author | Kjell Wooding <kjell@cvs.openbsd.org> | 2002-06-11 02:16:31 +0000 |
---|---|---|
committer | Kjell Wooding <kjell@cvs.openbsd.org> | 2002-06-11 02:16:31 +0000 |
commit | 09dfe6b2f21192026183f678eb93a83ab47f10dd (patch) | |
tree | 328d584b172760b7da4a86cc49b51915e918286e /regress | |
parent | a74d174ebe7d9d4fe9d2e8e044766a2230f8db17 (diff) |
Use merged config file format. The separate NAT loop can go away,
since all files are now loaded the same way. Add regress tests for
invalid ordering of scrub, nat, filter rules
Diffstat (limited to 'regress')
-rw-r--r-- | regress/sbin/pfctl/Makefile | 21 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf16.in | 7 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf16.ok | 5 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf17.in (renamed from regress/sbin/pfctl/binat1.in) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf17.ok (renamed from regress/sbin/pfctl/binat1.ok) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf18.in (renamed from regress/sbin/pfctl/nat1.in) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf18.ok (renamed from regress/sbin/pfctl/nat1.ok) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf19.in (renamed from regress/sbin/pfctl/rdr1.in) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf19.ok (renamed from regress/sbin/pfctl/rdr1.ok) | 0 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf20.in | 9 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf20.ok | 16 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail10.in | 5 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail9.in | 6 |
13 files changed, 53 insertions, 16 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 10839ae3377..f51e65fb9cc 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,13 +1,13 @@ -# $OpenBSD: Makefile,v 1.17 2002/06/10 02:10:39 kjell Exp $ +# $OpenBSD: Makefile,v 1.18 2002/06/11 02:16:30 kjell Exp $ -PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 -PFFAIL=1 2 3 4 5 6 7 8 +PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 +PFFAIL=1 2 3 4 5 6 7 8 9 10 .for n in ${PFFAIL} REGRESSTARGETS+=pfail${n} pfail${n}: - if pfctl -nv -R - < ${.CURDIR}/pfail${n}.in > /dev/null 2>&1 ; then \ + if pfctl -nv -f - < ${.CURDIR}/pfail${n}.in > /dev/null 2>&1 ; then \ false ; \ fi
@@ -17,22 +17,11 @@ pfail${n}: REGRESSTARGETS+=pf${n} pf${n}: - pfctl -nv -R - < ${.CURDIR}/pf${n}.in | \ + pfctl -nv -f - < ${.CURDIR}/pf${n}.in | \ cmp -s ${.CURDIR}/pf${n}.ok /dev/stdin .endfor -NATTESTS=binat1 nat1 rdr1 - -.for n in ${NATTESTS} -REGRESSTARGETS+=${n} - -${n}: - pfctl -nv -N - < ${.CURDIR}/${n}.in | \ - cmp -s ${.CURDIR}/${n}.ok /dev/stdin - -.endfor - .PHONY: ${REGRESSTARGETS} .include <bsd.regress.mk>
diff --git a/regress/sbin/pfctl/pf16.in b/regress/sbin/pfctl/pf16.in
new file mode 100644
index 00000000000..b9767d66f39
--- /dev/null
+++ b/regress/sbin/pfctl/pf16.in
@@ -0,0 +1,7 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+scrub in on lo0 all
+nat on lo0 from 192.168.1.1 to any -> 10.0.0.1
+rdr on lo0 proto tcp from any to 1.2.3.4/32 port 2222 -> 10.0.0.10 port 22
+binat on lo0 from 192.168.1.1 to any -> 10.0.0.1
+pass in on lo1 all
+
diff --git a/regress/sbin/pfctl/pf16.ok b/regress/sbin/pfctl/pf16.ok
new file mode 100644
index 00000000000..9bd5491aa1b
--- /dev/null
+++ b/regress/sbin/pfctl/pf16.ok
@@ -0,0 +1,5 @@
+@0 scrub in all
+nat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1
+rdr on lo0 inet proto tcp from any to 1.2.3.4 port 2222 -> 10.0.0.10 port 22
+binat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1
+@0 pass in on lo1 all
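Review bot: The `pfail${n}` target in the first Makefile hunk passes on any non-zero exit from pfctl and sends both stdout and stderr to /dev/null, so the new pfail9 and pfail10 cases cannot show that the ruleset was rejected for its ordering rather than for an unrelated parse error. Both new inputs use `nat on lo0 all -> lo0`, a form that no passing test on this page exercises, so a plain syntax rejection would look identical to the ordering check (inferred; the parser is not shown). Reusing a line that pf16.in already proves valid, `nat on lo0 from 192.168.1.1 to any -> 10.0.0.1`, in pfail9.in and pfail10.in would leave rule order as the only difference from a passing file. The `.for` block around the target closes outside the hunk.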
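Review bot: The expected first line `@0 scrub in all` in pf16.ok has lost the `on lo0` that pf16.in gives for the scrub rule, while the nat, rdr, binat and pass lines all keep their interface. Whether the parser drops the interface or only the verbose printer omits it cannot be told from this page, but the golden file now pins that output, and a scrub rule printed without its interface reads as applying to every interface. If this is a known printing gap, record it next to the rule in pf16.in, for example `# NOTE: pfctl -nv currently prints scrub rules without "on <if>"; update pf16.ok when fixed`.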
diff --git a/regress/sbin/pfctl/binat1.in b/regress/sbin/pfctl/pf17.in
index 443600305c2..443600305c2 100644
--- a/regress/sbin/pfctl/binat1.in
+++ b/regress/sbin/pfctl/pf17.in
diff --git a/regress/sbin/pfctl/binat1.ok b/regress/sbin/pfctl/pf17.ok
index 6ef8dfeef33..6ef8dfeef33 100644
--- a/regress/sbin/pfctl/binat1.ok
+++ b/regress/sbin/pfctl/pf17.ok
diff --git a/regress/sbin/pfctl/nat1.in b/regress/sbin/pfctl/pf18.in
index 1b4a567ca28..1b4a567ca28 100644
--- a/regress/sbin/pfctl/nat1.in
+++ b/regress/sbin/pfctl/pf18.in
diff --git a/regress/sbin/pfctl/nat1.ok b/regress/sbin/pfctl/pf18.ok
index 3350699b4a2..3350699b4a2 100644
--- a/regress/sbin/pfctl/nat1.ok
+++ b/regress/sbin/pfctl/pf18.ok
diff --git a/regress/sbin/pfctl/rdr1.in b/regress/sbin/pfctl/pf19.in
index 2a261c24d9c..2a261c24d9c 100644
--- a/regress/sbin/pfctl/rdr1.in
+++ b/regress/sbin/pfctl/pf19.in
diff --git a/regress/sbin/pfctl/rdr1.ok b/regress/sbin/pfctl/pf19.ok
index 206b7492f33..206b7492f33 100644
--- a/regress/sbin/pfctl/rdr1.ok
+++ b/regress/sbin/pfctl/pf19.ok
diff --git a/regress/sbin/pfctl/pf20.in b/regress/sbin/pfctl/pf20.in
new file mode 100644
index 00000000000..3b22a5155c4
--- /dev/null
+++ b/regress/sbin/pfctl/pf20.in
@@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+nat on $EVIL from $GOOD_NET to $DEST_NET -> $EVIL
+rdr on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 -> 127.0.0.1 port 8021
diff --git a/regress/sbin/pfctl/pf20.ok b/regress/sbin/pfctl/pf20.ok
new file mode 100644
index 00000000000..1981663a207
--- /dev/null
+++ b/regress/sbin/pfctl/pf20.ok
@@ -0,0 +1,16 @@
+EVIL = lo0
+GOOD = { lo0, lo1 }
+GOOD_NET = { 127.0.0.0/24, 10.0.1.0/24 }
+DEST_NET = { 1.2.3.4/25, 2.4.6.8/30 }
+nat on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 -> 127.0.0.1
+nat on lo0 inet from 10.0.1.0/24 to 1.2.3.4/25 -> 127.0.0.1
+nat on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 -> 127.0.0.1
+nat on lo0 inet from 127.0.0.0/24 to 1.2.3.4/25 -> 127.0.0.1
+rdr on lo1 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 10.0.1.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 127.0.0.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
diff --git a/regress/sbin/pfctl/pfail10.in b/regress/sbin/pfctl/pfail10.in
new file mode 100644
index 00000000000..507e6df0366
--- /dev/null
+++ b/regress/sbin/pfctl/pfail10.in
@@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+nat on lo0 all -> lo0
+pass in on lo1 all
+scrub in on lo0 all
+
diff --git a/regress/sbin/pfctl/pfail9.in b/regress/sbin/pfctl/pfail9.in
new file mode 100644
index 00000000000..bb075fb53c5
--- /dev/null
+++ b/regress/sbin/pfctl/pfail9.in
@@ -0,0 +1,6 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+scrub in on lo0 all
+pass in on lo1 all
+# bork
+nat on lo0 all -> lo0
+
|
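Review bot: The four expected nat lines in pf20.ok end in `-> 127.0.0.1`, but pf20.in writes the translation target as `-> $EVIL`, which is lo0, so the golden output depends on the address configured on lo0 of the machine running the test. On a host where lo0 carries a different or additional address the comparison would fail for a reason unrelated to list expansion (inferred from the input and expected output; the resolution code is not shown). Either write the target literally in pf20.in, `nat on $EVIL from $GOOD_NET to $DEST_NET -> 127.0.0.1`, or document the assumption there with `# "-> $EVIL" resolves to lo0's address; pf20.ok assumes 127.0.0.1`.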