7 files changed, 506 insertions, 31 deletions

diff --git a/tests/sys/netinet/Makefile b/tests/sys/netinet/Makefile
index cc525bf24480..b3d76d1da125 100644
--- a/tests/sys/netinet/Makefile
+++ b/tests/sys/netinet/Makefile
@@ -30,6 +30,7 @@ ATF_TESTS_SH=	arp \
 
 ATF_TESTS_PYTEST+=	carp.py
 ATF_TESTS_PYTEST+=	igmp.py
+ATF_TESTS_PYTEST+=	tcp_hpts_test.py
 
 LIBADD.so_reuseport_lb_test=	pthread
 LIBADD.udp_bindings=		pthread
@@ -45,10 +46,12 @@ TEST_METADATA.fibs_test+= execenv="jail"		\
 TEST_METADATA.forward+=	required_programs="python"	\
 			execenv="jail"			\
 			execenv_jail_params="vnet allow.raw_sockets"
+TEST_METADATA.multicast+= execenv="jail"		\
+			execenv_jail_params="vnet"
 TEST_METADATA.output+=	required_programs="python"
 TEST_METADATA.redirect+= required_programs="python"
 
-PROGS=	udp_dontroute tcp_user_cookie sendto-IP_MULTICAST_IF
+PROGS=	udp_dontroute tcp_user_cookie multicast-send multicast-receive
 
 ${PACKAGE}FILES+=		redirect.py
 
diff --git a/tests/sys/netinet/carp.sh b/tests/sys/netinet/carp.sh
index 2aae2854826e..568d2beaf914 100755
--- a/tests/sys/netinet/carp.sh
+++ b/tests/sys/netinet/carp.sh
@@ -215,6 +215,9 @@ unicast_v4_body()
 
 unicast_v4_cleanup()
 {
+	jexec carp_uni_v4_one killall routed
+	jexec carp_uni_v4_two killall routed
+	jexec carp_uni_v4_three killall routed
 	vnet_cleanup
 }
 
