git: 373d6dbf34a8 - main - pf tests: verify that ICMP destination unreachable makes it through NAT64

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 17 Dec 2024 10:07:58 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=373d6dbf34a8c4c506ccaa6ac3f7cc42493d8b48

commit 373d6dbf34a8c4c506ccaa6ac3f7cc42493d8b48
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-11-11 16:48:49 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-12-17 10:07:15 +0000

    pf tests: verify that ICMP destination unreachable makes it through NAT64
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D47798
---
 tests/sys/netpfil/pf/nat64.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py
index a3bd6048028e..12793662c171 100644
--- a/tests/sys/netpfil/pf/nat64.py
+++ b/tests/sys/netpfil/pf/nat64.py
@@ -39,11 +39,13 @@ class TestNAT64(VnetTestTemplate):
     }
 
     def vnet3_handler(self, vnet):
+        ToolsHelper.print_output("/sbin/sysctl net.inet.ip.forwarding=1")
         ToolsHelper.print_output("echo foo | nc -l 1234 &")
 
     def vnet2_handler(self, vnet):
         ifname = vnet.iface_alias_map["if1"].name
 
+        ToolsHelper.print_output("/sbin/route add default 192.0.2.2")
         ToolsHelper.print_output("/sbin/pfctl -e")
         ToolsHelper.pf_rules([
             "pass inet6 proto icmp6",
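Review bot: The two setup commands added in vnet3_handler and vnet2_handler carry no comment saying why the new test needs them, and each changes the environment for every test in the class. Above the sysctl line I would add something like `# Forward packets so that unroutable destinations produce an ICMP unreachable`, and above the route line `# Route translated IPv4 traffic for off-link destinations via vnet3`. Both wordings are inferred from the new test; in particular, that 192.0.2.2 is vnet3's address is not visible in this hunk and should be confirmed. The body of vnet2_handler continues outside the hunk.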
@@ -102,3 +104,24 @@ class TestNAT64(VnetTestTemplate):
         udp = reply.getlayer(sp.UDPerror)
         assert udp
         assert udp.dport == 1222
+
+    @pytest.mark.require_user("root")
+    def test_address_unreachable(self):
+        ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1")
+
+        import scapy.all as sp
+
+        packet = sp.IPv6(dst="64:ff9b::198.51.100.3") \
+            / sp.UDP(dport=1222) / sp.Raw("bar")
+        reply = sp.sr1(packet, timeout=3)
+        print(reply.show())
+
+        # We expect an ICMPv6 error, not a UDP reply
+        assert not reply.getlayer(sp.UDP)
+        icmp = reply.getlayer(sp.ICMPv6DestUnreach)
+        assert icmp
+        assert icmp.type == 1
+        assert icmp.code == 0
+        udp = reply.getlayer(sp.UDPerror)
+        assert udp
+        assert udp.dport == 1222
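Review bot: `sp.sr1(packet, timeout=3)` returns None when nothing arrives within the timeout, so in test_address_unreachable a dropped ICMP error surfaces as an AttributeError on `reply.show()` rather than as a readable test failure. Add `assert reply, "no ICMPv6 error came back through NAT64"` right after the sr1 call. `reply.show()` prints the packet itself and returns None, so `print(reply.show())` emits a stray `None`; call `reply.show()` on its own. ICMPv6 type 1 code 0 means "no route to destination", so a one-line comment on why that code is expected in a test named address_unreachable would save the next reader a lookup.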