pf tests: Add option to send fragmented packets

Add option to send fragmented packets and to properly sniff them by reassembling them by the sniffer itself. Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D42354 (cherry picked from commit d7c9de2d68ca81c557e069c2b431529cf597886c) pf: Fix packet reassembly Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour. Reviewed by: kp Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D42355 (cherry picked from commit ede5d4ff5b39ccbc193c30fb6c093c7c4de9a464) pf: Update documentation regarding matching, scrubbing and reassembly Update pf documentation: - default behaviour of fragment reassembly - introduction of scrub option for filter rules - disadvantages of using the old scrub ruleset - options supported for match rules - fix missing list block end - remove duplicate description of match filter rule - update example to modern syntax Reviewed by: kp Fragments obtained from: OpenBSD Sponsored by: InnoGames GmbH Differential Revision: https://reviews.freebsd.org/D42270 (cherry picked from commit 5ed470bdb9da6442d6030cf0a7a8493f759fbb43)
2026-05-28 04:12:45 -04:00 · 2023-10-26 11:14:14 +02:00 · 2023-10-26 11:14:14 +02:00 · 9f3032b76b
commit 9f3032b76b
parent 7607204696
7 changed files with 307 additions and 88 deletions
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@ -401,7 +401,9 @@ set limit frags 20000
 .Ed
 .Pp
 sets the maximum number of entries in the memory pool used for fragment
-reassembly (generated by
+reassembly (generated by the
+.Ar set reassemble
+option or
 .Ar scrub
 rules) to 20000.
 Using
@ -495,6 +497,29 @@ For example:
 .Bd -literal -offset indent
 set optimization aggressive
 .Ed
+.It Ar set reassemble yes | no Op Cm no-df
+The
+.Cm reassemble
+option is used to enable or disable the reassembly of fragmented packets,
+and can be set to
+.Cm yes
+or
+.Cm no .
+If
+.Cm no-df
+is also specified, fragments with the
+.Dq dont-fragment
+bit set are reassembled too,
+instead of being dropped;
+the reassembled packet will have the
+.Dq dont-fragment
+bit cleared.
+The default value is
+.Cm no .
+.Pp
+This option is ignored if there are pre-FreeBSD 14
+.Cm scrub
+rules present.
 .It Ar set block-policy
 The
 .Ar block-policy
@ -768,19 +793,21 @@ Used to specify that packets must already be tagged with the given tag in order
 to match the rule.
 Inverse tag matching can also be done by specifying the !  operator before the
 tagged keyword.
+.El
 .Sh TRAFFIC NORMALIZATION
-Traffic normalization is used to sanitize packet content in such
-a way that there are no ambiguities in packet interpretation on
-the receiving side.
-The normalizer does IP fragment reassembly to prevent attacks
-that confuse intrusion detection systems by sending overlapping
-IP fragments.
-Packet normalization is invoked with the
-.Ar scrub
-directive.
+Traffic normalization is a broad umbrella term
+for aspects of the packet filter which deal with
+verifying packets, packet fragments, spoofed traffic,
+and other irregularities.
+.Ss Scrub
+Scrub involves sanitising packet content in such a way
+that there are no ambiguities in packet interpretation on the receiving side.
+It is invoked with the
+.Cm scrub
+option, added to filter rules.
 .Pp
-.Ar scrub
-has the following options:
+Parameters are specified enclosed in parentheses.
+At least one of the following parameters must be specified:
 .Bl -tag -width xxxx
 .It Ar no-df
 Clears the
@ -839,22 +866,8 @@ Replaces the IP identification field with random values to compensate
 for predictable values generated by many hosts.
 This option only applies to packets that are not fragmented
 after the optional fragment reassembly.
-.It Ar fragment reassemble
-Using
-.Ar scrub
-rules, fragments can be reassembled by normalization.
-In this case, fragments are buffered until they form a complete
-packet, and only the completed packet is passed on to the filter.
-The advantage is that filter rules have to deal only with complete
-packets, and can ignore fragments.
-The drawback of caching fragments is the additional memory cost.
-This is the default behaviour unless no fragment reassemble is specified.
-.It Ar no fragment reassemble
-Do not reassemble fragments.
 .It Ar reassemble tcp
 Statefully normalizes TCP connections.
-.Ar scrub reassemble tcp
-rules may not have the direction (in/out) specified.
 .Ar reassemble tcp
 performs the following normalizations:
