Switch to scapy with python 3.

Do not use privileged or NFS source ports for UDP packets as inetd
ignores such packets. This should avoid some sporadic failures.
While there, use variable names consistently in all tests.

During sniffing filter strictly on icmp6 "packet too big" to avoid
that "neighbor discovery" confuses the test.

By removing all the sleeps I created a race in the pf tests. The
packet was sent and its reply received before the sniffer was up
and running. So sleep a second after starting the sniffer thread
bu

By removing all the sleeps I created a race in the pf tests. The
packet was sent and its reply received before the sniffer was up
and running. So sleep a second after starting the sniffer thread
but before sending the packet. With pf_forward 0m51.54s, pf_fragment
1m33.59s, pf_state 0m03.64s the test are still faster than with
forking.

show more ...

Replace fork() and sleep() with a Python thread for sniffing packets.
This reduces test execution time from 1m20.34s to 0m37.32s.

Fix tests: Restrict getpid() to lower 16 bit so that it can still
be used as packet id. Now scapy calls nexthopmtu with this name
explicitly in icmp structure.

fter fixing poll(2) semantics in dynamic TCP buffer size update,
making netcat non-blocking and fixing ip6_forward() ICMP6 checksum,
this test can be made more aggressive. Delete the path MTU route

fter fixing poll(2) semantics in dynamic TCP buffer size update,
making netcat non-blocking and fixing ip6_forward() ICMP6 checksum,
this test can be made more aggressive. Delete the path MTU route
before sending TCP streams through the pf firewall. This checks
that PMTU discovery works with outgoing interface MTU and router
MTU.
Test IPv4 and IPv6 protocols ICMP echo, UDP, TCP with pf nat-to,
rdr-to, af-to, route-to, reply-to. Some af-to cases seem to be
broken.

show more ...

Extend the pf forward and fragment tests with a second challenge
for path MTU discovery. The router behind the pf machine has MTU
1300. The ICMP packet generated by the router matches the pf state

Extend the pf forward and fragment tests with a second challenge
for path MTU discovery. The router behind the pf machine has MTU
1300. The ICMP packet generated by the router matches the pf state
and is NATed correctly. Additionally the pf machine itself has an
interface MTU 1400. So when pf is sending a packet is has to
generate a correct "fragmentation needed" or "packet too big" ICMP
response. This is done with pf route-to and reply-to.

show more ...

Use a simpler expression to check the ether type in scapy. This
makes the fragment tests work on FreeBSD. From Ilya Bakulin.

Add a workaround that scapy srp1() cannot detect ICMP6 error replies
with broken checksums in the quoted IPv6 packet. Fork a process
to sendp() the packet in the background and sniff() the reply
man

Add a workaround that scapy srp1() cannot detect ICMP6 error replies
with broken checksums in the quoted IPv6 packet. Fork a process
to sendp() the packet in the background and sniff() the reply
manually in the foreground.

show more ...

Add a subtest to the MTU ping that checks wether the ip length of
the original packet and the icmp quoted packet are the same.

Add a test suite to route ip packets through a box running pf. You
have to setup four machines manually as described in the makefile.
The test uses netcat and scapy to send ping or udp echo packets

Add a test suite to route ip packets through a box running pf. You
have to setup four machines manually as described in the makefile.
The test uses netcat and scapy to send ping or udp echo packets or
tcp streams along the routers. It analyzes the returned reply or
icmp error packets. It tests the forward and net/rdr and net64
paths.

show more ...