Diffstat (limited to 'tests/sys/netpfil/pf/nat.sh')
-rw-r--r--tests/sys/netpfil/pf/nat.sh52
1 files changed, 47 insertions, 5 deletions
diff --git a/tests/sys/netpfil/pf/nat.sh b/tests/sys/netpfil/pf/nat.sh
index e55f46418221..0824671fa0f1 100644
--- a/tests/sys/netpfil/pf/nat.sh
+++ b/tests/sys/netpfil/pf/nat.sh
@@ -55,6 +55,9 @@ exhaust_body()
jexec echo ifconfig ${epair_echo}b 198.51.100.2/24 up
jexec echo /usr/sbin/inetd -p ${PWD}/inetd-echo.pid $(atf_get_srcdir)/echo_inetd.conf
+ # Disable checksum offload on one of the interfaces to ensure pf handles that
+ jexec nat ifconfig ${epair_nat}a -txcsum
+
# Enable pf!
jexec nat pfctl -e
pft_set_rules nat \
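Review bot: The comment added above `jexec nat ifconfig ${epair_nat}a -txcsum` leaves "that" undefined, so a reader cannot tell what pf behaviour this line is meant to exercise. If the intent is that pf must emit valid checksums itself once the NIC no longer fills them in, say so: `# Disable TX checksum offload on ${epair_nat}a so pf has to produce correct checksums for translated packets`. The command's exit status is also not checked here, so if the flag were not applied the test would presumably still pass on the offload path; `atf_check -s exit:0 jexec nat ifconfig ${epair_nat}a -txcsum` would make that visible. exhaust_body starts and ends outside this hunk.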
@@ -474,14 +477,49 @@ no_addrs_random_cleanup()
pft_cleanup
}
-nat_pass_head()
+atf_test_case "nat_pass_in" "cleanup"
+nat_pass_in_head()
+{
+ atf_set descr 'IPv4 NAT on inbound pass rule'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+nat_pass_in_body()
+{
+ setup_router_server_ipv4
+ # Delete the route back to make sure that the traffic has been NAT-ed
+ jexec server route del -net ${net_tester} ${net_server_host_router}
+ # Provide routing back to the NAT address
+ jexec server route add 203.0.113.0/24 ${net_server_host_router}
+ jexec router route add 203.0.113.0/24 -iface ${epair_tester}b
+
+ pft_set_rules router \
+ "block" \
+ "pass in on ${epair_tester}b inet proto tcp nat-to 203.0.113.0 keep state" \
+ "pass out on ${epair_server}a inet proto tcp keep state"
+
+ ping_server_check_reply exit:0 --ping-type=tcp3way --send-sport=4201
+
+ jexec router pfctl -qvvsr
+ jexec router pfctl -qvvss
+ jexec router ifconfig
+ jexec router netstat -rn
+}
+
+nat_pass_in_cleanup()
+{
+ pft_cleanup
+}
+
+nat_pass_out_head()
{
- atf_set descr 'IPv4 NAT on pass rule'
+ atf_set descr 'IPv4 NAT on outbound pass rule'
atf_set require.user root
atf_set require.progs scapy
}
-nat_pass_body()
+nat_pass_out_body()
{
setup_router_server_ipv4
# Delete the route back to make sure that the traffic has been NAT-ed
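Review bot: `nat_pass_out` is left without an `atf_test_case` declaration in the visible lines. The added lines declare `atf_test_case "nat_pass_in" "cleanup"` above `nat_pass_in_head()`, but nothing equivalent precedes the renamed `nat_pass_out_head()`, even though this same commit adds the missing declarations for `nat_match`, `binat_compat` and `binat_match`. Without the `"cleanup"` declaration the cleanup routine is presumably not advertised to the test runner, so `nat_pass_out_cleanup` (which calls `pft_cleanup`) may never run and the test's jails and interfaces could be left behind on the host. Add `atf_test_case "nat_pass_out" "cleanup"` directly above `nat_pass_out_head()`, unless it is already declared elsewhere in the file. `nat_pass_out_body` continues past the end of this hunk.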
@@ -500,11 +538,12 @@ nat_pass_body()
jexec router netstat -rn
}
-nat_pass_cleanup()
+nat_pass_out_cleanup()
{
pft_cleanup
}
+atf_test_case "nat_match" "cleanup"
nat_match_head()
{
atf_set descr 'IPv4 NAT on match rule'
@@ -644,6 +683,7 @@ map_e_pass_cleanup()
pft_cleanup
}
+atf_test_case "binat_compat" "cleanup"
binat_compat_head()
{
atf_set descr 'IPv4 BINAT with nat ruleset'
@@ -710,6 +750,7 @@ binat_compat_cleanup()
kill $(cat ${PWD}/inetd_tester.pid)
}
+atf_test_case "binat_match" "cleanup"
binat_match_head()
{
atf_set descr 'IPv4 BINAT with nat ruleset'
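Review bot: `binat_match` carries the same description as `binat_compat`, `'IPv4 BINAT with nat ruleset'`, so the two cases are indistinguishable in a test report now that both are declared. Since this hunk already touches the declaration, the `atf_set descr` line below it could be made specific, for example `atf_set descr 'IPv4 BINAT on match rule'` by analogy with `nat_match` (inferred from the test name; the body is outside this hunk, so confirm against what it actually configures).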
@@ -867,7 +908,8 @@ atf_init_test_cases()
atf_add_test_case "no_addrs_random"
atf_add_test_case "map_e_compat"
atf_add_test_case "map_e_pass"
- atf_add_test_case "nat_pass"
+ atf_add_test_case "nat_pass_in"
+ atf_add_test_case "nat_pass_out"
atf_add_test_case "nat_match"
atf_add_test_case "binat_compat"
atf_add_test_case "binat_match"