 .Pp
@ -906,6 +919,41 @@ blind attacker would have to guess the timestamp as well.
 .Pp
 For example,
 .Bd -literal -offset indent
+match in all scrub (no-df random-id max-mss 1440)
+.Ed
+.Ss Scrub ruleset (pre-FreeBSD 14)
+In order to maintain compatibility with older releases of FreeBSD
+.Ar scrub
+rules can also be specified in their own ruleset.
+In such case they are invoked with the
+.Ar scrub
+directive.
+If there are such rules present they determine packet reassembly behaviour.
+When no such rules are present the option
+.Ar set reassembly
+takes precedence.
+The
+.Ar scrub
+rules can take all parameters specified above for a
+.Ar scrub
+option of filter rules and 2 more parameters controlling fragment reassembly:
+.Bl -tag -width xxxx
+.It Ar fragment reassemble
+Using
+.Ar scrub
+rules, fragments can be reassembled by normalization.
+In this case, fragments are buffered until they form a complete
+packet, and only the completed packet is passed on to the filter.
+The advantage is that filter rules have to deal only with complete
+packets, and can ignore fragments.
+The drawback of caching fragments is the additional memory cost.
+This is the default behaviour unless no fragment reassemble is specified.
+.It Ar no fragment reassemble
+Do not reassemble fragments.
+.El
+.Pp
+For example,
+.Bd -literal -offset indent
 scrub in on $ext_if all fragment reassemble
 .Ed
 .Pp
@ -917,6 +965,14 @@ much in the same way as
 works in the packet filter (see below).
 This mechanism should be used when it is necessary to exclude specific packets
 from broader scrub rules.
+.Pp
+.Ar scrub
+rules in the
+.Ar scrub
+ruleset are evaluated for every packet before stateful filtering.
+This means excessive usage of them will cause performance penalty.
+.Ar scrub reassemble tcp
+rules must not have the direction (in/out) specified.
 .Sh QUEUEING with ALTQ
 The ALTQ system is currently not available in the GENERIC kernel nor as
 loadable modules.
@ -1494,28 +1550,21 @@ rules differ from
 .Ar block
 and
 .Ar pass
-rules in that parameters are set every time a packet matches the rule, not only
+rules in that parameters are set for every rule a packet matches, not only
 on the last matching rule.
 For the following parameters, this means that the parameter effectively becomes
 "sticky" until explicitly overridden:
 .Ar queue ,
 .Ar dnpipe ,
-.Ar dnqueue
+.Ar dnqueue ,
+.Ar rtable ,
+.Ar scrub
 .
 .It Ar pass
 The packet is passed;
 state is created unless the
 .Ar no state
 option is specified.
-.It Ar match
-Action is unaltered, the previously matched rule's action still matters.
-Match rules apply queue and rtable assignments for every matched packet,
-subsequent matching pass or match rules can overwrite the assignment,
-if they don't specify a queue or an rtable, respectively, the previously
-set value remains.
-Additionally, match rules can contain log statements; the is logging done
-for each and every matching match rule, so it is possible to log a single
-packet multiple times.
 .El
 .Pp
 By default
@ -2597,6 +2646,8 @@ contain the necessary header information for the subprotocol that allows
 to filter on things such as TCP ports or to perform NAT.
 .Pp
 Besides the use of
+.Ar set reassemble
+option or
 .Ar scrub
 rules as described in
 .Sx TRAFFIC NORMALIZATION
@ -2605,7 +2656,11 @@ above, there are three options for handling fragments in the packet filter.
 One alternative is to filter individual fragments with filter rules.
 If no
 .Ar scrub
-rule applies to a fragment, it is passed to the filter.
+rule applies to a fragment or
+.Ar set reassemble
+is set to
+.Cm no
+, it is passed to the filter.
 Filter rules with matching IP header parameters decide whether the
 fragment is passed or blocked, in the same way as complete packets
 are filtered.
@ -2638,11 +2693,13 @@ rules.
 .Pp
 In most cases, the benefits of reassembly outweigh the additional
 memory cost, and it's recommended to use
+.Ar set reassemble
+option or
 .Ar scrub
-rules to reassemble
-all fragments via the
+rules with the
 .Ar fragment reassemble
-modifier.
+modifier to reassemble
+all fragments.
 .Pp
 The memory allocated for fragment caching can be limited using
 .Xr pfctl 8 .
@ -3007,12 +3064,12 @@ rdr on $ext_if proto tcp from any to any port 80 \e
 # (157.161.48.183, the only routable address)
 # and the private network is 10.0.0.0/8, for which we are doing NAT.

