pf tests: test that reassembly is or is not performed as expected

We can now tell scrub rules to not reassemble packets. Test that this
affects packets being passed or dropped as expected.

Sponsored by:	Rubicon Communications, LLC ("Netgate")

tests/sys/netpfil/pf/fragmentation.sh

@@ -269,6 +269,64 @@ overlimit_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "reassemble" "cleanup"
+reassemble_head()
+{
+	atf_set descr 'Test reassembly'
+	atf_set require.user root
+}
+
+reassemble_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+	vnet_mkjail alcatraz ${epair}a
+
+	ifconfig ${epair}b inet 192.0.2.1/24 up
+	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+		"pass out" \
+		"block in" \
+		"pass in inet proto icmp all icmp-type echoreq"
+
+	# Single fragment passes
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+
+	# But a fragmented ping does not
+	atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
+
+	pft_set_rules alcatraz \
+		"scrub in" \
+		"pass out" \
+		"block in" \
+		"pass in inet proto icmp all icmp-type echoreq"
+
+	# Both single packet & fragmented pass when we scrub
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+	atf_check -s exit:0 -o ignore ping -c 1 -s 2000 192.0.2.2
+
+	pft_set_rules alcatraz \
+		"scrub in fragment no reassemble" \
+		"pass out" \
+		"block in" \
+		"pass in inet proto icmp all icmp-type echoreq"
+
+	# And the fragmented ping doesn't pass if we do not reassemble
+	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
+	atf_check -s exit:2 -o ignore ping -c 1 -s 2000 192.0.2.2
+}
+
+reassemble_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "too_many_fragments"
@@ -277,4 +335,5 @@ atf_init_test_cases()
 	atf_add_test_case "overreplace"
 	atf_add_test_case "overindex"
 	atf_add_test_case "overlimit"
+	atf_add_test_case "reassemble"
 }