Hello,

the diff below adds two test cases for issues reported by Leonardo. I've created an extra pfloadanchors target in regress/sbin/pfctl/Makefile. The 'load anchor ... from ' construct still needs more love to be covered by existing targets.

Consider the output of the command 'pfctl -o none -nvf pf113.in':

--------8<---------------8<---------------8<------------------8<--------
anchor "one" all
anchor "two" all
addrs = "{ 1.2.3.4, 10.20.30.40, 2.4.6.8, 20.40.60.80, 4.8.12.16, 40.80.120.160, 5.6.7.8, 50.60.70.80, 10.12.14.16, 100.120.140.160 }"
pass inet from 1.2.3.4 to any flags S/SA
pass inet from 10.20.30.40 to any flags S/SA
pass inet from 2.4.6.8 to any flags S/SA
pass inet from 20.40.60.80 to any flags S/SA
pass inet from 4.8.12.16 to any flags S/SA
pass inet from 40.80.120.160 to any flags S/SA
pass inet from 5.6.7.8 to any flags S/SA
pass inet from 50.60.70.80 to any flags S/SA
pass inet from 10.12.14.16 to any flags S/SA
pass inet from 100.120.140.160 to any flags S/SA
--------8<---------------8<---------------8<------------------8<--------

The output above, though it's syntactically valid, is not the ruleset which would be loaded to kernel. See output here:

--------8<---------------8<---------------8<------------------8<--------
pfctl -a regress -o none -f pf113.in
pfctl -a 'regress/*' -sr
anchor "one" all {
  anchor "two" all {
    pass inet from 1.2.3.4 to any flags S/SA
    pass inet from 10.20.30.40 to any flags S/SA
    pass inet from 2.4.6.8 to any flags S/SA
    pass inet from 20.40.60.80 to any flags S/SA
    pass inet from 4.8.12.16 to any flags S/SA
    pass inet from 40.80.120.160 to any flags S/SA
    pass inet from 5.6.7.8 to any flags S/SA
    pass inet from 50.60.70.80 to any flags S/SA
    pass inet from 10.12.14.16 to any flags S/SA
    pass inet from 100.120.140.160 to any flags S/SA
  }
}
--------8<---------------8<---------------8<------------------8<--------

I've tried to fix it, but decided to postpone the work. I'll eventually get back to it. The test cases below load rules to kernel and then dump them using 'pfctl -sr'. Rules in pf112.in verify the user-defined table can get loaded in anchor 'two'. pf113.in checks if the optimizer still works for nested anchors.

OK?

thanks and regards sasha --------8<---------------8<---------------8<------------------8<-------- diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile index adc236cc8b7..744aa408d97 100644 --- a/regress/sbin/pfctl/Makefile +++ b/regress/sbin/pfctl/Makefile @@ -30,6 +30,7 @@ PFIF2IP=1 2 3 PFCHKSUM=1 2 3 PFCMD=1 PFCMDFAIL=1 +PFLOADANCHORS=112 113 PFCTL ?= /sbin/pfctl @@ -331,6 +332,21 @@ pfchksum-update: ${PFCHKSUM_UPDATES} NODEFAULT_TARGETS+=pfchksum REGRESS_ROOT_TARGETS+=pfchksum +.for n in ${PFLOADANCHORS} +PFLOADANCHORS_TARGETS+=pfloadanchors${n} + +pfloadanchors${n}: + ${SUDO} ${PFCTL} -a regress -v -f - < ${.CURDIR}/pf${n}.in + (${SUDO} ${PFCTL} -a 'regress/*' -sr | \ + sed -e 's/__automatic_[0-9a-f]*_.*>/__automatic_>/' ) | \ + diff -u ${.CURDIR}/pf${n}.ok /dev/stdin + ${SUDO} ${PFCTL} -o none -a regress -Fr >/dev/null 2>&1 +.endfor + +pfloadanchors: ${PFLOADANCHORS_TARGETS} + +REGRESS_TARGETS+=pfloadanchors + update: ${UPDATE_TARGETS} alltests: ${REGRESS_TARGETS} ${NODEFAULT_TARGETS} diff --git a/regress/sbin/pfctl/pf112.in b/regress/sbin/pfctl/pf112.in new file mode 100644 index 00000000000..5b40dc0e69d --- /dev/null +++ b/regress/sbin/pfctl/pf112.in @@ -0,0 +1,2 @@ +anchor "one" +load anchor "one" from "pf112.one" diff --git a/regress/sbin/pfctl/pf112.ok b/regress/sbin/pfctl/pf112.ok new file mode 100644 index 00000000000..67420f7eea0 --- /dev/null +++ b/regress/sbin/pfctl/pf112.ok @@ -0,0 +1,5 @@ +anchor "one" all { + anchor "two" all { + pass from <foo> to any flags S/SA + } +} diff --git a/regress/sbin/pfctl/pf112.one b/regress/sbin/pfctl/pf112.one new file mode 100644 index 00000000000..68e20033087 --- /dev/null +++ b/regress/sbin/pfctl/pf112.one @@ -0,0 +1,2 @@ +anchor "two" +load anchor "two" from "pf112.two" diff --git a/regress/sbin/pfctl/pf112.two b/regress/sbin/pfctl/pf112.two new file mode 100644 index 00000000000..84e5f759569 --- /dev/null +++ b/regress/sbin/pfctl/pf112.two 
@@ -0,0 +1,2 @@ +table <foo> { 10.0.0.1 } +pass from <foo> diff --git a/regress/sbin/pfctl/pf113.in b/regress/sbin/pfctl/pf113.in new file mode 100644 index 00000000000..f62fa7ab84a --- /dev/null +++ b/regress/sbin/pfctl/pf113.in @@ -0,0 +1,2 @@ +anchor "one" +load anchor "one" from "pf113.one" diff --git a/regress/sbin/pfctl/pf113.ok b/regress/sbin/pfctl/pf113.ok new file mode 100644 index 00000000000..a599c3c7e74 --- /dev/null +++ b/regress/sbin/pfctl/pf113.ok @@ -0,0 +1,5 @@ +anchor "one" all { + anchor "two" all { + pass inet from <__automatic_> to any flags S/SA + } +} diff --git a/regress/sbin/pfctl/pf113.one b/regress/sbin/pfctl/pf113.one new file mode 100644 index 00000000000..4e4b63316b4 --- /dev/null +++ b/regress/sbin/pfctl/pf113.one @@ -0,0 +1,2 @@ +anchor "two" +load anchor "two" from "pf113.two" diff --git a/regress/sbin/pfctl/pf113.two b/regress/sbin/pfctl/pf113.two new file mode 100644 index 00000000000..a99c64f94dc --- /dev/null +++ b/regress/sbin/pfctl/pf113.two @@ -0,0 +1,12 @@ +addrs = "{ 1.2.3.4, + 10.20.30.40, + 2.4.6.8, + 20.40.60.80, + 4.8.12.16, + 40.80.120.160, + 5.6.7.8, + 50.60.70.80, + 10.12.14.16, + 100.120.140.160 + }" +pass from $addrs
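
Review bot: in the pfloadanchors${n} recipe of the Makefile hunk, pfctl is fed pf${n}.in on stdin from ${.CURDIR}, but the nested files are named by relative path (load anchor "one" from "pf112.one"), so they are looked up in whatever directory make runs the command in. With an obj directory in use the .one and .two files will not be found. Suggest prefixing the load with cd ${.CURDIR} && so the lookup does not depend on the working directory. Separately, the -Fr cleanup is the last recipe line, so it is skipped whenever the diff fails and rules from a failed pf112 run are still loaded under regress when pf113 starts; flushing before the load as well would keep the two targets independent.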
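
Review bot: pf112.ok holds only 'pfctl -sr' output, so the test passes as soon as the rule in anchor "two" references <foo>; nothing checks that the table defined in pf112.two exists in the nested anchor and contains 10.0.0.1, which is what the test is described as verifying. Consider also dumping the table for the nested anchor (pfctl -t foo -T show with the matching -a) and comparing it against a second expected file. The recipe's cleanup names rules only (-Fr), so it is worth confirming that <foo> does not outlive the test.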
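
Review bot: pf113.ok matches only after the Makefile's sed rewrites the generated table name, and that pattern ends in '_.*>', which is greedy and will swallow everything up to the last '>' on the line; '[^>]*>' would confine the substitution to the table name. As with pf112, the expected output shows that the addresses from pf113.two were collapsed into a single <__automatic_> table, but not that the table holds all ten of them, so an optimizer regression that drops entries would still pass.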