-rw-r--r--regress/sbin/pfctl/Makefile21
-rw-r--r--regress/sbin/pfctl/pf16.in7
-rw-r--r--regress/sbin/pfctl/pf16.ok5
-rw-r--r--regress/sbin/pfctl/pf17.in (renamed from regress/sbin/pfctl/binat1.in)0
-rw-r--r--regress/sbin/pfctl/pf17.ok (renamed from regress/sbin/pfctl/binat1.ok)0
-rw-r--r--regress/sbin/pfctl/pf18.in (renamed from regress/sbin/pfctl/nat1.in)0
-rw-r--r--regress/sbin/pfctl/pf18.ok (renamed from regress/sbin/pfctl/nat1.ok)0
-rw-r--r--regress/sbin/pfctl/pf19.in (renamed from regress/sbin/pfctl/rdr1.in)0
-rw-r--r--regress/sbin/pfctl/pf19.ok (renamed from regress/sbin/pfctl/rdr1.ok)0
-rw-r--r--regress/sbin/pfctl/pf20.in9
-rw-r--r--regress/sbin/pfctl/pf20.ok16
-rw-r--r--regress/sbin/pfctl/pfail10.in5
-rw-r--r--regress/sbin/pfctl/pfail9.in6
13 files changed, 53 insertions, 16 deletions
diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile
index 10839ae3377..f51e65fb9cc 100644
--- a/regress/sbin/pfctl/Makefile
+++ b/regress/sbin/pfctl/Makefile
@@ -1,13 +1,13 @@
-# $OpenBSD: Makefile,v 1.17 2002/06/10 02:10:39 kjell Exp $
+# $OpenBSD: Makefile,v 1.18 2002/06/11 02:16:30 kjell Exp $
-PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
-PFFAIL=1 2 3 4 5 6 7 8
+PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
+PFFAIL=1 2 3 4 5 6 7 8 9 10
.for n in ${PFFAIL}
REGRESSTARGETS+=pfail${n}
pfail${n}:
- if pfctl -nv -R - < ${.CURDIR}/pfail${n}.in > /dev/null 2>&1 ; then \
+ if pfctl -nv -f - < ${.CURDIR}/pfail${n}.in > /dev/null 2>&1 ; then \
false ; \
fi
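Review bot: The `pfail${n}` recipe counts any non-zero exit from `pfctl -nv -f -` as a pass, and with both streams sent to `/dev/null` a missing `pfail${n}.in`, a missing pfctl binary or an unrelated parse error passes exactly like the intended rejection. That weakens the new pfail9 and pfail10 cases, which exist to show that out-of-order scrub/nat/filter rules are refused. Consider keeping the diagnostic and matching it, e.g. `pfctl -nv -f - < ${.CURDIR}/pfail${n}.in 2>&1 | grep -q '<EXPECTED_ERROR_TEXT>'`, where the quoted text is a placeholder for pfctl's actual message. The `.for` loop continues outside this hunk.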
@@ -17,22 +17,11 @@ pfail${n}:
REGRESSTARGETS+=pf${n}
pf${n}:
- pfctl -nv -R - < ${.CURDIR}/pf${n}.in | \
+ pfctl -nv -f - < ${.CURDIR}/pf${n}.in | \
cmp -s ${.CURDIR}/pf${n}.ok /dev/stdin
.endfor
-NATTESTS=binat1 nat1 rdr1
-
-.for n in ${NATTESTS}
-REGRESSTARGETS+=${n}
-
-${n}:
- pfctl -nv -N - < ${.CURDIR}/${n}.in | \
- cmp -s ${.CURDIR}/${n}.ok /dev/stdin
-
-.endfor
-
.PHONY: ${REGRESSTARGETS}
.include <bsd.regress.mk>
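Review bot: In the `pf${n}` recipe the pipeline's status is that of `cmp -s`, so the exit code of `pfctl -nv -f -` is never checked and a mismatch fails without showing which rule differed. With the nat, rdr and binat cases (pf17 to pf19) now running through this one recipe, a readable failure is worth having: `pfctl -nv -f - < ${.CURDIR}/pf${n}.in | diff -u ${.CURDIR}/pf${n}.ok /dev/stdin` would print the differing lines. The `.for` line that opens this loop is outside the hunk.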
diff --git a/regress/sbin/pfctl/pf16.in b/regress/sbin/pfctl/pf16.in
new file mode 100644
index 00000000000..b9767d66f39
--- /dev/null
+++ b/regress/sbin/pfctl/pf16.in
@@ -0,0 +1,7 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+scrub in on lo0 all
+nat on lo0 from 192.168.1.1 to any -> 10.0.0.1
+rdr on lo0 proto tcp from any to 1.2.3.4/32 port 2222 -> 10.0.0.10 port 22
+binat on lo0 from 192.168.1.1 to any -> 10.0.0.1
+pass in on lo1 all
+
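Review bot: The header comment on the first line says the input "should fail unless scrub -> nat -> filter", which reads ambiguously in a positive case; it appears to be shared verbatim with pfail9.in and pfail10.in. This file is in PFTESTS and has a pf16.ok, so the comment should say that it is expected to load: `# Test rule order processing: scrub -> nat/rdr/binat -> filter is the accepted order and must parse`.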
diff --git a/regress/sbin/pfctl/pf16.ok b/regress/sbin/pfctl/pf16.ok
new file mode 100644
index 00000000000..9bd5491aa1b
--- /dev/null
+++ b/regress/sbin/pfctl/pf16.ok
@@ -0,0 +1,5 @@
+@0 scrub in all
+nat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1
+rdr on lo0 inet proto tcp from any to 1.2.3.4 port 2222 -> 10.0.0.10 port 22
+binat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1
+@0 pass in on lo1 all
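Review bot: The expected first line `@0 scrub in all` omits the `on lo0` that pf16.in gives for the scrub rule, while `@0 pass in on lo1 all` keeps its interface. If this is pfctl's verbose printer dropping the interface rather than intended output, the golden file will hide the defect and later flag a correct fix as a regression. Worth confirming against the parser; if it is a printer defect, the expected line would be `@0 scrub in on lo0 all`.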
diff --git a/regress/sbin/pfctl/binat1.in b/regress/sbin/pfctl/pf17.in
index 443600305c2..443600305c2 100644
--- a/regress/sbin/pfctl/binat1.in
+++ b/regress/sbin/pfctl/pf17.in
diff --git a/regress/sbin/pfctl/binat1.ok b/regress/sbin/pfctl/pf17.ok
index 6ef8dfeef33..6ef8dfeef33 100644
--- a/regress/sbin/pfctl/binat1.ok
+++ b/regress/sbin/pfctl/pf17.ok
diff --git a/regress/sbin/pfctl/nat1.in b/regress/sbin/pfctl/pf18.in
index 1b4a567ca28..1b4a567ca28 100644
--- a/regress/sbin/pfctl/nat1.in
+++ b/regress/sbin/pfctl/pf18.in
diff --git a/regress/sbin/pfctl/nat1.ok b/regress/sbin/pfctl/pf18.ok
index 3350699b4a2..3350699b4a2 100644
--- a/regress/sbin/pfctl/nat1.ok
+++ b/regress/sbin/pfctl/pf18.ok
diff --git a/regress/sbin/pfctl/rdr1.in b/regress/sbin/pfctl/pf19.in
index 2a261c24d9c..2a261c24d9c 100644
--- a/regress/sbin/pfctl/rdr1.in
+++ b/regress/sbin/pfctl/pf19.in
diff --git a/regress/sbin/pfctl/rdr1.ok b/regress/sbin/pfctl/pf19.ok
index 206b7492f33..206b7492f33 100644
--- a/regress/sbin/pfctl/rdr1.ok
+++ b/regress/sbin/pfctl/pf19.ok
diff --git a/regress/sbin/pfctl/pf20.in b/regress/sbin/pfctl/pf20.in
new file mode 100644
index 00000000000..3b22a5155c4
--- /dev/null
+++ b/regress/sbin/pfctl/pf20.in
@@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+nat on $EVIL from $GOOD_NET to $DEST_NET -> $EVIL
+rdr on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 -> 127.0.0.1 port 8021
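Review bot: The nat rule's target `-> $EVIL` is an interface name, and pf20.ok records it as `-> 127.0.0.1`, so the expected output presumably depends on the address configured on the test host's lo0. Writing the address literally, `nat on $EVIL from $GOOD_NET to $DEST_NET -> 127.0.0.1`, would keep this case about list expansion and leave interface-to-address lookup to its own test. The macro names also say nothing about their role; a comment such as `# EVIL: single interface, GOOD: interface list` above the definitions would help.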
diff --git a/regress/sbin/pfctl/pf20.ok b/regress/sbin/pfctl/pf20.ok
new file mode 100644
index 00000000000..1981663a207
--- /dev/null
+++ b/regress/sbin/pfctl/pf20.ok
@@ -0,0 +1,16 @@
+EVIL = lo0
+GOOD = { lo0, lo1 }
+GOOD_NET = { 127.0.0.0/24, 10.0.1.0/24 }
+DEST_NET = { 1.2.3.4/25, 2.4.6.8/30 }
+nat on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 -> 127.0.0.1
+nat on lo0 inet from 10.0.1.0/24 to 1.2.3.4/25 -> 127.0.0.1
+nat on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 -> 127.0.0.1
+nat on lo0 inet from 127.0.0.0/24 to 1.2.3.4/25 -> 127.0.0.1
+rdr on lo1 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 10.0.1.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo1 inet proto tcp from 127.0.0.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port 21 -> 127.0.0.1 port 8021
+rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.4/25 port 21 -> 127.0.0.1 port 8021
diff --git a/regress/sbin/pfctl/pfail10.in b/regress/sbin/pfctl/pfail10.in
new file mode 100644
index 00000000000..507e6df0366
--- /dev/null
+++ b/regress/sbin/pfctl/pfail10.in
@@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+nat on lo0 all -> lo0
+pass in on lo1 all
+scrub in on lo0 all
+
diff --git a/regress/sbin/pfctl/pfail9.in b/regress/sbin/pfctl/pfail9.in
new file mode 100644
index 00000000000..bb075fb53c5
--- /dev/null
+++ b/regress/sbin/pfctl/pfail9.in
@@ -0,0 +1,6 @@
+# Test rule order processing: should fail unless scrub -> nat -> filter
+scrub in on lo0 all
+pass in on lo1 all
+# bork
+nat on lo0 all -> lo0
+
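Review bot: The `# bork` comment before the nat rule does not say which ordering constraint is being violated. Suggest `# nat after a filter rule: out of order, pfctl must reject this`, so the case stays understandable if the ordering check is later changed.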