pf: Fix state handling when ICMP packets are diverted

Commit 66f2f1c832 ("pf: handle divert packets") missed a case that I
happened to hit while testing something.

Add a regression test for the ICMP case, based on the existing test.
Fix a buglet in the existing test (missing whitespace after "[").

Reviewed by:	kp
Sponsored by:	OPNsense
Sponsored by:	Klara, Inc.
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D54321
Mark Johnston
2025-12-20 18:18:50 +00:00
parent 183513d15f
commit 15178d8ed2
2 changed files with 44 additions and 6 deletions
+38 -2
@@ -402,8 +402,7 @@ pr260867_body()
"pass in on ${epair}b proto tcp from any to port 7 divert-to 0.0.0.0 port 1001"
reply=$(echo "foo" | nc -N 192.0.2.2 7)
if ["${reply}" != "foo" ];
then
if [ "${reply}" != "foo" ]; then
atf_fail "Did not receive echo reply"
fi
}
@@ -413,6 +412,42 @@ pr260867_cleanup()
pft_cleanup
}
atf_test_case "pr260867_icmp" "cleanup"
pr260867_icmp_head()
{
atf_set descr 'Variant of the PR260867 test'
atf_set require.user root
}
pr260867_icmp_body()
{
pft_init
divert_init
epair=$(vnet_mkepair)
atf_check ifconfig ${epair}a 192.0.2.1/24 up
vnet_mkjail alcatraz ${epair}b
jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
# Sanity check
atf_check -s exit:0 -o ignore ping -c3 192.0.2.2
jexec alcatraz $(atf_get_srcdir)/../common/divapp 1001 divert-back &
jexec alcatraz pfctl -e
pft_set_rules alcatraz \
"pass in on ${epair}b proto icmp from any to any divert-to 0.0.0.0 port 1001"
atf_check -o ignore ping -c 3 192.0.2.2
}
pr260867_icmp_cleanup()
{
pft_cleanup
}
atf_init_test_cases()
{
atf_add_test_case "in_div"
@@ -426,4 +461,5 @@ atf_init_test_cases()
atf_add_test_case "in_dn_in_div_in_out_div_out_dn_out"
atf_add_test_case "pr260867"
atf_add_test_case "pr260867_icmp"
}
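Review bot: In pr260867_icmp_body (second hunk) `divapp` is launched in the background and the divert rule is loaded and `ping -c 3` sent immediately afterwards, with nothing in between confirming the divert socket is bound; if the listener is not up when the first echo request is diverted, that packet may be dropped and ping exits non-zero, so the test can fail spuriously on a slow or loaded host. The existing pr260867 body it is modelled on appears to share this pattern. Polling for the listener before the ping, or at minimum a `sleep 1` after the `divapp` line, would make the outcome deterministic. Separately, the test only checks that ping succeeds, so it would also pass if the `divert-to` rule silently failed to match; since the fix concerns state handling, asserting afterwards that a state was created, e.g. `atf_check -o match:icmp jexec alcatraz pfctl -ss` (exact `pfctl -ss` output to be confirmed), would tighten it.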