1 files changed, 92 insertions, 5 deletions

diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh
index 5ea1dd6d8b2f..0824671fa0f1 100644
--- a/tests/sys/netpfil/pf/nat.sh
+++ b/tests/sys/netpfil/pf/nat.sh
@@ -55,6 +55,9 @@ exhaust_body()
 	jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up
 	jexec echo /usr/sbin/inetd -p ${PWD}/inetd-echo.pid $(atf_get_srcdir)/echo_inetd.conf
 
+	# Disable checksum offload on one of the interfaces to ensure pf handles that
+	jexec nat ifconfig ${epair_nat}a -txcsum
+
 	# Enable pf!
 	jexec nat pfctl -e
 	pft_set_rules nat \
@@ -474,14 +477,49 @@ no_addrs_random_cleanup()
 	pft_cleanup
 }
 
-nat_pass_head()
+atf_test_case "nat_pass_in" "cleanup"
+nat_pass_in_head()
 {
-	atf_set descr 'IPv4 NAT on pass rule'
+	atf_set descr 'IPv4 NAT on inbound pass rule'
 	atf_set require.user root
 	atf_set require.progs scapy
 }
 
-nat_pass_body()
+nat_pass_in_body()
+{
+	setup_router_server_ipv4
+	# Delete the route back to make sure that the traffic has been NAT-ed
+	jexec server route del -net ${net_tester} ${net_server_host_router}
+	# Provide routing back to the NAT address
+	jexec server route add 203.0.113.0/24 ${net_server_host_router}
+	jexec router route add 203.0.113.0/24 -iface ${epair_tester}b
+
+	pft_set_rules router \
+		"block" \
+		"pass in  on ${epair_tester}b inet proto tcp nat-to 203.0.113.0 keep state" \
+		"pass out on ${epair_server}a inet proto tcp keep state"
+
+	ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201
+
+	jexec router pfctl -qvvsr
+	jexec router pfctl -qvvss
+	jexec router ifconfig
+	jexec router netstat -rn
+}
+
+nat_pass_in_cleanup()
+{
+	pft_cleanup
+}
+
+nat_pass_out_head()
+{
+	atf_set descr 'IPv4 NAT on outbound pass rule'
+	atf_set require.user root
+	atf_set require.progs scapy
+}
+
+nat_pass_out_body()
 {
 	setup_router_server_ipv4
 	# Delete the route back to make sure that the traffic has been NAT-ed
@@ -500,11 +538,12 @@ nat_pass_body()
 	jexec router netstat -rn
 }
 
-nat_pass_cleanup()
+nat_pass_out_cleanup()
 {
 	pft_cleanup
 }
 
+atf_test_case "nat_match" "cleanup"
 nat_match_head()
 {
 	atf_set descr 'IPv4 NAT on match rule'
@@ -644,6 +683,7 @@ map_e_pass_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "binat_compat" "cleanup"
 binat_compat_head()
 {
 	atf_set descr 'IPv4 BINAT with nat ruleset'
@@ -710,6 +750,7 @@ binat_compat_cleanup()
 	kill $(cat ${PWD}/inetd_tester.pid)
 }
 
+atf_test_case "binat_match" "cleanup"
 binat_match_head()
 {
 	atf_set descr 'IPv4 BINAT with nat ruleset'
@@ -810,6 +851,50 @@ empty_pool_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "dummynet_mask" "cleanup"
+dummynet_mask_head()
+{
+	atf_set descr 'Verify that dummynet uses the pre-nat address for masking'
+	atf_set require.user root
+}
+
+dummynet_mask_body()
+{
+	dummynet_init
+
+	epair_srv=$(vnet_mkepair)
+	epair_cl=$(vnet_mkepair)
+
+	ifconfig ${epair_cl}b 192.0.2.2/24 up
+	route add default 192.0.2.1
+
+	vnet_mkjail srv ${epair_srv}a
+	jexec srv ifconfig ${epair_srv}a 198.51.100.2/24 up
+
+	vnet_mkjail gw ${epair_srv}b ${epair_cl}a
+	jexec gw ifconfig ${epair_srv}b 198.51.100.1/24 up
+	jexec gw ifconfig ${epair_cl}a 192.0.2.1/24 up
+	jexec gw sysctl net.inet.ip.forwarding=1
+
+	jexec gw dnctl pipe 1 config delay 100 mask src-ip 0xffffff00
+	jexec gw pfctl -e
+	pft_set_rules gw \
+	    "nat on ${epair_srv}b inet from 192.0.2.0/24 to any -> (${epair_srv}b)" \
+	    "pass out dnpipe 1"
+
+	atf_check -s exit:0 -o ignore \
+	    ping -c  3 198.51.100.2
+
+	# Now check that dummynet looked at the correct address
+	atf_check -s exit:0 -o match:"ip.*192.0.2.0/0" \
+	    jexec gw dnctl pipe show
+}
+
+dummynet_mask_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "exhaust"
@@ -823,9 +908,11 @@ atf_init_test_cases()
 	atf_add_test_case "no_addrs_random"
 	atf_add_test_case "map_e_compat"
 	atf_add_test_case "map_e_pass"
-	atf_add_test_case "nat_pass"
+	atf_add_test_case "nat_pass_in"
+	atf_add_test_case "nat_pass_out"
 	atf_add_test_case "nat_match"
 	atf_add_test_case "binat_compat"
 	atf_add_test_case "binat_match"
 	atf_add_test_case "empty_pool"
+	atf_add_test_case "dummynet_mask"
 }