10 files changed, 247 insertions, 15 deletions
diff --git a/tests/sys/cam/ctl/ctl.subr b/tests/sys/cam/ctl/ctl.subr
index 5da441b806f0..6cc02d774bdb 100644
--- a/tests/sys/cam/ctl/ctl.subr
+++ b/tests/sys/cam/ctl/ctl.subr
@@ -25,15 +25,6 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-load_modules() {
-	if ! kldstat -q -m ctl; then
-		kldload ctl || atf_skip "could not load ctl kernel mod"
-	fi
-	if ! ctladm port -o on -p 0; then
-		atf_skip "could not enable the camsim frontend"
-	fi
-}
-
 find_device() {
 	LUN=$1
 
diff --git a/tests/sys/fs/fusefs/Makefile b/tests/sys/fs/fusefs/Makefile
index b11f11bdfa98..a21512798597 100644
--- a/tests/sys/fs/fusefs/Makefile
+++ b/tests/sys/fs/fusefs/Makefile
@@ -70,7 +70,8 @@ TEST_METADATA.nfs+=	required_user="root"
 TEST_METADATA.ctl+=	is_exclusive="true"
 TEST_METADATA.ctl+=	required_user="root"
 
-TEST_METADATA+= timeout=10
+TEST_METADATA+=	timeout=10
+TEST_METADATA+=	required_kmods="fusefs"
 
 FUSEFS=		${SRCTOP}/sys/fs/fuse
 # Suppress warnings that GCC generates for the libc++ and gtest headers.
diff --git a/tests/sys/mac/bsdextended/Makefile b/tests/sys/mac/bsdextended/Makefile
index 69cd27c0e321..cc3a3f8ea534 100644
--- a/tests/sys/mac/bsdextended/Makefile
+++ b/tests/sys/mac/bsdextended/Makefile
@@ -9,5 +9,6 @@ TEST_METADATA.ugidfw_test+=	required_user="root"
 # Each test case of matches_test reuses the same ruleset number, so they cannot
 # be run simultaneously
 TEST_METADATA.matches_test+=	is_exclusive=true
+TEST_METADATA+=			required_kmods="mac_bsdextended"
 
 .include <bsd.test.mk>
diff --git a/tests/sys/mac/bsdextended/matches_test.sh b/tests/sys/mac/bsdextended/matches_test.sh
index 2a28be0f231b..41fa04f221e3 100644
--- a/tests/sys/mac/bsdextended/matches_test.sh
+++ b/tests/sys/mac/bsdextended/matches_test.sh
@@ -12,9 +12,6 @@ gidoutrange="daemon" # We expect $uidinrange in this group
 
 check_ko()
 {
-	if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
-		atf_skip "mac_bsdextended(4) support isn't available"
-	fi
 	if [ $(sysctl -n security.mac.bsdextended.enabled) = "0" ]; then
 		# The kernel module is loaded but disabled.  Enable it for the
 		# duration of the test.
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 3adaef09ddbd..404d5adfb07a 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -58,6 +58,8 @@ ATF_TESTS_SH+=	altq \
 ATF_TESTS_PYTEST+=	frag6.py
 ATF_TESTS_PYTEST+=	header.py
 ATF_TESTS_PYTEST+=	icmp.py
+ATF_TESTS_PYTEST+=	igmp.py
+ATF_TESTS_PYTEST+=	mld.py
 ATF_TESTS_PYTEST+=	nat64.py
 ATF_TESTS_PYTEST+=	nat66.py
 ATF_TESTS_PYTEST+=	return.py
diff --git a/tests/sys/netpfil/pf/icmp.py b/tests/sys/netpfil/pf/icmp.py
index 59f2e8190b30..c5e945d60e99 100644
--- a/tests/sys/netpfil/pf/icmp.py
+++ b/tests/sys/netpfil/pf/icmp.py
@@ -136,8 +136,7 @@ class TestICMP(VnetTestTemplate):
             / sp.ICMP(type='echo-request') \
             / sp.raw(bytes.fromhex('f0') * payload_size)
 
