If sysutils/porch is installed, we'll do some basic testing of tty
behavior. The existing tests primarily cover ICANON-related processing
and corner cases that have been fixed somewhat recently, but I
anticipate growing this out a bit in due time.
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D46806
io.cc relies on `std::setw(..)`, which is exported by the iomanip C++
header. Newer versions of GoogleTest don't export this header, so add
the explicit include.
This unbreaks the build with GoogleTest 1.15.2.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D47194
The update to py-twisted 24.7.0 broke EPSV mode in twisted's ftp server.
Work around this by disabling EPSV (and thus using PASV).
PR: 282154
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
What's required and not required to be defined is complicated. Write
tests to enshrine it:
endian.h and sys/endian.h:
[bl]e{16,32,64}toh
hto[bl]e{16,32,64}
byteswap.h:
{__,}bswap_{16,32,64}
sys/endian.h:
{__,}bswap{16,32,64}
_BYTE_ORDER
_BIG_ENDIAN
_LITTLE_ENDIAN
_PDP_ENDIAN
endian.h:
__BYTE_ORDER
__BIG_ENDIAN
__LITTLE_ENDIAN
__PDP_ENDIAN
__FLOAT_WORD_ORDER
We also ensure that the sys/endian.h conditions hold true when
we include both endian.h and sys/endian.h in either order.
NOT TESTED: deprecated symbols, internal to glibc symbols
Sponsored by: Netflix
Discussed with: markj (made the changes he requested)
Differential Revision: https://reviews.freebsd.org/D32052
It's intended to be used by both ipfw and pf.
Reviewed by: kp, markj
Approved by: kp (mentor)
Differential Revision: https://reviews.freebsd.org/D47110
Avoid receiving ICMPv6 destination unreachable packets, because scapy will
attempt to parse the pflow information from those (partial) packets as well, and
then get confused.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
From scapy 2.6.0 it now removes (sets to None) the IP checksum in its defrag
code. We typically ask for IPv4 or IPv6 defragmentation, which causes check
function failures.
Just skip the checksum verificiation here, because we're going to notice
incorrect checksums even if the tests don't directly verify it.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
We were previously unconditionally adding PROT_WRITE to the maxprot of
private mapping (because a private mapping can be written even if the
fd is read-only), but this might violate the user's PROT_MAX request.
While here, rename cap_maxprot to max_maxprot. This is the intersection
of the maximum protections imposed by capsicum rights on the fd (not
really relevant for private mappings) and the user-required maximum
protections (which were not being obeyed). In particular, cap_maxprot
is a misnomer after the introduction of PROT_MAX.
Add some regression test cases. mmap__maxprot_shm fails without this
patch.
Note: Capsicum's CAP_MMAP_W is a bit ambiguous. Should it be required
in order to create writeable private mappings? Currently it is, even
though such mappings don't permit writes to the object referenced by the
fd.
Reported by: brooks
Reviewed by: brooks
MFC after: 1 month
Fixes: c7841c6b8e ("Relax restrictions on private mappings of POSIX shm objects.")
Differential Revision: https://reviews.freebsd.org/D46741
Without this patch, vdevs faulted via AUX state would not be replaced
once the appropriate drive is replaced. ZFS does not internally use
that state, but a drive can be manually forced into such a state with a
command like zinject.
Submitted by: Goran Mekić <meka@tilda.center>
Sponsored by: ConnectWise
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46866
The function `pf_setup_pdesc()` handles ruleset evaluation for non-reassembled
packets. Having it called before `pf_mtag` is checked for flags
`PF_MTAG_FLAG_ROUTE_TO` and `PF_MTAG_FLAG_DUMMYNET` will cause loops for
fragmented packets if reassembly is disabled.
Move `pd` zeroing and `pf_mtag` extraction from `pf_setup_pdesc()` to a separate
function `pf_init_pdesc()` and change the order of function calls: first
call `pf_init_pdesc()`, then check if the currently processed packet has been
reinjected from dummynet, finally call `pf_setup_pdesc()`.
