summaryrefslogtreecommitdiff
path: root/regress/sbin
AgeCommit message (Collapse)Author
2009-09-07implement binat-to as a macro-like rule: a rule using the new binat-toReyk Floeter
syntax will be expanded by the parser to a nat-to+rdr-to combination to be loaded into the kernel. this simplifies the migration from old binat rules and is less error-prone. feedback from many, manpage bits from jmc@ ok henning@
2009-09-03Adapt to new pfctl, remove use of -Fn and -snJonathan Gray
Thanks to phessler for pointing out that the show command was buried in '-gvvsn' ok henning
2009-09-03adapt to new pfJonathan Gray
ok henning
2009-09-03adapt to nat changesJonathan Gray
ok henning
2009-09-02convert a bunch of rdr/nat rules to the new syntaxJonathan Gray
Things still need to be changed for route-to/binat/command line options among other things. ok henning
2009-08-04Add regress tests with IPv4 and IPv6 addresses for the srcid and/or dstid.Joel Sing
ok hshoexer@
2009-06-30add "-o none" to pfctl call to prevent automatic table creation ofDavid Krause
multiple addresses which causes the test to fail; ok sthen@
2009-06-30update after the "reassemble tcp" fix (kernel/6178); ok sthen@David Krause
2009-06-24fix this regression test; "reassemble tcp" should be in this locationStuart Henderson
in the output. this test currently fails; see kernel/6178
2009-05-14handle the new require-order default of "no" in existing tests, and addStuart Henderson
a new test to check it's working correctly. ok deraadt@
2009-04-26- check equality with '==', from skreuzer@exit2shell.comOkan Demirmen
- unbreak, since -r was removed from disklabel(8) ok otto@
2009-04-06more scrub scrubbingHenning Brauer
2009-04-06scrub goneHenning Brauer
2009-01-30If the "peer" address is not specified or derived from "to" forAlexander Bluhm
"ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@
2009-01-29Remove ikefail10 ipsecctl regression test as it always fails. ItAlexander Bluhm
was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@
2009-01-28Allow to specify ike and flow explicitly without peer. The anyAlexander Bluhm
keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
2009-01-20Regression tests for source flow NAT support.Marco Pfatschbacher
OK hshoexer@, markus@.
2009-01-19Do not use "egress" keyword as it expands to an actual interface,Hans-Joerg Hoexer
which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@
2008-12-22add regression test for aes-{128,192,256} being used with main and quickHans-Joerg Hoexer
mode.
2008-12-22Adopt to recent change: /32 now is treated as a network address.Hans-Joerg Hoexer
prodded by david@
2008-10-19The optional table counters added a field to the verboseMarco Pfatschbacher
table output. Adopt.
2008-10-19vmstat(8) now reports "InUse" instead of "Releases".Marco Pfatschbacher
Adopt for ktable/kentry usage/leakage tests. Also run vmstat verbose, to avoid matching failures if the pools haven't been used yet.
2008-07-01Isakmpd acquire mode did not work with a config generated fromAlexander Bluhm
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
2008-07-01If multiple to addresses but no peer are given in an ike or flowAlexander Bluhm
rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
2008-06-16fix regress after scrub TOS and tagging additions; "commit it" henning@David Krause
2008-05-09convert port byte order in the production; add port keyword; ok deraadt@Markus Friedl
2008-05-09divert packets to local socket without modifying the ip header;Markus Friedl
makes transparent proxies much easier; ok beck@, feedback claudio@
2008-05-08Add/Fix regression tests for sequences of numbers and stackedMarco Pfatschbacher
assignments of variables. OK deraadt@
2008-05-07scrub packets based on tags; ok henningMarkus Friedl
2008-05-07allow setting TOS with scrub; ok mcbride, claudioMarkus Friedl
2008-04-21Test for blank lines and comments between and inline anchor and its rules.Ryan Thomas McBride
2008-02-01Add regress test for anchors matching on filter_opts.Ryan Thomas McBride
2008-01-04Add a regression test for handling addresses with trailing '/32' and addressHans-Joerg Hoexer
type IPV4_ADDR.
2007-11-25more existant -> existent, from Martynas Venckus;Jason McIntyre
pfctl changes: ok henning ssh changes: ok deraadt
2007-10-15Add new "reached end of file while parsing quoted string" as expectedHans-Joerg Hoexer
error message.
2007-10-14regression test for include directive (if anyone has a better way to doTheo de Raadt
this messy include file copy, let me know)
2007-10-13we decided numbers used as strings is wrongTheo de Raadt
2007-09-23Allow numbers to be used as unquoted strings again.Marco Pfatschbacher
While there, also restrict the use of concatenated, unquoted strings for variable assignments only. Eyeballed by markus@, OK henning@
2007-09-19Fix and re-enable tests for interface->address translation.Marco Pfatschbacher
OK henning
2007-09-19Add a few "flags any" and "no state" to have the rulesetsMarco Pfatschbacher
match against the old checksums again.
2007-09-19pfctl seems to report errors when accessing empty tables,Marco Pfatschbacher
in a different manner now. Use "-T show" now. OK henning
2007-09-19"flags S/SA keep state" is the default nowMarco Pfatschbacher
OK henning
2007-09-19Adopt 14 altq tests to the change of the queue output format.Marco Pfatschbacher
OK henning
2007-09-19This got broken when a second pool (pfrkentry2) was addedMarco Pfatschbacher
for source-tracking support about 3 years ago. OK henning
2007-09-19Remove "localhost" from the table test, since the result is dependentMarco Pfatschbacher
on the resolver. In some enviroments you'll get an AAAA for it, in others you won't. Testing the resolver isn't really the intention of this test anyway. OK henning
2007-08-30regress test address rangesDaniel Hartmeier
2007-07-03both 'proto 50' and 'proto esp' must work in flow specificationsMarkus Friedl
2007-06-20Allow "log" for nat rules without "pass".Marco Pfatschbacher
OK henning@, ``passt scho'' markus@
2007-05-19detect if newfs fails and add an extra test (amd64 floppy)Otto Moerbeek
2007-05-10Do not crash when lists include the "any" keyword. Reported byHans-Joerg Hoexer
<ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@