pf tests: verify that we generate an ICMP6 packet too big error on route-to

Sponsored by: Rubicon Communications, LLC ("Netgate")
2026-06-12 10:10:24 -04:00 · 2025-04-09 14:04:36 +02:00 · 2025-04-09 14:04:36 +02:00 · a4bd4e4b56
commit a4bd4e4b56
parent d1f4b9ffab
1 changed files with 54 additions and 0 deletions
--- a/tests/sys/netpfil/pf/frag6.py
+++ b/tests/sys/netpfil/pf/frag6.py
@ -141,3 +141,57 @@ class TestFrag6_Overlap(VnetTestTemplate):
        for p in packets:
            p.show()
            assert not p.getlayer(sp.ICMPv6EchoReply)
+
+class TestFrag6_RouteTo(VnetTestTemplate):
+    REQUIRED_MODULES = ["pf"]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1", "if2"]},
+        "vnet3": {"ifaces": ["if2"]},
+        "if1": {"prefixes6": [("2001:db8::1/64", "2001:db8::2/64")]},
+        "if2": {"prefixes6": [("2001:db8:1::1/64", "2001:db8:1::2/64")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        if2name = vnet.iface_alias_map["if2"].name
+        ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.print_output("/sbin/pfctl -x loud")
+        ToolsHelper.pf_rules([
+            "scrub fragment reassemble",
+            "pass in route-to (%s 2001:db8:1::2) from 2001:db8::1 to 2001:db8:666::1" % if2name,
+        ])
+
+        ToolsHelper.print_output("/sbin/ifconfig %s mtu 1300" % if2name)
+        ToolsHelper.print_output("/sbin/sysctl net.inet6.ip6.forwarding=1")
+
+    def vnet3_handler(self, vnet):
+        pass
+
+    def test_too_big(self):
+        ToolsHelper.print_output("/sbin/route add -6 default 2001:db8::2")
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+
+        pkt = sp.IPv6(dst="2001:db8:666::1") \
+            / sp.ICMPv6EchoRequest(data=sp.raw(bytes.fromhex('f0') * 3000))
+        frags = sp.fragment6(pkt, 1320)
+
+        reply = sp.sr1(frags, timeout=3)
+        if reply:
+            reply.show()
+
+        assert reply
+
+        ip6 = reply.getlayer(sp.IPv6)
+        icmp6 = reply.getlayer(sp.ICMPv6PacketTooBig)
+        err_ip6 = reply.getlayer(sp.IPerror6)
+
+        assert ip6
+        assert ip6.src == "2001:db8::2"
+        assert ip6.dst == "2001:db8::1"
+        assert icmp6
+        assert icmp6.mtu == 1300
+        assert err_ip6
+        assert err_ip6.src == "2001:db8::1"
+        assert err_ip6.dst == "2001:db8:666::1"