Add functionality of sending UDP packets to `pft_ping.py` with fragmentation
support and fix broken IPv6 reassembly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46880
Ensure that we don't conflict with other inetd processes running in other jails
by setting an explicit pid file (rather than relying on the default /var/run/
inetd.pid). This could lead to failure to start inetd, which in turn could cause
test failures.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Check enqueue works correctly when the offsets overflow
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46156
Add a simple test for sys/buf_ring.h. This enqueues and dequeues items
in the buf_ring to ensure the simple operations are correct.
There are no checks for multiple threads operating on buf_ring_enqueue
or buf_ring_dequeue_mc as they can be probabilistic and depend on the
architecture memory model.
Reviewed by: markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46147
Switch tests using pft_ping.py to inetd. Netcat can only accept a single
connection, we need multiple parallel connections to test max-src-conn. Use the
discard service and modify pft_ping.py to use proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params
accessible to sniffer, because answers to SYN+ACK packets should be send with
the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46798
Using nargs=1 causes arguments to produce lists from which we must then
get the real value. The same applies to defaults, the must be provided
as arrays too.
Remove nargs=1 so that values and defaults can be accessed directly.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46772
This test always fails, I don't see any reason to make it conditional on
the "CI" test parameter.
There is at least one test bug here, we're using the wrong sysctl to
obtain the receive buffer size, but fixing that is not sufficient.
PR: 279354
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46726
Initially, it was added to cover a conflicting case of ipfw and pf used
together. But there are more drawbacks than benefits:
- A half of these tests are always skipped. That leads to
misunderstanding, while the test suite strives to avoid ambiguous
situations.
- Handling enabled ipfw on the test level is tedious, error-prone, and
less maintainable.
- CI and similar parties already know how to deal with ipfw for the test
suite, like making it open by default. Extra complexity is not needed.
In addition, ipfw+pf use cases are not officially supported.
Reviewed by: kp, markj
Approved by: kp (mentor), markj (mentor)
Differential Revision: https://reviews.freebsd.org/D46655
Ensure that we verify that the inner and outer IP address matches for ICMP error
messages. This is a more detailed test for CVE-2019-5598, which was fixed back
in 2019.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46573
Ensure that we correctly clean up even if the interface never gets a socket
assigned.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46617
Many of the modified tests add epair interfaces to the host, though most
of the tests themselves run in a VNET jail. scapy in particular becomes
unhappy when the list of interfaces changes as it is running, so, to
improve reliability of parallel test runs, isolate tests which add
epairs to the host.
Also serialize arp tests, as they examine the dmesg as part of the test.
The list of modified tests is not exhaustive, it was determined by
running the test suite with parallelization enabled and looking at
failures. It may be easier to just automatically enable VNET jailing of
all netinet tests, but let's be more particular for now.
Reviewed by: kp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D46606
If the FUSE_GETATTR issued to query a file's size during
fuse_vnop_deallocate failed for any reason, then fuse_vnop_deallocate
would attempt to destroy an uninitialized fuse_dispatcher struct, with a
crash the likely result. This bug only affects FUSE file systems that
implement FUSE_FALLOCATE, and is unlikely to be seen on those that don't
disable attribute caching.
Reported by: Coverity Scan
CID: 1505308
MFC after: 2 weeks
Now that kyua can isolate tests in their own vnets we can run these tests in
parallel.
Reviewed by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46600
The in-tree ZFS test suite is somewhat outdated and I see a number of
failures there. I tend to think that we want to integrate the OpenZFS
test suite somehow, replacing the legacy one, though it's also possible
to run that as a separate test suite.
In any case, if one wants to run the OpenZFS test suite separately, it's
useful to be able to disable installation of the legacy ZFS test suite,
so let's provide a src.conf option to do that.
Reviewed by: asomers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46476
With Endpoint Independent NAT bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without effecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
The test suite runs the same tests twice, as different users, and these
can trample over each other when run in parallel, causing spurious test
failures.
MFC after: 1 week
Test whether the SNDSTIOC_ADD_USER_DEVS IOCTL (registers a userland
device to /dev/sndstat) works properly.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch
Differential Revision: https://reviews.freebsd.org/D46228
The pfik_ifp field is not provided by the kernel, it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
