From 2b251cde1b3a7f569a51b7d4c320041ab826a600 Mon Sep 17 00:00:00 2001 From: Ryan Thomas McBride Date: Tue, 5 Oct 2004 18:33:45 +0000 Subject: Regress tests for pfctl -o rule reordering and duplicate rule removal. --- regress/sbin/pfctl/Makefile | 9 ++-- regress/sbin/pfctl/pf87.in | 24 +++++++++++ regress/sbin/pfctl/pf87.loaded | 88 +++++++++++++++++++++++++++++++++++++++ regress/sbin/pfctl/pf87.ok | 22 ++++++++++ regress/sbin/pfctl/pf87.optimized | 88 +++++++++++++++++++++++++++++++++++++++ regress/sbin/pfctl/pf88.in | 32 ++++++++++++++ regress/sbin/pfctl/pf88.loaded | 88 +++++++++++++++++++++++++++++++++++++++ regress/sbin/pfctl/pf88.ok | 22 ++++++++++ regress/sbin/pfctl/pf88.optimized | 64 ++++++++++++++++++++++++++++ 9 files changed, 433 insertions(+), 4 deletions(-) create mode 100644 regress/sbin/pfctl/pf87.in create mode 100644 regress/sbin/pfctl/pf87.loaded create mode 100644 regress/sbin/pfctl/pf87.ok create mode 100644 regress/sbin/pfctl/pf87.optimized create mode 100644 regress/sbin/pfctl/pf88.in create mode 100644 regress/sbin/pfctl/pf88.loaded create mode 100644 regress/sbin/pfctl/pf88.ok create mode 100644 regress/sbin/pfctl/pf88.optimized diff --git a/regress/sbin/pfctl/Makefile b/regress/sbin/pfctl/Makefile index 8c100e8f8aa..73b8c9a41e5 100644 --- a/regress/sbin/pfctl/Makefile +++ b/regress/sbin/pfctl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.181 2004/10/01 23:19:17 mcbride Exp $ +# $OpenBSD: Makefile,v 1.182 2004/10/05 18:33:44 mcbride Exp $ # TARGETS # pf: feed pfNN.in through pfctl and check wether the output matches pfNN.ok 
@@ -14,19 +14,19 @@ PFTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 PFTESTS+=28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 PFTESTS+=51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 -PFTESTS+=74 75 76 77 78 79 80 81 82 83 84 85 86 +PFTESTS+=74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 PFFAIL=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 23 24 25 27 PFFAIL+=28 29 30 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 PFSIMPLE=1 2 PFSETUP=1 2 3 4 PFLOAD=1 2 3 4 5 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 23 24 25 26 27 28 29 PFLOAD+=30 31 32 34 36 38 39 40 44 46 47 48 49 54 56 60 61 65 66 67 68 69 70 71 -PFLOAD+=72 73 74 75 76 77 78 79 80 81 82 84 +PFLOAD+=72 73 74 75 76 77 78 79 80 81 82 84 87 88 PFALTQ=1 2 3 4 5 6 7 8 9 10 11 12 13 14 # disabled; no altq in anchors # PFLOAD+=33 35 37 42 43 45 51 58 59 62 63 64 # only testing parser, load test would be useless -# PFLOAD+=6 22 41 50 52 53 55 57 83 85 +# PFLOAD+=6 22 41 50 52 53 55 57 83 85 86 PFTABLE=1 2 3 4 5 6 7 8 9 10 11 12 13 PFOPT=1 2 3 4 5 PFIF2IP=1 2 3 @@ -159,6 +159,7 @@ pfoptimize${n}-update: pfoptimize: ${PFOPTIMIZE_TARGETS} pfoptimize-update: ${PFOPTIMIZE_UPDATES} REGRESS_TARGETS+=pfoptimize +UPDATE_TARGETS+=pfoptimize-update .for n in ${PFTABLE} PFR_TARGETS+=pfr${n} diff --git a/regress/sbin/pfctl/pf87.in b/regress/sbin/pfctl/pf87.in new file mode 100644 index 00000000000..cd19262b83e --- /dev/null +++ b/regress/sbin/pfctl/pf87.in 
@@ -0,0 +1,24 @@
+# pfctl -o rule reordering
+
+pass in on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 port 22 to 10.0.0.2 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.4 port 53 keep state
+pass in on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.1 port 80 keep state
+pass out on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.3 port 80 keep state
+pass out proto tcp to 10.0.0.1 port 81 keep state
+pass in proto udp to 10.0.0.3 port 53 keep state
+pass in on lo1000001 proto udp from 10.0.0.2 port 53 to 10.0.0.2 keep state
+pass out proto udp to 10.0.0.1 port 53 keep state
+pass out on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass out proto udp to 10.0.0.3 port 53 keep state
+pass out on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+pass out on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass out proto tcp to 10.0.0.1 port 80 keep state
+pass in proto udp to 10.0.0.1 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.6 port 22 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.2 keep state
diff --git a/regress/sbin/pfctl/pf87.loaded b/regress/sbin/pfctl/pf87.loaded
new file mode 100644
index 00000000000..a3c36b9c4aa
--- /dev/null
+++ b/regress/sbin/pfctl/pf87.loaded
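Review bot: Every rule in pf87.in is `pass … keep state` without `quick`, so any permutation of the 22 rules gives the same verdict and the test can only pin the order the optimizer emits. A regression that moved a rule across one with a different action would change the loaded policy under last-match evaluation, and nothing in this file would show it. Consider adding one opposing rule inside a run that is otherwise reorderable, for example `block in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.4` ahead of the matching `pass in` rule, and regenerating pf87.ok, pf87.loaded and pf87.optimized so the expected output records that the pair keeps its relative order.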
@@ -0,0 +1,88 @@
+@0 pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: d=5 f=end p=2 da=2 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 keep state
+ [ Skip steps: i=3 d=5 f=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+ [ Skip steps: d=5 f=end p=4 sp=9 dp=4 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: d=5 f=end sa=9 sp=9 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass in inet proto tcp from any to 10.0.0.1 port = www keep state
+ [ Skip steps: f=end sa=9 sp=9 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: f=end sa=9 sp=9 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 pass in inet proto tcp from any to 10.0.0.3 port = www keep state
+ [ Skip steps: i=9 f=end p=8 sa=9 sp=9 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass out inet proto tcp from any to 10.0.0.1 port = 81 keep state
+ [ Skip steps: i=9 f=end sa=9 sp=9 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+ [ Skip steps: d=10 f=end p=13 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+ [ Skip steps: f=end p=13 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@10 pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+ [ Skip steps: d=14 f=end p=13 sa=16 sp=end dp=13 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@11 pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: d=14 f=end p=13 sa=16 sp=end dp=13 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@12 pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+ [ Skip steps: d=14 f=end sa=16 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@13 pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: f=end p=15 sa=16 sp=end da=16 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@14 pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: i=18 d=17 f=end sa=16 sp=end da=16 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@15 pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: i=18 d=17 f=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@16 pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+ [ Skip steps: i=18 f=end p=19 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@17 pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: d=19 f=end p=19 sa=20 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@18 pass out inet proto tcp from any to 10.0.0.1 port = www keep state
+ [ Skip steps: i=20 f=end sa=20 sp=end da=20 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@19 pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+ [ Skip steps: d=end f=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@20 pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh keep state
+ [ Skip steps: i=end d=end f=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@21 pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
diff --git a/regress/sbin/pfctl/pf87.ok b/regress/sbin/pfctl/pf87.ok
new file mode 100644
index 00000000000..cdc783c8d8a
--- /dev/null
+++ b/regress/sbin/pfctl/pf87.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.1 port = www keep state
+pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.3 port = www keep state
+pass out inet proto tcp from any to 10.0.0.1 port = 81 keep state
+pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+pass out inet proto tcp from any to 10.0.0.1 port = www keep state
+pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
diff --git a/regress/sbin/pfctl/pf87.optimized b/regress/sbin/pfctl/pf87.optimized
new file mode 100644
index 00000000000..4285cdd1b47
--- /dev/null
+++ b/regress/sbin/pfctl/pf87.optimized
@@ -0,0 +1,88 @@
+@0 pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+ [ Skip steps: i=8 d=14 f=end p=3 da=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: i=8 d=14 f=end p=3 sp=3 da=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
+ [ Skip steps: i=8 d=14 f=end da=5 dp=4 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 keep state
+ [ Skip steps: i=8 d=14 f=end p=7 da=5 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: i=8 d=14 f=end p=7 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+ [ Skip steps: i=8 d=14 f=end p=7 sa=7 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh keep state
+ [ Skip steps: i=8 d=14 f=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+ [ Skip steps: d=14 f=end p=11 sp=end dp=11 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: d=14 f=end p=11 sa=end sp=end dp=11 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+ [ Skip steps: i=13 d=14 f=end p=11 sa=end sp=end dp=11 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@10 pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+ [ Skip steps: i=13 d=14 f=end sa=end sp=end da=12 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@11 pass in inet proto tcp from any to 10.0.0.1 port = www keep state
+ [ Skip steps: i=13 d=14 f=end p=14 sa=end sp=end dp=13 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@12 pass in inet proto tcp from any to 10.0.0.3 port = www keep state
+ [ Skip steps: d=14 f=end p=14 sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@13 pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: f=end sa=end sp=end da=16 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@14 pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: d=end f=end p=18 sa=end sp=end da=16 dp=18 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@15 pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+ [ Skip steps: d=end f=end p=18 sa=end sp=end dp=18 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@16 pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+ [ Skip steps: i=18 d=end f=end p=18 sa=end sp=end dp=18 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@17 pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+ [ Skip steps: d=end f=end sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@18 pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: d=end f=end p=end sa=end sp=end da=20 dp=20 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@19 pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh keep state
+ [ Skip steps: d=end f=end p=end sa=end sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@20 pass out inet proto tcp from any to 10.0.0.1 port = 81 keep state
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@21 pass out inet proto tcp from any to 10.0.0.1 port = www keep state
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
diff --git a/regress/sbin/pfctl/pf88.in b/regress/sbin/pfctl/pf88.in
new file mode 100644
index 00000000000..4700b6916b7
--- /dev/null
+++ b/regress/sbin/pfctl/pf88.in
@@ -0,0 +1,32 @@
+# pfctl -o duplicate rules
+
+pass in on lo1000000 from any to 10.0.0.1
+pass in on lo1000000 inet from any to 10.0.0.1
+
+pass
+pass out
+pass out
+pass out quick
+
+pass on lo1000001 to 10.0.0.1
+pass on lo1000000 from any to 10.0.0.1
+
+pass to 10.0.0.2 modulate state
+pass to 10.0.0.2 keep state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 modulate state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 synproxy state
+
+
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 port 80 keep state
+
+pass out
+pass in
+
+pass in on lo1000001 from any to any
+pass in on lo1000001 from any to any keep state
+pass in on lo1000001 from any to any
+
+block
diff --git a/regress/sbin/pfctl/pf88.loaded b/regress/sbin/pfctl/pf88.loaded
new file mode 100644
index 00000000000..dadee1a65cd
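Review bot: pf88.in carries only its one-line header, so nothing in the file says which rules are expected to disappear and which must survive; a reader has to compare pf88.loaded (22 rules) with pf88.optimized (16 rules) to find out. A short comment above each group would make a later change in the expected output reviewable, e.g. `# expected to be removed by -o (absent from pf88.optimized)` above the two `pass in on lo1000000` rules and `# state options differ and block rules are interleaved: all six must stay, in this order` above the `to 10.0.0.2` group. The second comment matters most, because dropping or moving one of those rules would change which rule matches last.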
--- /dev/null
+++ b/regress/sbin/pfctl/pf88.loaded
@@ -0,0 +1,88 @@
+@0 pass in on lo1000000 inet from any to 10.0.0.1
+ [ Skip steps: i=2 d=2 f=2 p=14 sa=10 sp=end da=2 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 pass in on lo1000000 inet from any to 10.0.0.1
+ [ Skip steps: p=14 sa=10 sp=end dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass all
+ [ Skip steps: i=6 f=6 p=14 sa=10 sp=end da=6 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass out all
+ [ Skip steps: i=6 d=6 f=6 p=14 sa=10 sp=end da=6 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass out all
+ [ Skip steps: i=6 d=6 f=6 p=14 sa=10 sp=end da=6 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass out quick all
+ [ Skip steps: p=14 sa=10 sp=end dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 pass on lo1000001 inet from any to 10.0.0.1
+ [ Skip steps: d=14 f=16 p=14 sa=10 sp=end da=8 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass on lo1000000 inet from any to 10.0.0.1
+ [ Skip steps: d=14 f=16 p=14 sa=10 sp=end dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 pass inet from any to 10.0.0.2 modulate state
+ [ Skip steps: i=18 d=14 f=16 p=14 sa=10 sp=end da=14 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass inet from any to 10.0.0.2 keep state
+ [ Skip steps: i=18 d=14 f=16 p=14 sp=end da=14 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@10 block drop inet from 10.0.0.3 to 10.0.0.2
+ [ Skip steps: i=18 d=14 f=16 p=14 sp=end da=14 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@11 pass inet from any to 10.0.0.2 modulate state
+ [ Skip steps: i=18 d=14 f=16 p=14 sp=end da=14 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@12 block drop inet from 10.0.0.3 to 10.0.0.2
+ [ Skip steps: i=18 d=14 f=16 p=14 sp=end da=14 dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@13 pass inet from any to 10.0.0.2 synproxy state
+ [ Skip steps: i=18 f=16 sp=end dp=15 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@14 pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+ [ Skip steps: i=18 d=17 f=16 p=16 sa=16 sp=end da=16 ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@15 pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 port = www keep state
+ [ Skip steps: i=18 d=17 sp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@16 pass out all
+ [ Skip steps: i=18 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@17 pass in all
+ [ Skip steps: d=21 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@18 pass in on lo1000001 all
+ [ Skip steps: i=21 d=21 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@19 pass in on lo1000001 all keep state
+ [ Skip steps: i=21 d=21 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@20 pass in on lo1000001 all
+ [ Skip steps: f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@21 block drop all
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
diff --git a/regress/sbin/pfctl/pf88.ok b/regress/sbin/pfctl/pf88.ok
new file mode 100644
index 00000000000..e54fe473491
--- /dev/null
+++ b/regress/sbin/pfctl/pf88.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet from any to 10.0.0.1
+pass in on lo1000000 inet from any to 10.0.0.1
+pass all
+pass out all
+pass out all
+pass out quick all
+pass on lo1000001 inet from any to 10.0.0.1
+pass on lo1000000 inet from any to 10.0.0.1
+pass inet from any to 10.0.0.2 modulate state
+pass inet from any to 10.0.0.2 keep state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 modulate state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 synproxy state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 port = www keep state
+pass out all
+pass in all
+pass in on lo1000001 all
+pass in on lo1000001 all keep state
+pass in on lo1000001 all
+block drop all
diff --git a/regress/sbin/pfctl/pf88.optimized b/regress/sbin/pfctl/pf88.optimized
new file mode 100644
index 00000000000..d937634d7b7
--- /dev/null
+++ b/regress/sbin/pfctl/pf88.optimized
@@ -0,0 +1,64 @@
+@0 pass all
+ [ Skip steps: i=2 f=2 p=10 sa=6 sp=end da=2 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@1 pass out quick all
+ [ Skip steps: p=10 sa=6 sp=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@2 pass on lo1000001 inet from any to 10.0.0.1
+ [ Skip steps: d=10 f=11 p=10 sa=6 sp=end da=4 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@3 pass on lo1000000 inet from any to 10.0.0.1
+ [ Skip steps: d=10 f=11 p=10 sa=6 sp=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@4 pass inet from any to 10.0.0.2 modulate state
+ [ Skip steps: i=13 d=10 f=11 p=10 sa=6 sp=end da=10 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@5 pass inet from any to 10.0.0.2 keep state
+ [ Skip steps: i=13 d=10 f=11 p=10 sp=end da=10 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@6 block drop inet from 10.0.0.3 to 10.0.0.2
+ [ Skip steps: i=13 d=10 f=11 p=10 sp=end da=10 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@7 pass inet from any to 10.0.0.2 modulate state
+ [ Skip steps: i=13 d=10 f=11 p=10 sp=end da=10 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@8 block drop inet from 10.0.0.3 to 10.0.0.2
+ [ Skip steps: i=13 d=10 f=11 p=10 sp=end da=10 dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@9 pass inet from any to 10.0.0.2 synproxy state
+ [ Skip steps: i=13 f=11 sp=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@10 pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+ [ Skip steps: i=13 d=12 sp=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@11 pass out all
+ [ Skip steps: i=13 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@12 pass in all
+ [ Skip steps: d=15 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@13 pass in on lo1000001 all keep state
+ [ Skip steps: i=15 d=15 f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@14 pass in on lo1000001 all
+ [ Skip steps: f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
+@15 block drop all
+ [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
+ [ queue: qname= qid=0 pqname= pqid=0 ]
+ [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
-- cgit v1.2.3