pf: improve add state validation

Both for the DIOCADDSTATE ioctl and for states imported through pfsync packets.
Add a test case to exercise this code path.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after:	3 days
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2025-10-29 11:40:52 +01:00
parent 1da3c0ca5b
commit faacc0d968
2 changed files with 28 additions and 0 deletions
+25
@@ -981,6 +981,30 @@ ATF_TC_CLEANUP(natlook, tc)
COMMON_CLEANUP();
}
ATF_TC_WITH_CLEANUP(addstate);
ATF_TC_HEAD(addstate, tc)
{
atf_tc_set_md_var(tc, "require.user", "root");
atf_tc_set_md_var(tc, "require.kmods", "pfsync");
}
ATF_TC_BODY(addstate, tc)
{
struct pfioc_state st;
COMMON_HEAD();
memset(&st, 'a', sizeof(st));
st.state.timeout = PFTM_TCP_FIRST_PACKET;
ATF_CHECK_ERRNO(EINVAL, ioctl(dev, DIOCADDSTATE, &st) == -1);
}
ATF_TC_CLEANUP(addstate, tc)
{
COMMON_CLEANUP();
}
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, addtables);
@@ -1007,6 +1031,7 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, rpool_mtx);
ATF_TP_ADD_TC(tp, rpool_mtx2);
ATF_TP_ADD_TC(tp, natlook);
ATF_TP_ADD_TC(tp, addstate);
return (atf_no_error());
}
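Review bot: The addstate body checks a single input, a struct filled with 'a' bytes apart from `st.state.timeout`, so the EINVAL can come from whichever kernel check fails first, and a later regression in any one of the added checks would go unnoticed. Consider starting from a zeroed, otherwise valid `struct pfioc_state` and corrupting one field per `ATF_CHECK_ERRNO` call, so that each validation is pinned on its own. The commit message also names states imported through pfsync packets, but as far as this file shows the test reaches only the `DIOCADDSTATE` ioctl, so that import path stays unexercised. A short comment above the `memset` would help the next reader, for example `/* Garbage everywhere except a valid timeout, so the request is not rejected on the timeout alone. */`, if that is the intent.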