Module Name: src
Committed By: riastradh
Date: Tue Oct 29 22:24:31 UTC 2024
Modified Files:
src/tests/net/npf: t_npf.sh
src/usr.sbin/npf/npftest: npftest.conf
src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c
Log Message:
npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/tests/net/npf/t_npf.sh
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npftest/npftest.conf
cvs rdiff -u -r1.20 -r1.21 \
src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/tests/net/npf/t_npf.sh
diff -u src/tests/net/npf/t_npf.sh:1.4 src/tests/net/npf/t_npf.sh:1.5
--- src/tests/net/npf/t_npf.sh:1.4 Mon Jun 1 11:08:57 2020
+++ src/tests/net/npf/t_npf.sh Tue Oct 29 22:24:30 2024
@@ -1,4 +1,4 @@
-# $NetBSD: t_npf.sh,v 1.4 2020/06/01 11:08:57 martin Exp $
+# $NetBSD: t_npf.sh,v 1.5 2024/10/29 22:24:30 riastradh Exp $
#
# Copyright (c) 2008, 2010 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -29,6 +29,12 @@ run_test()
{
local name="${1}"
+ case $name in
+ npf_rule)
+ atf_expect_fail "PR bin/55403: npfctl miscompiles IPv6 rules"
+ ;;
+ esac
+
atf_check -o ignore -e ignore npfctl debug -c "$(atf_get_srcdir)/npftest.conf" -o ./npf.plist
atf_check -o ignore npftest -c npf.plist -T "${name}"
}
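Review bot: `atf_expect_fail` is armed before the `npfctl debug -c …` check, so a failure to compile npftest.conf at all (a syntax error in the config, or an npfctl crash) would also be recorded as the expected failure for PR bin/55403. Judging by the PR title the problem is a miscompile rather than a compile error, so the expectation probably only needs to cover the `npftest -T` step. Moving the `case … esac` block between the two `atf_check` lines would keep a broken first step visible. Because the xfail also hides regressions in every other npf_rule case, including the IPv4 pass/block ones, a removal marker is worth adding, for example `# XXX drop once PR bin/55403 is fixed: this masks all npf_rule cases`.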
Index: src/usr.sbin/npf/npftest/npftest.conf
diff -u src/usr.sbin/npf/npftest/npftest.conf:1.9 src/usr.sbin/npf/npftest/npftest.conf:1.10
--- src/usr.sbin/npf/npftest/npftest.conf:1.9 Sat May 30 14:16:56 2020
+++ src/usr.sbin/npf/npftest/npftest.conf Tue Oct 29 22:24:30 2024
@@ -1,4 +1,4 @@
-# $NetBSD: npftest.conf,v 1.9 2020/05/30 14:16:56 rmind Exp $
+# $NetBSD: npftest.conf,v 1.10 2024/10/29 22:24:30 riastradh Exp $
$ext_if = "npftest0"
$int_if = "npftest1"
@@ -30,6 +30,10 @@ map $ext_if dynamic $local_ip1 port 6000
$net6_inner = fd01:203:405::/48
$net6_outer = 2001:db8:1::/48
+# Example of multiple addresses with a common 32-bit word, taken from
+# PR bin/55403: npfctl miscompiles IPv6 rules.
+$net6_pr55403 = { fe80::1, fe80::2 }
+
$net_a = 10.100.0.0/16
$net_b = 10.255.0.0/16
@@ -51,6 +55,9 @@ group "ext" on $ext_if {
pass stateful out final from $local_net
pass stateful in final to any port $ports
pass stateful in final proto icmp all
+
+ pass in final family inet6 proto tcp from $net6_pr55403
+
block all
}
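Review bot: The new `pass in final family inet6 proto tcp from $net6_pr55403` rule has no comment tying it to the test cases that depend on it, although the expectations in npf_rule_test.c are coupled to it and to its position ahead of `block all`. A line such as `# Exercised by the fe80::1/fe80::2/fe80::3 cases in npf_rule_test.c (PR bin/55403).` would stop a later edit of the group from silently changing what those cases check. The rule is also limited to `proto tcp`, so the PASS expectations presumably rely on the harness building TCP packets; that is not visible in this hunk and is worth confirming while the group is xfail.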
Index: src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
diff -u src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.20 src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.21
--- src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.20 Tue Oct 29 22:13:52 2024
+++ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Tue Oct 29 22:24:30 2024
@@ -52,6 +52,29 @@ static const struct test_case {
.stateful_ret = RESULT_BLOCK, .ret = RESULT_BLOCK
},
+ /*
+ * Pass any of the { fe80::1, fe80::2 } group but nothing else
+ * in fe80::/112.
+ */
+ {
+ .af = AF_INET6,
+ .src = "fe80::1", .dst = "fe80::adec:c91c:d116:7592",
+ .ifname = IFNAME_EXT, .di = PFIL_IN,
+ .stateful_ret = RESULT_PASS, .ret = RESULT_PASS
+ },
+ {
+ .af = AF_INET6,
+ .src = "fe80::2", .dst = "fe80::adec:c91c:d116:7592",
+ .ifname = IFNAME_EXT, .di = PFIL_IN,
+ .stateful_ret = RESULT_PASS, .ret = RESULT_PASS
+ },
+ {
+ .af = AF_INET6,
+ .src = "fe80::3", .dst = "fe80::adec:c91c:d116:7592",
+ .ifname = IFNAME_EXT, .di = PFIL_IN,
+ .stateful_ret = RESULT_BLOCK, .ret = RESULT_BLOCK
+ },
+
/* Block. */
{
.af = AF_INET,
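Review bot: The only negative case is `fe80::3`, which differs from the group members in the last 32-bit word, so a compiled rule that wrongly matches on that shared word alone and accepts a source outside the group would not be caught. The comment's "nothing else in fe80::/112" also claims more than the three cases check. For a packet-filter test the over-permissive direction matters most, so I would add a blocked case whose source shares the last word with a group member but differs in an earlier one, as below. The address is a constructed sample, and the BLOCK expectation assumes no other rule in npftest.conf matches it. The test_case array starts and ends outside this hunk.

```c
	/* … unchanged: fe80::1 / fe80::2 pass cases and fe80::3 block case … */

	/* Same last 32-bit word as fe80::1, different earlier word: must not match. */
	{
		.af = AF_INET6,
		.src = "fe80:0:0:1::1", .dst = "fe80::adec:c91c:d116:7592",
		.ifname = IFNAME_EXT, .di = PFIL_IN,
		.stateful_ret = RESULT_BLOCK, .ret = RESULT_BLOCK
	},
```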