diff --git a/tests/sys/netinet/multicast-receive.c b/tests/sys/netinet/multicast-receive.c
new file mode 100644
index 000000000000..62fc68200dd6
--- /dev/null
+++ b/tests/sys/netinet/multicast-receive.c
@@ -0,0 +1,134 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2025 Gleb Smirnoff <glebius@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <assert.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+#include <limits.h>
+#include <err.h>
+
+static in_port_t
+atop(const char *c)
+{
+	unsigned long ul;
+
+	errno = 0;
+	if ((ul = strtol(c, NULL, 10)) < 1 || ul > IPPORT_MAX || errno != 0)
+		err(1, "can't parse %s", c);
+
+	return ((in_port_t)ul);
+}
+
+int
+main(int argc, char *argv[])
+{
+	char buf[IP_MAXPACKET + 1];
+	struct sockaddr_in sin = {
+		.sin_family = AF_INET,
+		.sin_len = sizeof(struct sockaddr_in),
+	};
+	socklen_t slen = sizeof(struct sockaddr_in);
+	struct in_addr maddr, ifaddr;
+	ssize_t len;
+	int s, ifindex;
+	bool index;
+
+	if (argc < 4)
+usage:
+		errx(1, "Usage: %s (ip_mreq|ip_mreqn|group_req) "
+		    "IPv4-group port interface", argv[0]);
+
+	if (inet_pton(AF_INET, argv[2], &maddr) != 1)
+		err(1, "inet_pton(%s) failed", argv[2]);
+	sin.sin_port = htons(atop(argv[3]));
+	if (inet_pton(AF_INET, argv[4], &ifaddr) == 1)
+		index = false;
+	else if ((ifindex = if_nametoindex(argv[4])) > 0)
+		index = true;
+	else if (strcmp(argv[4], "0") == 0) {
+		ifindex = 0;
+		index = true;
+	} else
+		err(1, "if_nametoindex(%s) failed", argv[4]);
+
+	assert((s = socket(PF_INET, SOCK_DGRAM, 0)) > 0);
+	assert(bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0);
+
+	if (strcmp(argv[1], "ip_mreq") == 0) {
+		if (index)
+			errx(1, "ip_mreq doesn't accept index");
+		struct ip_mreq mreq = {
+			.imr_multiaddr = maddr,
+			.imr_interface = ifaddr,
+		};
+		if (setsockopt(s, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq,
+		    sizeof(mreq)) != 0)
+			err(EX_OSERR, "setsockopt");
+	} else if (strcmp(argv[1], "ip_mreqn") == 0) {
+		/*
+		 * ip_mreqn shall be used with index, but for testing
+		 * purposes accept address too.
+		 */
+		struct ip_mreqn mreqn = {
+			.imr_multiaddr = maddr,
+			.imr_address = index ? (struct in_addr){ 0 } : ifaddr,
+			.imr_ifindex = index ? ifindex : 0,
+		};
+		if (setsockopt(s, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreqn,
+		    sizeof(mreqn)) != 0)
+			err(EX_OSERR, "setsockopt");
+	} else if (strcmp(argv[1], "group_req") == 0) {
+		if (!index)
+			errx(1, "group_req expects index");
+		struct group_req greq = { .gr_interface = ifindex };
+		struct sockaddr_in *gsa = (struct sockaddr_in *)&greq.gr_group;
+
+		gsa->sin_family = AF_INET;
+		gsa->sin_len = sizeof(struct sockaddr_in);
+		gsa->sin_addr = maddr;
+		if (setsockopt(s, IPPROTO_IP, MCAST_JOIN_GROUP, &greq,
+		    sizeof(greq)) != 0)
+			err(EX_OSERR, "setsockopt");
+	} else
+		goto usage;
+
+	assert((len = recvfrom(s, buf, sizeof(buf) - 1, 0,
+	    (struct sockaddr *)&sin, &slen)) > 0);
+	buf[len] = '\0';
+	printf("%s:%u %s\n", inet_ntoa(sin.sin_addr), ntohs(sin.sin_port), buf);
+
+	return (0);
+}
diff --git a/tests/sys/netinet/sendto-IP_MULTICAST_IF.c b/tests/sys/netinet/multicast-send.c
index d478e4da0b3b..f10b2b6338dd 100644
--- a/tests/sys/netinet/sendto-IP_MULTICAST_IF.c
+++ b/tests/sys/netinet/multicast-send.c
@@ -28,35 +28,69 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
+#include <net/if.h>
 #include <assert.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
 #include <err.h>
 
+static in_port_t
+atop(const char *c)
+{
+	unsigned long ul;
+
+	errno = 0;
+	if ((ul = strtol(c, NULL, 10)) < 1 || ul > IPPORT_MAX || errno != 0)
+		err(1, "can't parse %s", c);
+
+	return ((in_port_t)ul);
+}
+
 int
 main(int argc, char *argv[])
 {
-	struct sockaddr_in sin = {
+	struct sockaddr_in src = {
+		.sin_family = AF_INET,
+		.sin_len = sizeof(struct sockaddr_in),
+	}, dst = {
 		.sin_family = AF_INET,
 		.sin_len = sizeof(struct sockaddr_in),
 	};
+	struct ip_mreqn mreqn;
 	struct in_addr in;
-	int s, rv;
+	int s;
+	bool index;
 
-	if (argc < 2)
-		errx(1, "Usage: %s IPv4-address", argv[0]);
+	if (argc < 7)
+		errx(1, "Usage: %s src-IPv4 src-port dst-IPv4 dst-port "
+		    "interface payload", argv[0]);
 
