authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-12-07 21:32:01 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-12-07 21:32:01 +0000
commitfc71e17ec521579dbf200150d8ecc6f145f1225d (patch)
tree1b750e91cf2fde1af2aaa0deb5121d26c8fc4821 /regress/sbin/pfctl
parent54db4c8837ced1daff21529143e354994d3a3ea8 (diff)
Tests for max-src-conn, max-src-conn-rate, and overload <foo> flush global.
Diffstat (limited to 'regress/sbin/pfctl')
-rw-r--r--regress/sbin/pfctl/Makefile6
-rw-r--r--regress/sbin/pfctl/pf89.in25
-rw-r--r--regress/sbin/pfctl/pf89.loaded40
-rw-r--r--regress/sbin/pfctl/pf89.ok11
-rw-r--r--regress/sbin/pfctl/pf89.optimized40
5 files changed, 119 insertions, 3 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 73b8c9a41e5..6e8a1cf26cb 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.182 2004/10/05 18:33:44 mcbride Exp $
+# $OpenBSD: Makefile,v 1.183 2004/12/07 21:32:00 mcbride Exp $
# TARGETS
# pf: feed pfNN.in through pfctl and check wether the output matches pfNN.ok
@@ -14,14 +14,14 @@
PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
PFTESTS+=28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
PFTESTS+=51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
-PFTESTS+=74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
+PFTESTS+=74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 23 24 25 27
PFFAIL+=28 29 30 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
PFSIMPLE=1 2
PFSETUP=1 2 3 4
PFLOAD=1 2 3 4 5 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 28 29
PFLOAD+=30 31 32 34 36 38 39 40 44 46 47 48 49 54 56 60 61 65 66 67 68 69 70 71
-PFLOAD+=72 73 74 75 76 77 78 79 80 81 82 84 87 88
+PFLOAD+=72 73 74 75 76 77 78 79 80 81 82 84 87 88 89
PFALTQ=1 2 3 4 5 6 7 8 9 10 11 12 13 14
# disabled; no altq in anchors
# PFLOAD+=33 35 37 42 43 45 51 58 59 62 63 64
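Review bot: This hunk registers 89 only in `PFTESTS` and `PFLOAD`, yet the commit also adds `pf89.optimized`, and no list that consumes that file is visible here. If the target that compares against `.optimized` output draws from its own list elsewhere in the Makefile, 89 needs to be added there too, otherwise the new expected-output file is never checked. The rest of the Makefile is outside the hunk, so this is a point to confirm rather than a known defect.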
diff --git a/regress/sbin/pfctl/pf89.in b/regress/sbin/pfctl/pf89.in
new file mode 100644
index 00000000000..1beda48b43b
--- /dev/null
+++ b/regress/sbin/pfctl/pf89.in
@@ -0,0 +1,25 @@
+# TCP connection tracking
+
+table <bad> persist
+
+block all
+block quick from <bad>
+
+pass out proto tcp flags S/SA keep state
+pass out proto { icmp, udp } keep state
+
+pass in on lo1000001 proto tcp to 10.0.0.1 port 22 flags S/SA \
+ keep state (max-src-conn 10, max-src-conn-rate 3/99)
+
+pass in on lo1000001 proto tcp to 10.0.0.2 port 22 flags S/SA keep state \
+ (max-src-conn 10)
+
+pass in on lo1000001 proto tcp to 10.0.0.3 port 22 flags S/SA keep state \
+ (max-src-conn-rate 3/99)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 80 flags S/SA modulate state \
+ (max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 8080 flags S/SA synproxy state \
+ (max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> \
+ flush global)
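Review bot: The header comment `# TCP connection tracking` does not say which options are exercised; something like `# max-src-conn / max-src-conn-rate limits, with and without overload <table> flush [global]` would let a reader map each rule to the option under test. The five limit rules cover `overload <bad> flush` and `overload <bad> flush global`, but not `overload <bad>` on its own, so the no-flush form has no parse/print coverage. Every case here is accepted input; rejection cases (for example `overload` given without any connection limit, if pfctl is meant to refuse that) would belong in a companion failing test. As far as the files in this commit show, the checks compare printed and loaded rule text with all counters at zero, so whether an offending source is actually added to `<bad>` and has its states flushed is not verified here.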
diff --git a/regress/sbin/pfctl/pf89.loaded b/regress/sbin/pfctl/pf89.loaded
new file mode 100644
index 00000000000..72fa1d69dd7
--- /dev/null
+++ b/regress/sbin/pfctl/pf89.loaded
@@ -0,0 +1,40 @@
+@0 block drop all
+ [ Skip steps: i=5 d=2 f=5 p=2 sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 block drop quick from <bad:0> to any
+ [ Skip steps: i=5 f=5 sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass out proto tcp all flags S/SA keep state
+ [ Skip steps: i=5 d=5 f=5 sa=end sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass out proto icmp all keep state
+ [ Skip steps: i=5 d=5 f=5 sa=end sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass out proto udp all keep state
+ [ Skip steps: sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+ [ Skip steps: i=8 d=end f=end p=end sa=end sp=end dp=8 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+ [ Skip steps: i=8 d=end f=end p=end sa=end sp=end dp=8 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+ [ Skip steps: d=end f=end p=end sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = www flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5)
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = 8080 flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
diff --git a/regress/sbin/pfctl/pf89.ok b/regress/sbin/pfctl/pf89.ok
new file mode 100644
index 00000000000..e66f5f89f5d
--- /dev/null
+++ b/regress/sbin/pfctl/pf89.ok
@@ -0,0 +1,11 @@
+table <bad> persist
+block drop all
+block drop quick from <bad> to any
+pass out proto tcp all flags S/SA keep state
+pass out proto icmp all keep state
+pass out proto udp all keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = www flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = 8080 flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
diff --git a/regress/sbin/pfctl/pf89.optimized b/regress/sbin/pfctl/pf89.optimized
new file mode 100644
index 00000000000..72fa1d69dd7
--- /dev/null
+++ b/regress/sbin/pfctl/pf89.optimized
@@ -0,0 +1,40 @@
+@0 block drop all
+ [ Skip steps: i=5 d=2 f=5 p=2 sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 block drop quick from <bad:0> to any
+ [ Skip steps: i=5 f=5 sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass out proto tcp all flags S/SA keep state
+ [ Skip steps: i=5 d=5 f=5 sa=end sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass out proto icmp all keep state
+ [ Skip steps: i=5 d=5 f=5 sa=end sp=end da=5 dp=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass out proto udp all keep state
+ [ Skip steps: sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+ [ Skip steps: i=8 d=end f=end p=end sa=end sp=end dp=8 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+ [ Skip steps: i=8 d=end f=end p=end sa=end sp=end dp=8 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+ [ Skip steps: d=end f=end p=end sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = www flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5)
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = 8080 flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]