+# Reassemble incoming traffic
+set reassemble yes
+
 # use a macro for the interface name, so it can be changed easily
 ext_if = \&"kue0\&"

-# normalize all incoming traffic
-scrub in on $ext_if all fragment reassemble
-
 # block and log everything by default
 block return log on $ext_if all

--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@ -1043,14 +1043,22 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
 	int			 ip_len;
 	int			 tag = -1;
 	int			 verdict;
-	int			 srs;
+	bool			 scrub_compat;

 	PF_RULES_RASSERT();

 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
-	/* Check if there any scrub rules. Lack of scrub rules means enforced
-	 * packet normalization operation just like in OpenBSD. */
-	srs = (r != NULL);
+	/*
+	 * Check if there are any scrub rules, matching or not.
+	 * Lack of scrub rules means:
+	 *  - enforced packet normalization operation just like in OpenBSD
+	 *  - fragment reassembly depends on V_pf_status.reass
+	 * With scrub rules:
+	 *  - packet normalization is performed if there is a matching scrub rule
+	 *  - fragment reassembly is performed if the matching rule has no
+	 *    PFRULE_FRAGMENT_NOREASS flag
+	 */
+	scrub_compat = (r != NULL);
 	while (r != NULL) {
 		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
@ -1076,7 +1084,7 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
 			break;
 	}

-	if (srs) {
+	if (scrub_compat) {
 		/* With scrub rules present IPv4 normalization happens only
 		 * if one of rules has matched and it's not a "no scrub" rule */
 		if (r == NULL || r->action == PF_NOSCRUB)
@ -1087,12 +1095,6 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
 		pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
 		pf_counter_u64_critical_exit();
 		pf_rule_to_actions(r, &pd->act);
-	} else if ((!V_pf_status.reass && (h->ip_off & htons(IP_MF | IP_OFFMASK)))) {
-		/* With no scrub rules IPv4 fragment reassembly depends on the
-		 * global switch. Fragments can be dropped early if reassembly
-		 * is disabled. */
-		REASON_SET(reason, PFRES_NORM);
-		goto drop;
 	}

 	/* Check for illegal packets */
@ -1107,9 +1109,10 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
 	}

 	/* Clear IP_DF if the rule uses the no-df option or we're in no-df mode */
-	if ((((r && r->rule_flag & PFRULE_NODF) ||
-	    (V_pf_status.reass & PF_REASS_NODF)) && h->ip_off & htons(IP_DF)
-	)) {
+	if (((!scrub_compat && V_pf_status.reass & PF_REASS_NODF) ||
+	    (r != NULL && r->rule_flag & PFRULE_NODF)) &&
+	    (h->ip_off & htons(IP_DF))
+	) {
 		u_int16_t ip_off = h->ip_off;

 		h->ip_off &= htons(~IP_DF);
@ -1143,7 +1146,9 @@ pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
 		goto bad;
 	}

