pf tests: make ether:dummynet test a little more robust

Allow slightly more bandwidth, but cause ping to give up sooner.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

pf tests: bridge-to test case

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37194

pf tests: require scapy for ether:short_pkt

The pft_ether.py script requires both python and scapy to be installed.
Check for this so we properly skip the test when it is unavailable.

Reviewed by: kp
Fixes: 07ffa50ba075d ("pf tests: test short packets")
Differential Revision: https://reviews.freebsd.org/D36561

pf tests: support packet size range in pft_ether.py

Teach pft_ether.py to send a range of packet sizes. Use this to move the
size sweep into Python, removing the repeated Python startup overhead
and greatly speeding up the pf.ether.short_pkt test.

This should fix test timeouts seen on ci.freebsd.org.

While here also extend the range of packet sizes tested, because it adds
very little runtime now.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: handle dummynet for non-IP packets

Do not panic if we try to dummynet an Ethernet packet that's not IPv4 or
IPv6. Simply give it to dummynet.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: test short packets

Test sending very short packets (i.e. too short for an IP header)
packets in the Ethernet filtering code.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: basic 'tagged' test for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35364

pf tests: basic 'tagged' test for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35363

pf tests: extend ethernet dummynet test

Extend the existing ethernet dummynet test to also test dummynet on the
outbound direction.
This used to be a problem as traffic shaping wasn't done in the ethernet
code. It merely tagged the packet and left shaping up to the layer 3 pf
code. This works in the inbound direction, but not for outbound traffic
where we hit the L3 code first and only then the L2 code.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35258

pf tests: factor out common dummynet check

Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35160

pf: allow the use of tables in ethernet rules

Allow tables to be used for the l3 source/destination matching.
This requires taking the PF_RULES read lock.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917

pf: support listing ethernet anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: ether l3 rules can only use addresses

Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.

Disallow their use for now.

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: Test new L3 inspection for pf 'ether' rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34483

pf tests: extend ether test to verify mac address masks

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: Ensure 'pfctl -F ethernet' works

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf tests: slightly more complect captive portal setup

Combine anchor, dummynet and rdr to produce a more complex captive
portal setup.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32484

pf tests: basic test for ether anchors

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32483

pfctl: support lists of mac addresses

Teach the 'ether' rules to accept { mac1, mac2, ... } lists, similar to
the lists of interfaces or IP addresses we already supported for layer 3
filtering.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32481

pf tests: test dummynet for ether traffic

Test that we can set dummynet information on L2, which is processed by
L3 later (assuming it's not overruled by L3 rules, of course).

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32223

pf tests: Test ether direction

Test that we correctly match inbound ('in') or outbound ('out') Ethernet
packets.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31747

pf tests: Basic captive portal like test

Use the ether rules to selectively (i.e. per MAC address) redirect
certain connections. Test that tags carry over to the layer-3 pf code.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31746

pf tests: Test EtherType filtering

Test filtering packets by their EtherType (i.e. ARP/IPv4/IPv6/...).

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31745

pf tests: Test MAC address negation

Test that we can express 'ether block from ! 00:01:02:03:04:05'.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31744

pf tests: MAC address filtering test

Test the MAC address filtering capability in the new 'ether' feature in
pf.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31743