9897a66923
If NAT rules cause inbound connections to different external IPs to be mapped to the same internal IP, and some application uses the same source port for multiple such connections, rdr translation may result in conflicts that cause some of the connections to be dropped. Address this by letting rdr rules detect state conflicts and modulate the source port to avoid them. Reviewed by: kp, allanjude MFC after: 3 months Sponsored by: Klara, Inc. Sponsored by: Modirum Differential Revision: https://reviews.freebsd.org/D44488
90 lines
1.6 KiB
Makefile
90 lines
1.6 KiB
Makefile
PACKAGE= tests
|
|
|
|
TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
|
|
BINDIR= ${TESTSDIR}
|
|
TESTS_SUBDIRS+= ioctl
|
|
|
|
ATF_TESTS_SH+= altq \
|
|
anchor \
|
|
debug \
|
|
divert-to \
|
|
dup \
|
|
ether \
|
|
forward \
|
|
fragmentation_compat \
|
|
fragmentation_pass \
|
|
fragmentation_no_reassembly \
|
|
get_state \
|
|
icmp \
|
|
icmp6 \
|
|
if_enc \
|
|
limits \
|
|
loginterface \
|
|
killstate \
|
|
macro \
|
|
map_e \
|
|
match \
|
|
mbuf \
|
|
modulate \
|
|
names \
|
|
nat \
|
|
pass_block \
|
|
pflog \
|
|
pflow \
|
|
pfsync \
|
|
prio \
|
|
proxy \
|
|
rdr \
|
|
ridentifier \
|
|
route_to \
|
|
rtable \
|
|
rules_counter \
|
|
scrub_compat \
|
|
scrub_pass \
|
|
sctp \
|
|
set_skip \
|
|
set_tos \
|
|
src_track \
|
|
status \
|
|
syncookie \
|
|
synproxy \
|
|
table \
|
|
tcp \
|
|
tos
|
|
|
|
ATF_TESTS_PYTEST+= frag6.py
|
|
ATF_TESTS_PYTEST+= nat66.py
|
|
ATF_TESTS_PYTEST+= sctp.py
|
|
|
|
# Allow tests to run in parallel in their own jails
|
|
TEST_METADATA+= execenv="jail"
|
|
TEST_METADATA+= execenv_jail_params="vnet allow.raw_sockets"
|
|
|
|
PROGS= divapp
|
|
|
|
${PACKAGE}FILES+= CVE-2019-5597.py \
|
|
CVE-2019-5598.py \
|
|
daytime_inetd.conf \
|
|
echo_inetd.conf \
|
|
fragcommon.py \
|
|
frag-overindex.py \
|
|
frag-overlimit.py \
|
|
frag-overreplace.py \
|
|
pfsync_defer.py \
|
|
pft_ether.py \
|
|
pft_read_ipfix.py \
|
|
rdr-srcport.py \
|
|
utils.subr
|
|
|
|
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
|
|
${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555
|
|
${PACKAGE}FILESMODE_fragcommon.py= 0555
|
|
${PACKAGE}FILESMODE_frag-overindex.py= 0555
|
|
${PACKAGE}FILESMODE_frag-overlimit.py= 0555
|
|
${PACKAGE}FILESMODE_frag-overreplace.py= 0555
|
|
${PACKAGE}FILESMODE_pfsync_defer.py= 0555
|
|
${PACKAGE}FILESMODE_pft_ether.py= 0555
|
|
${PACKAGE}FILESMODE_pft_read_ipfix.py= 0555
|
|
|
|
.include <bsd.test.mk>
|