-	if (r==NULL || !(r->rule_flag & PFRULE_FRAGMENT_NOREASS)) {
+	if ((!scrub_compat && V_pf_status.reass) ||
+	    (r != NULL && !(r->rule_flag & PFRULE_FRAGMENT_NOREASS))
+	) {
 		max = fragoff + ip_len;

 		/* Fully buffer all of the fragments
@ -1203,14 +1208,20 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
 	int			 ooff;
 	u_int8_t		 proto;
 	int			 terminal;
-	int			 srs;
+	bool			 scrub_compat;

 	PF_RULES_RASSERT();

 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
-	/* Check if there any scrub rules. Lack of scrub rules means enforced
-	 * packet normalization operation just like in OpenBSD. */
-	srs = (r != NULL);
+	/*
+	 * Check if there are any scrub rules, matching or not.
+	 * Lack of scrub rules means:
+	 *  - enforced packet normalization operation just like in OpenBSD
+	 * With scrub rules:
+	 *  - packet normalization is performed if there is a matching scrub rule
+	 * XXX: Fragment reassembly always performed for IPv6!
+	 */
+	scrub_compat = (r != NULL);
 	while (r != NULL) {
 		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
@ -1235,7 +1246,7 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
 			break;
 	}

-	if (srs) {
+	if (scrub_compat) {
 		/* With scrub rules present IPv6 normalization happens only
 		 * if one of rules has matched and it's not a "no scrub" rule */
 		if (r == NULL || r->action == PF_NOSCRUB)
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@ -82,17 +82,29 @@ def prepare_ipv4(dst_address, send_params):

 def send_icmp_ping(dst_address, sendif, send_params):
    send_length = send_params['length']
+    send_frag_length = send_params['frag_length']
+    packets = []
    ether = sp.Ether()
    if ':' in dst_address:
        ip6 = prepare_ipv6(dst_address, send_params)
        icmp = sp.ICMPv6EchoRequest(data=sp.raw(build_payload(send_length)))
-        req = ether / ip6 / icmp
+        if send_frag_length:
+            for packet in sp.fragment(ip6 / icmp, fragsize=send_frag_length):
+                packets.append(ether / packet)
+        else:
+            packets.append(ether / ip6 / icmp)
+
    else:
        ip = prepare_ipv4(dst_address, send_params)
        icmp = sp.ICMP(type='echo-request')
        raw = sp.raw(build_payload(send_length))
-        req = ether / ip / icmp / raw
-    sp.sendp(req, sendif, verbose=False)
+        if send_frag_length:
+            for packet in sp.fragment(ip / icmp / raw, fragsize=send_frag_length):
+                packets.append(ether / packet)
+        else:
+            packets.append(ether / ip / icmp / raw)
+    for packet in packets:
+        sp.sendp(packet, sendif, verbose=False)


 def send_tcp_syn(dst_address, sendif, send_params):
@ -372,7 +384,7 @@ def check_tcp_syn_reply(expect_params, packet):
        return check_tcp_syn_reply_4(expect_params, packet)


-def setup_sniffer(recvif, ping_type, sniff_type, expect_params):
+def setup_sniffer(recvif, ping_type, sniff_type, expect_params, defrag):
    if ping_type == 'icmp' and sniff_type == 'request':
        checkfn = check_ping_request
    elif ping_type == 'icmp' and sniff_type == 'reply':
@ -384,7 +396,7 @@ def setup_sniffer(recvif, ping_type, sniff_type, expect_params):
    else:
        raise Exception('Unspported ping or sniff type')

-    return Sniffer(expect_params, checkfn, recvif)
+    return Sniffer(expect_params, checkfn, recvif, defrag=defrag)


 def parse_args():
@ -417,6 +429,8 @@ def parse_args():
    parser_send = parser.add_argument_group('Values set in transmitted packets')
    parser_send.add_argument('--send-flags', nargs=1, type=str,
        help='IPv4 fragmentation flags')
+    parser_send.add_argument('--send-frag-length', nargs=1, type=int,
+         help='Force IP fragmentation with given fragment length')
    parser_send.add_argument('--send-hlim', nargs=1, type=int,
        help='IPv6 Hop Limit or IPv4 Time To Live')
    parser_send.add_argument('--send-mss', nargs=1, type=int,
@ -428,7 +442,7 @@ def parse_args():
    parser_send.add_argument('--send-tc', nargs=1, type=int,
        help='IPv6 Traffic Class or IPv4 DiffServ / ToS')
    parser_send.add_argument('--send-tcpopt-unaligned', action='store_true',
-            help='Include unaligned TCP options')
+         help='Include unaligned TCP options')