-        p = sp.sr1(packet, iface=self.vnet.iface_alias_map["if1"].name,
-            timeout=3)
+        p = sp.sr1(packet, timeout=3)
         p.show()
 
         ip = p.getlayer(sp.IP)
@@ -176,6 +175,22 @@ class TestICMP(VnetTestTemplate):
         self.check_icmp_echo(sp, 1464)
         self.check_icmp_echo(sp, 1468)
 
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_truncated_opts(self):
+        ToolsHelper.print_output("/sbin/route add default 192.0.2.1")
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+
+        packet = sp.IP(dst="198.51.100.2", flags="DF") \
+            / sp.ICMP(type='dest-unreach', length=108) \
+            / sp.IP(src="198.51.100.2", dst="192.0.2.2", len=1000, \
+              ihl=(120 >> 2), options=[ \
+              sp.IPOption_Security(length=100)])
+        packet.show()
+        sp.sr1(packet, timeout=3)
+
 class TestICMP_NAT(VnetTestTemplate):
     REQUIRED_MODULES = [ "pf" ]
     TOPOLOGY = {
diff --git a/tests/sys/netpfil/pf/igmp.py b/tests/sys/netpfil/pf/igmp.py
new file mode 100644
index 000000000000..b339a2825082
--- /dev/null
+++ b/tests/sys/netpfil/pf/igmp.py
@@ -0,0 +1,95 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2025 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+import pytest
+from utils import DelayedSend
+from atf_python.sys.net.tools import ToolsHelper
+from atf_python.sys.net.vnet import VnetTestTemplate
+
+class TestIGMP(VnetTestTemplate):
+    REQUIRED_MODULES = [ "pf" ]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1"]},
+        "if1": {"prefixes4": [("192.0.2.2/24", "192.0.2.1/24")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        ifname = vnet.iface_alias_map["if1"].name
+        ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.pf_rules([
+            "pass",
+            ])
+        ToolsHelper.print_output("/sbin/pfctl -x loud")
+        ToolsHelper.print_output("echo \"j 230.0.0.1 %s\ns 3600\nq\" | /usr/sbin/mtest" % ifname)
+
+    def find_igmp_reply(self, pkt, ifname):
+        pkt.show()
+        s = DelayedSend(pkt)
+
+        found = False
+        packets = self.sp.sniff(iface=ifname, timeout=5)
+        for r in packets:
+            r.show()
+            igmp = r.getlayer(self.sc.igmp.IGMP)
+            if not igmp:
+                continue
+            igmp.show()
+            if not igmp.gaddr == "230.0.0.1":
+                continue
+            found = True
+        return found
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_ip_opts(self):
+        """Verify that we allow IGMP packets with IP options"""
+        ifname = self.vnet.iface_alias_map["if1"].name
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+        import scapy.contrib as sc
+        import scapy.contrib.igmp
+        self.sp = sp
+        self.sc = sc
+
+        # We allow IGMP packets with the router alert option
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=1,
+            options=[sp.IPOption_Router_Alert()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert self.find_igmp_reply(pkt, ifname)
+
+        # But not with other options
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=1,
+            options=[sp.IPOption_NOP()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert not self.find_igmp_reply(pkt, ifname)
+
+        # Or with the wrong TTL
+        pkt = sp.IP(dst="224.0.0.1%%%s" % ifname, ttl=2,
+            options=[sp.IPOption_Router_Alert()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert not self.find_igmp_reply(pkt, ifname)
diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh
index d845f793a969..e3f138bb73b9 100644
--- a/tests/sys/netpfil/pf/mbuf.sh
+++ b/tests/sys/netpfil/pf/mbuf.sh
@@ -105,6 +105,12 @@ inet6_in_mbuf_len_body()
 	epair=$(vnet_mkepair)
 	ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad
 