-	if (inet_pton(AF_INET, argv[1], &in) != 1)
+	if (inet_pton(AF_INET, argv[1], &src.sin_addr) != 1)
 		err(1, "inet_pton(%s) failed", argv[1]);
+	src.sin_port = htons(atop(argv[2]));
+	if (inet_pton(AF_INET, argv[3], &dst.sin_addr) != 1)
+		err(1, "inet_pton(%s) failed", argv[3]);
+	dst.sin_port = htons(atop(argv[4]));
+	if (inet_pton(AF_INET, argv[5], &in) == 1)
+		index = false;
+	else if ((mreqn.imr_ifindex = if_nametoindex(argv[5])) > 0)
+		index = true;
+	else
+		err(1, "if_nametoindex(%s) failed", argv[5]);
 
 	assert((s = socket(PF_INET, SOCK_DGRAM, 0)) > 0);
-	assert(bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0);
-	assert(setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &in, sizeof(in))
-	  == 0);
-	/* RFC 6676 */
-	assert(inet_pton(AF_INET, "233.252.0.1", &sin.sin_addr) == 1);
-	sin.sin_port = htons(6676);
-	rv = sendto(s, &sin, sizeof(sin), 0,
-	    (struct sockaddr *)&sin, sizeof(sin));
-	if (rv != sizeof(sin))
+	assert(bind(s, (struct sockaddr *)&src, sizeof(src)) == 0);
+	if (index)
+		assert(setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &mreqn,
+		    sizeof(mreqn)) == 0);
+	else
+		assert(setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &in,
+		    sizeof(in)) == 0);
+	if (sendto(s, argv[6], strlen(argv[6]) + 1, 0, (struct sockaddr *)&dst,
+	    sizeof(dst)) != (ssize_t)strlen(argv[6]) + 1)
 		err(1, "sendto failed");
 
 	return (0);
diff --git a/tests/sys/netinet/multicast.sh b/tests/sys/netinet/multicast.sh
index eb2b962dac70..34094ff08705 100644..100755
--- a/tests/sys/netinet/multicast.sh
+++ b/tests/sys/netinet/multicast.sh
@@ -26,36 +26,180 @@
 
 . $(atf_get_srcdir)/../common/vnet.subr
 
-# See regression fixed in baad45c9c12028964acd0b58096f3aaa0fb22859
-atf_test_case "IP_MULTICAST_IF" "cleanup"
-IP_MULTICAST_IF_head()
+# Set up two jails, mjail1 and mjail2, connected with two interface pairs
+multicast_vnet_init()
 {
-	atf_set descr \
-	    'sendto() for IP_MULTICAST_IF socket does not do routing lookup'
+
+	vnet_init
+	epair1=$(vnet_mkepair)
+	epair2=$(vnet_mkepair)
+	vnet_mkjail mjail1 ${epair1}a ${epair2}a
+	jexec mjail1 ifconfig ${epair1}a up
+	jexec mjail1 ifconfig ${epair1}a 192.0.2.1/24
+	jexec mjail1 ifconfig ${epair2}a up
+	jexec mjail1 ifconfig ${epair2}a 192.0.3.1/24
+	vnet_mkjail mjail2 ${epair1}b ${epair2}b
+	jexec mjail2 ifconfig ${epair1}b up
+	jexec mjail2 ifconfig ${epair1}b 192.0.2.2/24
+	jexec mjail2 ifconfig ${epair2}b up
+	jexec mjail2 ifconfig ${epair2}b 192.0.3.2/24
+}
+
+multicast_join()
+{
+	jexec mjail2 $(atf_get_srcdir)/multicast-receive \
+	    $1 233.252.0.1 6676 $2 > out & pid=$!
+	while ! jexec mjail2 ifmcstat | grep -q 233\.252\.0\.1; do
+		sleep 0.01
+	done
+}
+
+atf_test_case "IP_ADD_MEMBERSHIP_ip_mreq" "cleanup"
+IP_ADD_MEMBERSHIP_ip_mreq_head()
+{
+	atf_set descr 'IP_ADD_MEMBERSHIP / IP_MULTICAST_IF with ip_mreq'
 	atf_set require.user root
+}
+IP_ADD_MEMBERSHIP_ip_mreq_body()
+{
+	multicast_vnet_init
+
+	# join group on interface with IP address 192.0.2.2
+	multicast_join ip_mreq 192.0.2.2
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.2.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.2.1:6676 hello\n" cat out
+
+	# join group on interface with IP address 192.0.3.2
+	multicast_join ip_mreq 192.0.3.2
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.3.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+
+	# join group on the first multicast capable interface (epair1a)
+	multicast_join ip_mreq 0.0.0.0
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.2.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.2.1:6676 hello\n" cat out
+
+	# Set up the receiving jail so that first multicast capable interface
+	# is epair1a and default route points into epair2a.  This will allow us
+	# to exercise both branches of inp_lookup_mcast_ifp().
+	jexec mjail2 route add default 192.0.3.254
 