    # Expectations
    parser_expect = parser.add_argument_group('Values expected in sniffed packets')
@ -467,7 +481,7 @@ def main():
    # Standardize parameters which have nargs=1.
    send_params = {}
    expect_params = {}
-    for param_name in ('flags', 'hlim', 'length', 'mss', 'seq', 'tc'):
+    for param_name in ('flags', 'hlim', 'length', 'mss', 'seq', 'tc', 'frag_length'):
        param_arg = vars(args).get(f'send_{param_name}')
        send_params[param_name] = param_arg[0] if param_arg else None
        param_arg = vars(args).get(f'expect_{param_name}')
@ -488,6 +502,11 @@ def main():

    sniffers = []

+    if send_params['frag_length']:
+        defrag = True
+    else:
+        defrag = False
+
    if recv_ifs:
        sniffer_params = copy(expect_params)
        sniffer_params['src_address'] = None
@ -495,7 +514,8 @@ def main():
        for iface in recv_ifs:
            LOGGER.debug(f'Installing receive sniffer on {iface}')
            sniffers.append(
-                setup_sniffer(iface, args.ping_type, 'request', sniffer_params,
+                setup_sniffer(iface, args.ping_type, 'request',
+                              sniffer_params, defrag,
            ))

    if reply_ifs:
@ -505,7 +525,8 @@ def main():
        for iface in reply_ifs:
            LOGGER.debug(f'Installing reply sniffer on {iface}')
            sniffers.append(
-                setup_sniffer(iface, args.ping_type, 'reply', sniffer_params,
+                setup_sniffer(iface, args.ping_type, 'reply',
+                              sniffer_params, defrag,
            ))

    LOGGER.debug(f'Installed {len(sniffers)} sniffers')
--- a/tests/sys/netpfil/common/sniffer.py
+++ b/tests/sys/netpfil/common/sniffer.py
@ -30,7 +30,7 @@ import scapy.all as sp
 import sys

 class Sniffer(threading.Thread):
-	def __init__(self, args, check_function, recvif, timeout=3):
+	def __init__(self, args, check_function, recvif, timeout=3, defrag=False):
 		threading.Thread.__init__(self)

 		self._sem = threading.Semaphore(0)
@ -38,6 +38,7 @@ class Sniffer(threading.Thread):
 		self._timeout = timeout
 		self._recvif = recvif
 		self._check_function = check_function
+		self._defrag = defrag
 		self.correctPackets = 0

 		self.start()
@ -55,6 +56,15 @@ class Sniffer(threading.Thread):

 	def run(self):
 		self.packets = []
-		self.packets = sp.sniff(iface=self._recvif,
-			stop_filter=self._checkPacket, timeout=self._timeout,
-			started_callback=self._startedCb)
+		if self._defrag:
+			# With fragment reassembly we can't stop the sniffer after catching
+			# the good packets, as those have not been reassembled. We must
+			#  wait for sniffer to finish and check returned packets instead.
+			self.packets = sp.sniff(session=sp.IPSession, iface=self._recvif,
+				timeout=self._timeout, started_callback=self._startedCb)
+			for p in self.packets:
+				self._checkPacket(p)
+		else:
+			self.packets = sp.sniff(iface=self._recvif,
+				stop_filter=self._checkPacket, timeout=self._timeout,
+				started_callback=self._startedCb)
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@ -13,6 +13,7 @@ ATF_TESTS_SH+=	altq \
 		forward \
 		fragmentation_compat \
 		fragmentation_pass \
+		fragmentation_no_reassembly \
 		get_state \
 		icmp \
 		killstate \
--- a/tests/sys/netpfil/pf/fragmentation_compat.sh
+++ b/tests/sys/netpfil/pf/fragmentation_compat.sh
@ -300,17 +300,6 @@ reassemble_body()
 	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2

