3 # check that ICMP df-needed/pkttoobig icmp errors are set as related
8 # nsclient1 -> nsrouter1 -> nsrouter2 -> nsclient2
9 # MTU 1500, except for nsrouter2 <-> nsclient2 link (1280).
10 # ping nsclient2 from nsclient1, checking that conntrack did set RELATED
11 # on the 'fragmentation needed' icmp packet.
13 # In addition, nsrouter1 will perform IP masquerading, i.e. also
14 # check that the icmp errors are propagated to the correct host as per
15 # the nat of the "established" icmp-echo "connection".
17 # Kselftest framework requirement - SKIP code is 4.
21 nft --version > /dev/null 2>&1
23 echo "SKIP: Could not run test without nft tool"
27 ip -Version > /dev/null 2>&1
29 echo "SKIP: Could not run test without ip tool"
34 for i in 1 2;do ip netns del nsclient$i;done
35 for i in 1 2;do ip netns del nsrouter$i;done
53 cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect")
55 echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2
56 ip netns exec $ns nft list counter inet filter "$name" 1>&2
65 expect="packets 0 bytes 0"
66 for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
67 check_counter $n "unknown" "$expect"
76 for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
78 ip -net $n link set lo up
82 ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
84 ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2
87 ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2
91 ip -net nsclient$i link set $DEV up
92 ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
93 ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
96 ip -net nsrouter1 link set eth1 up
97 ip -net nsrouter1 link set veth0 up
99 ip -net nsrouter2 link set eth1 up
100 ip -net nsrouter2 link set eth2 up
102 ip -net nsclient1 route add default via 192.168.1.1
103 ip -net nsclient1 -6 route add default via dead:1::1
105 ip -net nsclient2 route add default via 192.168.2.1
106 ip -net nsclient2 route add default via dead:2::1
109 ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1
110 ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0
111 ip -net nsrouter1 addr add dead:1::1/64 dev eth1
112 ip -net nsrouter1 addr add dead:3::1/64 dev veth0
113 ip -net nsrouter1 route add default via 192.168.3.10
114 ip -net nsrouter1 -6 route add default via dead:3::10
116 ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1
117 ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2
118 ip -net nsrouter2 addr add dead:2::1/64 dev eth1
119 ip -net nsrouter2 addr add dead:3::10/64 dev eth2
120 ip -net nsrouter2 route add default via 192.168.3.1
121 ip -net nsrouter2 route add default via dead:3::1
125 ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1
126 ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1
129 for netns in nsrouter1 nsrouter2; do
130 ip netns exec $netns nft -f - <<EOF
135 type filter hook forward priority 0; policy accept;
136 meta l4proto icmpv6 icmpv6 type "packet-too-big" ct state "related" counter name "related" accept
137 meta l4proto icmp icmp type "destination-unreachable" ct state "related" counter name "related" accept
138 meta l4proto { icmp, icmpv6 } ct state new,established accept
139 counter name "unknown" drop
145 ip netns exec nsclient1 nft -f - <<EOF
150 type filter hook input priority 0; policy accept;
151 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
153 meta l4proto { icmp, icmpv6 } ct state "related" counter name "related" accept
154 counter name "unknown" drop
159 ip netns exec nsclient2 nft -f - <<EOF
163 counter established { }
166 type filter hook input priority 0; policy accept;
167 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
169 meta l4proto { icmp, icmpv6 } ct state "new" counter name "new" accept
170 meta l4proto { icmp, icmpv6 } ct state "established" counter name "established" accept
171 counter name "unknown" drop
174 type filter hook output priority 0; policy accept;
175 meta l4proto { icmp, icmpv6 } ct state established,untracked accept
177 meta l4proto { icmp, icmpv6 } ct state "new" counter name "new"
178 meta l4proto { icmp, icmpv6 } ct state "established" counter name "established"
179 counter name "unknown" drop
185 # make sure the NAT core rewrites the address of the icmp error, if nat is used, according to
186 # the conntrack nat information (the icmp error will be directed at the nsrouter1 address,
187 # but it needs to be routed to the nsclient1 address).
188 ip netns exec nsrouter1 nft -f - <<EOF
191 type nat hook postrouting priority 0; policy accept;
192 ip protocol icmp oifname "veth0" counter masquerade
197 type nat hook postrouting priority 0; policy accept;
198 ip6 nexthdr icmpv6 oifname "veth0" counter masquerade
203 ip netns exec nsrouter2 ip link set eth1 mtu 1280
204 ip netns exec nsclient2 ip link set veth0 mtu 1280
207 ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null
208 if [ $? -ne 0 ]; then
209 echo "ERROR: netns ip routing/connectivity broken" 1>&2
213 ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null
214 if [ $? -ne 0 ]; then
215 echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2
221 if [ $? -ne 0 ]; then
225 expect="packets 0 bytes 0"
226 for netns in nsrouter1 nsrouter2 nsclient1;do
227 check_counter "$netns" "related" "$expect"
228 if [ $? -ne 0 ]; then
233 expect="packets 2 bytes 2076"
234 check_counter nsclient2 "new" "$expect"
235 if [ $? -ne 0 ]; then
239 ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null
240 if [ $? -eq 0 ]; then
241 echo "ERROR: ping should have failed with PMTU too big error" 1>&2
245 # nsrouter2 should have generated the icmp error itself, so its
246 # related counter should be 0 (the counter sits in the forward hook, which a locally generated packet does not traverse).
247 expect="packets 0 bytes 0"
248 check_counter "nsrouter2" "related" "$expect"
249 if [ $? -ne 0 ]; then
253 # but nsrouter1 should have seen it, same for nsclient1.
254 expect="packets 1 bytes 576"
255 for netns in nsrouter1 nsclient1;do
256 check_counter "$netns" "related" "$expect"
257 if [ $? -ne 0 ]; then
262 ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null
263 if [ $? -eq 0 ]; then
264 echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2
268 expect="packets 2 bytes 1856"
269 for netns in nsrouter1 nsclient1;do
270 check_counter "$netns" "related" "$expect"
271 if [ $? -ne 0 ]; then
276 if [ $ret -eq 0 ];then
277 echo "PASS: icmp mtu error had RELATED state"
279 echo "ERROR: icmp error RELATED state test has failed"