+	# Ensure we don't unintentionally send MLD packets to alcatraz
+	pfctl -e
+	echo "block
+	pass out inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, echoreq, echorep }
+	" | pfctl -g -f -
+
 	# Set up a simple jail with one interface
 	vnet_mkjail alcatraz ${epair}b
 	jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad
diff --git a/tests/sys/netpfil/pf/mld.py b/tests/sys/netpfil/pf/mld.py
new file mode 100644
index 000000000000..d118a34c8a7d
--- /dev/null
+++ b/tests/sys/netpfil/pf/mld.py
@@ -0,0 +1,95 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2025 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+import pytest
+from utils import DelayedSend
+from atf_python.sys.net.tools import ToolsHelper
+from atf_python.sys.net.vnet import VnetTestTemplate
+
+class TestMLD(VnetTestTemplate):
+    REQUIRED_MODULES = [ "pf" ]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1"]},
+        "if1": {"prefixes6": [("2001:db8::2/64", "2001:db8::1/64")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        ifname = vnet.iface_alias_map["if1"].name
+        #ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.pf_rules([
+            "pass",
+            ])
+        ToolsHelper.print_output("/sbin/pfctl -x loud")
+        #ToolsHelper.print_output("echo \"j 230.0.0.1 %s\ns 3600\nq\" | /usr/sbin/mtest" % ifname)
+
+    def find_mld_reply(self, pkt, ifname):
+        pkt.show()
+        s = DelayedSend(pkt)
+
+        found = False
+        packets = self.sp.sniff(iface=ifname, timeout=5)
+        for r in packets:
+            r.show()
+            mld = r.getlayer(self.sp.ICMPv6MLReport2)
+            if not mld:
+                continue
+            mld.show()
+            found = True
+        return found
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_router_alert(self):
+        """Verify that we allow MLD packets with router alert extension header"""
+        ifname = self.vnet.iface_alias_map["if1"].name
+        #ToolsHelper.print_output("/sbin/ifconfig %s inet6 -ifdisable" % ifname)
+        ToolsHelper.print_output("/sbin/ifconfig")
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+        import scapy.contrib as sc
+        import scapy.contrib.igmp
+        self.sp = sp
+        self.sc = sc
+
+        # A correct MLD query gets a reply
+        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=1) \
+            / sp.RouterAlert(value=0) \
+            / sp.ICMPv6MLQuery2()
+        assert self.find_mld_reply(pkt, ifname)
+
+        # The wrong extension header does not
+        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=1) \
+            / sp.IPv6ExtHdrRouting() \
+            / sp.ICMPv6MLQuery2()
+        assert not self.find_mld_reply(pkt, ifname)
+
+        # Neither does an incorrect hop limit
+        pkt = sp.IPv6(src="fe80::1%%%s" % ifname, dst="ff02::1", hlim=2) \
+            / sp.RouterAlert(value=0) \
+            / sp.ICMPv6MLQuery2()
+        assert not self.find_mld_reply(pkt, ifname)
diff --git a/tests/sys/netpfil/pf/table.sh b/tests/sys/netpfil/pf/table.sh
index 78320375db7c..5e5fccdaca20 100644
--- a/tests/sys/netpfil/pf/table.sh
+++ b/tests/sys/netpfil/pf/table.sh
@@ -582,6 +582,34 @@ anchor_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "flush" "cleanup"
+flush_head()
+{
+	atf_set descr 'Test flushing addresses from tables'
+	atf_set require.user root
+}
+
+flush_body()
+{
+	pft_init
+
+	vnet_mkjail alcatraz
+
+	atf_check -s exit:0 -e match:"1/1 addresses added." \
+	    jexec alcatraz pfctl -t foo -T add 1.2.3.4
+	atf_check -s exit:0 -o match:"   1.2.3.4" \
+	    jexec alcatraz pfctl -t foo -T show
+	atf_check -s exit:0 -e match:"1 addresses deleted." \
+	    jexec alcatraz pfctl -t foo -T flush
+	atf_check -s exit:0 -o not-match:"1.2.3.4" \
+	    jexec alcatraz pfctl -t foo -T show
+}
+
+flush_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "v4_counters"
@@ -596,4 +624,5 @@ atf_init_test_cases()
 	atf_add_test_case "pr259689"
 	atf_add_test_case "precreate"
 	atf_add_test_case "anchor"
+	atf_add_test_case "flush"
 }