git: bc66cb3bfa9b - main - pf tests: verify that ICMP port unreachable makes it through NAT64
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 17 Dec 2024 10:07:57 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=bc66cb3bfa9be8a99805a3109c72420c22e72f3b
commit bc66cb3bfa9be8a99805a3109c72420c22e72f3b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-11-08 16:34:56 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-12-17 10:07:15 +0000
pf tests: verify that ICMP port unreachable makes it through NAT64
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47797
---
tests/sys/netpfil/pf/nat64.py | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py
index 0053a2401872..a3bd6048028e 100644
--- a/tests/sys/netpfil/pf/nat64.py
+++ b/tests/sys/netpfil/pf/nat64.py
@@ -39,7 +39,7 @@ class TestNAT64(VnetTestTemplate):
}
def vnet3_handler(self, vnet):
- ToolsHelper.print_output("echo foo | nc -l 1234")
+ ToolsHelper.print_output("echo foo | nc -l 1234 &")
def vnet2_handler(self, vnet):
ifname = vnet.iface_alias_map["if1"].name
@@ -82,3 +82,23 @@ class TestNAT64(VnetTestTemplate):
assert "S" in tcp.flags
assert "A" in tcp.flags
+ @pytest.mark.require_user("root")
+ def test_udp_port_closed(self):
+ ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1")
+
+ import scapy.all as sp
+
+ packet = sp.IPv6(dst="64:ff9b::192.0.2.2") \
+ / sp.UDP(dport=1222) / sp.Raw("bar")
+ reply = sp.sr1(packet, timeout=3)
+ print(reply.show())
+
+ # We expect an ICMPv6 error, not a UDP reply
+ assert not reply.getlayer(sp.UDP)
+ icmp = reply.getlayer(sp.ICMPv6DestUnreach)
+ assert icmp
+ assert icmp.type == 1
+ assert icmp.code == 4
+ udp = reply.getlayer(sp.UDPerror)
+ assert udp
+ assert udp.dport == 1222