You'll have to check your editor settings. It's expanded tabs into spaces.

Same here. This is all indented with spaces, but should be using tabs.
This seems to apply to all files (Good, at least it's consistent.)

Check for stray trailing spaces here. (In vim ':set list').

It looks a little odd to have ${firewall}_init and then firewall_cleanup.

I wonder if it'd be better to firewall_init $firewall and do the ${firewall}_init thing in a wrapper function in utils.subr. That would also let you do vnet_init in firewall_init, rather than three times in the different firewall init functions.

While I think about it, it'd probably also be good to pass the firewall type to the cleanup function (i.e. firewall_cleanup ${firewall}. We don't need it know, but might need it in the future, and then the required argument will be there.

There's no need for the '\' on the last line.

I think the style wants there to be a space between ';' and 'do'.

The 'then' can go on the same line, expect it becomes an overly long line then.
This check also repeats in firewall_config. It's probably a good idea to factor it out into its own function.

It's probably a good idea to check that $testcase is set here, and it might also be good to check for duplicates (i.e. someone does setup_tests foo pf ipfw pf bar pf)

This belongs with pf_init.

It's also not immediately clear to my what this is for.

That belongs with ipf_init.

It's probably better to elif [ ${fw} == "ipfnat" ] here, and then have a default case that throws an error.

Possibly 'case' / 'esac' instead of if/elif/elf/...?

I'd atf_fail here too.

'All rights reserved' no longer has any legal meaning.

https://www.iusmentis.com/copyright/allrightsreserved/
https://abovethelaw.com/2018/10/all-rights-reserved-a-copyright-relic/

We have been going through the tree removing it in places, I'd prefer we not introduce more instances. This applies to all copyright declarations in this review.

For future the preferred license for new files in in the committers handbook:
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/pref-license.html

Why are you disabling duplicate address detection?

2001::db8 (documentation) addresses are the wrong address space to use for tests. You should use unique local addresses (https://en.wikipedia.org/wiki/Unique_local_address) for the test addresses. I think this is also a problem in the v4 pftests too, I owe @kristof a diff

@bz Does using ULA addresses for tests seem correct to you?

I think the error message here should be something like

"no testcase passed to setup_test"

The pf tests do that too. I seem to remember because that means the address is applied immediately, rather than waiting for DAD to be done. This speeds up the tests, means we don't need silly little 'sleep X' calls after address assignment, and makes things more robust.

Ahsan will have used 2001:db8 because I did that in pf. Your diff will be welcomed.

service ipfilter start relies on ipfilter_enabled="YES" in /etc/rc.conf. We shouldn't assume that.
Start ipf using 'ipf -E'.