From owner-freebsd-pf@freebsd.org Sun May 28 21:00:22 2017
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 28 May 2017 21:00:22 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Tue May 30 16:17:47 2017
From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: pf not checking traffic from tunnels
Date: Tue, 30 May 2017 18:17:30 +0200

Hello,

I have a setup where FreeBSD-based routers serving datacenters are connected
via gif tunnels which are additionally encrypted using transport mode IPsec.
Each router runs pf and provides firewalling between multiple VLANs. Tunnel
interfaces were always trusted, though. Every rule is with the following
options: "flags any keep state (sloppy)"

This of course makes the firewall a bit less secure but allows routers to be
rebooted without (usually) resetting connections. Or at least that was the
idea. Because of this rule I never noticed that in fact there are never
states created for connections incoming on tunnels.

In a very simple experiment, even without routing to vlans but just by
communication between routers I get the following behaviour:

1. I have this rule:
   pass quick log on $if_tunnels flags any keep state (sloppy)
2. I ping this router from another one.
3. I observe pflog0.
4. The 1st entry appearing on pflog0 is ANSWER to the ping:
   17:55:08.276321 rule 0..16777216/0(match): \
     pass out on gif_aw2_YYY1: 10.XX.YYY.201 > 10.XX.YYY.130: \
     ICMP echo reply, id 63443, seq 0, length 64

If I make a rule clearly matching incoming traffic, it won't ever match on
packets, its counters won't increase. This is also seen here:

[root@aw-router02 ~]% pfctl -qvvsI | grep -A10 gif_
No ALTQ support in kernel
ALTQ related functions disabled
gif_aw2_awpay1
        Cleared:     Tue May 30 16:35:25 2017
        References:  3
        In4/Pass:    [ Packets: 9        Bytes: 660      ]
        In4/Block:   [ Packets: 0        Bytes: 0        ]
        Out4/Pass:   [ Packets: 10380    Bytes: 800248   ]
        Out4/Block:  [ Packets: 0        Bytes: 0        ]
        In6/Pass:    [ Packets: 0        Bytes: 0        ]
        In6/Block:   [ Packets: 0        Bytes: 0        ]
        Out6/Pass:   [ Packets: 0        Bytes: 0        ]
        Out6/Block:  [ Packets: 0        Bytes: 0        ]

Here I have a fast ping command running and Out4/Pass counters are increasing
quite fast while In4/Pass does not grow at all.

This particular machine runs FreeBSD 11.0, same thing happens on my other
routers running FreeBSD 10.

Is there any option to check from userspace if the gif interface has pf
attached in netpfil hook for incoming traffic? Running tcpdump on gif
interface correctly shows incoming icmp echo request.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|         Vegeta         | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'

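Added example, not part of the original message: a POSIX sh/awk check for the symptom described above, where Out4/Pass keeps growing on a tunnel interface while In4/Pass stays flat. It compares two saved `pfctl -vvsI` snapshots; the function names, the MIN_OUT threshold and every sample counter other than the gif values quoted above are assumptions made for the example.

```shell
# Added example, not from the thread: diff two saved `pfctl -vvsI` snapshots.
# pf_in_out_deltas BEFORE AFTER -> "<iface> <in4_pass_delta> <out4_pass_delta>"
pf_in_out_deltas() {
    awk '
        # An interface block starts with an unindented name ("gif0", "lo0 (skip)").
        /^[^ \t]/ && NF <= 2 && $1 !~ /:$/ {
            ifc = $1
            if (FNR != NR && !(ifc in seen)) { seen[ifc] = 1; order[n++] = ifc }
            next
        }
        # Counter rows look like: In4/Pass: [ Packets: 9 Bytes: 660 ]
        $1 == "In4/Pass:" || $1 == "Out4/Pass:" {
            for (i = 2; i < NF; i++) if ($i == "Packets:") {
                if (FNR == NR) before[ifc, $1] = $(i + 1)
                else after[ifc, $1] = $(i + 1)
            }
        }
        END {
            for (k = 0; k < n; k++) {
                ifc = order[k]
                if (!((ifc, "In4/Pass:") in before)) continue  # not in BEFORE
                din = after[ifc, "In4/Pass:"] - before[ifc, "In4/Pass:"]
                dout = after[ifc, "Out4/Pass:"] - before[ifc, "Out4/Pass:"]
                print ifc, din, dout
            }
        }
    ' "$1" "$2"
}

# pf_flag_flat_inbound BEFORE AFTER [MIN_OUT]: interfaces with no new inbound
# passes but at least MIN_OUT (default 100) new outbound passes.
pf_flag_flat_inbound() {
    pf_in_out_deltas "$1" "$2" |
        awk -v min="${3:-100}" '$2 == 0 && $3 >= min { print $1 }'
}

# Constructed snapshots: gif "before" counters are the ones quoted in the
# message; vlan10 and all "after" values are invented for the example.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
gif_aw2_awpay1
    In4/Pass:    [ Packets: 9        Bytes: 660      ]
    Out4/Pass:   [ Packets: 10380    Bytes: 800248   ]
vlan10
    In4/Pass:    [ Packets: 5200     Bytes: 410000   ]
    Out4/Pass:   [ Packets: 5100     Bytes: 402000   ]
EOF
    cat > "$1/after.txt" <<'EOF'
gif_aw2_awpay1
    In4/Pass:    [ Packets: 9        Bytes: 660      ]
    Out4/Pass:   [ Packets: 12950    Bytes: 998000   ]
vlan10
    In4/Pass:    [ Packets: 5900     Bytes: 465000   ]
    Out4/Pass:   [ Packets: 5790     Bytes: 456000   ]
EOF
}
d=$(mktemp -d) && write_samples "$d"
pf_flag_flat_inbound "$d/before.txt" "$d/after.txt"   # prints gif_aw2_awpay1
rm -rf "$d"
```

On a router, save `pfctl -vvsI` output to two files a few seconds apart while traffic is flowing and pass them to `pf_flag_flat_inbound`; a counter reset between the two captures makes the deltas meaningless.
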
From owner-freebsd-pf@freebsd.org Tue May 30 16:22:20 2017
From: "Bjoern A. Zeeb"
To: "Kajetan Staszkiewicz"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf not checking traffic from tunnels
Date: Tue, 30 May 2017 16:22:05 +0000

On 30 May 2017, at 16:17, Kajetan Staszkiewicz wrote:

> Hello,
>
> I have a setup where FreeBSD-based routers serving datacenters are
> connected via gif tunnels which are additionally encrypted using
> transport mode IPsec. Each router runs pf and provides firewalling
> between multiple VLANs. Tunnel interfaces were always trusted, though.
..
> Is there any option to check from userspace if the gif interface has
> pf attached in netpfil hook for incoming traffic? Running tcpdump on
> gif interface correctly shows incoming icmp echo request.

What you want to read is
     man 4 enc
I think.

/bz

From owner-freebsd-pf@freebsd.org Tue May 30 18:05:27 2017
From: Kajetan Staszkiewicz
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf not checking traffic from tunnels
Date: Tue, 30 May 2017 20:05:19 +0200

On Tuesday, 30 May 2017 16:22:05 CEST Bjoern A. Zeeb wrote:
> On 30 May 2017, at 16:17, Kajetan Staszkiewicz wrote:
> > Is there any option to check from userspace if the gif interface has
> > pf attached in netpfil hook for incoming traffic? Running tcpdump on
> > gif interface correctly shows incoming icmp echo request.
>
> What you want to read is
>      man 4 enc
> I think.

That was close but not really :) Proper lecture was
     man 4 ipsec
and this switch:
     net.inet.ipsec.filtertunnel

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|         Vegeta         | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'

From owner-freebsd-pf@freebsd.org Fri Jun 2 15:00:58 2017
From: Panagiotes Mousikides
To: FreeBSD PF
Cc: Kristof Provost
Subject: Gather tests for pfctl
Date: Fri, 2 Jun 2017 15:00:48 +0000

Hello everybody!

I am Panagiotes Mousikides, taking part in Google Summer of Code for 2017.
I will be focusing on testing PF for FreeBSD, possibly borrowing from how
OpenBSD does it. I have a project page on the wiki at
https://wiki.freebsd.org/SummerOfCode2017/PfTesting.

I am still at the start of the project, and want to focus now on testing
pfctl, the PF parser and loader.
The idea is to have a collection of sample rc.conf files, which would be
parsed and loaded with pfctl -f, and then query pf with pfctl -sa to check
that the rules got parsed and loaded correctly.

I would be interested in gathering test cases, and thought that this mailing
list would be a great place to start!

This summer project will also focus on testing the function of pf as well as
build a test environment, probably on Jenkins. Any comments or insights are
also welcome!

All the best,
Panagiotes