3 # check that ICMP df-needed/pkttoobig icmp are set as related
8 # nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2
9 # MTU 1500, except for nsrouter2 <-> nsclient2 link (1280).
10 # ping nsclient2 from nsclient1, checking that conntrack set RELATED state on the
11 # 'fragmentation needed' icmp packet.
13 # In addition, nsrouter1 will perform IP masquerading, i.e. also
14 # check that the icmp errors are propagated to the correct host according to
15 # the nat mapping of the "established" icmp-echo "connection".
17 # Kselftest framework requirement - SKIP code is 4.
21 nft --version > /dev/null 2>&1
23 echo "SKIP: Could not run test without nft tool"
27 ip -Version > /dev/null 2>&1
29 echo "SKIP: Could not run test without ip tool"
34 for i in 1 2;do ip netns del nsclient$i;done
35 for i in 1 2;do ip netns del nsrouter$i;done
55 cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect")
57 echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2
58 ip netns exec $ns nft list counter inet filter "$name" 1>&2
67 expect="packets 0 bytes 0"
68 for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
69 check_counter $n "unknown" "$expect"
78 for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
80 ip -net $n link set lo up
84 ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
86 ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2
89 ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2
93 ip -net nsclient$i link set $DEV up
94 ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
95 ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
98 ip -net nsrouter1 link set eth1 up
99 ip -net nsrouter1 link set veth0 up
101 ip -net nsrouter2 link set eth1 up
102 ip -net nsrouter2 link set eth2 up
104 ip -net nsclient1 route add default via 192.168.1.1
105 ip -net nsclient1 -6 route add default via dead:1::1
107 ip -net nsclient2 route add default via 192.168.2.1
108 ip -net nsclient2 route add default via dead:2::1
111 ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1
112 ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0
113 ip -net nsrouter1 addr add dead:1::1/64 dev eth1
114 ip -net nsrouter1 addr add dead:3::1/64 dev veth0
115 ip -net nsrouter1 route add default via 192.168.3.10
116 ip -net nsrouter1 -6 route add default via dead:3::10
118 ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1
119 ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2
120 ip -net nsrouter2 addr add dead:2::1/64 dev eth1
121 ip -net nsrouter2 addr add dead:3::10/64 dev eth2
122 ip -net nsrouter2 route add default via 192.168.3.1
123 ip -net nsrouter2 route add default via dead:3::1
127 ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1
128 ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1
131 for netns in nsrouter1 nsrouter2; do
132 ip netns exec $netns nft -f - <<EOF
137 type filter hook forward priority 0; policy accept;
138 meta l4proto icmpv6 icmpv6 type "packet-too-big" ct state "related" counter name "related" accept
139 meta l4proto icmp icmp type "destination-unreachable" ct state "related" counter name "related" accept
140 meta l4proto { icmp, icmpv6 } ct state new,established accept
141 counter name "unknown" drop
147 ip netns exec nsclient1 nft -f - <<EOF
154 type filter hook input priority 0; policy accept;
156 icmp type "redirect" ct state "related" counter name "redir4" accept
157 icmpv6 type "nd-redirect" ct state "related" counter name "redir6" accept
159 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
160 meta l4proto { icmp, icmpv6 } ct state "related" counter name "related" accept
162 counter name "unknown" drop
167 ip netns exec nsclient2 nft -f - <<EOF
171 counter established { }
174 type filter hook input priority 0; policy accept;
175 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
177 meta l4proto { icmp, icmpv6 } ct state "new" counter name "new" accept
178 meta l4proto { icmp, icmpv6 } ct state "established" counter name "established" accept
179 counter name "unknown" drop
182 type filter hook output priority 0; policy accept;
183 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
185 meta l4proto { icmp, icmpv6 } ct state "new" counter name "new"
186 meta l4proto { icmp, icmpv6 } ct state "established" counter name "established"
187 counter name "unknown" drop
193 # make sure NAT core rewrites address of icmp error if nat is used according to
194 # conntrack nat information (icmp error will be directed at nsrouter1 address,
195 # but it needs to be routed to nsclient1 address).
196 ip netns exec nsrouter1 nft -f - <<EOF
199 type nat hook postrouting priority 0; policy accept;
200 ip protocol icmp oifname "veth0" counter masquerade
205 type nat hook postrouting priority 0; policy accept;
206 ip6 nexthdr icmpv6 oifname "veth0" counter masquerade
211 ip netns exec nsrouter2 ip link set eth1 mtu 1280
212 ip netns exec nsclient2 ip link set veth0 mtu 1280
215 ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null
216 if [ $? -ne 0 ]; then
217 echo "ERROR: netns ip routing/connectivity broken" 1>&2
221 ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null
222 if [ $? -ne 0 ]; then
223 echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2
229 if [ $? -ne 0 ]; then
233 expect="packets 0 bytes 0"
234 for netns in nsrouter1 nsrouter2 nsclient1;do
235 check_counter "$netns" "related" "$expect"
236 if [ $? -ne 0 ]; then
241 expect="packets 2 bytes 2076"
242 check_counter nsclient2 "new" "$expect"
243 if [ $? -ne 0 ]; then
247 ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null
248 if [ $? -eq 0 ]; then
249 echo "ERROR: ping should have failed with PMTU too big error" 1>&2
253 # nsrouter2 should have generated the icmp error, so
254 # related counter should be 0 (it's in forward).
255 expect="packets 0 bytes 0"
256 check_counter "nsrouter2" "related" "$expect"
257 if [ $? -ne 0 ]; then
261 # but nsrouter1 should have seen it, same for nsclient1.
262 expect="packets 1 bytes 576"
263 for netns in nsrouter1 nsclient1;do
264 check_counter "$netns" "related" "$expect"
265 if [ $? -ne 0 ]; then
270 ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null
271 if [ $? -eq 0 ]; then
272 echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2
276 expect="packets 2 bytes 1856"
277 for netns in nsrouter1 nsclient1;do
278 check_counter "$netns" "related" "$expect"
279 if [ $? -ne 0 ]; then
284 if [ $ret -eq 0 ];then
285 echo "PASS: icmp mtu error had RELATED state"
287 echo "ERROR: icmp error RELATED state test has failed"
290 # add 'bad' route, expect icmp REDIRECT to be generated
291 ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1
292 ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1
294 ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null
296 expect="packets 1 bytes 112"
297 check_counter nsclient1 "redir4" "$expect"
302 ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null
303 expect="packets 1 bytes 192"
304 check_counter nsclient1 "redir6" "$expect"
309 if [ $ret -eq 0 ];then
310 echo "PASS: icmp redirects had RELATED state"
312 echo "ERROR: icmp redirect RELATED state test has failed"