+	# join group on the interface determined by the route lookup
+	multicast_join ip_mreq 0.0.0.0
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.3.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+}
+IP_ADD_MEMBERSHIP_ip_mreq_cleanup()
+{
+	rm out
+	vnet_cleanup
 }
 
-IP_MULTICAST_IF_body()
+atf_test_case "IP_ADD_MEMBERSHIP_ip_mreqn" "cleanup"
+IP_ADD_MEMBERSHIP_ip_mreqn_head()
 {
-	local epair mjail
+	atf_set descr 'IP_ADD_MEMBERSHIP / IP_MULTICAST_IF with ip_mreqn'
+	atf_set require.user root
+}
+IP_ADD_MEMBERSHIP_ip_mreqn_body()
+{
+	multicast_vnet_init
 
-	vnet_init
-	# The test doesn't use our half of epair
-	epair=$(vnet_mkepair)
-	vnet_mkjail mjail ${epair}a
-	jexec mjail ifconfig ${epair}a up
-	jexec mjail ifconfig ${epair}a 192.0.2.1/24
+	# join group on interface epair2
+	multicast_join ip_mreqn ${epair1}b
 	atf_check -s exit:0 -o empty \
-	    jexec mjail $(atf_get_srcdir)/sendto-IP_MULTICAST_IF 192.0.2.1
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 ${epair1}a hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.2.1:6676 hello\n" cat out
+
+	# join group on interface epair2
+	multicast_join ip_mreqn ${epair2}b
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 ${epair2}a hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+
+	# try to join group on the interface determined by the route lookup
+	atf_check -s exit:71 -e inline:"multicast-receive: setsockopt: Can't assign requested address\n" \
+	    jexec mjail2 $(atf_get_srcdir)/multicast-receive \
+	    ip_mreqn 233.252.0.1 6676 0
+	# add route and try again
+	jexec mjail2 route add default 192.0.3.254
+        multicast_join ip_mreqn 0
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.3.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+}
+IP_ADD_MEMBERSHIP_ip_mreqn_cleanup()
+{
+	rm out
+	vnet_cleanup
 }
 
-IP_MULTICAST_IF_cleanup()
+atf_test_case "MCAST_JOIN_GROUP" "cleanup"
+MCAST_JOIN_GROUP_head()
+{
+	atf_set descr 'MCAST_JOIN_GROUP'
+	atf_set require.user root
+}
+MCAST_JOIN_GROUP_body()
+{
+	multicast_vnet_init
+
+	# join group on interface epair1
+	multicast_join group_req ${epair1}b
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 ${epair1}a hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.2.1:6676 hello\n" cat out
+
+	# join group on interface epair2
+	multicast_join group_req ${epair2}b
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 ${epair2}a hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+
+	# try to join group on the interface determined by the route lookup
+	atf_check -s exit:71 -e inline:"multicast-receive: setsockopt: Can't assign requested address\n" \
+	    jexec mjail2 $(atf_get_srcdir)/multicast-receive \
+	    group_req 233.252.0.1 6676 0
+	# add route and try again
+	jexec mjail2 route add default 192.0.3.254
+        multicast_join group_req 0
+	atf_check -s exit:0 -o empty \
+	    jexec mjail1 $(atf_get_srcdir)/multicast-send \
+	    0.0.0.0 6676 233.252.0.1 6676 192.0.3.1 hello
+	atf_check -s exit:0 sh -c "wait $pid; exit $?"
+	atf_check -s exit:0 -o inline:"192.0.3.1:6676 hello\n" cat out
+}
+MCAST_JOIN_GROUP_cleanup()
 {
+	rm out
 	vnet_cleanup
 }
 
