, (vlan1060) } round-robin
diff --git a/sbin/pfctl/tests/files/pf1061.in b/sbin/pfctl/tests/files/pf1061.in
new file mode 100644
index 000000000000..32eb8272db8b
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1061.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2 -> vlan1061:0
diff --git a/sbin/pfctl/tests/files/pf1061.ok b/sbin/pfctl/tests/files/pf1061.ok
new file mode 100644
index 000000000000..d2e6d969cb11
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1061.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2 -> 2001:db8::cb00:7105
diff --git a/sbin/pfctl/tests/files/pf1062.in b/sbin/pfctl/tests/files/pf1062.in
new file mode 100644
index 000000000000..4d6a0ecc2e92
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1062.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2 -> { 2001:db8::3 vlan1062:0 }
diff --git a/sbin/pfctl/tests/files/pf1062.ok b/sbin/pfctl/tests/files/pf1062.ok
new file mode 100644
index 000000000000..cb5db62ded1d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1062.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2 -> { 2001:db8::3, 2001:db8::cb00:7105 } round-robin
diff --git a/sbin/pfctl/tests/files/pf1063.in b/sbin/pfctl/tests/files/pf1063.in
new file mode 100644
index 000000000000..3d164538640d
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1063.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2 -> (vlan1063)
diff --git a/sbin/pfctl/tests/files/pf1063.ok b/sbin/pfctl/tests/files/pf1063.ok
new file mode 100644
index 000000000000..13189e00cc8a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1063.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2 -> (vlan1063) round-robin
diff --git a/sbin/pfctl/tests/files/pf1064.in b/sbin/pfctl/tests/files/pf1064.in
new file mode 100644
index 000000000000..78d04135154f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1064.in
@@ -0,0 +1 @@
+nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2 -> { fe80::2 (vlan1064) }
diff --git a/sbin/pfctl/tests/files/pf1064.ok b/sbin/pfctl/tests/files/pf1064.ok
new file mode 100644
index 000000000000..ed15d054ab34
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1064.ok
@@ -0,0 +1 @@
+nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2 -> { fe80::2, (vlan1064) } round-robin
diff --git a/sbin/pfctl/tests/files/pf1065.in b/sbin/pfctl/tests/files/pf1065.in
new file mode 100644
index 000000000000..690045befee6
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1065.in
@@ -0,0 +1 @@
+no nat on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1065.ok b/sbin/pfctl/tests/files/pf1065.ok
new file mode 100644
index 000000000000..651a2fa0ae09
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1065.ok
@@ -0,0 +1 @@
+no nat on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1066.in b/sbin/pfctl/tests/files/pf1066.in
new file mode 100644
index 000000000000..e81461c470ab
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1066.in
@@ -0,0 +1 @@
+no rdr on vtnet0 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1066.ok b/sbin/pfctl/tests/files/pf1066.ok
new file mode 100644
index 000000000000..5ff596fa0158
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1066.ok
@@ -0,0 +1 @@
+no rdr on vtnet0 inet6 proto tcp from 2001:db8::1 to 2001:db8::2
diff --git a/sbin/pfctl/tests/files/pf1067.fail b/sbin/pfctl/tests/files/pf1067.fail
new file mode 100644
index 000000000000..23ac1daad64f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.fail
@@ -0,0 +1 @@
+route-to, reply-to and dup-to are not supported on block rules
diff --git a/sbin/pfctl/tests/files/pf1067.in b/sbin/pfctl/tests/files/pf1067.in
new file mode 100644
index 000000000000..47f3bf6285dd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.in
@@ -0,0 +1 @@
+block in route-to (if0 127.0.0.1/8)
diff --git a/sbin/pfctl/tests/files/pf1068.in b/sbin/pfctl/tests/files/pf1068.in
new file mode 100644
index 000000000000..993cfa37f8f9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1068.in
@@ -0,0 +1 @@
+pass in proto icmp max-pkt-rate 100/10
diff --git a/sbin/pfctl/tests/files/pf1068.ok b/sbin/pfctl/tests/files/pf1068.ok
