We were previously unconditionally adding PROT_WRITE to the maxprot of
private mapping (because a private mapping can be written even if the
fd is read-only), but this might violate the user's PROT_MAX request.
While here, rename cap_maxprot to max_maxprot. This is the intersection
of the maximum protections imposed by capsicum rights on the fd (not
really relevant for private mappings) and the user-required maximum
protections (which were not being obeyed). In particular, cap_maxprot
is a misnomer after the introduction of PROT_MAX.
Add some regression test cases. mmap__maxprot_shm fails without this
patch.
Note: Capsicum's CAP_MMAP_W is a bit ambiguous. Should it be required
in order to create writeable private mappings? Currently it is, even
though such mappings don't permit writes to the object referenced by the
fd.
Reported by: brooks
Reviewed by: brooks
MFC after: 1 month
Fixes: c7841c6b8e ("Relax restrictions on private mappings of POSIX shm objects.")
Differential Revision: https://reviews.freebsd.org/D46741
Without this patch, vdevs faulted via AUX state would not be replaced
once the appropriate drive is replaced. ZFS does not internally use
that state, but a drive can be manually forced into such a state with a
command like zinject.
Submitted by: Goran Mekić <meka@tilda.center>
Sponsored by: ConnectWise
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46866
The function `pf_setup_pdesc()` handles ruleset evaluation for non-reassembled
packets. Having it called before `pf_mtag` is checked for flags
`PF_MTAG_FLAG_ROUTE_TO` and `PF_MTAG_FLAG_DUMMYNET` will cause loops for
fragmented packets if reassembly is disabled.
Move `pd` zeroing and `pf_mtag` extraction from `pf_setup_pdesc()` to a separate
function `pf_init_pdesc()` and change the order of function calls: first
call `pf_init_pdesc()`, then check if the currently processed packet has been
reinjected from dummynet, finally call `pf_setup_pdesc()`.
Add functionality of sending UDP packets to `pft_ping.py` with fragmentation
support and fix broken IPv6 reassembly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46880
Ensure that we don't conflict with other inetd processes running in other jails
by setting an explicit pid file (rather than relying on the default /var/run/
inetd.pid). This could lead to failure to start inetd, which in turn could cause
test failures.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Check enqueue works correctly when the offsets overflow
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46156
Add a simple test for sys/buf_ring.h. This enqueues and dequeues items
in the buf_ring to ensure the simple operations are correct.
There are no checks for multiple threads operating on buf_ring_enqueue
or buf_ring_dequeue_mc as they can be probabilistic and depend on the
architecture memory model.
Reviewed by: markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46147
Switch tests using pft_ping.py to inetd. Netcat can only accept a single
connection, we need multiple parallel connections to test max-src-conn. Use the
discard service and modify pft_ping.py to use proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params
accessible to sniffer, because answers to SYN+ACK packets should be send with
the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46798
Using nargs=1 causes arguments to produce lists from which we must then
get the real value. The same applies to defaults, the must be provided
as arrays too.
Remove nargs=1 so that values and defaults can be accessed directly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46772
This test always fails, I don't see any reason to make it conditional on
the "CI" test parameter.
There is at least one test bug here, we're using the wrong sysctl to
obtain the receive buffer size, but fixing that is not sufficient.
PR: 279354
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46726
Initially, it was added to cover a conflicting case of ipfw and pf used
together. But there are more drawbacks than benefits:
- A half of these tests are always skipped. That leads to
misunderstanding, while the test suite strives to avoid ambiguous
situations.
- Handling enabled ipfw on the test level is tedious, error-prone, and
less maintainable.
- CI and similar parties already know how to deal with ipfw for the test
suite, like making it open by default. Extra complexity is not needed.
In addition, ipfw+pf use cases are not officially supported.
Reviewed by: kp, markj
Approved by: kp (mentor), markj (mentor)
Differential Revision: https://reviews.freebsd.org/D46655
Ensure that we verify that the inner and outer IP address matches for ICMP error
messages. This is a more detailed test for CVE-2019-5598, which was fixed back
in 2019.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46573
Ensure that we correctly clean up even if the interface never gets a socket
assigned.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46617
Many of the modified tests add epair interfaces to the host, though most
of the tests themselves run in a VNET jail. scapy in particular becomes
unhappy when the list of interfaces changes as it is running, so, to
improve reliability of parallel test runs, isolate tests which add
epairs to the host.
Also serialize arp tests, as they examine the dmesg as part of the test.
The list of modified tests is not exhaustive, it was determined by
running the test suite with parallelization enabled and looking at
failures. It may be easier to just automatically enable VNET jailing of
all netinet tests, but let's be more particular for now.
Reviewed by: kp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D46606
If the FUSE_GETATTR issued to query a file's size during
fuse_vnop_deallocate failed for any reason, then fuse_vnop_deallocate
would attempt to destroy an uninitialized fuse_dispatcher struct, with a
crash the likely result. This bug only affects FUSE file systems that
implement FUSE_FALLOCATE, and is unlikely to be seen on those that don't
disable attribute caching.
Reported by: Coverity Scan
CID: 1505308
MFC after: 2 weeks
Now that kyua can isolate tests in their own vnets we can run these tests in
parallel.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46600
The in-tree ZFS test suite is somewhat outdated and I see a number of
failures there. I tend to think that we want to integrate the OpenZFS
test suite somehow, replacing the legacy one, though it's also possible
to run that as a separate test suite.
In any case, if one wants to run the OpenZFS test suite separately, it's
useful to be able to disable installation of the legacy ZFS test suite,
so let's provide a src.conf option to do that.
Reviewed by: asomers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46476
With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without effecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
The test suite runs the same tests twice, as different users, and these
can trample over each other when run in parallel, causing spurious test
failures.
MFC after: 1 week
Test whether the SNDSTIOC_ADD_USER_DEVS IOCTL (registers a userland
device to /dev/sndstat) works properly.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch
Differential Revision: https://reviews.freebsd.org/D46228
The pfik_ifp field is not provided by the kernel, it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.
Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488
There was a bug in pf_handle_get_addr() where it confused the counter and
pointer in the pf_addr_wrap.p union, causing panics. Test for this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
(e.g. traceroute with icmp)
ok henning, jsing
Also extend the test case to cover this scenario.
PR: 280701
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Some SCTP implementations will abort connections and then later re-use the same
port numbers (i.e. both src and dst) for a new connection, before pf has fully
purged the old connection.
Apply the same hack we already have for similarly misbehaving TCP
implementations and forcibly remove the old state so we can create a new one.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
When creating a state for ICMP (v4 or v6) packets we only used the ID, which
means that we could confuse different ICMP types. For example, if we allowed
neighbour discovery but not ICMPv6 echo requests an ND packet could create a
state that the echo request would match.
Test that this is now fixed.
Reported by: Enrico Bassetti <e.bassetti@tudelft.nl>
MFC after: 1 day
Sponsored by: Rubicon Communications, LLC ("Netgate")