 atf_init_test_cases()
 {
-	atf_add_test_case "IP_MULTICAST_IF"
+	atf_add_test_case "IP_ADD_MEMBERSHIP_ip_mreq"
+	atf_add_test_case "IP_ADD_MEMBERSHIP_ip_mreqn"
+	atf_add_test_case "MCAST_JOIN_GROUP"
 }
diff --git a/tests/sys/netinet/so_reuseport_lb_test.c b/tests/sys/netinet/so_reuseport_lb_test.c
index fa9d6e425884..393a626af5a4 100644
--- a/tests/sys/netinet/so_reuseport_lb_test.c
+++ b/tests/sys/netinet/so_reuseport_lb_test.c
@@ -29,6 +29,8 @@
 
 #include <sys/param.h>
 #include <sys/event.h>
+#include <sys/filio.h>
+#include <sys/ioccom.h>
 #include <sys/socket.h>
 
 #include <netinet/in.h>
@@ -375,6 +377,11 @@ ATF_TC_BODY(concurrent_add, tc)
 
 		usleep(20000);
 	}
+
+	for (size_t j = nitems(threads); j > 0; j--) {
+		ATF_REQUIRE(pthread_cancel(threads[j - 1]) == 0);
+		ATF_REQUIRE(pthread_join(threads[j - 1], NULL) == 0);
+	}
 }
 