new file mode 100644
index 000000000000..bd36043207f9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1068.ok
@@ -0,0 +1 @@
+pass in proto icmp all max-pkt-rate 100/10 keep state
diff --git a/sbin/pfctl/tests/files/pf1069.in b/sbin/pfctl/tests/files/pf1069.in
new file mode 100644
index 000000000000..3a69158fff7e
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1069.in
@@ -0,0 +1 @@
+pass in proto icmp max-pkt-size 128
diff --git a/sbin/pfctl/tests/files/pf1069.ok b/sbin/pfctl/tests/files/pf1069.ok
new file mode 100644
index 000000000000..b79228266156
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1069.ok
@@ -0,0 +1 @@
+pass in proto icmp all max-pkt-size 128 keep state
diff --git a/sbin/pfctl/tests/files/pf1070.fail b/sbin/pfctl/tests/files/pf1070.fail
new file mode 100644
index 000000000000..60b56d9da2b9
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1070.fail
@@ -0,0 +1 @@
+pf1070.include:2: syntax error
diff --git a/sbin/pfctl/tests/files/pf1070.in b/sbin/pfctl/tests/files/pf1070.in
new file mode 100644
index 000000000000..42b874d4d6f4
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1070.in
@@ -0,0 +1,2 @@
+pass in
+include pf1070.include
diff --git a/sbin/pfctl/tests/files/pf1070.include b/sbin/pfctl/tests/files/pf1070.include
new file mode 100644
index 000000000000..09c3755dbe28
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1070.include
@@ -0,0 +1,2 @@
+block out
+invalidline
diff --git a/sbin/pfctl/tests/files/pf1071.in b/sbin/pfctl/tests/files/pf1071.in
new file mode 100644
index 000000000000..9e6c2abc0621
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1071.in
@@ -0,0 +1 @@
+pass inet from (lo0)/24
diff --git a/sbin/pfctl/tests/files/pf1071.ok b/sbin/pfctl/tests/files/pf1071.ok
new file mode 100644
index 000000000000..409b5dc4b068
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1071.ok
@@ -0,0 +1 @@
+pass inet from (lo0)/24 to any flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1072.fail b/sbin/pfctl/tests/files/pf1072.fail
new file mode 100644
index 000000000000..06ef5ae457e5
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1072.fail
@@ -0,0 +1 @@
+invalid port range
diff --git a/sbin/pfctl/tests/files/pf1072.in b/sbin/pfctl/tests/files/pf1072.in
new file mode 100644
index 000000000000..e09e92388ce1
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1072.in
@@ -0,0 +1 @@
+pass in proto tcp from any port 500:100 to any
diff --git a/sbin/pfctl/tests/files/pf1073.in b/sbin/pfctl/tests/files/pf1073.in
new file mode 100644
index 000000000000..477995893ac3
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1073.in
@@ -0,0 +1 @@
+pass in on vtnet0 route-to ( vtnet1 2001:db8::1 ) prefer-ipv6-nexthop inet
diff --git a/sbin/pfctl/tests/files/pf1073.ok b/sbin/pfctl/tests/files/pf1073.ok
new file mode 100644
index 000000000000..f34867508c75
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1073.ok
@@ -0,0 +1 @@
+pass in on vtnet0 route-to (vtnet1 2001:db8::1) prefer-ipv6-nexthop inet all flags S/SA keep state
diff --git a/sbin/pfctl/tests/files/pf1074.fail b/sbin/pfctl/tests/files/pf1074.fail
new file mode 100644
index 000000000000..afe8ee3c458f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1074.fail
@@ -0,0 +1 @@
+no routing address with matching address family found.
diff --git a/sbin/pfctl/tests/files/pf1074.in b/sbin/pfctl/tests/files/pf1074.in
new file mode 100644
index 000000000000..5d285bc5d6e8
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1074.in
@@ -0,0 +1 @@
+pass in on vtnet0 route-to ( vtnet1 2001:db8::1 ) inet
diff --git a/sbin/pfctl/tests/files/pf1075.in b/sbin/pfctl/tests/files/pf1075.in
new file mode 100644
index 000000000000..835a31a25c6a
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1075.in
@@ -0,0 +1 @@
+pass inet from (lo0)/24 once
diff --git a/sbin/pfctl/tests/files/pf1075.ok b/sbin/pfctl/tests/files/pf1075.ok
new file mode 100644
index 000000000000..2369c9410cda
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1075.ok
@@ -0,0 +1 @@
+pass inet from (lo0)/24 to any flags S/SA keep state once |