 	jexec alcatraz pfctl -e
-	pft_set_rules alcatraz \
-		"pass out" \
-		"block in" \
-		"pass in inet proto icmp all icmp-type echoreq"
-
-	# Single fragment passes
-	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
-
-	# But a fragmented ping does not
-	atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
-
 	pft_set_rules alcatraz \
 		"scrub in" \
 		"pass out" \
--- a/tests/sys/netpfil/pf/fragmentation_no_reassembly.sh
+++ b/tests/sys/netpfil/pf/fragmentation_no_reassembly.sh
@ -0,0 +1,130 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2017 Kristof Provost <kp@FreeBSD.org>
+# Copyright (c) 2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "match_full_v4" "cleanup"
+match_full_v4_head()
+{
+    atf_set descr 'Matching non-fragmented IPv4 packets'
+    atf_set require.user root
+    atf_set require.progs scapy
+}
+
+match_full_v4_body()
+{
+    setup_router_dummy_ipv4
+
+    # Sanity check.
+    ping_dummy_check_request exit:0 --ping-type=icmp
+
+    # Only non-fragmented packets are passed
+    jexec router pfctl -e
+    pft_set_rules router \
+        "pass out" \
+        "block in" \
+        "pass in inet proto icmp all icmp-type echoreq"
+    ping_dummy_check_request exit:0 --ping-type=icmp
+    ping_dummy_check_request exit:1 --ping-type=icmp --send-length=2000 --send-frag-length 1000
+}
+
+match_full_v4_cleanup()
+{
+    pft_cleanup
+}
+
+
+atf_test_case "match_fragment_v4" "cleanup"
+match_fragment_v4_head()
+{
+    atf_set descr 'Matching fragmented IPv4 packets'
+    atf_set require.user root
+    atf_set require.progs scapy
+}
+
+match_fragment_v4_body()
+{
+    setup_router_dummy_ipv4
+
+    # Sanity check.
+    ping_dummy_check_request exit:0 --ping-type=icmp
+
+    # Only fragmented packets are passed
+    pft_set_rules router \
+        "pass out" \
+        "block in" \
+        "pass in inet proto icmp fragment"
+    ping_dummy_check_request exit:1 --ping-type=icmp
+    ping_dummy_check_request exit:0 --ping-type=icmp --send-length=2000 --send-frag-length 1000
+}
+
+match_fragment_v4_cleanup()
+{
+    pft_cleanup
+}
+
+
+atf_test_case "compat_override_v4" "cleanup"
+compat_override_v4_head()
+{
+    atf_set descr 'Scrub rules override "set reassemble" for IPv4'
+    atf_set require.user root
+    atf_set require.progs scapy
+}
+
+compat_override_v4_body()
+{
+    setup_router_dummy_ipv4
+
+    # Sanity check.
+    ping_dummy_check_request exit:0 --ping-type=icmp
+
+    # The same as match_fragment_v4 but with "set reassemble yes" which
+    # is ignored because of presence of scrub rules.
+    # Only fragmented packets are passed.
+    pft_set_rules router \
+        "set reassemble yes" \
+        "no scrub" \
+        "pass out" \
+        "block in" \
+        "pass in inet proto icmp fragment"
+    ping_dummy_check_request exit:1 --ping-type=icmp
+    ping_dummy_check_request exit:0 --ping-type=icmp --send-length=2000 --send-frag-length 1000
+}
+
+compat_override_v4_cleanup()
+{
+    pft_cleanup
+}
+
+
+atf_init_test_cases()
+{
+    atf_add_test_case "match_full_v4"
+    atf_add_test_case "match_fragment_v4"
+    atf_add_test_case "compat_override_v4"
+}