 /*
@@ -551,6 +558,150 @@ ATF_TC_BODY(connect_bound, tc)
 	close(s);
 }
 
+/*
+ * The kernel erroneously permits calling connect() on a UDP socket with
+ * SO_REUSEPORT_LB set.  Verify that packets sent to the bound address are
+ * dropped unless they come from the connected address.
+ */
+ATF_TC_WITHOUT_HEAD(connect_udp);
+ATF_TC_BODY(connect_udp, tc)
+{
+	struct sockaddr_in sin = {
+		.sin_family = AF_INET,
+		.sin_len = sizeof(sin),
+		.sin_addr = { htonl(INADDR_LOOPBACK) },
+	};
+	ssize_t n;
+	int error, len, s1, s2, s3;
+	char ch;
+
+	s1 = socket(PF_INET, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s1 >= 0);
+	s2 = socket(PF_INET, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s2 >= 0);
+	s3 = socket(PF_INET, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s3 >= 0);
+
+	error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1},
+	    sizeof(int));
+	ATF_REQUIRE_MSG(error == 0,
+	    "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno));
+	error = bind(s1, (struct sockaddr *)&sin, sizeof(sin));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	error = bind(s2, (struct sockaddr *)&sin, sizeof(sin));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	error = bind(s3, (struct sockaddr *)&sin, sizeof(sin));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	/* Connect to an address not owned by s2. */
+	error = getsockname(s3, (struct sockaddr *)&sin,
+	    (socklen_t[]){sizeof(sin)});
+	ATF_REQUIRE(error == 0);
+	error = connect(s1, (struct sockaddr *)&sin, sizeof(sin));
+	ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno));
+
+	/* Try to send a packet to s1 from s2. */
+	error = getsockname(s1, (struct sockaddr *)&sin,
+	    (socklen_t[]){sizeof(sin)});
+	ATF_REQUIRE(error == 0);
+
+	ch = 42;
+	n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin,
+	    sizeof(sin));
+	ATF_REQUIRE(n == 1);
+
+	/* Give the packet some time to arrive. */
+	usleep(100000);
+
+	/* s1 is connected to s3 and shouldn't receive from s2. */
+	error = ioctl(s1, FIONREAD, &len);
+	ATF_REQUIRE(error == 0);
+	ATF_REQUIRE_MSG(len == 0, "unexpected data available");
+
+	/* ... but s3 can of course send to s1. */
+	n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin,
+	    sizeof(sin));
+	ATF_REQUIRE(n == 1);
+	usleep(100000);
+	error = ioctl(s1, FIONREAD, &len);
+	ATF_REQUIRE(error == 0);
+	ATF_REQUIRE_MSG(len == 1, "expected data available");
+}
+
+/*
+ * The kernel erroneously permits calling connect() on a UDP socket with
+ * SO_REUSEPORT_LB set.  Verify that packets sent to the bound address are
+ * dropped unless they come from the connected address.
+ */
+ATF_TC_WITHOUT_HEAD(connect_udp6);
+ATF_TC_BODY(connect_udp6, tc)
+{
+	struct sockaddr_in6 sin6 = {
+		.sin6_family = AF_INET6,
+		.sin6_len = sizeof(sin6),
+		.sin6_addr = IN6ADDR_LOOPBACK_INIT,
+	};
+	ssize_t n;
+	int error, len, s1, s2, s3;
+	char ch;
+
+	s1 = socket(PF_INET6, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s1 >= 0);
+	s2 = socket(PF_INET6, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s2 >= 0);
+	s3 = socket(PF_INET6, SOCK_DGRAM, 0);
+	ATF_REQUIRE(s3 >= 0);
+
+	error = setsockopt(s1, SOL_SOCKET, SO_REUSEPORT_LB, (int[]){1},
+	    sizeof(int));
+	ATF_REQUIRE_MSG(error == 0,
+	    "setsockopt(SO_REUSEPORT_LB) failed: %s", strerror(errno));
+	error = bind(s1, (struct sockaddr *)&sin6, sizeof(sin6));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	error = bind(s2, (struct sockaddr *)&sin6, sizeof(sin6));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	error = bind(s3, (struct sockaddr *)&sin6, sizeof(sin6));
+	ATF_REQUIRE_MSG(error == 0, "bind() failed: %s", strerror(errno));
+
+	/* Connect to an address not owned by s2. */
+	error = getsockname(s3, (struct sockaddr *)&sin6,
+	    (socklen_t[]){sizeof(sin6)});
+	ATF_REQUIRE(error == 0);
+	error = connect(s1, (struct sockaddr *)&sin6, sizeof(sin6));
+	ATF_REQUIRE_MSG(error == 0, "connect() failed: %s", strerror(errno));
+
+	/* Try to send a packet to s1 from s2. */
+	error = getsockname(s1, (struct sockaddr *)&sin6,
+	    (socklen_t[]){sizeof(sin6)});
+	ATF_REQUIRE(error == 0);
+
+	ch = 42;
+	n = sendto(s2, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6,
+	    sizeof(sin6));
+	ATF_REQUIRE(n == 1);
+
+	/* Give the packet some time to arrive. */
+	usleep(100000);
+
+	/* s1 is connected to s3 and shouldn't receive from s2. */
+	error = ioctl(s1, FIONREAD, &len);
+	ATF_REQUIRE(error == 0);
+	ATF_REQUIRE_MSG(len == 0, "unexpected data available");
+
+	/* ... but s3 can of course send to s1. */
+	n = sendto(s3, &ch, sizeof(ch), 0, (struct sockaddr *)&sin6,
+	    sizeof(sin6));
+	ATF_REQUIRE(n == 1);
+	usleep(100000);
+	error = ioctl(s1, FIONREAD, &len);
+	ATF_REQUIRE(error == 0);
+	ATF_REQUIRE_MSG(len == 1, "expected data available");
+}
+
 ATF_TP_ADD_TCS(tp)
 {
 	ATF_TP_ADD_TC(tp, basic_ipv4);
@@ -561,6 +712,8 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, bind_without_listen);
 	ATF_TP_ADD_TC(tp, connect_not_bound);
 	ATF_TP_ADD_TC(tp, connect_bound);
+	ATF_TP_ADD_TC(tp, connect_udp);
+	ATF_TP_ADD_TC(tp, connect_udp6);
 
 	return (atf_no_error());
 }
diff --git a/tests/sys/netinet/tcp_hpts_test.py b/tests/sys/netinet/tcp_hpts_test.py
new file mode 100644
index 000000000000..c56383fb310f
--- /dev/null
+++ b/tests/sys/netinet/tcp_hpts_test.py
@@ -0,0 +1,4 @@
+from atf_python.ktest import BaseKernelTest
+
+class TestTcpHpts(BaseKernelTest):
+    KTEST_MODULE_NAME = "ktest_tcphpts"