Index: tests/Makefile
===================================================================
--- tests/Makefile
+++ tests/Makefile
@@ -8,6 +8,7 @@
 KYUAFILE= yes
+SUBDIR+= sbin
 SUBDIR+= etc
 SUBDIR+= sys
Index: tests/sbin/Makefile
===================================================================
--- /dev/null
+++ tests/sbin/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sbin
+TESTS_SUBDIRS+= pfctl
+KYUAFILE= yes
+
+.include
Index: tests/sbin/pfctl/Makefile
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/Makefile
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sbin/pfctl
+BINDIR= ${TESTSDIR}
+
+ATF_TESTS_SH= pfctl_test
+
+SUBDIR+= files
+
+.include
Index: tests/sbin/pfctl/files/Makefile
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sbin/pfctl/files
+BINDIR= ${TESTSDIR}
+
+FILES= pf????.in pf????.include pf????.ok
+FILES+= pfctl_test.descr.sh
+
+.include
Index: tests/sbin/pfctl/files/pf0001.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0001.in
@@ -0,0 +1,8 @@
+pass in all
+pass in from any to any no state
+pass in proto tcp from any port <= 1024 to any label foo_bar
+pass in proto tcp from any to any port = 25
+pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
+pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
Index: tests/sbin/pfctl/files/pf0001.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0001.ok
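Review bot: The closing `.include` of the new tests/sbin/Makefile carries no argument as shown here; if that is not an artifact of this rendering, bmake will reject the file. The intended line is presumably `.include <bsd.test.mk>`, which is what `TESTSDIR`, `TESTS_SUBDIRS` and `KYUAFILE` rely on to do anything. The same truncated `.include` appears in the tests/sbin/pfctl/Makefile and tests/sbin/pfctl/files/Makefile hunks.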
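Review bot: `FILES= pf????.in pf????.include pf????.ok` depends on bmake globbing the pattern when it builds the install source list; I believe it does for source lists, but that should be confirmed, since a literal `pf????.in` would make the install step fail. Even when globbing works, a mis-named or forgotten fixture silently drops out of the installed set and the test then sees fewer cases instead of an error, and no `pf????.include` file appears in this chunk, so that pattern may currently match nothing. An explicit list of fixture names, or at least a comment such as `# fixtures are picked up by glob; .include files are optional`, would make the intent checkable.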
@@ -0,0 +1,8 @@
+pass in all flags S/SA keep state
+pass in all no state
+pass in proto tcp from any port <= 1024 to any flags S/SA keep state label "foo_bar"
+pass in proto tcp from any to any port = smtp flags S/SA keep state
+pass in inet proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != ssh flags S/SA keep state
+pass in inet proto igmp from 10.0.0.0/8 to 10.1.1.1 keep state allow-opts
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "6:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "7:tcp:1.2.3.5::any:"
Index: tests/sbin/pfctl/files/pf0002.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0002.in
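Review bot: The expected output in pf0001.ok encodes service-name resolution rather than what the input wrote: `port = 25` is expected as `port = smtp` and `port != 22` as `port != ssh`, and pf0004.ok likewise expects `>= www` as `>= 80` and tcp `6667` as `ircd` while udp `6667` stays numeric; pf0005.ok even expects the input's `ident` to come back as `auth`. pfctl presumably obtains these names from the host's services database, so on a system whose /etc/services differs (no `ircd` entry, or `ident` listed before `auth`) the comparison fails with nothing pointing at the environment rather than the parser. That dependency is worth stating in pfctl_test, which is not in this chunk, or the fixtures could use port numbers that have no service name on either side.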
@@ -0,0 +1,34 @@
+# test
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in quick log on tun1000000 from 192.168.0.0/16 to any
+block in quick log on tun1000000 from 255.255.255.255/32 to any
+
+block in log quick from no-route to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all keep state
+
+pass in on tun1000000 proto tcp from any to any port = ssh keep state
+pass in on tun1000000 proto tcp from any to any port = smtp keep state
+pass in on tun1000000 proto tcp from any to any port = domain keep state
+pass in on tun1000000 proto tcp from any to any port = auth keep state
Index: tests/sbin/pfctl/files/pf0002.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0002.ok
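Review bot: pf0002.in embeds `157.161.48.183`, an address outside every reserved range, and pf0001.in, pf0004.in, pf0005.in and pf0007.in use `1.2.3.4`, `12.34.56.78` and the same `157.161.48.183`, which are likewise routable. The fixtures only drive the parser so no traffic is ever generated, but they are installed under `${TESTSBASE}` and get pasted into bug reports, and test data conventionally uses the RFC 5737 documentation blocks (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so as not to name real third-party hosts. If these files are carried over from another tree, substituting the addresses in both the .in and the matching .ok files is mechanical.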
@@ -0,0 +1,22 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+block drop in log quick from no-route to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0003.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0003.in
@@ -0,0 +1,13 @@
+pass in all
+pass in from any to any
+
+block in proto tcp from any to any flags FUPEW/FSRPAUEW
+block in proto tcp from any to any flags SF/SFRA
+block in proto tcp from any to any flags /SFRAW
+
+pass in proto { udp, icmp, tcp } from any to any flags S/SA
+pass in from any to any flags S/SA no state
+pass in from any to any flags any no state
+pass in from any to any flags any
+pass in from any to any keep state
+pass in from any to any
Index: tests/sbin/pfctl/files/pf0003.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0003.ok
@@ -0,0 +1,13 @@
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
+block drop in proto tcp all flags FPUEW/FSRPAUEW
+block drop in proto tcp all flags FS/FSRA
+block drop in proto tcp all flags /FSRAW
+pass in proto udp all keep state
+pass in proto icmp all keep state
+pass in proto tcp all flags S/SA keep state
+pass in all flags S/SA no state
+pass in all no state
+pass in all flags any keep state
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0004.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0004.in
@@ -0,0 +1,16 @@
+block in all
+block in proto tcp all
+block in proto { tcp, udp } all
+
+block in from any to any
+block in from 10.0.0.0/8 to any
+block in from ! 10.0.0.0/8 to any
+block in from { 10.0.0.0/8, 172.16.0.0/12 } to any
+
+block in proto tcp from any port = ssh to any
+block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } \
+ to any port 1024:2048
+
+block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \
+ to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668, 6669:65535 }
+
Index: tests/sbin/pfctl/files/pf0004.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0004.ok
@@ -0,0 +1,62 @@
+block drop in all
+block drop in proto tcp all
+block drop in proto tcp all
+block drop in proto udp all
+block drop in all
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from ! 10.0.0.0/8 to any
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from 172.16.0.0/12 to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port = ssh to any port 1024:2048
+block drop in proto tcp from any port 21 >< 2048 to any port 1024:2048
+block drop in proto tcp from any port != 1234 to any port 1024:2048
+block drop in proto tcp from any port >= 80 to any port 1024:2048
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
Index: tests/sbin/pfctl/files/pf0005.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0005.in
@@ -0,0 +1,6 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside="10.0.0.0/8"
+
+block in proto udp from $inside port { echo, $foo, ident } \
+ to 12.34.56.78 port { 6667, 0x10 }
Index: tests/sbin/pfctl/files/pf0005.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0005.ok
@@ -0,0 +1,11 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside = "10.0.0.0/8"
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 16
Index: tests/sbin/pfctl/files/pf0006.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0006.in
@@ -0,0 +1,3 @@
+a=b
+c=x
+a_b_c=d
Index: tests/sbin/pfctl/files/pf0006.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0006.ok
@@ -0,0 +1,3 @@
+a = "b"
+c = "x"
+a_b_c = "d"
Index: tests/sbin/pfctl/files/pf0007.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0007.in
@@ -0,0 +1,34 @@
+# test modulate state
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in log quick on tun1000000 from 192.168.0.0/16 to any
+block in log quick on tun1000000 from 255.255.255.255/32 to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all modulate state
+pass in on tun1000000 proto { tcp udp icmp } all modulate state
+pass in on tun1000000 proto { udp tcp icmp } all flags S/SA synproxy state
+
+pass in on tun1000000 proto tcp from any to any port = ssh modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp modulate state
+pass in on tun1000000 proto tcp from any to any port = domain modulate state
+pass in on tun1000000 proto tcp from any to any port = auth modulate state
Index: tests/sbin/pfctl/files/pf0007.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0007.ok
@@ -0,0 +1,27 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto tcp all flags S/SA synproxy state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA modulate state
Index: tests/sbin/pfctl/files/pf0008.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0008.in
@@ -0,0 +1,2 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block out log on tun1000001 from $extern to any
Index: tests/sbin/pfctl/files/pf0008.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0008.ok
@@ -0,0 +1,3 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block drop out log on tun1000001 inet from ! 10.0.0.0/8 to any
+block drop out log on tun1000001 inet from 10.1.2.3 to any
Index: tests/sbin/pfctl/files/pf0009.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0009.in
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+
+block in on $interfaces all
Index: tests/sbin/pfctl/files/pf0009.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0009.ok
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+block drop in on enc0 all
+block drop in on tun1000000 all
Index: tests/sbin/pfctl/files/pf0010.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0010.in
@@ -0,0 +1,31 @@
+# return variants
+pass in inet proto icmp all
+pass in inet6 proto icmp6 all
+block in inet proto icmp all
+block in inet6 proto icmp6 all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp in inet proto icmp all
+block return-icmp(0) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(5) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(10) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(15) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6 in inet6 proto icmp6 all
+block return-icmp6(0) in inet6 proto icmp6 all
+block return-icmp6(noroute-unr) in inet6 proto icmp6 all
+block return-icmp6(1) in inet6 proto icmp6 all
+block return-icmp6(admin-unr) in inet6 proto icmp6 all
+block return-icmp6(2) in inet6 proto icmp6 all
+block return-icmp6(notnbr-unr) in inet6 proto icmp6 all
+block return-icmp6(3) in inet6 proto icmp6 all
+block return-icmp6(addr-unr) in inet6 proto icmp6 all
+block return-icmp6(4) in inet6 proto icmp6 all
+block return-icmp6(port-unr) in inet6 proto icmp6 all
+block return-icmp(5, 1) in all
+block return-icmp(srcfail, admin-unr) in all
Index: tests/sbin/pfctl/files/pf0010.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0010.ok
@@ -0,0 +1,30 @@
+pass in inet proto icmp all keep state
+pass in inet6 proto ipv6-icmp all keep state
+block drop in inet proto icmp all
+block drop in inet6 proto ipv6-icmp all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp(port-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp(srcfail, admin-unr) in all
+block return-icmp(srcfail, admin-unr) in all
Index: tests/sbin/pfctl/files/pf0011.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0011.in
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type 0
+pass in inet proto icmp all icmp-type 0 code 0
+pass in inet proto icmp all icmp-type 1
+pass in inet proto icmp all icmp-type 1 code 1
+pass in inet6 proto ipv6-icmp all icmp6-type 0
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+pass in inet6 proto ipv6-icmp all icmp6-type 1
+pass in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+block in inet proto icmp all icmp-type 0
+block in inet proto icmp all icmp-type 0 code 0
+block in inet proto icmp all icmp-type 1
+block in inet proto icmp all icmp-type 1 code 1
+block in inet6 proto ipv6-icmp all icmp6-type 0
+block in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block in inet6 proto ipv6-icmp all icmp6-type 1
+block in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+pass in inet proto icmp all icmp-type unreach code needfrag
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb
Index: tests/sbin/pfctl/files/pf0011.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0011.ok
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type echorep keep state
+pass in inet proto icmp all icmp-type echorep code 0 keep state
+pass in inet proto icmp all icmp-type 1 keep state
+pass in inet proto icmp all icmp-type 1 code 1 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr keep state
+block drop in inet proto icmp all icmp-type echorep
+block drop in inet proto icmp all icmp-type echorep code 0
+block drop in inet proto icmp all icmp-type 1
+block drop in inet proto icmp all icmp-type 1 code 1
+block drop in inet6 proto ipv6-icmp all icmp6-type 0
+block drop in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr
+pass in inet proto icmp all icmp-type unreach code needfrag keep state
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb keep state
Index: tests/sbin/pfctl/files/pf0012.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0012.in
@@ -0,0 +1,5 @@
+pass in from 127.0.0.1 to 127.0.0.1/8 no state
+pass in from 127.0.0.1/16 to 127.0.0.1/24 no state
+pass in from 127.0.0.1/25 to ! 127.0.0.1/26
+pass in inet from ! localhost to localhost/16
+pass in inet from ! lo0 to ! lo0/8
Index: tests/sbin/pfctl/files/pf0012.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0012.ok
@@ -0,0 +1,5 @@
+pass in inet from 127.0.0.1 to 127.0.0.0/8 no state
+pass in inet from 127.0.0.0/16 to 127.0.0.0/24 no state
+pass in inet from 127.0.0.0/25 to ! 127.0.0.0/26 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to 127.0.0.0/16 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to ! 127.0.0.0/8 flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0013.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0013.in
@@ -0,0 +1,22 @@
+pass in quick on enc0 from any to any
+pass in quick on enc0 inet from any to any
+pass in quick on enc0 inet6 from any to any
+
+#pass out quick on tun1000000 inet from any to any route-to tun1000001
+#pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001
+#pass out quick on tun1000000 from any to fec0::1 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 reply-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100)
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2)
Index: tests/sbin/pfctl/files/pf0013.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0013.ok
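Review bot: pf0012.ok assumes that `localhost` resolves to 127.0.0.1 and that `lo0` carries exactly that one IPv4 address when pfctl runs, since the input's `! localhost` and `! lo0` are both expected to print as `! 127.0.0.1`; pf0025.ok likewise expects `antispoof for lo0` to expand to `::1` and `127.0.0.0/8`. These are run-time properties of the host (name resolution and interface configuration) rather than of the parser, so a jail without IPv6 on lo0, or a host with an extra lo0 alias, produces different output and a failure that reads like a pfctl regression. The test wrapper, which is outside this chunk, should verify those preconditions and skip with an explicit reason when they do not hold, or the fixtures should avoid hostname and interface expansion altogether.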
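Review bot: Lines 5 to 22 of pf0013.in are commented out, so pf0013.ok exercises only the three plain `pass in quick on enc0` rules and none of the `route-to`, `dup-to` or `reply-to` forms the file was evidently written for. pf0016.in, pf0018.in, pf0019.in and pf0020.in have the same shape: every `match … nat-to`/`rdr-to`/`binat-to` rule is disabled, presumably because this pfctl does not accept that syntax, and their .ok files reduce to the macro echo, so the NAT and RDR translation paths get no coverage from this commit and a regression there would still pass. Either port those rules to the syntax this pfctl accepts, or add a leading comment in each affected file such as `# NAT/route-to cases disabled: syntax not accepted by this pfctl, TODO port` so the gap is visible to whoever reads the fixture.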
@@ -0,0 +1,3 @@
+pass in quick on enc0 all flags S/SA keep state
+pass in quick on enc0 inet all flags S/SA keep state
+pass in quick on enc0 inet6 all flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0014.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0014.in
@@ -0,0 +1,6 @@
+pass in quick on lo0 from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to any
+pass in quick from any to fe80::1%lo0
+pass in quick on lo0 from fe80::1%lo0 to any
+pass in quick on lo0 from any to fe80::1%lo0
Index: tests/sbin/pfctl/files/pf0014.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0014.ok
@@ -0,0 +1,6 @@
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0016.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0016.in
@@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless nat -> filter
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+#match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1
+pass in on lo1000000 from any to any no state
Index: tests/sbin/pfctl/files/pf0016.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0016.ok
@@ -0,0 +1 @@
+pass in on lo1000000 all no state
Index: tests/sbin/pfctl/files/pf0018.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0018.in
@@ -0,0 +1,19 @@
+# test nat
+
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
+
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+#match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+#match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
+
+#match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0
+
+#match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0)
+
+#match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
+
+#match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port
+
+#match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8
Index: tests/sbin/pfctl/files/pf0018.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0018.ok
@@ -0,0 +1,2 @@
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
Index: tests/sbin/pfctl/files/pf0019.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0019.in
@@ -0,0 +1,9 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+
+# Test list processing
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
Index: tests/sbin/pfctl/files/pf0019.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0019.ok
@@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
Index: tests/sbin/pfctl/files/pf0020.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0020.in
@@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
Index: tests/sbin/pfctl/files/pf0020.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0020.ok
@@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
Index: tests/sbin/pfctl/files/pf0022.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0022.in
@@ -0,0 +1,8 @@
+set optimization aggressive
+set timeout { tcp.closing 6, tcp.opening 6 }
+set timeout tcp.first 6
+set limit states 500
+set limit {states 1000,frags 1000}
+set loginterface lo0
+set loginterface none
+set hostid 1
Index: tests/sbin/pfctl/files/pf0022.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0022.ok
@@ -0,0 +1,10 @@
+set optimization aggressive
+set timeout tcp.closing 6
+set timeout tcp.opening 6
+set timeout tcp.first 6
+set limit states 500
+set limit states 1000
+set limit frags 1000
+set loginterface lo0
+set loginterface none
+set hostid 0x00000001
Index: tests/sbin/pfctl/files/pf0023.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0023.in
@@ -0,0 +1,2 @@
+#test negated interface matching
+block in on ! lo0 all
Index: tests/sbin/pfctl/files/pf0023.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0023.ok
@@ -0,0 +1 @@
+block drop in on ! lo0 all
Index: tests/sbin/pfctl/files/pf0024.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0024.in
@@ -0,0 +1,8 @@
+#test variable concat
+a="ssh"
+b="ftp"
+c=$a $b
+d=$a $b $a $b
+e=$a $b $b "test" $a $b
+
+pass in proto tcp from any to any port { $c }
Index: tests/sbin/pfctl/files/pf0024.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0024.ok
@@ -0,0 +1,7 @@
+a = "ssh"
+b = "ftp"
+c = "ssh ftp"
+d = "ssh ftp ssh ftp"
+e = "ssh ftp ftp test ssh ftp"
+pass in proto tcp from any to any port = ssh flags S/SA keep state
+pass in proto tcp from any to any port = ftp flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0025.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0025.in
@@ -0,0 +1,4 @@
+antispoof for lo0
+antispoof log quick for lo0 inet
+antispoof for (lo0)
+antispoof log quick for (lo0) inet
Index: tests/sbin/pfctl/files/pf0025.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0025.ok
@@ -0,0 +1,5 @@
+block drop in on ! lo0 inet6 from ::1 to any
+block drop in on ! lo0 inet from 127.0.0.0/8 to any
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 from (lo0:network) to any
+block drop in log quick on ! lo0 inet from (lo0:network) to any
Index: tests/sbin/pfctl/files/pf0026.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0026.in
@@ -0,0 +1,2 @@
+block in on lo0 inet from ! (lo0) to any
+block out on lo0 inet from any to ! (lo0)
Index: tests/sbin/pfctl/files/pf0026.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0026.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet from ! (lo0) to any
+block drop out on lo0 inet from any to ! (lo0)
Index: tests/sbin/pfctl/files/pf0028.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0028.in
@@ -0,0 +1,7 @@
+# test logging keywords, and log quick/quick log order
+block in log (all) quick on lo0 all
+block in quick log on lo0 all
+block in quick log (all) on lo0 all
+block in log quick on lo0 all
+block in log on lo0 all
+block in log (all) on lo0 all
Index: tests/sbin/pfctl/files/pf0028.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0028.ok
@@ -0,0 +1,6 @@
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log on lo0 all
+block drop in log (all) on lo0 all
Index: tests/sbin/pfctl/files/pf0030.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0030.in
@@ -0,0 +1,7 @@
+#test line continuation
+
+block \
+ in \
+ on lo0 \
+ from any \
+ to any
Index: tests/sbin/pfctl/files/pf0030.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0030.ok
@@ -0,0 +1 @@
+block drop in on lo0 all
Index: tests/sbin/pfctl/files/pf0031.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0031.in
@@ -0,0 +1,21 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+#set block-policy return
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+
Index: tests/sbin/pfctl/files/pf0031.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0031.ok
@@ -0,0 +1,19 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
Index: tests/sbin/pfctl/files/pf0032.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0032.in
@@ -0,0 +1,7 @@
+pass in from 10/8 to any
+pass in from 10.1/8 to any
+pass in from 192.168.37.29/25 to any
+pass in from 192.168.37.29/24 to any
+pass in from 192.168.37.29/16 to any
+pass in from 192.168.37.29/8 to any
+
Index: tests/sbin/pfctl/files/pf0032.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0032.ok
@@ -0,0 +1,6 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 192.168.37.0/25 to any flags S/SA keep state
+pass in inet from 192.168.37.0/24 to any flags S/SA keep state
+pass in inet from 192.168.0.0/16 to any flags S/SA keep state
+pass in inet from 192.0.0.0/8 to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0034.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0034.in
@@ -0,0 +1,5 @@
+#mixed af, probability
+pass in from any to { 127.0.0.1, 2000::1 }
+pass in probability 0.5
+pass in probability 50%
+pass in inet6 proto tcp from ::1 probability 0.8%
Index: tests/sbin/pfctl/files/pf0034.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0034.ok
@@ -0,0 +1,5 @@
+pass in inet from any to 127.0.0.1 flags S/SA keep state
+pass in inet6 from any to 2000::1 flags S/SA keep state
+pass in all flags S/SA keep state probability 50%
+pass in all flags S/SA keep state probability 50%
+pass in inet6 proto tcp from ::1 to any flags S/SA keep state probability 0.8%
Index: tests/sbin/pfctl/files/pf0035.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0035.in
@@ -0,0 +1,5 @@
+#test matching on tos
+
+intf = "lo0"
+pass out on $intf inet proto tcp from any to any port 22 tos 0x10
+pass out on $intf inet proto tcp from any to any port 22 tos 0x08
Index: tests/sbin/pfctl/files/pf0035.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0035.ok
@@ -0,0 +1,3 @@
+intf = "lo0"
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x10 keep state
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x08 keep state
Index: tests/sbin/pfctl/files/pf0038.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0038.in
@@ -0,0 +1,5 @@
+# test
+
+pass in on tun1000000 proto tcp from any to any user bin
+pass in on tun1000000 proto tcp from any to any group bin
+pass in on tun1000000 proto tcp from any to any group wheel user root user bin
Index: tests/sbin/pfctl/files/pf0038.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0038.ok
@@ -0,0 +1,4 @@
+pass in on tun1000000 proto tcp all user = 3 flags S/SA keep state
+pass in on tun1000000 proto tcp all group = 7 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 3 group = 0 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 0 group = 0 flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0039.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0039.in
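Review bot: The expected output in pf0038.ok hard-codes resolved ids (`user = 3`, `group = 7`, `group = 0`), so the comparison only holds on a host whose passwd/group database maps bin to uid 3 and gid 7 and wheel to gid 0; pf0039.ok (`group = 65534` for nobody) and pf0041.ok (`group = 22` for sshd) carry the same dependency, and pf0041.ok and pf0047.ok additionally rely on /etc/services names (`tcpmux`, `compressnet`, `msg-icp`, `mpm-flags`). These look like the base system defaults, but nothing in the fixtures records the assumption, so a failure on a host with a customised user or service database would be hard to diagnose. A comment in pf0038.in such as `# expected ids assume the stock passwd/group database (bin=3/7, wheel=0)` would document it; alternatively the driver could resolve the names at run time before comparing, or skip the case when they do not resolve. The driver script is not part of this hunk, so I cannot tell whether it already guards for this.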
@@ -0,0 +1,25 @@
+#test random ordered opts
+
+body1="pass in log quick on lo0 inet proto icmp all "
+body2="pass in log quick on lo0 inet proto tcp all "
+o_user="user root "
+o_user2="user bin "
+o_group="group wheel "
+o_group2="group nobody "
+o_flags="flags S/SA "
+o_icmpspec="icmp-type 0 code 0 "
+o_tos="tos 0x08 "
+o_keep="keep state "
+o_fragment="fragment "
+o_allowopts="allow-opts "
+o_label="label blah"
+o_prio="set prio 2"
+
+$body2 $o_fragment $o_keep $o_label $o_tos
+$body2 $o_user $o_prio $o_tos $o_keep $o_group $o_label $o_allowopts \
+$o_user2 $o_group2
+$body1 $o_icmpspec $o_keep $o_label $o_prio
+$body2 $o_keep
+$body2 $o_label $o_keep $o_prio $o_tos
+$body1 $o_icmpspec $o_tos
+$body2 $o_flags $o_allowopts
Index: tests/sbin/pfctl/files/pf0039.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0039.ok
@@ -0,0 +1,24 @@
+body1 = "pass in log quick on lo0 inet proto icmp all "
+body2 = "pass in log quick on lo0 inet proto tcp all "
+o_user = "user root "
+o_user2 = "user bin "
+o_group = "group wheel "
+o_group2 = "group nobody "
+o_flags = "flags S/SA "
+o_icmpspec = "icmp-type 0 code 0 "
+o_tos = "tos 0x08 "
+o_keep = "keep state "
+o_fragment = "fragment "
+o_allowopts = "allow-opts "
+o_label = "label blah"
+o_prio = "set prio 2"
+pass in log quick on lo0 inet proto tcp all tos 0x08 keep state fragment label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA tos 0x08 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 tos 0x08 keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state allow-opts
Index: tests/sbin/pfctl/files/pf0040.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0040.in
@@ -0,0 +1,20 @@
+block
+block return
+block return-rst proto tcp
+pass
+pass in no state
+pass out no state
+pass all no state
+block in all
+block out all
+block from any to any
+pass in from any to any
+pass out from any to any
+block on lo0
+pass on lo0 all
+block on lo0 from any to any
+pass proto tcp flags S/SA
+pass proto udp keep state
+pass in proto udp all keep state
+pass out proto udp from any to any keep state
+pass out on lo0 proto tcp from any to any port 25 keep state
Index: tests/sbin/pfctl/files/pf0040.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0040.ok
@@ -0,0 +1,20 @@
+block drop all
+block return all
+block return-rst proto tcp all
+pass all flags S/SA keep state
+pass in all no state
+pass out all no state
+pass all no state
+block drop in all
+block drop out all
+block drop all
+pass in all flags S/SA keep state
+pass out all flags S/SA keep state
+block drop on lo0 all
+pass on lo0 all flags S/SA keep state
+block drop on lo0 all
+pass proto tcp all flags S/SA keep state
+pass proto udp all keep state
+pass in proto udp all keep state
+pass out proto udp all keep state
+pass out on lo0 proto tcp from any to any port = smtp flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0041.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0041.in
@@ -0,0 +1,12 @@
+anchor foo
+anchor bar all
+anchor bar from any to any
+anchor foo inet
+anchor foo inet6
+anchor foo inet all
+anchor foo proto tcp
+anchor foo inet proto tcp from 10.1.2.3 port smtp to 10.2.3.4 port ssh
+anchor foobar inet6 proto udp from ::1 port 1 to ::1 port 2
+anchor filteropt out proto tcp to any port 22 user root
+anchor filteropt in proto tcp to (self) port 22 group sshd
+anchor filteropt out inet proto icmp all icmp-type echoreq
Index: tests/sbin/pfctl/files/pf0041.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0041.ok
@@ -0,0 +1,12 @@
+anchor "foo" all
+anchor "bar" all
+anchor "bar" all
+anchor "foo" inet all
+anchor "foo" inet6 all
+anchor "foo" inet all
+anchor "foo" proto tcp all
+anchor "foo" inet proto tcp from 10.1.2.3 port = smtp to 10.2.3.4 port = ssh
+anchor "foobar" inet6 proto udp from ::1 port = tcpmux to ::1 port = compressnet
+anchor "filteropt" out proto tcp from any to any port = ssh user = 0
+anchor "filteropt" in proto tcp from any to (self) port = ssh group = 22
+anchor "filteropt" out inet proto icmp all icmp-type echoreq
Index: tests/sbin/pfctl/files/pf0047.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0047.in
@@ -0,0 +1,67 @@
+pass in on lo0 all label ""
+
+pass in all label "$if"
+pass in on lo0 all label "$if"
+pass in on lo0 all label "$if$if"
+
+pass in on lo0 all label "$srcaddr"
+pass in on lo0 from 0/0 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 from 127.0.0.1/8 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1/16 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1/31 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from lo0/8 to any label "$srcaddr"
+pass in on lo0 inet6 from lo0/64 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from lo0/127 to any label ":$srcaddr:$srcaddr:"
+
+pass in on lo0 all label "!$dstaddr!"
+pass in on lo0 inet from any to (lo0) label "$dstaddr"
+pass in on lo0 inet from any to (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet from any to (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 from any to ! 127.0.0.1/8 label "$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/16 label "$dstaddr$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/31 label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! ::1/8 label "$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/64 label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/127 label " $dstaddr $dstaddr "
+
+pass in on lo0 all label "x$srcportx"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 >< 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 <> 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28:29 to any label "$srcport"
+pass in on lo0 proto tcp from any port != 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port < 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port <= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port > 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port >= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$$srcport$$srcport$"
+
+pass in on lo0 all label "$dstport"
+pass in on lo0 proto udp from any to any port = 29 label "$dstport"
+pass in on lo0 proto udp from any to any port != 29 label "$dstport$dstport"
+pass in on lo0 proto udp from any to any port > 29 label "x$dstportx$dstportx"
+
+pass in on lo0 all label "$proto"
+pass in on lo0 proto esp all label "$proto"
+pass in on lo0 proto esp all label "$proto$proto"
+pass in on lo0 proto esp all label "-$proto-$proto-"
+pass in on lo0 proto 166 all label "$proto"
+pass in on lo0 proto 166 all label "$proto$proto"
+pass in on lo0 proto 166 all label "_$proto_$proto_"
+
+pass in on lo0 all label "$nr"
+pass in on lo0 all label "$nr$nr"
+pass in on lo0 all label "%$nr%$nr%"
+
+pass in on lo0 proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = 44 \
+ label "if $if proto $proto $srcaddr $srcport $dstaddr $dstport"
Index: tests/sbin/pfctl/files/pf0047.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0047.ok
@@ -0,0 +1,61 @@
+pass in on lo0 all flags S/SA keep state
+pass in all flags S/SA keep state label "any"
+pass in on lo0 all flags S/SA keep state label "lo0"
+pass in on lo0 all flags S/SA keep state label "lo0lo0"
+pass in on lo0 all flags S/SA keep state label "any"
+pass in on lo0 inet all flags S/SA keep state label "any"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label ":127.0.0.1:127.0.0.1:"
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state label "127.0.0.0/8"
+pass in on lo0 inet from 127.0.0.0/16 to any flags S/SA keep state label "127.0.0.0/16127.0.0.0/16"
+pass in on lo0 inet from 127.0.0.0/31 to any flags S/SA keep state label ":127.0.0.0/31:127.0.0.0/31:"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label ":fe80::1:fe80::1:"
+pass in on lo0 inet6 from ::/8 to any flags S/SA keep state label "::/8"
+pass in on lo0 inet6 from fe00::/8 to any flags S/SA keep state label "fe00::/8"
+pass in on lo0 inet6 from ::/64 to any flags S/SA keep state label "::/64::/64"
+pass in on lo0 inet6 from fe80::/64 to any flags S/SA keep state label "fe80::/64fe80::/64"
+pass in on lo0 inet6 from ::/127 to any flags S/SA keep state label ":::/127:::/127:"
+pass in on lo0 inet6 from fe80::/127 to any flags S/SA keep state label ":fe80::/127:fe80::/127:"
+pass in on lo0 all flags S/SA keep state label "!any!"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label " (lo0) (lo0) "
+pass in on lo0 inet from any to ! 127.0.0.0/8 flags S/SA keep state label "! 127.0.0.0/8"
+pass in on lo0 inet from any to ! 127.0.0.0/16 flags S/SA keep state label "! 127.0.0.0/16! 127.0.0.0/16"
+pass in on lo0 inet from any to ! 127.0.0.0/31 flags S/SA keep state label " ! 127.0.0.0/31 ! 127.0.0.0/31 "
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label " ! (lo0) ! (lo0) "
+pass in on lo0 inet6 from any to ! ::/8 flags S/SA keep state label "! ::/8"
+pass in on lo0 inet6 from any to ! ::/64 flags S/SA keep state label "! ::/64! ::/64"
+pass in on lo0 inet6 from any to ! ::/127 flags S/SA keep state label " ! ::/127 ! ::/127 "
+pass in on lo0 all flags S/SA keep state label "xx"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "28"
+pass in on lo0 proto tcp from any port 28 >< 29 to any flags S/SA keep state label "28><29"
+pass in on lo0 proto tcp from any port 28 <> 29 to any flags S/SA keep state label "28<>29"
+pass in on lo0 proto tcp from any port 28:29 to any flags S/SA keep state
+pass in on lo0 proto tcp from any port != 28 to any flags S/SA keep state label "!=28"
+pass in on lo0 proto tcp from any port < 28 to any flags S/SA keep state label "<28"
+pass in on lo0 proto tcp from any port <= 28 to any flags S/SA keep state label "<=28"
+pass in on lo0 proto tcp from any port > 28 to any flags S/SA keep state label ">28"
+pass in on lo0 proto tcp from any port >= 28 to any flags S/SA keep state label ">=28"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "2828"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "$28$28$"
+pass in on lo0 all flags S/SA keep state
+pass in on lo0 proto udp from any to any port = msg-icp keep state label "29"
+pass in on lo0 proto udp from any to any port != msg-icp keep state label "!=29!=29"
+pass in on lo0 proto udp from any to any port > 29 keep state label "x>29x>29x"
+pass in on lo0 all flags S/SA keep state label "ip"
+pass in on lo0 proto esp all keep state label "esp"
+pass in on lo0 proto esp all keep state label "espesp"
+pass in on lo0 proto esp all keep state label "-esp-esp-"
+pass in on lo0 proto 166 all keep state label "166"
+pass in on lo0 proto 166 all keep state label "166166"
+pass in on lo0 proto 166 all keep state label "_166_166_"
+pass in on lo0 all flags S/SA keep state label "57"
+pass in on lo0 all flags S/SA keep state label "5858"
+pass in on lo0 all flags S/SA keep state label "%59%59%"
+pass in on lo0 inet proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = mpm-flags flags S/SA keep state label "if lo0 proto tcp 127.0.0.1 30 127.0.0.2 44"
Index: tests/sbin/pfctl/files/pf0048.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0048.in
@@ -0,0 +1,13 @@
+table < regress > { 1.2.3.4 !5.6.7.8 10/8 lo0 }
+table const { ::1 fe80::/64 }
+table { 1.2.3.4 !5.6.7.8 } { ::1 ::2 ::3 } file "/dev/null" const { 4.3.2.1 }
+#match out on lo0 inet from < regress.1> to nat-to lo0:0
+#match out on !lo0 inet from ! to nat-to lo0:0
+#match in on lo0 inet6 from to rdr-to lo0:0
+#match in on !lo0 inet6 from !< regress.1 > to rdr-to lo0:0
+#match in from { ! } to any
+#match out from any to { !, }
+pass in from to any
+pass out from any to
+pass in from { } to any
+pass out from any to { !, ! }
Index: tests/sbin/pfctl/files/pf0048.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0048.ok
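Review bot: The table names in pf0048.in are empty as rendered — `table < regress > {`, `table const {`, `pass in from to any` — which pfctl would reject as a syntax error, and pf0048.ok shows the same gaps in its `table` and `pass … from … to` lines. Most likely the angle-bracketed names (`<regress>` and similar) were stripped by the page rendering rather than missing from the committed files, but that is worth confirming against the repository copy, since as shown neither file could parse, let alone match. If the spaced form `< regress >` is deliberate as a tokeniser test, a comment above the table lines saying so would make the intent clear.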
@@ -0,0 +1,9 @@
+table { 1.2.3.4 !5.6.7.8 10.0.0.0/8 ::1 fe80::1 127.0.0.1 }
+table const { ::1 fe80::/64 }
+table const { 1.2.3.4 !5.6.7.8 ::1 ::2 ::3 } file "/dev/null" { 4.3.2.1 }
+pass in from to any flags S/SA keep state
+pass out from any to flags S/SA keep state
+pass in from to any flags S/SA keep state
+pass in from to any flags S/SA keep state
+pass out from any to ! flags S/SA keep state
+pass out from any to ! flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0049.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0049.in
@@ -0,0 +1,7 @@
+#test :broadcast and :network modifiers
+pass in on lo0 from lo0:network to any keep state
+pass out on lo0 inet from lo0:network to any
+pass in on lo0 inet6 from lo0:network to any keep state
+
+#broadcast on lo0 doesn't make sense at all!
+#block in on lo0 from any to lo0:broadcast
Index: tests/sbin/pfctl/files/pf0049.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0049.ok
@@ -0,0 +1,4 @@
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass out on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0050.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0050.in
@@ -0,0 +1,4 @@
+# double macro set
+extif="wi0"
+extif="lo0"
+block in on $extif
Index: tests/sbin/pfctl/files/pf0050.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0050.ok
@@ -0,0 +1,3 @@
+extif = "wi0"
+extif = "lo0"
+block drop in on lo0 all
Index: tests/sbin/pfctl/files/pf0052.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0052.in
@@ -0,0 +1,7 @@
+# test setting all optimizations to avoid future keyword clashes
+
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
Index: tests/sbin/pfctl/files/pf0052.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0052.ok
@@ -0,0 +1,5 @@
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
Index: tests/sbin/pfctl/files/pf0053.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0053.in
@@ -0,0 +1,4 @@
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
+pass in on lo0 proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
Index: tests/sbin/pfctl/files/pf0053.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0053.ok
@@ -0,0 +1,4 @@
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "0:any:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "1:any:tcp:1.2.3.5::any:"
+pass in on lo0 inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "2:lo0:tcp:1.2.3.4::any:"
+pass in on lo0 inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "3:lo0:tcp:1.2.3.5::any:"
Index: tests/sbin/pfctl/files/pf0055.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0055.in
@@ -0,0 +1,18 @@
+set timeout { interval 43, frag 23 }
+set timeout { tcp.first 423, tcp.opening 123, tcp.established 43758 }
+set timeout { tcp.closing 744, tcp.finwait 25, tcp.closed 38 }
+set timeout { udp.first 356, udp.single 73, udp.multiple 34 }
+set timeout { icmp.first 464, icmp.error 34 }
+set timeout { other.first 455, other.single 54, other.multiple 324 }
+set timeout { src.track 3600 }
+set limit { states 4522, frags 43556 }
+set loginterface none
+set loginterface lo0
+set hostid 1
+set optimization normal
+set block-policy drop
+
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
Index: tests/sbin/pfctl/files/pf0055.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0055.ok
@@ -0,0 +1,28 @@
+set timeout interval 43
+set timeout frag 23
+set timeout tcp.first 423
+set timeout tcp.opening 123
+set timeout tcp.established 43758
+set timeout tcp.closing 744
+set timeout tcp.finwait 25
+set timeout tcp.closed 38
+set timeout udp.first 356
+set timeout udp.single 73
+set timeout udp.multiple 34
+set timeout icmp.first 464
+set timeout icmp.error 34
+set timeout other.first 455
+set timeout other.single 54
+set timeout other.multiple 324
+set timeout src.track 3600
+set limit states 4522
+set limit frags 43556
+set loginterface none
+set loginterface lo0
+set hostid 0x00000001
+set optimization normal
+set block-policy drop
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
Index: tests/sbin/pfctl/files/pf0056.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0056.in
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port www keep state (tcp.established 60)
+pass in proto tcp from any to any port www keep state (max 10, no-sync, tcp.first 2)
Index: tests/sbin/pfctl/files/pf0056.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0056.ok
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port = http flags S/SA keep state (tcp.established 60)
+pass in proto tcp from any to any port = http flags S/SA keep state (max 10, no-sync, tcp.first 2, adaptive.start 6, adaptive.end 12)
Index: tests/sbin/pfctl/files/pf0057.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0057.in
@@ -0,0 +1,4 @@
+a="10.0.0.1"
+b="x"
+b="y"
+pass in from $a
Index: tests/sbin/pfctl/files/pf0057.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0057.ok
@@ -0,0 +1,4 @@
+a = "10.0.0.1"
+b = "x"
+b = "y"
+pass in inet from 10.0.0.1 to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0060.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0060.in
@@ -0,0 +1,11 @@
+# netmask handling w/ multicast
+
+pass from 224.4.5.4/32
+pass from 224.4.5.4/16
+pass from 224.4.5.4/26
+pass from 224.4.5.65/26
+pass from 224.4.5.134/26
+pass from 224.4.5.199/26
+pass from 224.4.5.4
+
+
Index: tests/sbin/pfctl/files/pf0060.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0060.ok
@@ -0,0 +1,7 @@
+pass inet from 224.4.5.4 to any flags S/SA keep state
+pass inet from 224.4.0.0/16 to any flags S/SA keep state
+pass inet from 224.4.5.0/26 to any flags S/SA keep state
+pass inet from 224.4.5.64/26 to any flags S/SA keep state
+pass inet from 224.4.5.128/26 to any flags S/SA keep state
+pass inet from 224.4.5.192/26 to any flags S/SA keep state
+pass inet from 224.4.5.4 to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0061.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0061.in
@@ -0,0 +1,4 @@
+# dynaddr with netmask
+
+pass inet to (lo0)/24
+
Index: tests/sbin/pfctl/files/pf0061.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0061.ok
@@ -0,0 +1 @@
+pass inet from any to (lo0)/24 flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0065.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0065.in
@@ -0,0 +1,2 @@
+antispoof for lo0 label "antispoof-lo0"
+antispoof log quick for lo0 inet label "antispoof-lo0-2"
Index: tests/sbin/pfctl/files/pf0065.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0065.ok
@@ -0,0 +1,3 @@
+block drop in on ! lo0 inet6 from ::1 to any label "antispoof-lo0"
+block drop in on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0"
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0-2"
Index: tests/sbin/pfctl/files/pf0067.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0067.in
@@ -0,0 +1,3 @@
+pass in quick on tun1000000 keep state tag regress
+pass out quick on lo0 keep state tagged regress
+
Index: tests/sbin/pfctl/files/pf0067.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0067.ok
@@ -0,0 +1,2 @@
+pass in quick on tun1000000 all flags S/SA keep state tag regress
+pass out quick on lo0 all flags S/SA keep state tagged regress
Index: tests/sbin/pfctl/files/pf0069.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0069.in
@@ -0,0 +1,3 @@
+#match out on lo0 inet all tag regress nat-to lo0
+pass out quick on lo0 keep state tagged regress
+
Index: tests/sbin/pfctl/files/pf0069.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0069.ok
@@ -0,0 +1 @@
+pass out quick on lo0 all flags S/SA keep state tagged regress
Index: tests/sbin/pfctl/files/pf0070.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0070.in
@@ -0,0 +1,3 @@
+#match out on lo0 from 10.0.0.0/8 to any nat-to lo0
+block out on lo0 tagged regress
+
Index: tests/sbin/pfctl/files/pf0070.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0070.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: tests/sbin/pfctl/files/pf0071.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0071.in
@@ -0,0 +1,3 @@
+#match in on lo0 proto tcp from 10.0.0.0/8 to port 80 rdr-to lo0
+block out on lo0 tagged regress
+
Index: tests/sbin/pfctl/files/pf0071.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0071.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: tests/sbin/pfctl/files/pf0072.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0072.in
@@ -0,0 +1,4 @@
+# test binat tagging
+#match on lo0 from 192.168.1.1 to any tag regress binat-to 10.0.0.1
+block out on lo0 tagged regress
+
Index: tests/sbin/pfctl/files/pf0072.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0072.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: tests/sbin/pfctl/files/pf0074.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0074.in
@@ -0,0 +1 @@
+pass in proto tcp synproxy state
Index: tests/sbin/pfctl/files/pf0074.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0074.ok
@@ -0,0 +1 @@
+pass in proto tcp all flags S/SA synproxy state
Index: tests/sbin/pfctl/files/pf0075.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0075.in
@@ -0,0 +1,3 @@
+block in on lo0 proto tcp from 192.168.0.0/24 to port 22 tag ssh
+block in quick on lo0 ! tagged ssh
+
\ No newline at end of file
Index: tests/sbin/pfctl/files/pf0075.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0075.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet proto tcp from 192.168.0.0/24 to any port = ssh tag ssh
+block drop in quick on lo0 all ! tagged ssh
Index: tests/sbin/pfctl/files/pf0077.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0077.in
@@ -0,0 +1,5 @@
+# dynaddr with netmask. I never want to see this again:
+# $ echo "pass inet from (le0)/8" | pfctl -nvf -
+# pass inet from (l)/8 to any
+
+pass inet from (lo0)/8
Index: tests/sbin/pfctl/files/pf0077.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0077.ok
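Review bot: pf0072.in is headed `# test binat tagging`, but the only rule that would exercise binat tagging is the commented-out `#match on lo0 ... tag regress binat-to 10.0.0.1`, so what remains (`block out on lo0 tagged regress`) is the same single assertion pf0070 and pf0071 already make and the three expected files are byte-identical. I assume the match line was disabled because this pf does not accept OpenBSD's `match ... binat-to` syntax, but nothing in the file says so. I would replace the bare comment with `# OpenBSD match/binat-to syntax is not accepted here; the binat half of this test is disabled`, or better, an equivalent `binat on lo0 ... -> 10.0.0.1` rule (if binat here accepts `tag`) plus the matching .ok line, so the header is not read as coverage that does not exist. pf0075.in in this same run also lacks a trailing newline; adding one avoids the `\ No newline at end of file` churn on the next edit.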
@@ -0,0 +1 @@
+pass inet from (lo0)/8 to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0078.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0078.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to label "$srcaddr:$dstaddr"
+
Index: tests/sbin/pfctl/files/pf0078.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0078.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to flags S/SA keep state label "10.0.0.1:"
Index: tests/sbin/pfctl/files/pf0079.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0079.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to no-route label "$srcaddr:$dstaddr"
+
Index: tests/sbin/pfctl/files/pf0079.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0079.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to no-route flags S/SA keep state label "10.0.0.1:no-route"
Index: tests/sbin/pfctl/files/pf0081.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0081.in
@@ -0,0 +1,12 @@
+# skip step optimization involving dynaddr, tables, no-route
+# optimisation should be done on theses rules
+
+ip_list="{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list="{ }"
+pass from (lo0) to $ip_list
+pass from to $table_list
+pass from to $ip_list
+pass from to $table_list
+pass from no-route to $table_list
+pass from no-route to $ip_list
+pass from no-route to $table_list
Index: tests/sbin/pfctl/files/pf0081.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0081.ok
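Review bot: pf0078.ok locks in `$dstaddr` expanding to an empty string for a non-address destination (label `"10.0.0.1:"`), whereas pf0079.ok shows the `no-route` keyword being substituted literally (`"10.0.0.1:no-route"`); the destination token in pf0078 is not visible in this rendering, which looks like an angle-bracketed table name was lost, but the empty expansion is clearly the behaviour being pinned. That is a pfctl limitation rather than something anyone would specify, so pf0078.in deserves a comment such as `# $dstaddr expands to "" for a table destination; the .ok records current pfctl output, not a requirement`, so that a later change which expands the table name is not mistaken for a regression. The same applies to pf0081.in, whose comment `# optimisation should be done on theses rules` also has a typo (`these`).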
@@ -0,0 +1,32 @@
+ip_list = "{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list = "{ }"
+pass inet6 from (lo0) to ::1 flags S/SA keep state
+pass inet6 from (lo0) to ::2 flags S/SA keep state
+pass inet6 from (lo0) to ::3 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.1 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.2 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.3 flags S/SA keep state
+pass from to flags S/SA keep state
+pass from to flags S/SA keep state
+pass from to flags S/SA keep state
+pass inet6 from to ::1 flags S/SA keep state
+pass inet6 from to ::2 flags S/SA keep state
+pass inet6 from to ::3 flags S/SA keep state
+pass inet from to 0.0.0.1 flags S/SA keep state
+pass inet from to 0.0.0.2 flags S/SA keep state
+pass inet from to 0.0.0.3 flags S/SA keep state
+pass from to flags S/SA keep state
+pass from to flags S/SA keep state
+pass from to flags S/SA keep state
+pass from no-route to flags S/SA keep state
+pass from no-route to flags S/SA keep state
+pass from no-route to flags S/SA keep state
+pass inet6 from no-route to ::1 flags S/SA keep state
+pass inet6 from no-route to ::2 flags S/SA keep state
+pass inet6 from no-route to ::3 flags S/SA keep state
+pass inet from no-route to 0.0.0.1 flags S/SA keep state
+pass inet from no-route to 0.0.0.2 flags S/SA keep state
+pass inet from no-route to 0.0.0.3 flags S/SA keep state
+pass from no-route to flags S/SA keep state
+pass from no-route to flags S/SA keep state
+pass from no-route to flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0082.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0082.in
@@ -0,0 +1,15 @@
+# skip step optimization involving dynaddr, tables, no-route
+
+pass inet from (lo0)
+pass inet from !(lo0)
+pass inet from (lo0)
+pass inet6 from (lo0)
+pass from
+pass from !
+pass from
+pass inet from
+pass from
+pass inet6 from
+pass from
+pass inet from no-route
+pass from no-route
Index: tests/sbin/pfctl/files/pf0082.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0082.ok
@@ -0,0 +1,13 @@
+pass inet from (lo0) to any flags S/SA keep state
+pass inet from ! (lo0) to any flags S/SA keep state
+pass inet from (lo0) to any flags S/SA keep state
+pass inet6 from (lo0) to any flags S/SA keep state
+pass from to any flags S/SA keep state
+pass from ! to any flags S/SA keep state
+pass from to any flags S/SA keep state
+pass inet from to any flags S/SA keep state
+pass from to any flags S/SA keep state
+pass inet6 from to any flags S/SA keep state
+pass from to any flags S/SA keep state
+pass inet from no-route to any flags S/SA keep state
+pass from no-route to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0084.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0084.in
@@ -0,0 +1,17 @@
+#match out on tun1000000 from 10.0.0.0/24 to any \
+# nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
+#match in on tun1000000 from any to 10.0.1.1 \
+# rdr-to { 10.0.0.0/24 } sticky-address random
+#match in on tun1000000 from any to 10.0.1.2 \
+# rdr-to { 10.0.0.1, 10.0.0.2 } sticky-address
+
+pass in proto tcp from any to any port 22 \
+ keep state (source-track)
+pass in proto tcp from any to any port 25 \
+ keep state (source-track global)
+pass in proto tcp from any to any port 80 \
+ keep state (source-track rule, max-src-nodes 1000, max-src-states 3)
+pass in proto tcp from any to any port 123 \
+ keep state (source-track, max-src-nodes 1000)
+pass in proto tcp from any to any port 321 \
+ keep state (source-track, max-src-states 3)
Index: tests/sbin/pfctl/files/pf0084.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0084.ok
@@ -0,0 +1,5 @@
+pass in proto tcp from any to any port = ssh flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = smtp flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = http flags S/SA keep state (source-track rule, max-src-states 3, max-src-nodes 1000)
+pass in proto tcp from any to any port = ntp flags S/SA keep state (source-track rule, max-src-nodes 1000)
+pass in proto tcp from any to any port = pip flags S/SA keep state (source-track global, max-src-states 3)
Index: tests/sbin/pfctl/files/pf0085.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0085.in
@@ -0,0 +1,3 @@
+# test tag macro expansion
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tag "$srcaddr"
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tagged "$srcaddr"
Index: tests/sbin/pfctl/files/pf0085.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0085.ok
@@ -0,0 +1,6 @@
+pass inet from 127.0.0.1 to any flags S/SA keep state tag 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tag 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tag 127.0.0.3
+pass inet from 127.0.0.1 to any flags S/SA keep state tagged 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tagged 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tagged 127.0.0.3
Index: tests/sbin/pfctl/files/pf0087.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0087.in
@@ -0,0 +1,24 @@
+# pfctl -o rule reordering
+
+pass in on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 port 22 to 10.0.0.2 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.4 port 53 keep state
+pass in on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.1 port 80 keep state
+pass out on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.3 port 80 keep state
+pass out proto tcp to 10.0.0.1 port 81 keep state
+pass in proto udp to 10.0.0.3 port 53 keep state
+pass in on lo1000001 proto udp from 10.0.0.2 port 53 to 10.0.0.2 keep state
+pass out proto udp to 10.0.0.1 port 53 keep state
+pass out on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass out proto udp to 10.0.0.3 port 53 keep state
+pass out on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+pass out on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass out proto tcp to 10.0.0.1 port 80 keep state
+pass in proto udp to 10.0.0.1 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.6 port 22 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.2 keep state
Index: tests/sbin/pfctl/files/pf0087.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0087.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.3 port = http flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = hosts2-ns flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 flags S/SA keep state
+pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
Index: tests/sbin/pfctl/files/pf0088.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0088.in
@@ -0,0 +1,32 @@
+# pfctl -o duplicate rules
+
+pass in on lo1000000 from any to 10.0.0.1
+pass in on lo1000000 inet from any to 10.0.0.1
+
+pass
+pass out
+pass out
+pass out quick
+
+pass on lo1000001 to 10.0.0.1
+pass on lo1000000 from any to 10.0.0.1
+
+pass to 10.0.0.2 modulate state
+pass to 10.0.0.2 keep state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 modulate state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 synproxy state
+
+
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 port 80 keep state
+
+pass out
+pass in
+
+pass in on lo1000001 from any to any
+pass in on lo1000001 from any to any keep state
+pass in on lo1000001 from any to any
+
+block
Index: tests/sbin/pfctl/files/pf0088.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0088.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out quick all flags S/SA keep state
+pass on lo1000001 inet from any to 10.0.0.1 flags S/SA keep state
+pass on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+pass inet from any to 10.0.0.2 flags S/SA keep state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 flags S/SA synproxy state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 flags S/SA keep state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 port = http flags S/SA keep state
+pass out all flags S/SA keep state
+pass in all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+block drop all
Index: tests/sbin/pfctl/files/pf0089.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0089.in
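Review bot: pf0088.ok keeps every duplicate the input contains (`pass out all flags S/SA keep state` twice, `pass in on lo1000001 all flags S/SA keep state` three times, the two identical lo1000000 rules at the top), which is the unoptimised rule set, yet pf0088.in is headed `# pfctl -o duplicate rules`. Either the runner does not pass `-o` for this case and the header is stale, or the optimiser is expected to leave these untouched; pf0087 (`# pfctl -o rule reordering`) has the same shape, with its .ok in input order. The driver script is not in this chunk, so I cannot tell which; the .in header should state what is actually asserted, e.g. `# parsed without -o: duplicates are expected to survive unchanged`, and if `-o` is intended the .ok needs regenerating with it so the test exercises the optimiser rather than documenting its absence.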
@@ -0,0 +1,25 @@
+# TCP connection tracking
+
+table persist
+
+block all
+block quick from
+
+pass out proto tcp flags S/SA keep state
+pass out proto { icmp, udp } keep state
+
+pass in on lo1000001 proto tcp to 10.0.0.1 port 22 flags S/SA \
+ keep state (max-src-conn 10, max-src-conn-rate 3/99)
+
+pass in on lo1000001 proto tcp to 10.0.0.2 port 22 flags S/SA keep state \
+ (max-src-conn 10)
+
+pass in on lo1000001 proto tcp to 10.0.0.3 port 22 flags S/SA keep state \
+ (max-src-conn-rate 3/99)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 80 flags S/SA modulate state \
+ (max-src-conn 100, max-src-conn-rate 10/5, overload flush)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 8080 flags S/SA synproxy state \
+ (max-src-conn 1000, max-src-conn-rate 1000/5, overload \
+ flush global)
Index: tests/sbin/pfctl/files/pf0089.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0089.ok
@@ -0,0 +1,11 @@
+table persist
+block drop all
+block drop quick from to any
+pass out proto tcp all flags S/SA keep state
+pass out proto icmp all keep state
+pass out proto udp all keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload flush, src.track 5)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = 8080 flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload flush global, src.track 5)
Index: tests/sbin/pfctl/files/pf0090.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0090.in
@@ -0,0 +1,5 @@
+pass log (user)
+pass log (all)
+pass log (to pflog7)
+block log (all, user, to pflog1)
+block log (to pflog1, user)
Index: tests/sbin/pfctl/files/pf0090.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0090.ok
@@ -0,0 +1,5 @@
+pass log (user) all flags S/SA keep state
+pass log (all) all flags S/SA keep state
+pass log (to pflog7) all flags S/SA keep state
+block drop log (all, user, to pflog1) all
+block drop log (user, to pflog1) all
Index: tests/sbin/pfctl/files/pf0091.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0091.in
@@ -0,0 +1,11 @@
+# basic anchor test
+anchor on tun1000000 {
+ anchor foo out {
+ pass proto tcp to port 1234
+ anchor proto tcp to port 2413 user root label "foo" {
+ block
+ pass from 127.0.0.1
+ }
+ }
+ pass in proto tcp to port 1234
+}
Index: tests/sbin/pfctl/files/pf0091.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0091.ok
@@ -0,0 +1,10 @@
+anchor on tun1000000 all {
+ anchor "foo" out all {
+ pass proto tcp from any to any port = 1234 flags S/SA keep state
+ anchor proto tcp from any to any port = 2413 user = 0 label "foo" {
+ block drop all
+ pass inet from 127.0.0.1 to any flags S/SA keep state
+ }
+ }
+ pass in proto tcp from any to any port = 1234 flags S/SA keep state
+}
Index: tests/sbin/pfctl/files/pf0092.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0092.in
@@ -0,0 +1,30 @@
+anchor { # testing comments
+ anchor in {
+ # comment before rule
+ pass quick
+ }
+ # silly nesting
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ pass
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000
+ anchor foo on tun1000000 {
+
+ pass
+ }
+} # comment after closing brace
+
Index: tests/sbin/pfctl/files/pf0092.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0092.ok
@@ -0,0 +1,26 @@
+anchor all {
+ anchor in all {
+ pass quick all flags S/SA keep state
+ }
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ pass all flags S/SA keep state
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000 all flags S/SA keep state
+ anchor "foo" on tun1000000 all {
+ pass all flags S/SA keep state
+ }
+}
Index: tests/sbin/pfctl/files/pf0094.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0094.in
@@ -0,0 +1,4 @@
+pass from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5
+pass from 0.0.0.0 - 255.255.255.255
+pass from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4
+pass from ::0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Index: tests/sbin/pfctl/files/pf0094.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0094.ok
@@ -0,0 +1,4 @@
+pass inet from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5 flags S/SA keep state
+pass inet from 0.0.0.0 - 255.255.255.255 to any flags S/SA keep state
+pass inet6 from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4 flags S/SA keep state
+pass inet6 from :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to any flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0095.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0095.in
@@ -0,0 +1,4 @@
+
+include "./pf0095.include"
+
+block out proto tcp
Index: tests/sbin/pfctl/files/pf0095.include
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0095.include
@@ -0,0 +1,2 @@
+
+block in proto udp
Index: tests/sbin/pfctl/files/pf0095.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0095.ok
@@ -0,0 +1,2 @@
+block drop in proto udp all
+block drop out proto tcp all
Index: tests/sbin/pfctl/files/pf0096.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0096.in
@@ -0,0 +1,5 @@
+# varset allows concatenated strings as numbers
+myports = 5555 6666
+# and also can be used within another macro
+moreports = $myports 7777
+pass in proto tcp from any to any port { $moreports }
Index: tests/sbin/pfctl/files/pf0096.ok
===================================================================
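Review bot: pf0095.in pulls in `include "./pf0095.include"` by a path relative to pfctl's working directory, not to the file being parsed, so the case only passes if the runner changes into the installed files directory before invoking pfctl; the Makefile in this commit installs these files under ${TESTSBASE}/sbin/pfctl/files, and the runner itself is not visible in this chunk. A one-line comment above the include, `# path is relative to the cwd the runner uses, not to this file`, would make that dependency explicit, and having the runner cd into the files directory (or substitute an absolute path) is the robust fix. Adding `include` to the description table would also help, since the descr.sh shown later in this diff has no pf0095 entry in the visible part.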
--- /dev/null
+++ tests/sbin/pfctl/files/pf0096.ok
@@ -0,0 +1,5 @@
+myports = "5555 6666"
+moreports = "5555 6666 7777"
+pass in proto tcp from any to any port = 5555 flags S/SA keep state
+pass in proto tcp from any to any port = 6666 flags S/SA keep state
+pass in proto tcp from any to any port = 7777 flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0097.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0097.in
@@ -0,0 +1,4 @@
+pass in on em0 inet proto tcp from any to any port 220:230 divert-to 127.0.0.1 port 22
+#pass out on em0 inet proto tcp from any to any port 220:230 divert-reply
+pass on em0 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 8080
+pass in on em0 inet proto 103 divert-to 127.0.0.1 port 103 # FIXME
Index: tests/sbin/pfctl/files/pf0097.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0097.ok
@@ -0,0 +1,3 @@
+pass in on em0 inet proto tcp from any to any port 220:230 flags S/SA keep state divert-to 22
+pass on em0 inet proto tcp from any to any port = http flags S/SA keep state divert-to 8080
+pass in on em0 inet proto pim all keep state divert-to 103
Index: tests/sbin/pfctl/files/pf0098.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0098.in
@@ -0,0 +1,4 @@
+# Test rule order processing should pass (require-order no longer required)
+pass in on lo1000000 all
+#match out on lo0 inet6 all nat-to lo0
+
Index: tests/sbin/pfctl/files/pf0098.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0098.ok
@@ -0,0 +1 @@
+pass in on lo1000000 all flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0100.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0100.in
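Review bot: the `# FIXME` on pf0097.in's last line says nothing about what is wrong, and the commented-out `divert-reply` rule above it is equally unexplained, so the next reader cannot tell whether the protocol-103 case is a known-bad expectation or just untidy. pf0097.ok shows that rule printing as `proto pim all keep state divert-to 103` with the 127.0.0.1 address dropped, which suggests the FIXME concerns divert-to on a non-TCP/UDP protocol, but that is my inference. I would spell it out, e.g. `# FIXME: divert-to on a non-TCP/UDP proto is accepted but not meaningful; .ok records current output` and, for the disabled line, `# divert-reply is not accepted by this pf; kept for parity with the upstream regress file`, adjusted to whatever the author actually meant. pf0098.in has the same unexplained commented-out `match ... nat-to` line and would benefit from the same one-line note.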
@@ -0,0 +1,20 @@
+pass
+anchor "a/b"
+anchor "1/2/3" # test anchors with multiple path components
+anchor "relative" {
+ pass in on lo0 label TEST1
+}
+anchor "camield/*" # empty wildcard anchor
+
+anchor "relayd/*"
+
+anchor "foo" in on lo0 {
+ anchor "bar" in { # nested named inlined anchor
+ anchor "/1/2/3" # absolute multicomponent path
+ anchor "/relative" # absolute path
+ pass in on lo0 label FOO
+ }
+ anchor in { # nested unnamed inlined anchor
+ pass in on lo0 label BAR
+ }
+}
Index: tests/sbin/pfctl/files/pf0100.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0100.ok
@@ -0,0 +1,18 @@
+pass all flags S/SA keep state
+anchor "/b" all
+anchor "/3" all
+anchor "relative" all {
+ pass in on lo0 all flags S/SA keep state label "TEST1"
+}
+anchor "/*" all
+anchor "/*" all
+anchor "foo" in on lo0 all {
+ anchor "bar" in all {
+ anchor "/3" all
+ anchor "/relative" all
+ pass in on lo0 all flags S/SA keep state label "FOO"
+ }
+ anchor in all {
+ pass in on lo0 all flags S/SA keep state label "BAR"
+ }
+}
Index: tests/sbin/pfctl/files/pf0101.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0101.in
@@ -0,0 +1,8 @@
+# test prio
+
+pass set prio 3
+
+pass out on lo1000000 proto tcp from any to any port 22 set prio (5 2)
+
+pass proto udp from any to { 127.0.0.1 127.0.0.2 } port 53 set prio 4
+
Index: tests/sbin/pfctl/files/pf0101.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0101.ok
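Review bot: pf0100.ok locks in a rendering that keeps only the last path component of a multi-component anchor name: `anchor "a/b"` prints as `anchor "/b"`, `"1/2/3"` as `"/3"`, and `"camield/*"` and `"relayd/*"` both as `"/*"`, so the printed ruleset is not loadable back into pfctl and two different anchors become indistinguishable in the expected file. If that is known print behaviour being pinned on purpose, pf0100.in should say so, e.g. `# printed anchor names keep only the last path component (see .ok); this pins current output, not intended semantics`; if it is not intended, the .ok is masking a printing bug and should be regenerated once it is fixed rather than cementing it.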
@@ -0,0 +1,4 @@
+pass all flags S/SA set ( prio 3 ) keep state
+pass out on lo1000000 proto tcp from any to any port = ssh flags S/SA set ( prio(5, 2) ) keep state
+pass inet proto udp from any to 127.0.0.1 port = domain set ( prio 4 ) keep state
+pass inet proto udp from any to 127.0.0.2 port = domain set ( prio 4 ) keep state
Index: tests/sbin/pfctl/files/pf0102.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0102.in
@@ -0,0 +1,9 @@
+# test rule expansion with mixed af
+
+pass from {1.1.1.1 2002::} to (self)
+
+pass from {2002:: 1.1.1.1} to (self)
+
+pass from {1.1.1.1 2002::} to (self)/40
+
+pass from {2002:: 1.1.1.1} to (self)/40
Index: tests/sbin/pfctl/files/pf0102.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0102.ok
@@ -0,0 +1,8 @@
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self)/32 flags S/SA keep state
+pass inet6 from 2002:: to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self)/32 flags S/SA keep state
+pass inet6 from 2002:: to (self)/40 flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
Index: tests/sbin/pfctl/files/pf0104.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0104.in
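Review bot: pf0102.ok records order-dependent output for what is semantically the same rule: `{1.1.1.1 2002::} to (self)/40` expands to `inet6 ... to (self)/32` while `{2002:: 1.1.1.1} to (self)/40` expands to `(self)/40`, and a bare `(self)` destination acquires `/32` on the inet6 rule only when the list starts with an IPv4 address. That looks like the dynaddr mask being derived from the first list entry's family and carried across the whole expansion, which the expected file now enshrines as correct; I infer the mechanism, but the asymmetry is visible in the .ok itself. pf0102.in should at least flag it, e.g. `# NOTE: the inet6 expansion inherits a /32 from a leading IPv4 entry; pinned as current behaviour, probably a bug`, so a later fix is not treated as a regression.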
@@ -0,0 +1,10 @@
+# This test assumes that localhost points to 127.0.0.1 first
+pass in proto tcp to port 25 divert-to localhost port 8025
+# Test IPv4 addresses
+pass in proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to localhost port 8025
+# Test IPv6 addresses
+pass in proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to localhost port 8025
Index: tests/sbin/pfctl/files/pf0104.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf0104.ok
@@ -0,0 +1,7 @@
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
Index: tests/sbin/pfctl/files/pf1001.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1001.in
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
Index: tests/sbin/pfctl/files/pf1001.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1001.ok
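Review bot: pf0104.in makes the result depend on the host's name resolution rather than on pfctl: its own header admits it assumes `localhost` resolves to 127.0.0.1 first, and the `inet6 ... divert-to localhost` line additionally requires localhost to carry an IPv6 mapping, so a machine with a different /etc/hosts or resolver order can fail this case for reasons unrelated to the code under test. Since pf0104.ok prints only the port (`divert-to 8025`), the resolved address never reaches the comparison and the three `localhost` rules add no coverage beyond the literal `127.0.0.1` and `::1` ones. I would either drop the `localhost` forms or extend the header to `# depends on /etc/hosts: localhost must resolve to both 127.0.0.1 and ::1, IPv4 first` so a failure is attributed to the environment rather than to pfctl.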
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
Index: tests/sbin/pfctl/files/pf1002.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1002.in
@@ -0,0 +1 @@
+set timeout interval 10
Index: tests/sbin/pfctl/files/pf1002.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1002.ok
@@ -0,0 +1 @@
+set timeout interval 10
Index: tests/sbin/pfctl/files/pf1003.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1003.in
@@ -0,0 +1,3 @@
+altq on em0 cbq(default) bandwidth 100Kb queue qmain
+queue qmain priority 4
+pass on em0 queue qmain
Index: tests/sbin/pfctl/files/pf1003.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1003.ok
@@ -0,0 +1,3 @@
+altq on em0 cbq( default ) bandwidth 100Kb tbrsize 1500 queue { qmain }
+queue qmain priority 4
+pass on em0 all flags S/SA keep state queue qmain
Index: tests/sbin/pfctl/files/pf1004.in
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1004.in
@@ -0,0 +1,6 @@
+altq on em0 cbq(default codel) bandwidth 20Mb queue qmain
+queue qmain { q1 q2 }
+queue q1 priority 1 bandwidth 60%
+queue q2 priority 2 bandwidth 40%
+pass on em0 queue q1
+block on em0 queue q2
Index: tests/sbin/pfctl/files/pf1004.ok
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pf1004.ok
@@ -0,0 +1,6 @@
+altq on em0 cbq( codel default ) bandwidth 20Mb tbrsize 12000 queue { qmain }
+queue qmain { q1 q2 }
+queue q1 bandwidth 60%
+queue q2 bandwidth 40% priority 2
+pass on em0 all flags S/SA keep state queue q1
+block drop on em0 all queue q2
Index: tests/sbin/pfctl/files/pfctl_test.descr.sh
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/files/pfctl_test.descr.sh
@@ -0,0 +1,83 @@
+# atf-sh, to be sourced by run.sh
+
+# Keep description string without whitespace, or problems might occur
+# with the eval expressions in the main file!
+
+pf0001_descr () { echo "pass" ; }
+pf0002_descr () { echo "return" ; }
+pf0003_descr () { echo "flags" ; }
+pf0004_descr () { echo "port" ; }
+pf0005_descr () { echo "var" ; }
+pf0006_descr () { echo "assign" ; }
+pf0007_descr () { echo "modulate" ; }
+pf0008_descr () { echo "extern" ; }
+pf0009_descr () { echo "interfaces" ; }
+pf0010_descr () { echo "return var" ; }
+pf0011_descr () { echo "icmp type" ; }
+pf0012_descr () { echo "from not" ; }
+pf0013_descr () { echo "quick any" ; }
+pf0014_descr () { echo "quick on" ; }
+pf0016_descr () { echo "no state" ; }
+pf0018_descr () { echo "test list" ; }
+pf0019_descr () { echo "evil good in" ; }
+pf0020_descr () { echo "evil good out" ; }
+pf0022_descr () { echo "set" ; }
+pf0023_descr () { echo "block on not" ; }
+pf0024_descr () { echo "pass assign" ; }
+pf0025_descr () { echo "antispoof" ; }
+pf0026_descr () { echo "block bracket" ; }
+pf0028_descr () { echo "block quick" ; }
+pf0030_descr () { echo "line continuation" ; }
+pf0031_descr () { echo "block policy" ; }
+pf0032_descr () { echo "pass to any" ; }
+pf0034_descr () { echo "probability" ; }
+pf0035_descr () { echo "match on tos" ; }
+pf0038_descr () { echo "user" ; }
+pf0039_descr () { echo "random ordered opts" ; }
+pf0040_descr () { echo "block pass" ; }
+pf0041_descr () { echo "anchor" ; }
+pf0047_descr () { echo "label" ; }
+pf0048_descr () { echo "table" ; }
+pf0049_descr () { echo "network broadcast" ; }
+pf0050_descr () { echo "double macro set" ; }
+pf0052_descr () { echo "set optimization" ; }
+pf0053_descr () { echo "pass to label" ; }
+pf0055_descr () { echo "set timeout" ; }
+pf0056_descr () { echo "bracket opts" ; }
+pf0057_descr () { echo "double assign" ; }
+pf0060_descr () { echo "netmask multicast" ; }
+pf0061_descr () { echo "dynaddr with netmask" ; }
+pf0065_descr () { echo "antispoof label" ; }
+pf0067_descr () { echo "tag regress" ; }
+pf0069_descr () { echo "pass tag regress" ; }
+pf0070_descr () { echo "block out tag regress" ; }
+pf0071_descr () { echo "block in tag regress" ; }
+pf0072_descr () { echo "binat to tag regress" ; }
+pf0074_descr () { echo "synproxy" ; }
+pf0075_descr () { echo "tag ssh" ; }
+pf0077_descr () { echo "dynaddr netmask" ; }
+pf0078_descr () { echo "table regress" ; }
+pf0079_descr () { echo "no route" ; }
+pf0081_descr () { echo "ip list table list" ; }
+pf0082_descr () { echo "pass from table" ; }
+pf0084_descr () { echo "source track" ; }
+pf0085_descr () { echo "tag macro expansion" ; }
+pf0087_descr () { echo "rule reordering" ; }
+pf0088_descr () { echo "duplicate rules" ; }
+pf0089_descr () { echo "tcp connection tracking" ; }
+pf0090_descr () { echo "log bracket" ; }
+pf0091_descr () { echo "nested anchor" ; }
+pf0092_descr () { echo "comments" ; }
+pf0094_descr () { echo "ipv6 range" ; }
+pf0095_descr () { echo "include" ; }
+pf0096_descr () { echo "varset" ; }
+pf0097_descr () { echo "divert to" ; }
+pf0098_descr () { echo "pass all" ; }
+pf0100_descr () { echo "anchor paths" ; }
+pf0101_descr () { echo "prio" ; }
+pf0102_descr () { echo "mixed af" ; }
+pf0104_descr () { echo "localhost divert to" ; }
+pf1001_descr () { echo "binat" ; }
+pf1002_descr () { echo "set timeout interval" ; }
+pf1003_descr () { echo "altq" ; }
+pf1004_descr () { echo "altq cbq codel" ; }
Index: tests/sbin/pfctl/pfctl_test.sh
===================================================================
--- /dev/null
+++ tests/sbin/pfctl/pfctl_test.sh
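Review bot: The header comment of this file is wrong on both counts: it says the file is sourced by `run.sh`, but the only consumer added in this commit is pfctl_test.sh, and it warns to keep descriptions "without whitespace" while most entries ("return var", "icmp type", "localhost divert to") contain spaces and work because pfctl_test.sh wraps the expansion in escaped double quotes. The real constraint is what survives that double-quoted `eval`: a description containing `"`, `\` or `$` would break or be expanded. I would replace the two comment blocks with `# Sourced by pfctl_test.sh, which substitutes each description into a double-quoted eval string.` and `# Descriptions may contain spaces but must not contain double quotes, backslashes or dollar signs.`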
@@ -0,0 +1,48 @@
+# Make will add a shebang line at the top of this file.
+
+pfctl_bin=/usr/obj/usr/src/sbin/pfctl/pfctl
+
+# Tests 0001-0999 are copied from OpenBSD's regress/sbin/pfctl.
+# Tests 1001-1999 are ours (FreeBSD's own).
+
+# pf: Run pfctl -nv on pfNNNN.in and check that the output matches pfNNNN.ok.
+# Copied from OpenBSD. Main differences are some things not working
+# in FreeBSD:
+# * The action 'match'
+# * The command 'set reassemble'
+# * The 'from'/'to' options together with 'route-to'
+# * The option 'scrub' (it is an action in FreeBSD)
+# * Accepting undefined routing tables in actions (??: see pf0093.in)
+# * The 'route' option
+# * The 'set queue def' option
+# selfpf: Feed pfctl output through pfctl again and verify it stays the same.
+# Copied from OpenBSD.
+
+pftests="0001 0002 0003 0004 0005 0006 0007 0008 0009 0010 0011 0012
+0013 0014 0016 0018 0019 0020 0022 0023 0024 0025 0026 0028 0030 0031
+0032 0034 0035 0038 0039 0040 0041 0047 0048 0049 0050 0052 0053 0055
+0056 0057 0060 0061 0065 0067 0069 0070 0071 0072 0074 0075 0077 0078
+0079 0081 0082 0084 0085 0087 0088 0089 0090 0091 0092 0094 0095 0096
+0097 0098 0100 0101 0102 0104 1001 1002 1003 1004"
+
+. $(atf_get_srcdir)/files/pfctl_test.descr.sh
+
+for i in ${pftests} ; do
+ atf_test_case "pf${i}"
+ eval "pf${i}_head () { atf_set descr \"$(pf${i}_descr)\" ; }"
+ eval "pf${i}_body () { \
+ cd $(atf_get_srcdir)/files && \
+ atf_check -o file:pf${i}.ok \
+ ${pfctl_bin} -o none -nvf - < pf${i}.in ; }"
+
+ atf_test_case "selfpf${i}"
+ eval "selfpf${i}_head () { atf_set descr \"self$(pf${i}_descr)\" ; }"
+ eval "selfpf${i}_body () { \
+ cd $(atf_get_srcdir)/files && \
+ atf_check -o file:pf${i}.ok \
+ ${pfctl_bin} -o none -nvf - < pf${i}.ok ; }"
+done
+
+atf_init_test_cases () {
+ for i in ${pftests} ; do atf_add_test_case "pf${i}"
+ atf_add_test_case "selfpf${i}" ; done ; }
Index: tests/sys/netpfil/Kyuafile
===================================================================
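Review bot: `pfctl_bin=/usr/obj/usr/src/sbin/pfctl/pfctl` hard-codes a developer's object tree into a test that is installed under ${TESTSBASE}, so every generated body fails with "not found" on a machine where the tree was not built at /usr/src with the default MAKEOBJDIRPREFIX, and where such a stale binary does exist the suite silently tests it instead of the installed pfctl. Make the binary overridable and default to the installed one, e.g. `pfctl_bin="${PFCTL:-/sbin/pfctl}"`, and have the body check it is executable before running it. Also, `$(atf_get_srcdir)` and `${pfctl_bin}` are expanded unquoted inside the eval'd bodies, so a srcdir containing whitespace would break the `cd`; wrapping them as `cd \"$(atf_get_srcdir)/files\"` keeps the generated functions safe.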
--- /dev/null
+++ tests/sys/netpfil/Kyuafile
@@ -0,0 +1,52 @@
+-- $FreeBSD$
+--
+-- Copyright 2011 Google Inc.
+-- All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, are permitted provided that the following conditions are
+-- met:
+--
+-- * Redistributions of source code must retain the above copyright
+-- notice, this list of conditions and the following disclaimer.
+-- * Redistributions in binary form must reproduce the above copyright
+-- notice, this list of conditions and the following disclaimer in the
+-- documentation and/or other materials provided with the distribution.
+-- * Neither the name of Google Inc. nor the names of its contributors
+-- may be used to endorse or promote products derived from this software
+-- without specific prior written permission.
+--
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+-- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+-- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+-- A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+-- OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+-- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+-- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+-- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+-- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+-- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-- Automatically recurses into any subdirectory that holds a Kyuafile.
+-- As such, this Kyuafile is suitable for installation into the root of
+-- the tests hierarchy as well as into any other subdirectory that needs
+-- "auto-discovery" of tests.
+--
+-- This file is based on the Kyuafile.top sample file distributed in the
+-- kyua-cli package.
+
+syntax(2)
+
+local directory = fs.dirname(current_kyuafile())
+for file in fs.files(directory) do
+ if file == "." or file == ".." then
+ -- Skip these special entries.
+ else
+ local kyuafile_relative = fs.join(file, "Kyuafile")
+ local kyuafile_absolute = fs.join(directory, kyuafile_relative)
+ if fs.exists(kyuafile_absolute) then
+ include(kyuafile_relative)
+ end
+ end
+end
Index: tests/sys/netpfil/Makefile
===================================================================
--- /dev/null
+++ tests/sys/netpfil/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netpfil
+TESTS_SUBDIRS+= pf
+KYUAFILE= yes
+
+.include
Index: tests/sys/netpfil/pf/Makefile
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/Makefile
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netpfil/pf
+BINDIR= ${TESTSDIR}
+
+ATF_TESTS_SH= pf_test
+
+SUBDIR+= files
+
+.include
Index: tests/sys/netpfil/pf/files/Makefile
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/files/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netpfil/pf/files
+BINDIR= ${TESTSDIR}
+
+FILES= pf_test.conf.sh
+
+.include
Index: tests/sys/netpfil/pf/files/pf_test.conf.sh
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/files/pf_test.conf.sh
@@ -0,0 +1,7 @@
+# You need to set these variables for the tests to work.
+
+#LOCAL_ADDR=192.168.0.1
+#LOCAL_IF=tap0
+REMOTE_ADDR=192.168.0.2
+REMOTE_IF=vtnet0
+SSH=root@192.168.0.2
Index: tests/sys/netpfil/pf/pf_test.sh
===================================================================
--- /dev/null
+++ tests/sys/netpfil/pf/pf_test.sh
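Review bot: The pf_test.conf.sh hunk ships live values for `REMOTE_ADDR`, `REMOTE_IF` and `SSH=root@192.168.0.2` even though its own header says the user must set them, so an installed, unconfigured run of pf_test.sh will ssh as root to 192.168.0.2 and replace, then flush and disable, whatever pf ruleset that host has. These three should be commented out like `LOCAL_ADDR`/`LOCAL_IF` so the tests have nothing to target until someone deliberately fills them in: `#REMOTE_ADDR=192.168.0.2`, `#REMOTE_IF=vtnet0`, `#SSH=root@192.168.0.2`. The header should also say what the tests do to the target, e.g. `# The tests replace and finally flush the remote pf ruleset and disable pf; point them only at a disposable test machine.`; note that `LOCAL_ADDR`/`LOCAL_IF` are not referenced by the pf_test.sh added in this commit.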
@@ -0,0 +1,58 @@
+# Make will add a shebang line at the top of this file.
+
+# These tests connect to a remote test machine, load a rules file,
+# possibly start some services, and run some tests. The tests cleanup
+# the test machine in the end.
+#
+# SSH root access to the test machine is required for the tests to
+# work.
+
+. "$(atf_get_srcdir)/files/pf_test.conf.sh"
+
+# Starts two instances of nc on the remote machine, listening on two
+# different ports, of which one port is blocked-with-return by the
+# remote pf. The test tries then to connect to the two instances from
+# the local machine. The test succeeds if one connection succeeds but
+# the other one fails.
+atf_test_case block_return cleanup
+block_return_head () {
+ atf_set descr 'Block-with-return a port and test that it is blocked.'
+}
+block_return_body () {
+ rules="block return in on $REMOTE_IF proto tcp to port 50000"
+ atf_check ssh "$SSH" kldload -n pf
+ echo "$rules" | atf_check -e ignore ssh "$SSH" pfctl -ef -
+ atf_check daemon -p nc.50000.pid ssh "$SSH" nc -l 50000
+ atf_check daemon -p nc.50001.pid ssh "$SSH" nc -l 50001
+ atf_check -s exit:1 -e empty nc -z "$REMOTE_ADDR" 50000
+ atf_check -s exit:0 -e ignore nc -z "$REMOTE_ADDR" 50001
+}
+block_return_cleanup () {
+ atf_check -e ignore ssh "$SSH" pfctl -dFa
+ [ -e nc.50000.pid ] && kill `cat nc.50000.pid`
+ [ -e nc.50001.pid ] && kill `cat nc.50001.pid`
+}
+
+atf_test_case block_drop cleanup
+block_drop_head () {
+ atf_set descr 'Block-with-drop a port and test that it is blocked.'
+}
+block_drop_body () {
+ rules="block drop in on $REMOTE_IF proto tcp to port 50000"
+ atf_check ssh "$SSH" kldload -n pf
+ echo "$rules" | atf_check -e ignore ssh "$SSH" pfctl -ef -
+ atf_check daemon -p nc.50000.pid ssh "$SSH" nc -l 50000
+ atf_check daemon -p nc.50001.pid ssh "$SSH" nc -l 50001
+ atf_check -s exit:1 -e empty nc -z -w 4 "$REMOTE_ADDR" 50000
+ atf_check -s exit:0 -e ignore nc -z "$REMOTE_ADDR" 50001
+}
+block_drop_cleanup () {
+ atf_check -e ignore ssh "$SSH" pfctl -dFa
+ [ -e nc.50000.pid ] && kill `cat nc.50000.pid`
+ [ -e nc.50001.pid ] && kill `cat nc.50001.pid`
+}
+
+atf_init_test_cases () {
+ atf_add_test_case block_return
+ atf_add_test_case block_drop
+}
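Review bot: Neither block_return_body nor block_drop_body checks that `SSH`, `REMOTE_IF` and `REMOTE_ADDR` were actually configured before `pfctl -ef -` replaces the target's whole ruleset and the cleanup's `pfctl -dFa` disables pf and flushes every rule, state and table on it, so whatever pf_test.conf.sh happens to contain is acted on with root over ssh without any confirmation that it is a disposable host. A `require_remote` helper that `atf_skip`s when any of the three is empty, invoked as the first line of both bodies, keeps an unconfigured run from touching anyone's firewall, and the header comment should state the destructive effect. Separately, each cleanup ends with `[ -e nc.50001.pid ] && kill ...`, which returns non-zero whenever the pid file is absent (for instance when the body failed before `daemon` ran); if the harness treats a failing cleanup as an error that would mask the real failure, so `[ ! -e nc.50001.pid ] || kill $(cat nc.50001.pid)` is the safer form. I also cannot tell from here that the remote `nc -l` is listening by the time the local `nc -z` runs, since `daemon` returns immediately, so a short retry loop on the 50001 probe would make the expected-success case less timing dependent.
```shell
# … unchanged: header comments, sourcing of pf_test.conf.sh …

# The bodies below replace the remote pf ruleset and the cleanups flush it
# entirely (pfctl -dFa), so refuse to run unless a target was configured.
require_remote () {
	if [ -z "$SSH" ] || [ -z "$REMOTE_IF" ] || [ -z "$REMOTE_ADDR" ] ; then
		atf_skip "SSH, REMOTE_IF and REMOTE_ADDR must be set in pf_test.conf.sh"
	fi
}

block_return_body () {
	require_remote
	# … unchanged: rule load, nc listeners, connection checks …
}
block_return_cleanup () {
	atf_check -e ignore ssh "$SSH" pfctl -dFa
	[ ! -e nc.50000.pid ] || kill $(cat nc.50000.pid)
	[ ! -e nc.50001.pid ] || kill $(cat nc.50001.pid)
}

# … unchanged: block_drop, with the same require_remote call and cleanup form …
```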