
D11322.diff

D11322.diff

Index: head/etc/mtree/BSD.tests.dist
===================================================================
--- head/etc/mtree/BSD.tests.dist
+++ head/etc/mtree/BSD.tests.dist
@@ -378,6 +378,10 @@
..
mdconfig
..
+ pfctl
+ files
+ ..
+ ..
..
secure
lib
Index: head/sbin/pfctl/Makefile
===================================================================
--- head/sbin/pfctl/Makefile
+++ head/sbin/pfctl/Makefile
@@ -31,4 +31,8 @@
LIBADD= m md
+.if ${MK_TESTS} != "no"
+SUBDIR+= tests
+.endif
+
.include <bsd.prog.mk>
Index: head/sbin/pfctl/tests/Makefile
===================================================================
--- head/sbin/pfctl/tests/Makefile
+++ head/sbin/pfctl/tests/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+ATF_TESTS_SH= pfctl_test
+
+SUBDIR+= files
+
+.include <bsd.test.mk>
Index: head/sbin/pfctl/tests/files/Makefile
===================================================================
--- head/sbin/pfctl/tests/files/Makefile
+++ head/sbin/pfctl/tests/files/Makefile
@@ -0,0 +1,12 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sbin/pfctl/files
+BINDIR= ${TESTSDIR}
+
+# We use ${.CURDIR} as workaround so that the glob patterns work.
+FILES= ${.CURDIR}/pf????.in
+FILES+= ${.CURDIR}/pf????.include
+FILES+= ${.CURDIR}/pf????.ok
+FILES+= ${.CURDIR}/pfctl_test_descr.sh
+
+.include <bsd.progs.mk>
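Review bot: The comment above the `FILES` globs does not say what breaks without `${.CURDIR}`, and the `pf????` pattern quietly limits which fixtures are installed. A case file whose name does not have exactly four characters after `pf` would be left out of `${TESTSDIR}` with no build error. No `pf????.include` file appears in the part of the diff visible here, so if none exists that pattern is presumably passed to the install step unexpanded; worth confirming. I would expand the comment along the lines of `# Globs are given relative to ${.CURDIR} so they resolve when make runs outside the source directory; fixtures must be named pfNNNN.{in,include,ok} to be installed.`, adjusted to the actual reason.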
Index: head/sbin/pfctl/tests/files/pf0001.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0001.in
+++ head/sbin/pfctl/tests/files/pf0001.in
@@ -0,0 +1,8 @@
+pass in all
+pass in from any to any no state
+pass in proto tcp from any port <= 1024 to any label foo_bar
+pass in proto tcp from any to any port = 25
+pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
+pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
Index: head/sbin/pfctl/tests/files/pf0001.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0001.ok
+++ head/sbin/pfctl/tests/files/pf0001.ok
@@ -0,0 +1,8 @@
+pass in all flags S/SA keep state
+pass in all no state
+pass in proto tcp from any port <= 1024 to any flags S/SA keep state label "foo_bar"
+pass in proto tcp from any to any port = smtp flags S/SA keep state
+pass in inet proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != ssh flags S/SA keep state
+pass in inet proto igmp from 10.0.0.0/8 to 10.1.1.1 keep state allow-opts
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "6:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "7:tcp:1.2.3.5::any:"
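Review bot: The expected output prints ports 25 and 22 as `smtp` and `ssh`, so this fixture only matches when pfctl can resolve those names through the services database of the machine running the test. The same dependency is in pf0002.ok, pf0004.ok (`ircd` for tcp/6667 while udp/6667 stays numeric), pf0005.ok (`auth`) and pf0007.ok. The driver script is not visible in this part of the diff. If it does not already do so, it should declare the requirement, e.g. `atf_set "require.files" "/etc/services"`, so that a stripped-down jail reports a skip rather than what looks like a parser regression.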
Index: head/sbin/pfctl/tests/files/pf0002.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0002.in
+++ head/sbin/pfctl/tests/files/pf0002.in
@@ -0,0 +1,34 @@
+# test
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in quick log on tun1000000 from 192.168.0.0/16 to any
+block in quick log on tun1000000 from 255.255.255.255/32 to any
+
+block in log quick from no-route to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all keep state
+
+pass in on tun1000000 proto tcp from any to any port = ssh keep state
+pass in on tun1000000 proto tcp from any to any port = smtp keep state
+pass in on tun1000000 proto tcp from any to any port = domain keep state
+pass in on tun1000000 proto tcp from any to any port = auth keep state
Index: head/sbin/pfctl/tests/files/pf0002.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0002.ok
+++ head/sbin/pfctl/tests/files/pf0002.ok
@@ -0,0 +1,22 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+block drop in log quick from no-route to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA keep state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0003.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0003.in
+++ head/sbin/pfctl/tests/files/pf0003.in
@@ -0,0 +1,13 @@
+pass in all
+pass in from any to any
+
+block in proto tcp from any to any flags FUPEW/FSRPAUEW
+block in proto tcp from any to any flags SF/SFRA
+block in proto tcp from any to any flags /SFRAW
+
+pass in proto { udp, icmp, tcp } from any to any flags S/SA
+pass in from any to any flags S/SA no state
+pass in from any to any flags any no state
+pass in from any to any flags any
+pass in from any to any keep state
+pass in from any to any
Index: head/sbin/pfctl/tests/files/pf0003.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0003.ok
+++ head/sbin/pfctl/tests/files/pf0003.ok
@@ -0,0 +1,13 @@
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
+block drop in proto tcp all flags FPUEW/FSRPAUEW
+block drop in proto tcp all flags FS/FSRA
+block drop in proto tcp all flags /FSRAW
+pass in proto udp all keep state
+pass in proto icmp all keep state
+pass in proto tcp all flags S/SA keep state
+pass in all flags S/SA no state
+pass in all no state
+pass in all flags any keep state
+pass in all flags S/SA keep state
+pass in all flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0004.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0004.in
+++ head/sbin/pfctl/tests/files/pf0004.in
@@ -0,0 +1,16 @@
+block in all
+block in proto tcp all
+block in proto { tcp, udp } all
+
+block in from any to any
+block in from 10.0.0.0/8 to any
+block in from ! 10.0.0.0/8 to any
+block in from { 10.0.0.0/8, 172.16.0.0/12 } to any
+
+block in proto tcp from any port = ssh to any
+block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } \
+ to any port 1024:2048
+
+block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \
+ to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668, 6669:65535 }
+
Index: head/sbin/pfctl/tests/files/pf0004.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0004.ok
+++ head/sbin/pfctl/tests/files/pf0004.ok
@@ -0,0 +1,62 @@
+block drop in all
+block drop in proto tcp all
+block drop in proto tcp all
+block drop in proto udp all
+block drop in all
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from ! 10.0.0.0/8 to any
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from 172.16.0.0/12 to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port = ssh to any port 1024:2048
+block drop in proto tcp from any port 21 >< 2048 to any port 1024:2048
+block drop in proto tcp from any port != 1234 to any port 1024:2048
+block drop in proto tcp from any port >= 80 to any port 1024:2048
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = ircd
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port 6669:65535
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ftp to 12.34.56.78 port 6669:65535
Index: head/sbin/pfctl/tests/files/pf0005.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0005.in
+++ head/sbin/pfctl/tests/files/pf0005.in
@@ -0,0 +1,6 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside="10.0.0.0/8"
+
+block in proto udp from $inside port { echo, $foo, ident } \
+ to 12.34.56.78 port { 6667, 0x10 }
Index: head/sbin/pfctl/tests/files/pf0005.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0005.ok
+++ head/sbin/pfctl/tests/files/pf0005.ok
@@ -0,0 +1,11 @@
+foo = "ssh, ftp"
+bar = "other thing"
+inside = "10.0.0.0/8"
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = auth to 12.34.56.78 port = 16
Index: head/sbin/pfctl/tests/files/pf0006.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0006.in
+++ head/sbin/pfctl/tests/files/pf0006.in
@@ -0,0 +1,3 @@
+a=b
+c=x
+a_b_c=d
Index: head/sbin/pfctl/tests/files/pf0006.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0006.ok
+++ head/sbin/pfctl/tests/files/pf0006.ok
@@ -0,0 +1,3 @@
+a = "b"
+c = "x"
+a_b_c = "d"
Index: head/sbin/pfctl/tests/files/pf0007.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0007.in
+++ head/sbin/pfctl/tests/files/pf0007.in
@@ -0,0 +1,34 @@
+# test modulate state
+
+block out log on tun1000000 all
+block in log on tun1000000 all
+
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp out log on tun1000000 proto udp all
+block return-icmp in log on tun1000000 proto udp all
+
+block out log quick on tun1000000 from ! 157.161.48.183 to any
+
+block in quick on tun1000000 from any to 255.255.255.255
+
+block in log quick on tun1000000 from 10.0.0.0/8 to any
+block in log quick on tun1000000 from 172.16.0.0/12 to any
+block in log quick on tun1000000 from 192.168.0.0/16 to any
+block in log quick on tun1000000 from 255.255.255.255/32 to any
+
+pass out on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type 8 code 0 keep state
+
+pass out on tun1000000 proto udp all keep state
+
+pass in on tun1000000 proto udp from any to any port = domain keep state
+
+pass out on tun1000000 proto tcp all modulate state
+pass in on tun1000000 proto { tcp udp icmp } all modulate state
+pass in on tun1000000 proto { udp tcp icmp } all flags S/SA synproxy state
+
+pass in on tun1000000 proto tcp from any to any port = ssh modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp modulate state
+pass in on tun1000000 proto tcp from any to any port = domain modulate state
+pass in on tun1000000 proto tcp from any to any port = auth modulate state
Index: head/sbin/pfctl/tests/files/pf0007.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0007.ok
+++ head/sbin/pfctl/tests/files/pf0007.ok
@@ -0,0 +1,27 @@
+block drop out log on tun1000000 all
+block drop in log on tun1000000 all
+block return-rst out log on tun1000000 proto tcp all
+block return-rst in log on tun1000000 proto tcp all
+block return-icmp(port-unr, port-unr) out log on tun1000000 proto udp all
+block return-icmp(port-unr, port-unr) in log on tun1000000 proto udp all
+block drop out log quick on tun1000000 inet from ! 157.161.48.183 to any
+block drop in quick on tun1000000 inet from any to 255.255.255.255
+block drop in log quick on tun1000000 inet from 10.0.0.0/8 to any
+block drop in log quick on tun1000000 inet from 172.16.0.0/12 to any
+block drop in log quick on tun1000000 inet from 192.168.0.0/16 to any
+block drop in log quick on tun1000000 inet from 255.255.255.255 to any
+pass out on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass in on tun1000000 inet proto icmp all icmp-type echoreq code 0 keep state
+pass out on tun1000000 proto udp all keep state
+pass in on tun1000000 proto udp from any to any port = domain keep state
+pass out on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto tcp all flags S/SA modulate state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto udp all keep state
+pass in on tun1000000 proto tcp all flags S/SA synproxy state
+pass in on tun1000000 proto icmp all keep state
+pass in on tun1000000 proto tcp from any to any port = ssh flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = smtp flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = domain flags S/SA modulate state
+pass in on tun1000000 proto tcp from any to any port = auth flags S/SA modulate state
Index: head/sbin/pfctl/tests/files/pf0008.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0008.in
+++ head/sbin/pfctl/tests/files/pf0008.in
@@ -0,0 +1,2 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block out log on tun1000001 from $extern to any
Index: head/sbin/pfctl/tests/files/pf0008.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0008.ok
+++ head/sbin/pfctl/tests/files/pf0008.ok
@@ -0,0 +1,3 @@
+extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
+block drop out log on tun1000001 inet from ! 10.0.0.0/8 to any
+block drop out log on tun1000001 inet from 10.1.2.3 to any
Index: head/sbin/pfctl/tests/files/pf0009.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0009.in
+++ head/sbin/pfctl/tests/files/pf0009.in
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+
+block in on $interfaces all
Index: head/sbin/pfctl/tests/files/pf0009.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0009.ok
+++ head/sbin/pfctl/tests/files/pf0009.ok
@@ -0,0 +1,3 @@
+interfaces = "{ enc0, tun1000000 }"
+block drop in on enc0 all
+block drop in on tun1000000 all
Index: head/sbin/pfctl/tests/files/pf0010.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0010.in
+++ head/sbin/pfctl/tests/files/pf0010.in
@@ -0,0 +1,31 @@
+# return variants
+pass in inet proto icmp all
+pass in inet6 proto icmp6 all
+block in inet proto icmp all
+block in inet6 proto icmp6 all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp in inet proto icmp all
+block return-icmp(0) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(5) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(10) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(15) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6 in inet6 proto icmp6 all
+block return-icmp6(0) in inet6 proto icmp6 all
+block return-icmp6(noroute-unr) in inet6 proto icmp6 all
+block return-icmp6(1) in inet6 proto icmp6 all
+block return-icmp6(admin-unr) in inet6 proto icmp6 all
+block return-icmp6(2) in inet6 proto icmp6 all
+block return-icmp6(notnbr-unr) in inet6 proto icmp6 all
+block return-icmp6(3) in inet6 proto icmp6 all
+block return-icmp6(addr-unr) in inet6 proto icmp6 all
+block return-icmp6(4) in inet6 proto icmp6 all
+block return-icmp6(port-unr) in inet6 proto icmp6 all
+block return-icmp(5, 1) in all
+block return-icmp(srcfail, admin-unr) in all
Index: head/sbin/pfctl/tests/files/pf0010.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0010.ok
+++ head/sbin/pfctl/tests/files/pf0010.ok
@@ -0,0 +1,30 @@
+pass in inet proto icmp all keep state
+pass in inet6 proto ipv6-icmp all keep state
+block drop in inet proto icmp all
+block drop in inet6 proto ipv6-icmp all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
+block return-rst(ttl 10) in inet proto tcp all
+block return-rst(ttl 10) in inet6 proto tcp all
+block return-icmp(port-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(net-unr) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(srcfail) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(host-prohib) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp(cutoff-preced) in inet proto icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(noroute-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(admin-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(notnbr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+block return-icmp(srcfail, admin-unr) in all
+block return-icmp(srcfail, admin-unr) in all
Index: head/sbin/pfctl/tests/files/pf0011.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0011.in
+++ head/sbin/pfctl/tests/files/pf0011.in
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type 0
+pass in inet proto icmp all icmp-type 0 code 0
+pass in inet proto icmp all icmp-type 1
+pass in inet proto icmp all icmp-type 1 code 1
+pass in inet6 proto ipv6-icmp all icmp6-type 0
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+pass in inet6 proto ipv6-icmp all icmp6-type 1
+pass in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+block in inet proto icmp all icmp-type 0
+block in inet proto icmp all icmp-type 0 code 0
+block in inet proto icmp all icmp-type 1
+block in inet proto icmp all icmp-type 1 code 1
+block in inet6 proto ipv6-icmp all icmp6-type 0
+block in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block in inet6 proto ipv6-icmp all icmp6-type 1
+block in inet6 proto ipv6-icmp all icmp6-type 1 code 1
+pass in inet proto icmp all icmp-type unreach code needfrag
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb
Index: head/sbin/pfctl/tests/files/pf0011.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0011.ok
+++ head/sbin/pfctl/tests/files/pf0011.ok
@@ -0,0 +1,18 @@
+pass in inet proto icmp all icmp-type echorep keep state
+pass in inet proto icmp all icmp-type echorep code 0 keep state
+pass in inet proto icmp all icmp-type 1 keep state
+pass in inet proto icmp all icmp-type 1 code 1 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type 0 code 0 keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach keep state
+pass in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr keep state
+block drop in inet proto icmp all icmp-type echorep
+block drop in inet proto icmp all icmp-type echorep code 0
+block drop in inet proto icmp all icmp-type 1
+block drop in inet proto icmp all icmp-type 1 code 1
+block drop in inet6 proto ipv6-icmp all icmp6-type 0
+block drop in inet6 proto ipv6-icmp all icmp6-type 0 code 0
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach
+block drop in inet6 proto ipv6-icmp all icmp6-type unreach code admin-unr
+pass in inet proto icmp all icmp-type unreach code needfrag keep state
+pass in inet6 proto ipv6-icmp all icmp6-type timex code reassemb keep state
Index: head/sbin/pfctl/tests/files/pf0012.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0012.in
+++ head/sbin/pfctl/tests/files/pf0012.in
@@ -0,0 +1,5 @@
+pass in from 127.0.0.1 to 127.0.0.1/8 no state
+pass in from 127.0.0.1/16 to 127.0.0.1/24 no state
+pass in from 127.0.0.1/25 to ! 127.0.0.1/26
+pass in inet from ! localhost to localhost/16
+pass in inet from ! lo0 to ! lo0/8
Index: head/sbin/pfctl/tests/files/pf0012.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0012.ok
+++ head/sbin/pfctl/tests/files/pf0012.ok
@@ -0,0 +1,5 @@
+pass in inet from 127.0.0.1 to 127.0.0.0/8 no state
+pass in inet from 127.0.0.0/16 to 127.0.0.0/24 no state
+pass in inet from 127.0.0.0/25 to ! 127.0.0.0/26 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to 127.0.0.0/16 flags S/SA keep state
+pass in inet from ! 127.0.0.1 to ! 127.0.0.0/8 flags S/SA keep state
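Review bot: Lines 4 and 5 of the expected output hard-code `127.0.0.1` for both `localhost` and `lo0`, which holds only when the test host resolves `localhost` to that address and has exactly that IPv4 address on `lo0`. On a host or jail where `lo0` has no IPv4 address, or more than one, the rules would presumably expand differently and the comparison would fail for a reason unrelated to the parser. pf0014.in depends on `lo0` existing in the same way, through the `%lo0` scope. A comment at the top of pf0012.in such as `# expects localhost and lo0 to map to 127.0.0.1 only` would make the assumption visible.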
Index: head/sbin/pfctl/tests/files/pf0013.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0013.in
+++ head/sbin/pfctl/tests/files/pf0013.in
@@ -0,0 +1,22 @@
+pass in quick on enc0 from any to any
+pass in quick on enc0 inet from any to any
+pass in quick on enc0 inet6 from any to any
+
+#pass out quick on tun1000000 inet from any to any route-to tun1000001
+#pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001
+#pass out quick on tun1000000 from any to fec0::1 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001
+
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1)
+#pass in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1)
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 reply-to tun1000001
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001
+
+#pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100)
+#pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2)
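Review bot: Every `route-to`, `dup-to` and `reply-to` rule in this fixture is commented out with no explanation, so the test checks only the three `enc0` rules at the top and gives no coverage of the routing options. The same pattern recurs in pf0016.in, pf0018.in, pf0019.in and pf0020.in, where every `match … nat-to`/`rdr-to`/`binat-to` rule is disabled. pf0016.in still says `should fail unless nat -> filter` although its expected file is a successful parse of one `pass` rule, and pf0018.in is headed `# test nat` but exercises only macro definitions. If the rules are disabled because this pfctl does not accept that syntax, say so in each file, e.g. `# XXX disabled: syntax not accepted by this pfctl; only the rules left active are checked`. Otherwise drop the dead lines so the fixtures do not suggest coverage that is not there.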
Index: head/sbin/pfctl/tests/files/pf0013.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0013.ok
+++ head/sbin/pfctl/tests/files/pf0013.ok
@@ -0,0 +1,3 @@
+pass in quick on enc0 all flags S/SA keep state
+pass in quick on enc0 inet all flags S/SA keep state
+pass in quick on enc0 inet6 all flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0014.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0014.in
+++ head/sbin/pfctl/tests/files/pf0014.in
@@ -0,0 +1,6 @@
+pass in quick on lo0 from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to fe80::1%lo0
+pass in quick from fe80::1%lo0 to any
+pass in quick from any to fe80::1%lo0
+pass in quick on lo0 from fe80::1%lo0 to any
+pass in quick on lo0 from any to fe80::1%lo0
Index: head/sbin/pfctl/tests/files/pf0014.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0014.ok
+++ head/sbin/pfctl/tests/files/pf0014.ok
@@ -0,0 +1,6 @@
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
+pass in quick on lo0 inet6 from fe80::1 to any flags S/SA keep state
+pass in quick on lo0 inet6 from any to fe80::1 flags S/SA keep state
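Review bot: Expected lines 2 to 4 carry `on lo0` although the matching rules in pf0014.in have no `on` clause, so this fixture pins pfctl binding a rule to an interface purely from the `%lo0` scope of a link-local address. That behaviour changes where a rule applies, and nothing in the fixture says it is intentional. I would add a comment at the top of pf0014.in, e.g. `# rules without "on" are expected to gain "on lo0" from the %lo0 scope id`, so that a later change to scope handling is reviewed as a behaviour change rather than just a regenerated .ok file.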
Index: head/sbin/pfctl/tests/files/pf0016.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0016.in
+++ head/sbin/pfctl/tests/files/pf0016.in
@@ -0,0 +1,5 @@
+# Test rule order processing: should fail unless nat -> filter
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+#match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1
+pass in on lo1000000 from any to any no state
Index: head/sbin/pfctl/tests/files/pf0016.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0016.ok
+++ head/sbin/pfctl/tests/files/pf0016.ok
@@ -0,0 +1 @@
+pass in on lo1000000 all no state
Index: head/sbin/pfctl/tests/files/pf0018.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0018.in
+++ head/sbin/pfctl/tests/files/pf0018.in
@@ -0,0 +1,19 @@
+# test nat
+
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
+
+#match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+#match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+#match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+#match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
+
+#match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0
+
+#match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0)
+
+#match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
+
+#match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port
+
+#match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8
Index: head/sbin/pfctl/tests/files/pf0018.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0018.ok
+++ head/sbin/pfctl/tests/files/pf0018.ok
@@ -0,0 +1,2 @@
+TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
+TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
Index: head/sbin/pfctl/tests/files/pf0019.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0019.in
+++ head/sbin/pfctl/tests/files/pf0019.in
@@ -0,0 +1,9 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
+
+# Test list processing
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
Index: head/sbin/pfctl/tests/files/pf0019.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0019.ok
+++ head/sbin/pfctl/tests/files/pf0019.ok
@@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
Index: head/sbin/pfctl/tests/files/pf0020.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0020.in
+++ head/sbin/pfctl/tests/files/pf0020.in
@@ -0,0 +1,9 @@
+# Test whether list expansion in NAT/RDR works correctly
+
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
+
+#match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL
+#match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
Index: head/sbin/pfctl/tests/files/pf0020.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0020.ok
+++ head/sbin/pfctl/tests/files/pf0020.ok
@@ -0,0 +1,4 @@
+EVIL = "lo0"
+GOOD = "{ lo0, lo1000000 }"
+GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
+DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
Index: head/sbin/pfctl/tests/files/pf0022.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0022.in
+++ head/sbin/pfctl/tests/files/pf0022.in
@@ -0,0 +1,8 @@
+set optimization aggressive
+set timeout { tcp.closing 6, tcp.opening 6 }
+set timeout tcp.first 6
+set limit states 500
+set limit {states 1000,frags 1000}
+set loginterface lo0
+set loginterface none
+set hostid 1
Index: head/sbin/pfctl/tests/files/pf0022.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0022.ok
+++ head/sbin/pfctl/tests/files/pf0022.ok
@@ -0,0 +1,10 @@
+set optimization aggressive
+set timeout tcp.closing 6
+set timeout tcp.opening 6
+set timeout tcp.first 6
+set limit states 500
+set limit states 1000
+set limit frags 1000
+set loginterface lo0
+set loginterface none
+set hostid 0x00000001
Index: head/sbin/pfctl/tests/files/pf0023.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0023.in
+++ head/sbin/pfctl/tests/files/pf0023.in
@@ -0,0 +1,2 @@
+#test negated interface matching
+block in on ! lo0 all
Index: head/sbin/pfctl/tests/files/pf0023.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0023.ok
+++ head/sbin/pfctl/tests/files/pf0023.ok
@@ -0,0 +1 @@
+block drop in on ! lo0 all
Index: head/sbin/pfctl/tests/files/pf0024.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0024.in
+++ head/sbin/pfctl/tests/files/pf0024.in
@@ -0,0 +1,8 @@
+#test variable concat
+a="ssh"
+b="ftp"
+c=$a $b
+d=$a $b $a $b
+e=$a $b $b "test" $a $b
+
+pass in proto tcp from any to any port { $c }
Index: head/sbin/pfctl/tests/files/pf0024.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0024.ok
+++ head/sbin/pfctl/tests/files/pf0024.ok
@@ -0,0 +1,7 @@
+a = "ssh"
+b = "ftp"
+c = "ssh ftp"
+d = "ssh ftp ssh ftp"
+e = "ssh ftp ftp test ssh ftp"
+pass in proto tcp from any to any port = ssh flags S/SA keep state
+pass in proto tcp from any to any port = ftp flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0025.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0025.in
+++ head/sbin/pfctl/tests/files/pf0025.in
@@ -0,0 +1,4 @@
+antispoof for lo0
+antispoof log quick for lo0 inet
+antispoof for (lo0)
+antispoof log quick for (lo0) inet
Index: head/sbin/pfctl/tests/files/pf0025.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0025.ok
+++ head/sbin/pfctl/tests/files/pf0025.ok
@@ -0,0 +1,5 @@
+block drop in on ! lo0 inet6 from ::1 to any
+block drop in on ! lo0 inet from 127.0.0.0/8 to any
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 from (lo0:network) to any
+block drop in log quick on ! lo0 inet from (lo0:network) to any
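Review bot: The first three expected rules are what `antispoof for lo0` expands to when lo0 carries 127.0.0.1/8 and ::1, so this file encodes the address configuration of the machine running the test rather than only parser behaviour. A lo0 without IPv6 would produce different output and fail the comparison; the test driver (not in this part of the diff) should check for those addresses and skip otherwise, and pf0025.in should state the assumption, e.g. `# expects lo0 with 127.0.0.1/8 and ::1`. pf0047.ok, pf0048.ok and pf0049.ok depend on lo0 in the same way. In pf0047.ok the `$nr` labels `57`, `5858` and `%59%59%` would also shift if the `lo0/8`, `lo0/64` or `lo0/127` rules expanded to a different number of rules.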
Index: head/sbin/pfctl/tests/files/pf0026.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0026.in
+++ head/sbin/pfctl/tests/files/pf0026.in
@@ -0,0 +1,2 @@
+block in on lo0 inet from ! (lo0) to any
+block out on lo0 inet from any to ! (lo0)
Index: head/sbin/pfctl/tests/files/pf0026.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0026.ok
+++ head/sbin/pfctl/tests/files/pf0026.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet from ! (lo0) to any
+block drop out on lo0 inet from any to ! (lo0)
Index: head/sbin/pfctl/tests/files/pf0028.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0028.in
+++ head/sbin/pfctl/tests/files/pf0028.in
@@ -0,0 +1,7 @@
+# test logging keywords, and log quick/quick log order
+block in log (all) quick on lo0 all
+block in quick log on lo0 all
+block in quick log (all) on lo0 all
+block in log quick on lo0 all
+block in log on lo0 all
+block in log (all) on lo0 all
Index: head/sbin/pfctl/tests/files/pf0028.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0028.ok
+++ head/sbin/pfctl/tests/files/pf0028.ok
@@ -0,0 +1,6 @@
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log (all) quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log on lo0 all
+block drop in log (all) on lo0 all
Index: head/sbin/pfctl/tests/files/pf0030.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0030.in
+++ head/sbin/pfctl/tests/files/pf0030.in
@@ -0,0 +1,7 @@
+#test line continuation
+
+block \
+ in \
+ on lo0 \
+ from any \
+ to any
Index: head/sbin/pfctl/tests/files/pf0030.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0030.ok
+++ head/sbin/pfctl/tests/files/pf0030.ok
@@ -0,0 +1 @@
+block drop in on lo0 all
Index: head/sbin/pfctl/tests/files/pf0031.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0031.in
+++ head/sbin/pfctl/tests/files/pf0031.in
@@ -0,0 +1,21 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+#set block-policy return
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block in on lo0 all
+block in on lo0 inet all
+block in on lo0 inet6 all
+
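Review bot: `#set block-policy return` is commented out, so the nine rules after it repeat the first nine under the same `drop` policy, and pf0031.ok accordingly shows `block drop` for the bare `block in` rules in both halves. How a bare `block` is rendered under the `return` policy is therefore never tested. If the line was disabled because pfctl rejects an option after filter rules (an assumption; the reason is not stated here), move the second half into its own fixture whose first line is `set block-policy return`, with a matching .ok. Otherwise delete the duplicated rules so the fixture does not suggest coverage it lacks.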
Index: head/sbin/pfctl/tests/files/pf0031.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0031.ok
+++ head/sbin/pfctl/tests/files/pf0031.ok
@@ -0,0 +1,19 @@
+set block-policy drop
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block return in on lo0 all
+block return in on lo0 inet all
+block return in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
Index: head/sbin/pfctl/tests/files/pf0032.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0032.in
+++ head/sbin/pfctl/tests/files/pf0032.in
@@ -0,0 +1,7 @@
+pass in from 10/8 to any
+pass in from 10.1/8 to any
+pass in from 192.168.37.29/25 to any
+pass in from 192.168.37.29/24 to any
+pass in from 192.168.37.29/16 to any
+pass in from 192.168.37.29/8 to any
+
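Review bot: This fixture has no comment saying what it checks, and the behaviour it pins is easy to miss. pf0032.ok shows addresses with host bits set being masked to the prefix, so `192.168.37.29/8` is loaded as `192.0.0.0/8`. A first line such as `# host bits beyond the prefix length are masked, not rejected` would make that explicit, since a mistyped prefix length widens a rule and nothing in the expected output flags it.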
Index: head/sbin/pfctl/tests/files/pf0032.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0032.ok
+++ head/sbin/pfctl/tests/files/pf0032.ok
@@ -0,0 +1,6 @@
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 10.0.0.0/8 to any flags S/SA keep state
+pass in inet from 192.168.37.0/25 to any flags S/SA keep state
+pass in inet from 192.168.37.0/24 to any flags S/SA keep state
+pass in inet from 192.168.0.0/16 to any flags S/SA keep state
+pass in inet from 192.0.0.0/8 to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0034.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0034.in
+++ head/sbin/pfctl/tests/files/pf0034.in
@@ -0,0 +1,5 @@
+#mixed af, probability
+pass in from any to { 127.0.0.1, 2000::1 }
+pass in probability 0.5
+pass in probability 50%
+pass in inet6 proto tcp from ::1 probability 0.8%
Index: head/sbin/pfctl/tests/files/pf0034.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0034.ok
+++ head/sbin/pfctl/tests/files/pf0034.ok
@@ -0,0 +1,5 @@
+pass in inet from any to 127.0.0.1 flags S/SA keep state
+pass in inet6 from any to 2000::1 flags S/SA keep state
+pass in all flags S/SA keep state probability 50%
+pass in all flags S/SA keep state probability 50%
+pass in inet6 proto tcp from ::1 to any flags S/SA keep state probability 0.8%
Index: head/sbin/pfctl/tests/files/pf0035.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0035.in
+++ head/sbin/pfctl/tests/files/pf0035.in
@@ -0,0 +1,5 @@
+#test matching on tos
+
+intf = "lo0"
+pass out on $intf inet proto tcp from any to any port 22 tos 0x10
+pass out on $intf inet proto tcp from any to any port 22 tos 0x08
Index: head/sbin/pfctl/tests/files/pf0035.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0035.ok
+++ head/sbin/pfctl/tests/files/pf0035.ok
@@ -0,0 +1,3 @@
+intf = "lo0"
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x10 keep state
+pass out on lo0 inet proto tcp from any to any port = ssh flags S/SA tos 0x08 keep state
Index: head/sbin/pfctl/tests/files/pf0038.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0038.in
+++ head/sbin/pfctl/tests/files/pf0038.in
@@ -0,0 +1,5 @@
+# test
+
+pass in on tun1000000 proto tcp from any to any user bin
+pass in on tun1000000 proto tcp from any to any group bin
+pass in on tun1000000 proto tcp from any to any group wheel user root user bin
Index: head/sbin/pfctl/tests/files/pf0038.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0038.ok
+++ head/sbin/pfctl/tests/files/pf0038.ok
@@ -0,0 +1,4 @@
+pass in on tun1000000 proto tcp all user = 3 flags S/SA keep state
+pass in on tun1000000 proto tcp all group = 7 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 3 group = 0 flags S/SA keep state
+pass in on tun1000000 proto tcp all user = 0 group = 0 flags S/SA keep state
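Review bot: The expected output pins numeric IDs (`user = 3`, `group = 7`, `group = 0`) that pfctl resolves from the `bin`, `wheel` and `root` entries of the account database on the machine running the test, so the comparison fails wherever those names map to other numbers. Writing the IDs numerically in pf0038.in, e.g. `pass in on tun1000000 proto tcp from any to any user 3`, keeps the fixture independent of the host, and a separate fixture can cover name lookup. pf0039.ok (`group = 65534` for `nobody`) has the same dependency on local databases. So does pf0041.ok, with `group = 22` for `sshd` and the service names `tcpmux` and `compressnet` for ports 1 and 2.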
Index: head/sbin/pfctl/tests/files/pf0039.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0039.in
+++ head/sbin/pfctl/tests/files/pf0039.in
@@ -0,0 +1,25 @@
+#test random ordered opts
+
+body1="pass in log quick on lo0 inet proto icmp all "
+body2="pass in log quick on lo0 inet proto tcp all "
+o_user="user root "
+o_user2="user bin "
+o_group="group wheel "
+o_group2="group nobody "
+o_flags="flags S/SA "
+o_icmpspec="icmp-type 0 code 0 "
+o_tos="tos 0x08 "
+o_keep="keep state "
+o_fragment="fragment "
+o_allowopts="allow-opts "
+o_label="label blah"
+o_prio="set prio 2"
+
+$body2 $o_fragment $o_keep $o_label $o_tos
+$body2 $o_user $o_prio $o_tos $o_keep $o_group $o_label $o_allowopts \
+$o_user2 $o_group2
+$body1 $o_icmpspec $o_keep $o_label $o_prio
+$body2 $o_keep
+$body2 $o_label $o_keep $o_prio $o_tos
+$body1 $o_icmpspec $o_tos
+$body2 $o_flags $o_allowopts
Index: head/sbin/pfctl/tests/files/pf0039.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0039.ok
+++ head/sbin/pfctl/tests/files/pf0039.ok
@@ -0,0 +1,24 @@
+body1 = "pass in log quick on lo0 inet proto icmp all "
+body2 = "pass in log quick on lo0 inet proto tcp all "
+o_user = "user root "
+o_user2 = "user bin "
+o_group = "group wheel "
+o_group2 = "group nobody "
+o_flags = "flags S/SA "
+o_icmpspec = "icmp-type 0 code 0 "
+o_tos = "tos 0x08 "
+o_keep = "keep state "
+o_fragment = "fragment "
+o_allowopts = "allow-opts "
+o_label = "label blah"
+o_prio = "set prio 2"
+pass in log quick on lo0 inet proto tcp all tos 0x08 keep state fragment label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 3 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 65534 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto tcp all user = 0 group = 0 flags S/SA tos 0x08 set ( prio 2 ) keep state allow-opts label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA tos 0x08 set ( prio 2 ) keep state label "blah"
+pass in log quick on lo0 inet proto icmp all icmp-type echorep code 0 tos 0x08 keep state
+pass in log quick on lo0 inet proto tcp all flags S/SA keep state allow-opts
Index: head/sbin/pfctl/tests/files/pf0040.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0040.in
+++ head/sbin/pfctl/tests/files/pf0040.in
@@ -0,0 +1,20 @@
+block
+block return
+block return-rst proto tcp
+pass
+pass in no state
+pass out no state
+pass all no state
+block in all
+block out all
+block from any to any
+pass in from any to any
+pass out from any to any
+block on lo0
+pass on lo0 all
+block on lo0 from any to any
+pass proto tcp flags S/SA
+pass proto udp keep state
+pass in proto udp all keep state
+pass out proto udp from any to any keep state
+pass out on lo0 proto tcp from any to any port 25 keep state
Index: head/sbin/pfctl/tests/files/pf0040.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0040.ok
+++ head/sbin/pfctl/tests/files/pf0040.ok
@@ -0,0 +1,20 @@
+block drop all
+block return all
+block return-rst proto tcp all
+pass all flags S/SA keep state
+pass in all no state
+pass out all no state
+pass all no state
+block drop in all
+block drop out all
+block drop all
+pass in all flags S/SA keep state
+pass out all flags S/SA keep state
+block drop on lo0 all
+pass on lo0 all flags S/SA keep state
+block drop on lo0 all
+pass proto tcp all flags S/SA keep state
+pass proto udp all keep state
+pass in proto udp all keep state
+pass out proto udp all keep state
+pass out on lo0 proto tcp from any to any port = smtp flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0041.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0041.in
+++ head/sbin/pfctl/tests/files/pf0041.in
@@ -0,0 +1,12 @@
+anchor foo
+anchor bar all
+anchor bar from any to any
+anchor foo inet
+anchor foo inet6
+anchor foo inet all
+anchor foo proto tcp
+anchor foo inet proto tcp from 10.1.2.3 port smtp to 10.2.3.4 port ssh
+anchor foobar inet6 proto udp from ::1 port 1 to ::1 port 2
+anchor filteropt out proto tcp to any port 22 user root
+anchor filteropt in proto tcp to (self) port 22 group sshd
+anchor filteropt out inet proto icmp all icmp-type echoreq
Index: head/sbin/pfctl/tests/files/pf0041.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0041.ok
+++ head/sbin/pfctl/tests/files/pf0041.ok
@@ -0,0 +1,12 @@
+anchor "foo" all
+anchor "bar" all
+anchor "bar" all
+anchor "foo" inet all
+anchor "foo" inet6 all
+anchor "foo" inet all
+anchor "foo" proto tcp all
+anchor "foo" inet proto tcp from 10.1.2.3 port = smtp to 10.2.3.4 port = ssh
+anchor "foobar" inet6 proto udp from ::1 port = tcpmux to ::1 port = compressnet
+anchor "filteropt" out proto tcp from any to any port = ssh user = 0
+anchor "filteropt" in proto tcp from any to (self) port = ssh group = 22
+anchor "filteropt" out inet proto icmp all icmp-type echoreq
Index: head/sbin/pfctl/tests/files/pf0047.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0047.in
+++ head/sbin/pfctl/tests/files/pf0047.in
@@ -0,0 +1,67 @@
+pass in on lo0 all label ""
+
+pass in all label "$if"
+pass in on lo0 all label "$if"
+pass in on lo0 all label "$if$if"
+
+pass in on lo0 all label "$srcaddr"
+pass in on lo0 from 0/0 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 from 127.0.0.1/8 to any label "$srcaddr"
+pass in on lo0 from 127.0.0.1/16 to any label "$srcaddr$srcaddr"
+pass in on lo0 from 127.0.0.1/31 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from fe80::1 to any label ":$srcaddr:$srcaddr:"
+pass in on lo0 inet6 from lo0/8 to any label "$srcaddr"
+pass in on lo0 inet6 from lo0/64 to any label "$srcaddr$srcaddr"
+pass in on lo0 inet6 from lo0/127 to any label ":$srcaddr:$srcaddr:"
+
+pass in on lo0 all label "!$dstaddr!"
+pass in on lo0 inet from any to (lo0) label "$dstaddr"
+pass in on lo0 inet from any to (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet from any to (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 from any to ! 127.0.0.1/8 label "$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/16 label "$dstaddr$dstaddr"
+pass in on lo0 from any to ! 127.0.0.1/31 label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! (lo0) label " $dstaddr $dstaddr "
+pass in on lo0 inet6 from any to ! ::1/8 label "$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/64 label "$dstaddr$dstaddr"
+pass in on lo0 inet6 from any to ! ::1/127 label " $dstaddr $dstaddr "
+
+pass in on lo0 all label "x$srcportx"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 >< 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28 <> 29 to any label "$srcport"
+pass in on lo0 proto tcp from any port 28:29 to any label "$srcport"
+pass in on lo0 proto tcp from any port != 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port < 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port <= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port > 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port >= 28 to any label "$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$srcport$srcport"
+pass in on lo0 proto tcp from any port = 28 to any label "$$srcport$$srcport$"
+
+pass in on lo0 all label "$dstport"
+pass in on lo0 proto udp from any to any port = 29 label "$dstport"
+pass in on lo0 proto udp from any to any port != 29 label "$dstport$dstport"
+pass in on lo0 proto udp from any to any port > 29 label "x$dstportx$dstportx"
+
+pass in on lo0 all label "$proto"
+pass in on lo0 proto esp all label "$proto"
+pass in on lo0 proto esp all label "$proto$proto"
+pass in on lo0 proto esp all label "-$proto-$proto-"
+pass in on lo0 proto 166 all label "$proto"
+pass in on lo0 proto 166 all label "$proto$proto"
+pass in on lo0 proto 166 all label "_$proto_$proto_"
+
+pass in on lo0 all label "$nr"
+pass in on lo0 all label "$nr$nr"
+pass in on lo0 all label "%$nr%$nr%"
+
+pass in on lo0 proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = 44 \
+ label "if $if proto $proto $srcaddr $srcport $dstaddr $dstport"
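Review bot: The rule `from any port 28:29 to any label "$srcport"` is the only port operator here whose label disappears: pf0047.ok prints that rule with no `label` at all, while `28 >< 29` and `28 <> 29` yield `28><29` and `28<>29`. That looks like a gap in label expansion for the `:` range form being recorded as expected output; this is inferred from the fixture pair, since the expansion code is not in this diff. If it is intended, say so beside the rule with a comment such as `# 28:29 expands $srcport to an empty label, which pfctl omits`. If it is not, hold this rule back until pfctl is fixed so the test does not lock the behaviour in.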
Index: head/sbin/pfctl/tests/files/pf0047.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0047.ok
+++ head/sbin/pfctl/tests/files/pf0047.ok
@@ -0,0 +1,61 @@
+pass in on lo0 all flags S/SA keep state
+pass in all flags S/SA keep state label "any"
+pass in on lo0 all flags S/SA keep state label "lo0"
+pass in on lo0 all flags S/SA keep state label "lo0lo0"
+pass in on lo0 all flags S/SA keep state label "any"
+pass in on lo0 inet all flags S/SA keep state label "any"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label "127.0.0.1127.0.0.1"
+pass in on lo0 inet from 127.0.0.1 to any flags S/SA keep state label ":127.0.0.1:127.0.0.1:"
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state label "127.0.0.0/8"
+pass in on lo0 inet from 127.0.0.0/16 to any flags S/SA keep state label "127.0.0.0/16127.0.0.0/16"
+pass in on lo0 inet from 127.0.0.0/31 to any flags S/SA keep state label ":127.0.0.0/31:127.0.0.0/31:"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label "fe80::1fe80::1"
+pass in on lo0 inet6 from fe80::1 to any flags S/SA keep state label ":fe80::1:fe80::1:"
+pass in on lo0 inet6 from ::/8 to any flags S/SA keep state label "::/8"
+pass in on lo0 inet6 from fe00::/8 to any flags S/SA keep state label "fe00::/8"
+pass in on lo0 inet6 from ::/64 to any flags S/SA keep state label "::/64::/64"
+pass in on lo0 inet6 from fe80::/64 to any flags S/SA keep state label "fe80::/64fe80::/64"
+pass in on lo0 inet6 from ::/127 to any flags S/SA keep state label ":::/127:::/127:"
+pass in on lo0 inet6 from fe80::/127 to any flags S/SA keep state label ":fe80::/127:fe80::/127:"
+pass in on lo0 all flags S/SA keep state label "!any!"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label "(lo0)(lo0)"
+pass in on lo0 inet from any to (lo0) flags S/SA keep state label " (lo0) (lo0) "
+pass in on lo0 inet from any to ! 127.0.0.0/8 flags S/SA keep state label "! 127.0.0.0/8"
+pass in on lo0 inet from any to ! 127.0.0.0/16 flags S/SA keep state label "! 127.0.0.0/16! 127.0.0.0/16"
+pass in on lo0 inet from any to ! 127.0.0.0/31 flags S/SA keep state label " ! 127.0.0.0/31 ! 127.0.0.0/31 "
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label "! (lo0)! (lo0)"
+pass in on lo0 inet6 from any to ! (lo0) flags S/SA keep state label " ! (lo0) ! (lo0) "
+pass in on lo0 inet6 from any to ! ::/8 flags S/SA keep state label "! ::/8"
+pass in on lo0 inet6 from any to ! ::/64 flags S/SA keep state label "! ::/64! ::/64"
+pass in on lo0 inet6 from any to ! ::/127 flags S/SA keep state label " ! ::/127 ! ::/127 "
+pass in on lo0 all flags S/SA keep state label "xx"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "28"
+pass in on lo0 proto tcp from any port 28 >< 29 to any flags S/SA keep state label "28><29"
+pass in on lo0 proto tcp from any port 28 <> 29 to any flags S/SA keep state label "28<>29"
+pass in on lo0 proto tcp from any port 28:29 to any flags S/SA keep state
+pass in on lo0 proto tcp from any port != 28 to any flags S/SA keep state label "!=28"
+pass in on lo0 proto tcp from any port < 28 to any flags S/SA keep state label "<28"
+pass in on lo0 proto tcp from any port <= 28 to any flags S/SA keep state label "<=28"
+pass in on lo0 proto tcp from any port > 28 to any flags S/SA keep state label ">28"
+pass in on lo0 proto tcp from any port >= 28 to any flags S/SA keep state label ">=28"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "2828"
+pass in on lo0 proto tcp from any port = 28 to any flags S/SA keep state label "$28$28$"
+pass in on lo0 all flags S/SA keep state
+pass in on lo0 proto udp from any to any port = msg-icp keep state label "29"
+pass in on lo0 proto udp from any to any port != msg-icp keep state label "!=29!=29"
+pass in on lo0 proto udp from any to any port > 29 keep state label "x>29x>29x"
+pass in on lo0 all flags S/SA keep state label "ip"
+pass in on lo0 proto esp all keep state label "esp"
+pass in on lo0 proto esp all keep state label "espesp"
+pass in on lo0 proto esp all keep state label "-esp-esp-"
+pass in on lo0 proto 166 all keep state label "166"
+pass in on lo0 proto 166 all keep state label "166166"
+pass in on lo0 proto 166 all keep state label "_166_166_"
+pass in on lo0 all flags S/SA keep state label "57"
+pass in on lo0 all flags S/SA keep state label "5858"
+pass in on lo0 all flags S/SA keep state label "%59%59%"
+pass in on lo0 inet proto tcp from 127.0.0.1 port = 30 to 127.0.0.2 port = mpm-flags flags S/SA keep state label "if lo0 proto tcp 127.0.0.1 30 127.0.0.2 44"
Index: head/sbin/pfctl/tests/files/pf0048.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0048.in
+++ head/sbin/pfctl/tests/files/pf0048.in
@@ -0,0 +1,13 @@
+table < regress > { 1.2.3.4 !5.6.7.8 10/8 lo0 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> { 1.2.3.4 !5.6.7.8 } { ::1 ::2 ::3 } file "/dev/null" const { 4.3.2.1 }
+#match out on lo0 inet from < regress.1> to <regress.2> nat-to lo0:0
+#match out on !lo0 inet from !<regress.1 > to <regress.2> nat-to lo0:0
+#match in on lo0 inet6 from <regress.1> to <regress.2> rdr-to lo0:0
+#match in on !lo0 inet6 from !< regress.1 > to <regress.2> rdr-to lo0:0
+#match in from { <regress.1> !<regress.2> } to any
+#match out from any to { !<regress.1>, <regress.2> }
+pass in from <regress> to any
+pass out from any to <regress >
+pass in from { <regress.1> <regress.2> } to any
+pass out from any to { !<regress.1>, !<regress.2> }
Index: head/sbin/pfctl/tests/files/pf0048.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0048.ok
+++ head/sbin/pfctl/tests/files/pf0048.ok
@@ -0,0 +1,9 @@
+table <regress> { 1.2.3.4 !5.6.7.8 10.0.0.0/8 ::1 fe80::1 127.0.0.1 }
+table <regress.1> const { ::1 fe80::/64 }
+table <regress.a> const { 1.2.3.4 !5.6.7.8 ::1 ::2 ::3 } file "/dev/null" { 4.3.2.1 }
+pass in from <regress> to any flags S/SA keep state
+pass out from any to <regress> flags S/SA keep state
+pass in from <regress.1> to any flags S/SA keep state
+pass in from <regress.2> to any flags S/SA keep state
+pass out from any to ! <regress.1> flags S/SA keep state
+pass out from any to ! <regress.2> flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0049.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0049.in
+++ head/sbin/pfctl/tests/files/pf0049.in
@@ -0,0 +1,7 @@
+#test :broadcast and :network modifiers
+pass in on lo0 from lo0:network to any keep state
+pass out on lo0 inet from lo0:network to any
+pass in on lo0 inet6 from lo0:network to any keep state
+
+#broadcast on lo0 doesn't make sense at all!
+#block in on lo0 from any to lo0:broadcast
Index: head/sbin/pfctl/tests/files/pf0049.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0049.ok
+++ head/sbin/pfctl/tests/files/pf0049.ok
@@ -0,0 +1,4 @@
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
+pass in on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass out on lo0 inet from 127.0.0.0/8 to any flags S/SA keep state
+pass in on lo0 inet6 from ::1 to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0050.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0050.in
+++ head/sbin/pfctl/tests/files/pf0050.in
@@ -0,0 +1,4 @@
+# double macro set
+extif="wi0"
+extif="lo0"
+block in on $extif
Index: head/sbin/pfctl/tests/files/pf0050.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0050.ok
+++ head/sbin/pfctl/tests/files/pf0050.ok
@@ -0,0 +1,3 @@
+extif = "wi0"
+extif = "lo0"
+block drop in on lo0 all
Index: head/sbin/pfctl/tests/files/pf0052.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0052.in
+++ head/sbin/pfctl/tests/files/pf0052.in
@@ -0,0 +1,7 @@
+# test setting all optimizations to avoid future keyword clashes
+
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
Index: head/sbin/pfctl/tests/files/pf0052.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0052.ok
+++ head/sbin/pfctl/tests/files/pf0052.ok
@@ -0,0 +1,5 @@
+set optimization normal
+set optimization satellite
+set optimization high-latency
+set optimization conservative
+set optimization aggressive
Index: head/sbin/pfctl/tests/files/pf0053.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0053.in
+++ head/sbin/pfctl/tests/files/pf0053.in
@@ -0,0 +1,4 @@
+pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
+pass in on lo0 proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \
+"$nr:$if:$proto:$srcaddr:$srcport:$dstaddr:$dstport"
Index: head/sbin/pfctl/tests/files/pf0053.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0053.ok
+++ head/sbin/pfctl/tests/files/pf0053.ok
@@ -0,0 +1,4 @@
+pass in inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "0:any:tcp:1.2.3.4::any:"
+pass in inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "1:any:tcp:1.2.3.5::any:"
+pass in on lo0 inet proto tcp from 1.2.3.4 to any flags S/SA keep state label "2:lo0:tcp:1.2.3.4::any:"
+pass in on lo0 inet proto tcp from 1.2.3.5 to any flags S/SA keep state label "3:lo0:tcp:1.2.3.5::any:"
Index: head/sbin/pfctl/tests/files/pf0055.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0055.in
+++ head/sbin/pfctl/tests/files/pf0055.in
@@ -0,0 +1,18 @@
+set timeout { interval 43, frag 23 }
+set timeout { tcp.first 423, tcp.opening 123, tcp.established 43758 }
+set timeout { tcp.closing 744, tcp.finwait 25, tcp.closed 38 }
+set timeout { udp.first 356, udp.single 73, udp.multiple 34 }
+set timeout { icmp.first 464, icmp.error 34 }
+set timeout { other.first 455, other.single 54, other.multiple 324 }
+set timeout { src.track 3600 }
+set limit { states 4522, frags 43556 }
+set loginterface none
+set loginterface lo0
+set hostid 1
+set optimization normal
+set block-policy drop
+
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
Index: head/sbin/pfctl/tests/files/pf0055.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0055.ok
+++ head/sbin/pfctl/tests/files/pf0055.ok
@@ -0,0 +1,28 @@
+set timeout interval 43
+set timeout frag 23
+set timeout tcp.first 423
+set timeout tcp.opening 123
+set timeout tcp.established 43758
+set timeout tcp.closing 744
+set timeout tcp.finwait 25
+set timeout tcp.closed 38
+set timeout udp.first 356
+set timeout udp.single 73
+set timeout udp.multiple 34
+set timeout icmp.first 464
+set timeout icmp.error 34
+set timeout other.first 455
+set timeout other.single 54
+set timeout other.multiple 324
+set timeout src.track 3600
+set limit states 4522
+set limit frags 43556
+set loginterface none
+set loginterface lo0
+set hostid 0x00000001
+set optimization normal
+set block-policy drop
+set limit states 43254
+set limit frags 34557
+set timeout interval 344
+set timeout frag 213
Index: head/sbin/pfctl/tests/files/pf0056.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0056.in
+++ head/sbin/pfctl/tests/files/pf0056.in
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port www keep state (tcp.established 60)
+pass in proto tcp from any to any port www keep state (max 10, no-sync, tcp.first 2)
Index: head/sbin/pfctl/tests/files/pf0056.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0056.ok
+++ head/sbin/pfctl/tests/files/pf0056.ok
@@ -0,0 +1,2 @@
+pass in proto tcp from any to any port = http flags S/SA keep state (tcp.established 60)
+pass in proto tcp from any to any port = http flags S/SA keep state (max 10, no-sync, tcp.first 2, adaptive.start 6, adaptive.end 12)
Index: head/sbin/pfctl/tests/files/pf0057.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0057.in
+++ head/sbin/pfctl/tests/files/pf0057.in
@@ -0,0 +1,4 @@
+a="10.0.0.1"
+b="x"
+b="y"
+pass in from $a
Index: head/sbin/pfctl/tests/files/pf0057.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0057.ok
+++ head/sbin/pfctl/tests/files/pf0057.ok
@@ -0,0 +1,4 @@
+a = "10.0.0.1"
+b = "x"
+b = "y"
+pass in inet from 10.0.0.1 to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0060.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0060.in
+++ head/sbin/pfctl/tests/files/pf0060.in
@@ -0,0 +1,11 @@
+# netmask handling w/ multicast
+
+pass from 224.4.5.4/32
+pass from 224.4.5.4/16
+pass from 224.4.5.4/26
+pass from 224.4.5.65/26
+pass from 224.4.5.134/26
+pass from 224.4.5.199/26
+pass from 224.4.5.4
+
+
Index: head/sbin/pfctl/tests/files/pf0060.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0060.ok
+++ head/sbin/pfctl/tests/files/pf0060.ok
@@ -0,0 +1,7 @@
+pass inet from 224.4.5.4 to any flags S/SA keep state
+pass inet from 224.4.0.0/16 to any flags S/SA keep state
+pass inet from 224.4.5.0/26 to any flags S/SA keep state
+pass inet from 224.4.5.64/26 to any flags S/SA keep state
+pass inet from 224.4.5.128/26 to any flags S/SA keep state
+pass inet from 224.4.5.192/26 to any flags S/SA keep state
+pass inet from 224.4.5.4 to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0061.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0061.in
+++ head/sbin/pfctl/tests/files/pf0061.in
@@ -0,0 +1,4 @@
+# dynaddr with netmask
+
+pass inet to (lo0)/24
+
Index: head/sbin/pfctl/tests/files/pf0061.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0061.ok
+++ head/sbin/pfctl/tests/files/pf0061.ok
@@ -0,0 +1 @@
+pass inet from any to (lo0)/24 flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0065.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0065.in
+++ head/sbin/pfctl/tests/files/pf0065.in
@@ -0,0 +1,2 @@
+antispoof for lo0 label "antispoof-lo0"
+antispoof log quick for lo0 inet label "antispoof-lo0-2"
Index: head/sbin/pfctl/tests/files/pf0065.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0065.ok
+++ head/sbin/pfctl/tests/files/pf0065.ok
@@ -0,0 +1,3 @@
+block drop in on ! lo0 inet6 from ::1 to any label "antispoof-lo0"
+block drop in on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0"
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "antispoof-lo0-2"
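Review bot: The three expected rules are what `antispoof for lo0` expands to for the addresses lo0 carries when the test runs (`::1` and `127.0.0.0/8` here), so the result depends on the host as well as on pfctl. In an environment where lo0 has no IPv6 address, such as some jails or a kernel built without INET6, the first line would presumably be missing and the case would fail with no change in pfctl. I would record the precondition in pf0065.in, for example `# expects lo0 to be configured with 127.0.0.1/8 and ::1`, or have the driver skip the case when that does not hold.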
Index: head/sbin/pfctl/tests/files/pf0067.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0067.in
+++ head/sbin/pfctl/tests/files/pf0067.in
@@ -0,0 +1,3 @@
+pass in quick on tun1000000 keep state tag regress
+pass out quick on lo0 keep state tagged regress
+
Index: head/sbin/pfctl/tests/files/pf0067.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0067.ok
+++ head/sbin/pfctl/tests/files/pf0067.ok
@@ -0,0 +1,2 @@
+pass in quick on tun1000000 all flags S/SA keep state tag regress
+pass out quick on lo0 all flags S/SA keep state tagged regress
Index: head/sbin/pfctl/tests/files/pf0069.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0069.in
+++ head/sbin/pfctl/tests/files/pf0069.in
@@ -0,0 +1,3 @@
+#match out on lo0 inet all tag regress nat-to lo0
+pass out quick on lo0 keep state tagged regress
+
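Review bot: With the `match ... nat-to` line commented out, nothing in this file sets the `regress` tag, so the case only checks that `tagged regress` parses and prints, which the second rule of pf0067.in already does. The same applies to pf0070.in, pf0071.in and pf0072.in: their single active rule, `block out on lo0 tagged regress`, is identical in all three, so the nat-to, rdr-to and binat-to tagging that the disabled lines describe is not covered. I would put the reason next to each disabled line, for example `# match/nat-to is not accepted by this pfctl; tagging from translation rules is not covered here` if that is the cause. Otherwise drop the duplicate cases so the suite does not suggest coverage it lacks.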
Index: head/sbin/pfctl/tests/files/pf0069.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0069.ok
+++ head/sbin/pfctl/tests/files/pf0069.ok
@@ -0,0 +1 @@
+pass out quick on lo0 all flags S/SA keep state tagged regress
Index: head/sbin/pfctl/tests/files/pf0070.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0070.in
+++ head/sbin/pfctl/tests/files/pf0070.in
@@ -0,0 +1,3 @@
+#match out on lo0 from 10.0.0.0/8 to any nat-to lo0
+block out on lo0 tagged regress
+
Index: head/sbin/pfctl/tests/files/pf0070.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0070.ok
+++ head/sbin/pfctl/tests/files/pf0070.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: head/sbin/pfctl/tests/files/pf0071.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0071.in
+++ head/sbin/pfctl/tests/files/pf0071.in
@@ -0,0 +1,3 @@
+#match in on lo0 proto tcp from 10.0.0.0/8 to port 80 rdr-to lo0
+block out on lo0 tagged regress
+
Index: head/sbin/pfctl/tests/files/pf0071.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0071.ok
+++ head/sbin/pfctl/tests/files/pf0071.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: head/sbin/pfctl/tests/files/pf0072.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0072.in
+++ head/sbin/pfctl/tests/files/pf0072.in
@@ -0,0 +1,4 @@
+# test binat tagging
+#match on lo0 from 192.168.1.1 to any tag regress binat-to 10.0.0.1
+block out on lo0 tagged regress
+
Index: head/sbin/pfctl/tests/files/pf0072.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0072.ok
+++ head/sbin/pfctl/tests/files/pf0072.ok
@@ -0,0 +1 @@
+block drop out on lo0 all tagged regress
Index: head/sbin/pfctl/tests/files/pf0074.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0074.in
+++ head/sbin/pfctl/tests/files/pf0074.in
@@ -0,0 +1 @@
+pass in proto tcp synproxy state
Index: head/sbin/pfctl/tests/files/pf0074.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0074.ok
+++ head/sbin/pfctl/tests/files/pf0074.ok
@@ -0,0 +1 @@
+pass in proto tcp all flags S/SA synproxy state
Index: head/sbin/pfctl/tests/files/pf0075.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0075.in
+++ head/sbin/pfctl/tests/files/pf0075.in
@@ -0,0 +1,3 @@
+block in on lo0 proto tcp from 192.168.0.0/24 to port 22 tag ssh
+block in quick on lo0 ! tagged ssh
+
\ No newline at end of file
Index: head/sbin/pfctl/tests/files/pf0075.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0075.ok
+++ head/sbin/pfctl/tests/files/pf0075.ok
@@ -0,0 +1,2 @@
+block drop in on lo0 inet proto tcp from 192.168.0.0/24 to any port = ssh tag ssh
+block drop in quick on lo0 all ! tagged ssh
Index: head/sbin/pfctl/tests/files/pf0077.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0077.in
+++ head/sbin/pfctl/tests/files/pf0077.in
@@ -0,0 +1,5 @@
+# dynaddr with netmask. I never want to see this again:
+# <henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
+# pass inet from (l)/8 to any
+
+pass inet from (lo0)/8
Index: head/sbin/pfctl/tests/files/pf0077.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0077.ok
+++ head/sbin/pfctl/tests/files/pf0077.ok
@@ -0,0 +1 @@
+pass inet from (lo0)/8 to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0078.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0078.in
+++ head/sbin/pfctl/tests/files/pf0078.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to <regress> label "$srcaddr:$dstaddr"
+
Index: head/sbin/pfctl/tests/files/pf0078.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0078.ok
+++ head/sbin/pfctl/tests/files/pf0078.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to <regress> flags S/SA keep state label "10.0.0.1:<regress>"
Index: head/sbin/pfctl/tests/files/pf0079.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0079.in
+++ head/sbin/pfctl/tests/files/pf0079.in
@@ -0,0 +1,2 @@
+pass in from 10.0.0.1 to no-route label "$srcaddr:$dstaddr"
+
Index: head/sbin/pfctl/tests/files/pf0079.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0079.ok
+++ head/sbin/pfctl/tests/files/pf0079.ok
@@ -0,0 +1 @@
+pass in inet from 10.0.0.1 to no-route flags S/SA keep state label "10.0.0.1:no-route"
Index: head/sbin/pfctl/tests/files/pf0081.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0081.in
+++ head/sbin/pfctl/tests/files/pf0081.in
@@ -0,0 +1,12 @@
+# skip step optimization involving dynaddr, tables, no-route
+# optimisation should be done on theses rules
+
+ip_list="{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list="{ <bar1> <bar2> <bar3> }"
+pass from (lo0) to $ip_list
+pass from <foo> to $table_list
+pass from <foo> to $ip_list
+pass from <foo> to $table_list
+pass from no-route to $table_list
+pass from no-route to $ip_list
+pass from no-route to $table_list
Index: head/sbin/pfctl/tests/files/pf0081.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0081.ok
+++ head/sbin/pfctl/tests/files/pf0081.ok
@@ -0,0 +1,32 @@
+ip_list = "{ ::1 ::2 ::3 0.0.0.1 0.0.0.2 0.0.0.3 }"
+table_list = "{ <bar1> <bar2> <bar3> }"
+pass inet6 from (lo0) to ::1 flags S/SA keep state
+pass inet6 from (lo0) to ::2 flags S/SA keep state
+pass inet6 from (lo0) to ::3 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.1 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.2 flags S/SA keep state
+pass inet from (lo0) to 0.0.0.3 flags S/SA keep state
+pass from <foo> to <bar1> flags S/SA keep state
+pass from <foo> to <bar2> flags S/SA keep state
+pass from <foo> to <bar3> flags S/SA keep state
+pass inet6 from <foo> to ::1 flags S/SA keep state
+pass inet6 from <foo> to ::2 flags S/SA keep state
+pass inet6 from <foo> to ::3 flags S/SA keep state
+pass inet from <foo> to 0.0.0.1 flags S/SA keep state
+pass inet from <foo> to 0.0.0.2 flags S/SA keep state
+pass inet from <foo> to 0.0.0.3 flags S/SA keep state
+pass from <foo> to <bar1> flags S/SA keep state
+pass from <foo> to <bar2> flags S/SA keep state
+pass from <foo> to <bar3> flags S/SA keep state
+pass from no-route to <bar1> flags S/SA keep state
+pass from no-route to <bar2> flags S/SA keep state
+pass from no-route to <bar3> flags S/SA keep state
+pass inet6 from no-route to ::1 flags S/SA keep state
+pass inet6 from no-route to ::2 flags S/SA keep state
+pass inet6 from no-route to ::3 flags S/SA keep state
+pass inet from no-route to 0.0.0.1 flags S/SA keep state
+pass inet from no-route to 0.0.0.2 flags S/SA keep state
+pass inet from no-route to 0.0.0.3 flags S/SA keep state
+pass from no-route to <bar1> flags S/SA keep state
+pass from no-route to <bar2> flags S/SA keep state
+pass from no-route to <bar3> flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0082.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0082.in
+++ head/sbin/pfctl/tests/files/pf0082.in
@@ -0,0 +1,15 @@
+# skip step optimization involving dynaddr, tables, no-route
+
+pass inet from (lo0)
+pass inet from !(lo0)
+pass inet from (lo0)
+pass inet6 from (lo0)
+pass from <foo>
+pass from !<foo>
+pass from <foo>
+pass inet from <bar>
+pass from <bar>
+pass inet6 from <foo>
+pass from <foo>
+pass inet from no-route
+pass from no-route
Index: head/sbin/pfctl/tests/files/pf0082.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0082.ok
+++ head/sbin/pfctl/tests/files/pf0082.ok
@@ -0,0 +1,13 @@
+pass inet from (lo0) to any flags S/SA keep state
+pass inet from ! (lo0) to any flags S/SA keep state
+pass inet from (lo0) to any flags S/SA keep state
+pass inet6 from (lo0) to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass from ! <foo> to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass inet from <bar> to any flags S/SA keep state
+pass from <bar> to any flags S/SA keep state
+pass inet6 from <foo> to any flags S/SA keep state
+pass from <foo> to any flags S/SA keep state
+pass inet from no-route to any flags S/SA keep state
+pass from no-route to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0084.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0084.in
+++ head/sbin/pfctl/tests/files/pf0084.in
@@ -0,0 +1,17 @@
+#match out on tun1000000 from 10.0.0.0/24 to any \
+# nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
+#match in on tun1000000 from any to 10.0.1.1 \
+# rdr-to { 10.0.0.0/24 } sticky-address random
+#match in on tun1000000 from any to 10.0.1.2 \
+# rdr-to { 10.0.0.1, 10.0.0.2 } sticky-address
+
+pass in proto tcp from any to any port 22 \
+ keep state (source-track)
+pass in proto tcp from any to any port 25 \
+ keep state (source-track global)
+pass in proto tcp from any to any port 80 \
+ keep state (source-track rule, max-src-nodes 1000, max-src-states 3)
+pass in proto tcp from any to any port 123 \
+ keep state (source-track, max-src-nodes 1000)
+pass in proto tcp from any to any port 321 \
+ keep state (source-track, max-src-states 3)
Index: head/sbin/pfctl/tests/files/pf0084.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0084.ok
+++ head/sbin/pfctl/tests/files/pf0084.ok
@@ -0,0 +1,5 @@
+pass in proto tcp from any to any port = ssh flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = smtp flags S/SA keep state (source-track global)
+pass in proto tcp from any to any port = http flags S/SA keep state (source-track rule, max-src-states 3, max-src-nodes 1000)
+pass in proto tcp from any to any port = ntp flags S/SA keep state (source-track rule, max-src-nodes 1000)
+pass in proto tcp from any to any port = pip flags S/SA keep state (source-track global, max-src-states 3)
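Review bot: The expected `port = pip` on the last line and `port = ntp` above it are service names looked up for ports 321 and 123, so this file is only correct on a host whose services database has those entries. pf0087.ok has the same dependency through `hosts2-ns` for port 81, and pf0097.ok through `pim` for protocol 103 in the protocols database. A trimmed or locally edited /etc/services would make these cases fail with no change in pfctl. If the driver cannot pin the databases, note the dependency in the matching .in file, for example `# expected output relies on the stock /etc/services names for ports 123 and 321`.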
Index: head/sbin/pfctl/tests/files/pf0085.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0085.in
+++ head/sbin/pfctl/tests/files/pf0085.in
@@ -0,0 +1,3 @@
+# test tag macro expansion
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tag "$srcaddr"
+pass from { 127.0.0.1 127.0.0.2 127.0.0.3 } keep state tagged "$srcaddr"
Index: head/sbin/pfctl/tests/files/pf0085.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0085.ok
+++ head/sbin/pfctl/tests/files/pf0085.ok
@@ -0,0 +1,6 @@
+pass inet from 127.0.0.1 to any flags S/SA keep state tag 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tag 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tag 127.0.0.3
+pass inet from 127.0.0.1 to any flags S/SA keep state tagged 127.0.0.1
+pass inet from 127.0.0.2 to any flags S/SA keep state tagged 127.0.0.2
+pass inet from 127.0.0.3 to any flags S/SA keep state tagged 127.0.0.3
Index: head/sbin/pfctl/tests/files/pf0087.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0087.in
+++ head/sbin/pfctl/tests/files/pf0087.in
@@ -0,0 +1,24 @@
+# pfctl -o rule reordering
+
+pass in on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 port 22 to 10.0.0.2 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.4 port 53 keep state
+pass in on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.1 port 80 keep state
+pass out on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in proto tcp to 10.0.0.3 port 80 keep state
+pass out proto tcp to 10.0.0.1 port 81 keep state
+pass in proto udp to 10.0.0.3 port 53 keep state
+pass in on lo1000001 proto udp from 10.0.0.2 port 53 to 10.0.0.2 keep state
+pass out proto udp to 10.0.0.1 port 53 keep state
+pass out on lo1000000 proto udp from any to 10.0.0.2 port 53 keep state
+pass out proto udp to 10.0.0.3 port 53 keep state
+pass out on lo1000000 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass in on lo1000001 proto udp from any to 10.0.0.2 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.4 keep state
+pass out on lo1000001 proto tcp from any to 10.0.0.2 port 22 keep state
+pass out proto tcp to 10.0.0.1 port 80 keep state
+pass in proto udp to 10.0.0.1 port 53 keep state
+pass in on lo1000001 proto tcp from 10.0.0.1 to 10.0.0.6 port 22 keep state
+pass in on lo1000001 proto udp from 10.0.0.5 to 10.0.0.2 keep state
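Review bot: The header `# pfctl -o rule reordering` promises an optimizer test, but pf0087.ok lists the same 22 rules in the same order, so the pair as committed only checks parsing and printing. pf0088.in (`# pfctl -o duplicate rules`) has the same mismatch, since every duplicate is still present in pf0088.ok. The driver script is not in this part of the diff, so I cannot tell whether it ever passes `-o`. Either run these two cases with the optimizer and regenerate the .ok files, or change the headers to say what is checked, for example `# rule set taken from the pfctl -o reordering test; optimizer not enabled in this run`. Reordering and duplicate removal are where a printer or optimizer mistake changes which packets pass, so the gap should at least be visible.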
Index: head/sbin/pfctl/tests/files/pf0087.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0087.ok
+++ head/sbin/pfctl/tests/files/pf0087.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 port = ssh to 10.0.0.2 flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.4 port = domain keep state
+pass in on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass out on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in inet proto tcp from any to 10.0.0.3 port = http flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = hosts2-ns flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.3 port = domain keep state
+pass in on lo1000001 inet proto udp from 10.0.0.2 port = domain to 10.0.0.2 keep state
+pass out inet proto udp from any to 10.0.0.1 port = domain keep state
+pass out on lo1000000 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass out inet proto udp from any to 10.0.0.3 port = domain keep state
+pass out on lo1000000 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from any to 10.0.0.2 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.4 flags S/SA keep state
+pass out on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state
+pass out inet proto tcp from any to 10.0.0.1 port = http flags S/SA keep state
+pass in inet proto udp from any to 10.0.0.1 port = domain keep state
+pass in on lo1000001 inet proto tcp from 10.0.0.1 to 10.0.0.6 port = ssh flags S/SA keep state
+pass in on lo1000001 inet proto udp from 10.0.0.5 to 10.0.0.2 keep state
Index: head/sbin/pfctl/tests/files/pf0088.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0088.in
+++ head/sbin/pfctl/tests/files/pf0088.in
@@ -0,0 +1,32 @@
+# pfctl -o duplicate rules
+
+pass in on lo1000000 from any to 10.0.0.1
+pass in on lo1000000 inet from any to 10.0.0.1
+
+pass
+pass out
+pass out
+pass out quick
+
+pass on lo1000001 to 10.0.0.1
+pass on lo1000000 from any to 10.0.0.1
+
+pass to 10.0.0.2 modulate state
+pass to 10.0.0.2 keep state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 modulate state
+block from 10.0.0.3 to 10.0.0.2
+pass to 10.0.0.2 synproxy state
+
+
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 keep state
+pass out proto tcp from 10.0.0.4 to 10.0.0.5 port 80 keep state
+
+pass out
+pass in
+
+pass in on lo1000001 from any to any
+pass in on lo1000001 from any to any keep state
+pass in on lo1000001 from any to any
+
+block
Index: head/sbin/pfctl/tests/files/pf0088.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0088.ok
+++ head/sbin/pfctl/tests/files/pf0088.ok
@@ -0,0 +1,22 @@
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass in on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out all flags S/SA keep state
+pass out quick all flags S/SA keep state
+pass on lo1000001 inet from any to 10.0.0.1 flags S/SA keep state
+pass on lo1000000 inet from any to 10.0.0.1 flags S/SA keep state
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+pass inet from any to 10.0.0.2 flags S/SA keep state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 flags S/SA modulate state
+block drop inet from 10.0.0.3 to 10.0.0.2
+pass inet from any to 10.0.0.2 flags S/SA synproxy state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 flags S/SA keep state
+pass out inet proto tcp from 10.0.0.4 to 10.0.0.5 port = http flags S/SA keep state
+pass out all flags S/SA keep state
+pass in all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+pass in on lo1000001 all flags S/SA keep state
+block drop all
Index: head/sbin/pfctl/tests/files/pf0089.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0089.in
+++ head/sbin/pfctl/tests/files/pf0089.in
@@ -0,0 +1,25 @@
+# TCP connection tracking
+
+table <bad> persist
+
+block all
+block quick from <bad>
+
+pass out proto tcp flags S/SA keep state
+pass out proto { icmp, udp } keep state
+
+pass in on lo1000001 proto tcp to 10.0.0.1 port 22 flags S/SA \
+ keep state (max-src-conn 10, max-src-conn-rate 3/99)
+
+pass in on lo1000001 proto tcp to 10.0.0.2 port 22 flags S/SA keep state \
+ (max-src-conn 10)
+
+pass in on lo1000001 proto tcp to 10.0.0.3 port 22 flags S/SA keep state \
+ (max-src-conn-rate 3/99)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 80 flags S/SA modulate state \
+ (max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush)
+
+pass in on lo1000000 proto tcp to 10.0.0.1 port 8080 flags S/SA synproxy state \
+ (max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> \
+ flush global)
Index: head/sbin/pfctl/tests/files/pf0089.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0089.ok
+++ head/sbin/pfctl/tests/files/pf0089.ok
@@ -0,0 +1,11 @@
+table <bad> persist
+block drop all
+block drop quick from <bad> to any
+pass out proto tcp all flags S/SA keep state
+pass out proto icmp all keep state
+pass out proto udp all keep state
+pass in on lo1000001 inet proto tcp from any to 10.0.0.1 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.2 port = ssh flags S/SA keep state (source-track rule, max-src-conn 10)
+pass in on lo1000001 inet proto tcp from any to 10.0.0.3 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/99, src.track 99)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = http flags S/SA modulate state (source-track rule, max-src-conn 100, max-src-conn-rate 10/5, overload <bad> flush, src.track 5)
+pass in on lo1000000 inet proto tcp from any to 10.0.0.1 port = 8080 flags S/SA synproxy state (source-track rule, max-src-conn 1000, max-src-conn-rate 1000/5, overload <bad> flush global, src.track 5)
Index: head/sbin/pfctl/tests/files/pf0090.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0090.in
+++ head/sbin/pfctl/tests/files/pf0090.in
@@ -0,0 +1,5 @@
+pass log (user)
+pass log (all)
+pass log (to pflog7)
+block log (all, user, to pflog1)
+block log (to pflog1, user)
Index: head/sbin/pfctl/tests/files/pf0090.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0090.ok
+++ head/sbin/pfctl/tests/files/pf0090.ok
@@ -0,0 +1,5 @@
+pass log (user) all flags S/SA keep state
+pass log (all) all flags S/SA keep state
+pass log (to pflog7) all flags S/SA keep state
+block drop log (all, user, to pflog1) all
+block drop log (user, to pflog1) all
Index: head/sbin/pfctl/tests/files/pf0091.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0091.in
+++ head/sbin/pfctl/tests/files/pf0091.in
@@ -0,0 +1,11 @@
+# basic anchor test
+anchor on tun1000000 {
+ anchor foo out {
+ pass proto tcp to port 1234
+ anchor proto tcp to port 2413 user root label "foo" {
+ block
+ pass from 127.0.0.1
+ }
+ }
+ pass in proto tcp to port 1234
+}
Index: head/sbin/pfctl/tests/files/pf0091.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0091.ok
+++ head/sbin/pfctl/tests/files/pf0091.ok
@@ -0,0 +1,10 @@
+anchor on tun1000000 all {
+ anchor "foo" out all {
+ pass proto tcp from any to any port = 1234 flags S/SA keep state
+ anchor proto tcp from any to any port = 2413 user = 0 label "foo" {
+ block drop all
+ pass inet from 127.0.0.1 to any flags S/SA keep state
+ }
+ }
+ pass in proto tcp from any to any port = 1234 flags S/SA keep state
+}
Index: head/sbin/pfctl/tests/files/pf0092.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0092.in
+++ head/sbin/pfctl/tests/files/pf0092.in
@@ -0,0 +1,30 @@
+anchor { # testing comments
+ anchor in {
+ # comment before rule
+ pass quick
+ }
+ # silly nesting
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ anchor out {
+ anchor in {
+ pass
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000
+ anchor foo on tun1000000 {
+
+ pass
+ }
+} # comment after closing brace
+
Index: head/sbin/pfctl/tests/files/pf0092.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0092.ok
+++ head/sbin/pfctl/tests/files/pf0092.ok
@@ -0,0 +1,26 @@
+anchor all {
+ anchor in all {
+ pass quick all flags S/SA keep state
+ }
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ anchor out all {
+ anchor in all {
+ pass all flags S/SA keep state
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ pass in on tun1000000 all flags S/SA keep state
+ anchor "foo" on tun1000000 all {
+ pass all flags S/SA keep state
+ }
+}
Index: head/sbin/pfctl/tests/files/pf0094.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0094.in
+++ head/sbin/pfctl/tests/files/pf0094.in
@@ -0,0 +1,4 @@
+pass from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5
+pass from 0.0.0.0 - 255.255.255.255
+pass from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4
+pass from ::0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Index: head/sbin/pfctl/tests/files/pf0094.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0094.ok
+++ head/sbin/pfctl/tests/files/pf0094.ok
@@ -0,0 +1,4 @@
+pass inet from 10.1.2.3 - 10.1.2.4 to 10.2.3.4 - 10.3.4.5 flags S/SA keep state
+pass inet from 0.0.0.0 - 255.255.255.255 to any flags S/SA keep state
+pass inet6 from 2001:6f8:1098::2 - 2001:6f8:1098::5 to 2001:6f8:1098::3 - 2001:6f8:1098::4 flags S/SA keep state
+pass inet6 from :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to any flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0095.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0095.in
+++ head/sbin/pfctl/tests/files/pf0095.in
@@ -0,0 +1,4 @@
+
+include "./pf0095.include"
+
+block out proto tcp
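Review bot: `include "./pf0095.include"` is resolved against the working directory of the pfctl process, so this case passes only when the driver runs from the directory that holds the installed fixtures. The driver is outside this part of the diff. If it passes pfctl a path to the .in file from another directory, the include would fail on a missing file rather than on a rule mismatch. A comment at the top of the file such as `# include path is relative to the directory the test is run from` would make the requirement visible to whoever changes the driver later.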
Index: head/sbin/pfctl/tests/files/pf0095.include
===================================================================
--- head/sbin/pfctl/tests/files/pf0095.include
+++ head/sbin/pfctl/tests/files/pf0095.include
@@ -0,0 +1,2 @@
+
+block in proto udp
Index: head/sbin/pfctl/tests/files/pf0095.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0095.ok
+++ head/sbin/pfctl/tests/files/pf0095.ok
@@ -0,0 +1,2 @@
+block drop in proto udp all
+block drop out proto tcp all
Index: head/sbin/pfctl/tests/files/pf0096.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0096.in
+++ head/sbin/pfctl/tests/files/pf0096.in
@@ -0,0 +1,5 @@
+# varset allows concatenated strings as numbers
+myports = 5555 6666
+# and also can be used within another macro
+moreports = $myports 7777
+pass in proto tcp from any to any port { $moreports }
Index: head/sbin/pfctl/tests/files/pf0096.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0096.ok
+++ head/sbin/pfctl/tests/files/pf0096.ok
@@ -0,0 +1,5 @@
+myports = "5555 6666"
+moreports = "5555 6666 7777"
+pass in proto tcp from any to any port = 5555 flags S/SA keep state
+pass in proto tcp from any to any port = 6666 flags S/SA keep state
+pass in proto tcp from any to any port = 7777 flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0097.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0097.in
+++ head/sbin/pfctl/tests/files/pf0097.in
@@ -0,0 +1,4 @@
+pass in on em0 inet proto tcp from any to any port 220:230 divert-to 127.0.0.1 port 22
+#pass out on em0 inet proto tcp from any to any port 220:230 divert-reply
+pass on em0 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 8080
+pass in on em0 inet proto 103 divert-to 127.0.0.1 port 103 # FIXME
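Review bot: The `# FIXME` on the `proto 103` line does not say what is wrong, and pf0097.ok records `divert-to 103`, `divert-to 22` and `divert-to 8080` without the `127.0.0.1` address given in the input. If printing only the port is intended here, state that; if it is the thing to fix, the .ok file pins the unfixed output and a later correction would show up as a test failure. Suggested replacement for the bare marker: `# FIXME: <what is wrong>; expected output prints the divert port only`. The disabled `divert-reply` rule above it would also benefit from a one-line reason.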
Index: head/sbin/pfctl/tests/files/pf0097.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0097.ok
+++ head/sbin/pfctl/tests/files/pf0097.ok
@@ -0,0 +1,3 @@
+pass in on em0 inet proto tcp from any to any port 220:230 flags S/SA keep state divert-to 22
+pass on em0 inet proto tcp from any to any port = http flags S/SA keep state divert-to 8080
+pass in on em0 inet proto pim all keep state divert-to 103
Index: head/sbin/pfctl/tests/files/pf0098.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0098.in
+++ head/sbin/pfctl/tests/files/pf0098.in
@@ -0,0 +1,4 @@
+# Test rule order processing should pass (require-order no longer required)
+pass in on lo1000000 all
+#match out on lo0 inet6 all nat-to lo0
+
Index: head/sbin/pfctl/tests/files/pf0098.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0098.ok
+++ head/sbin/pfctl/tests/files/pf0098.ok
@@ -0,0 +1 @@
+pass in on lo1000000 all flags S/SA keep state
Index: head/sbin/pfctl/tests/files/pf0100.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0100.in
+++ head/sbin/pfctl/tests/files/pf0100.in
@@ -0,0 +1,20 @@
+pass
+anchor "a/b"
+anchor "1/2/3" # test anchors with multiple path components
+anchor "relative" {
+ pass in on lo0 label TEST1
+}
+anchor "camield/*" # empty wildcard anchor
+
+anchor "relayd/*"
+
+anchor "foo" in on lo0 {
+ anchor "bar" in { # nested named inlined anchor
+ anchor "/1/2/3" # absolute multicomponent path
+ anchor "/relative" # absolute path
+ pass in on lo0 label FOO
+ }
+ anchor in { # nested unnamed inlined anchor
+ pass in on lo0 label BAR
+ }
+}
Index: head/sbin/pfctl/tests/files/pf0100.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0100.ok
+++ head/sbin/pfctl/tests/files/pf0100.ok
@@ -0,0 +1,18 @@
+pass all flags S/SA keep state
+anchor "/b" all
+anchor "/3" all
+anchor "relative" all {
+ pass in on lo0 all flags S/SA keep state label "TEST1"
+}
+anchor "/*" all
+anchor "/*" all
+anchor "foo" in on lo0 all {
+ anchor "bar" in all {
+ anchor "/3" all
+ anchor "/relative" all
+ pass in on lo0 all flags S/SA keep state label "FOO"
+ }
+ anchor in all {
+ pass in on lo0 all flags S/SA keep state label "BAR"
+ }
+}
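Review bot: The expected output loses the leading components of every multi-component anchor path: `anchor "a/b"` becomes `anchor "/b"`, `"1/2/3"` and `"/1/2/3"` both become `"/3"`, and the distinct `"camield/*"` and `"relayd/*"` both print as `"/*"`. This looks like a printing defect being pinned as correct, so the test would fail once the output is fixed. Until then the `pfctl -nv` listing that an operator reviews does not name the anchors the ruleset references. The selfpf0100 case feeds this file back in, so it checks a ruleset with different (absolute, shortened) anchor paths from the one in pf0100.in. At minimum I would add a comment to pf0100.in, for example `# NOTE: pf0100.ok records anchor paths as pfctl currently prints them (leading components dropped)`.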
Index: head/sbin/pfctl/tests/files/pf0101.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0101.in
+++ head/sbin/pfctl/tests/files/pf0101.in
@@ -0,0 +1,8 @@
+# test prio
+
+pass set prio 3
+
+pass out on lo1000000 proto tcp from any to any port 22 set prio (5 2)
+
+pass proto udp from any to { 127.0.0.1 127.0.0.2 } port 53 set prio 4
+
Index: head/sbin/pfctl/tests/files/pf0101.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0101.ok
+++ head/sbin/pfctl/tests/files/pf0101.ok
@@ -0,0 +1,4 @@
+pass all flags S/SA set ( prio 3 ) keep state
+pass out on lo1000000 proto tcp from any to any port = ssh flags S/SA set ( prio(5, 2) ) keep state
+pass inet proto udp from any to 127.0.0.1 port = domain set ( prio 4 ) keep state
+pass inet proto udp from any to 127.0.0.2 port = domain set ( prio 4 ) keep state
Index: head/sbin/pfctl/tests/files/pf0102.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0102.in
+++ head/sbin/pfctl/tests/files/pf0102.in
@@ -0,0 +1,9 @@
+# test rule expansion with mixed af
+
+pass from {1.1.1.1 2002::} to (self)
+
+pass from {2002:: 1.1.1.1} to (self)
+
+pass from {1.1.1.1 2002::} to (self)/40
+
+pass from {2002:: 1.1.1.1} to (self)/40
Index: head/sbin/pfctl/tests/files/pf0102.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0102.ok
+++ head/sbin/pfctl/tests/files/pf0102.ok
@@ -0,0 +1,8 @@
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self)/32 flags S/SA keep state
+pass inet6 from 2002:: to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
+pass inet6 from 2002:: to (self)/32 flags S/SA keep state
+pass inet6 from 2002:: to (self)/40 flags S/SA keep state
+pass inet from 1.1.1.1 to (self) flags S/SA keep state
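Review bot: The expected netmask on the inet6 rule depends on the order of the source list rather than on what was written. With `{1.1.1.1 2002::}` the inet6 expansion prints `(self)/32`, both for plain `(self)` and for `(self)/40`. With `{2002:: 1.1.1.1}` it prints `(self)` and `(self)/40` respectively. That suggests a mask computed for the IPv4 expansion is carried into the IPv6 one, so the .ok file appears to record current behaviour and not the intended result. Since the same parser builds the rules that are loaded, I would note this in pf0102.in, for example `# NOTE: .ok records order-dependent masks ((self)/32 on inet6 when the IPv4 address is listed first)`.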
Index: head/sbin/pfctl/tests/files/pf0104.in
===================================================================
--- head/sbin/pfctl/tests/files/pf0104.in
+++ head/sbin/pfctl/tests/files/pf0104.in
@@ -0,0 +1,10 @@
+# This test assumes that localhost points to 127.0.0.1 first
+pass in proto tcp to port 25 divert-to localhost port 8025
+# Test IPv4 addresses
+pass in proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to 127.0.0.1 port 8025
+pass in inet proto tcp to port 25 divert-to localhost port 8025
+# Test IPv6 addresses
+pass in proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to ::1 port 8025
+pass in inet6 proto tcp to port 25 divert-to localhost port 8025
Index: head/sbin/pfctl/tests/files/pf0104.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf0104.ok
+++ head/sbin/pfctl/tests/files/pf0104.ok
@@ -0,0 +1,7 @@
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
+pass in inet6 proto tcp from any to any port = smtp flags S/SA keep state divert-to 8025
Index: head/sbin/pfctl/tests/files/pf1001.in
===================================================================
--- head/sbin/pfctl/tests/files/pf1001.in
+++ head/sbin/pfctl/tests/files/pf1001.in
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
Index: head/sbin/pfctl/tests/files/pf1001.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf1001.ok
+++ head/sbin/pfctl/tests/files/pf1001.ok
@@ -0,0 +1,2 @@
+binat on em0 inet6 from fc00::/64 to any -> fc00:0:0:1::/64
+binat on em0 inet6 from any to fc00:0:0:1::/64 -> fc00::/64
Index: head/sbin/pfctl/tests/files/pf1002.in
===================================================================
--- head/sbin/pfctl/tests/files/pf1002.in
+++ head/sbin/pfctl/tests/files/pf1002.in
@@ -0,0 +1 @@
+set timeout interval 10
Index: head/sbin/pfctl/tests/files/pf1002.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf1002.ok
+++ head/sbin/pfctl/tests/files/pf1002.ok
@@ -0,0 +1 @@
+set timeout interval 10
Index: head/sbin/pfctl/tests/files/pf1003.in
===================================================================
--- head/sbin/pfctl/tests/files/pf1003.in
+++ head/sbin/pfctl/tests/files/pf1003.in
@@ -0,0 +1,3 @@
+altq on em0 cbq(default) bandwidth 100Kb queue qmain
+queue qmain priority 4
+pass on em0 queue qmain
Index: head/sbin/pfctl/tests/files/pf1003.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf1003.ok
+++ head/sbin/pfctl/tests/files/pf1003.ok
@@ -0,0 +1,3 @@
+altq on em0 cbq( default ) bandwidth 100Kb tbrsize 1500 queue { qmain }
+queue qmain priority 4
+pass on em0 all flags S/SA keep state queue qmain
Index: head/sbin/pfctl/tests/files/pf1004.in
===================================================================
--- head/sbin/pfctl/tests/files/pf1004.in
+++ head/sbin/pfctl/tests/files/pf1004.in
@@ -0,0 +1,6 @@
+altq on em0 cbq(default codel) bandwidth 20Mb queue qmain
+queue qmain { q1 q2 }
+queue q1 priority 1 bandwidth 60%
+queue q2 priority 2 bandwidth 40%
+pass on em0 queue q1
+block on em0 queue q2
Index: head/sbin/pfctl/tests/files/pf1004.ok
===================================================================
--- head/sbin/pfctl/tests/files/pf1004.ok
+++ head/sbin/pfctl/tests/files/pf1004.ok
@@ -0,0 +1,6 @@
+altq on em0 cbq( codel default ) bandwidth 20Mb tbrsize 12000 queue { qmain }
+queue qmain { q1 q2 }
+queue q1 bandwidth 60%
+queue q2 bandwidth 40% priority 2
+pass on em0 all flags S/SA keep state queue q1
+block drop on em0 all queue q2
Index: head/sbin/pfctl/tests/files/pfctl_test_descr.sh
===================================================================
--- head/sbin/pfctl/tests/files/pfctl_test_descr.sh
+++ head/sbin/pfctl/tests/files/pfctl_test_descr.sh
@@ -0,0 +1,81 @@
+# $FreeBSD$
+# atf-sh, to be sourced by run.sh
+
+pf0001_descr () { echo "Pass with labels" ; }
+pf0002_descr () { echo "Block/pass" ; }
+pf0003_descr () { echo "Block/pass with flags" ; }
+pf0004_descr () { echo "Block" ; }
+pf0005_descr () { echo "Block with variables" ; }
+pf0006_descr () { echo "Variables" ; }
+pf0007_descr () { echo "Block/pass with return" ; }
+pf0008_descr () { echo "Block with address list" ; }
+pf0009_descr () { echo "Block with interface list" ; }
+pf0010_descr () { echo "Block/pass with return" ; }
+pf0011_descr () { echo "Block/pass ICMP" ; }
+pf0012_descr () { echo "Pass to subnets" ; }
+pf0013_descr () { echo "Pass quick" ; }
+pf0014_descr () { echo "Pass quick IPv6" ; }
+pf0016_descr () { echo "Pass with no state" ; }
+pf0018_descr () { echo "Address lists" ; }
+pf0019_descr () { echo "Lists" ; }
+pf0020_descr () { echo "Lists" ; }
+pf0022_descr () { echo "Set options" ; }
+pf0023_descr () { echo "Block on negated interface" ; }
+pf0024_descr () { echo "Variable concatenation" ; }
+pf0025_descr () { echo "Antispoof" ; }
+pf0026_descr () { echo "Block from negated interface" ; }
+pf0028_descr () { echo "Block with log and quick" ; }
+pf0030_descr () { echo "Line continuation" ; }
+pf0031_descr () { echo "Block policy" ; }
+pf0032_descr () { echo "Pass to any" ; }
+pf0034_descr () { echo "Pass with probability" ; }
+pf0035_descr () { echo "Matching on TOS" ; }
+pf0038_descr () { echo "Pass with user" ; }
+pf0039_descr () { echo "Ordered opts" ; }
+pf0040_descr () { echo "Block/pass" ; }
+pf0041_descr () { echo "Anchors" ; }
+pf0047_descr () { echo "Pass with labels" ; }
+pf0048_descr () { echo "Tables" ; }
+pf0049_descr () { echo "Broadcast and network modifiers" ; }
+pf0050_descr () { echo "Double macro set" ; }
+pf0052_descr () { echo "Set optimization" ; }
+pf0053_descr () { echo "Pass with labels" ; }
+pf0055_descr () { echo "Set options" ; }
+pf0056_descr () { echo "State opts" ; }
+pf0057_descr () { echo "Variables" ; }
+pf0060_descr () { echo "Pass from multicast" ; }
+pf0061_descr () { echo "Dynaddr with netmask" ; }
+pf0065_descr () { echo "Antispoof with labels" ; }
+pf0067_descr () { echo "Tags" ; }
+pf0069_descr () { echo "Tags" ; }
+pf0070_descr () { echo "Tags" ; }
+pf0071_descr () { echo "Tags" ; }
+pf0072_descr () { echo "Tags" ; }
+pf0074_descr () { echo "Synproxy" ; }
+pf0075_descr () { echo "Block quick with tags" ; }
+pf0077_descr () { echo "Dynaddr with netmask" ; }
+pf0078_descr () { echo "Table with label" ; }
+pf0079_descr () { echo "No-route with label" ; }
+pf0081_descr () { echo "Address list and table list with no-route" ; }
+pf0082_descr () { echo "Pass with interface, table and no-route" ; }
+pf0084_descr () { echo "Source track" ; }
+pf0085_descr () { echo "Tag macro expansion" ; }
+pf0087_descr () { echo "Optimization rule reordering" ; }
+pf0088_descr () { echo "Optimization duplicate rules handling" ; }
+pf0089_descr () { echo "TCP connection tracking" ; }
+pf0090_descr () { echo "Log opts" ; }
+pf0091_descr () { echo "Nested anchors" ; }
+pf0092_descr () { echo "Comments" ; }
+pf0094_descr () { echo "Address ranges" ; }
+pf0095_descr () { echo "Include" ; }
+pf0096_descr () { echo "Variables" ; }
+pf0097_descr () { echo "Divert-to" ; }
+pf0098_descr () { echo "Pass" ; }
+pf0100_descr () { echo "Anchor with multiple path components" ; }
+pf0101_descr () { echo "Prio" ; }
+pf0102_descr () { echo "Address lists with mixed address family" ; }
+pf0104_descr () { echo "Divert-to with localhost" ; }
+pf1001_descr () { echo "Binat" ; }
+pf1002_descr () { echo "Set timeout interval" ; }
+pf1003_descr () { echo "ALTQ" ; }
+pf1004_descr () { echo "ALTQ with Codel" ; }
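Review bot: The header comment says this file is "to be sourced by run.sh", but in this change it is sourced from pfctl_test.sh. It should read `# atf-sh, to be sourced by pfctl_test.sh`. It is also worth a line saying that each entry in `pftests` in pfctl_test.sh needs a matching `pfNNNN_descr` function here, because the test heads are generated by calling `pf${i}_descr`.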
Index: head/sbin/pfctl/tests/pfctl_test.sh
===================================================================
--- head/sbin/pfctl/tests/pfctl_test.sh
+++ head/sbin/pfctl/tests/pfctl_test.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+# Make will add a #! line at the top of this file.
+
+# Tests 0001-0999 are copied from OpenBSD's regress/sbin/pfctl.
+# Tests 1001-1999 are ours (FreeBSD's own).
+
+# pf: Run pfctl -nv on pfNNNN.in and check that the output matches pfNNNN.ok.
+# Copied from OpenBSD. Main differences are some things not working
+# in FreeBSD:
+# * The action 'match'
+# * The command 'set reassemble'
+# * The 'from'/'to' options together with 'route-to'
+# * The option 'scrub' (it is an action in FreeBSD)
+# * Accepting undefined routing tables in actions (??: see pf0093.in)
+# * The 'route' option
+# * The 'set queue def' option
+# selfpf: Feed pfctl output through pfctl again and verify it stays the same.
+# Copied from OpenBSD.
+
+pftests="0001 0002 0003 0004 0005 0006 0007 0008 0009 0010 0011 0012
+0013 0014 0016 0018 0019 0020 0022 0023 0024 0025 0026 0028 0030 0031
+0032 0034 0035 0038 0039 0040 0041 0047 0048 0049 0050 0052 0053 0055
+0056 0057 0060 0061 0065 0067 0069 0070 0071 0072 0074 0075 0077 0078
+0079 0081 0082 0084 0085 0087 0088 0089 0090 0091 0092 0094 0095 0096
+0097 0098 0100 0101 0102 0104 1001 1002 1003 1004"
+
+. $(atf_get_srcdir)/files/pfctl_test_descr.sh
+
+for i in ${pftests} ; do
+ atf_test_case "pf${i}"
+ eval "pf${i}_head () { atf_set descr \"$(pf${i}_descr)\" ; }"
+ eval "pf${i}_body () { \
+ cd $(atf_get_srcdir)/files && \
+ atf_check -o file:pf${i}.ok \
+ pfctl -o none -nvf - < pf${i}.in ; }"
+
+ atf_test_case "selfpf${i}"
+ eval "selfpf${i}_head () { atf_set descr \"self$(pf${i}_descr)\" ; }"
+ eval "selfpf${i}_body () { \
+ cd $(atf_get_srcdir)/files && \
+ atf_check -o file:pf${i}.ok \
+ pfctl -o none -nvf - < pf${i}.ok ; }"
+done
+
+atf_init_test_cases () {
+ for i in ${pftests} ; do atf_add_test_case "pf${i}"
+ atf_add_test_case "selfpf${i}" ; done ; }
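Review bot: In both `eval` strings `$(atf_get_srcdir)` is expanded while the string is built and pasted unquoted into the generated function body. A source directory containing whitespace or shell metacharacters is therefore re-parsed as code when the body is defined. Escaping and quoting it defers expansion to run time and keeps the path a single word: `cd \"\$(atf_get_srcdir)/files\" && \` in the two `_body` definitions, and `. "$(atf_get_srcdir)/files/pfctl_test_descr.sh"` for the source line. The descriptions are spliced between `\"` the same way, so they must stay free of `"`, `$` and backquotes; a comment next to the loop saying so would help.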
Index: head/targets/pseudo/tests/Makefile.depend
===================================================================
--- head/targets/pseudo/tests/Makefile.depend
+++ head/targets/pseudo/tests/Makefile.depend
@@ -185,6 +185,7 @@
sbin/growfs/tests \
sbin/ifconfig/tests \
sbin/mdconfig/tests \
+ sbin/pfctl/tests \
sbin/tests \
secure/lib/tests \
secure/libexec/tests \
