summaryrefslogtreecommitdiff
path: root/regress/sbin
AgeCommit message (Collapse)Author
2009-04-06more scrub scrubbingHenning Brauer
2009-04-06scrub goneHenning Brauer
2009-01-30If the "peer" address is not specified or derived from "to" forAlexander Bluhm
"ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@
2009-01-29Remove ikefail10 ipsecctl regression test as it always fails. ItAlexander Bluhm
was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@
2009-01-28Allow to specify ike and flow explicitly without peer. The anyAlexander Bluhm
keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
2009-01-20Regression tests for source flow NAT support.Marco Pfatschbacher
OK hshoexer@, markus@.
2009-01-19Do not use "egress" keyword as it expands to an actual interface,Hans-Joerg Hoexer
which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@
2008-12-22add regression test for aes-{128,192,256} being used with main and quickHans-Joerg Hoexer
mode.
2008-12-22Adopt to recent change: /32 now is treated as a network address.Hans-Joerg Hoexer
prodded by david@
2008-10-19The optional table counters added a field to the verboseMarco Pfatschbacher
table output. Adopt.
2008-10-19vmstat(8) now reports "InUse" instead of "Releases".Marco Pfatschbacher
Adopt for ktable/kentry usage/leakage tests. Also run vmstat verbose, to avoid matching failures if the pools haven't been used yet.
2008-07-01Isakmpd acquire mode did not work with a config generated fromAlexander Bluhm
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
2008-07-01If multiple to addresses but no peer are given in an ike or flowAlexander Bluhm
rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
2008-06-16fix regress after scrub TOS and tagging additions; "commit it" henning@David Krause
2008-05-09convert port byte order in the production; add port keyword; ok deraadt@Markus Friedl
2008-05-09divert packets to local socket without modifying the ip header;Markus Friedl
makes transparent proxies much easier; ok beck@, feedback claudio@
2008-05-08Add/Fix regression tests for sequences of numbers and stackedMarco Pfatschbacher
assignments of variables. OK deraadt@
2008-05-07scrub packets based on tags; ok henningMarkus Friedl
2008-05-07allow setting TOS with scrub; ok mcbride, claudioMarkus Friedl
2008-04-21Test for blank lines and comments between and inline anchor and its rules.Ryan Thomas McBride
2008-02-01Add regress test for anchors matching on filter_opts.Ryan Thomas McBride
2008-01-04Add a regression test for handling addresses with trailing '/32' and addressHans-Joerg Hoexer
type IPV4_ADDR.
2007-11-25more existant -> existent, from Martynas Venckus;Jason McIntyre
pfctl changes: ok henning ssh changes: ok deraadt
2007-10-15Add new "reached end of file while parsing quoted string" as expectedHans-Joerg Hoexer
error message.
2007-10-14regression test for include directive (if anyone has a better way to doTheo de Raadt
this messy include file copy, let me know)
2007-10-13we decided numbers used as strings is wrongTheo de Raadt
2007-09-23Allow numbers to be used as unquoted strings again.Marco Pfatschbacher
While there, also restrict the use of concatenated, unquoted strings for variable assignments only. Eyeballed by markus@, OK henning@
2007-09-19Fix and re-enable tests for interface->address translation.Marco Pfatschbacher
OK henning
2007-09-19Add a few "flags any" and "no state" to have the rulesetsMarco Pfatschbacher
match against the old checksums again.
2007-09-19pfctl seems to report errors when accessing empty tables,Marco Pfatschbacher
in a different manner now. Use "-T show" now. OK henning
2007-09-19"flags S/SA keep state" is the default nowMarco Pfatschbacher
OK henning
2007-09-19Adopt 14 altq tests to the change of the queue output format.Marco Pfatschbacher
OK henning
2007-09-19This got broken when a second pool (pfrkentry2) was addedMarco Pfatschbacher
for source-tracking support about 3 years ago. OK henning
2007-09-19Remove "localhost" from the table test, since the result is dependentMarco Pfatschbacher
on the resolver. In some enviroments you'll get an AAAA for it, in others you won't. Testing the resolver isn't really the intention of this test anyway. OK henning
2007-08-30regress test address rangesDaniel Hartmeier
2007-07-03both 'proto 50' and 'proto esp' must work in flow specificationsMarkus Friedl
2007-06-20Allow "log" for nat rules without "pass".Marco Pfatschbacher
OK henning@, ``passt scho'' markus@
2007-05-19detect if newfs fails and add an extra test (amd64 floppy)Otto Moerbeek
2007-05-10Do not crash when lists include the "any" keyword. Reported byHans-Joerg Hoexer
<ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@
2007-05-02now that optimization is on by default, fix the regress tests byDavid Krause
disabling optimization for the non-optimized tests, ok henning@
2007-04-18some newfs checks, not hooked in, because it needs certain disktabOtto Moerbeek
entries which are not available on all platforms
2007-03-16move autodetection of the ID type to the parser. this way theMarkus Friedl
static flows have the correct ID, too. ok hshoexer, reyk
2007-03-14We switched to aes cbc quite some time ago, so also use the correctHans-Joerg Hoexer
key sizes here, too. We now have to use 128 bit key instead of 160. Noticed by david@
2007-02-19add a test for null encryptionHans-Joerg Hoexer
2007-02-19we have to use '-k' now to show keys.Hans-Joerg Hoexer
2007-02-19previous commit to parse.y was undone. adopt these two regression tests.Hans-Joerg Hoexer
2007-02-16Adopt to recent change in parse.y (do not accept '\n' in quotedHans-Joerg Hoexer
strings). The syntax error is now reported at the correct line.
2007-01-10allow rule if there is at least _one_ matching address family combination.Markus Friedl
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
2007-01-04don't pass -1 as a netmask; report vicviq at gmail.comMarkus Friedl
2006-11-30wrong rid for protocolMarkus Friedl