# NOTE(review): this listing is an excerpt of a netfilter kselftest; the
# leading number on each line is the original file's line number and the
# gaps are omitted lines.  Heredocs, if-blocks and loops therefore look
# unterminated here, and variables such as ns1/ns2/waittime/ret/m are
# assigned on lines that are not shown.
2 # SPDX-License-Identifier: GPL-2.0
4 # Check that UNREPLIED tcp conntrack will eventually timeout.
7 # Kselftest framework requirement - SKIP code is 4.
# mktemp -u only generates a random token (no file is created); the token is
# used to build unique namespace names, so it gives uniqueness but no
# reservation -- acceptable because nothing else is expected to race for the
# same netns names.
12 sfx=$(mktemp -u "XXXXXXXX")
# Tool availability checks.  The "exit $ksft_skip" (code 4) presumably
# follows each echo on the omitted lines.  Note that iptables, which the
# script also needs (see the INPUT rule below), is not probed here.
16 nft --version > /dev/null 2>&1
18 echo "SKIP: Could not run test without nft tool"
22 ip -Version > /dev/null 2>&1
24 echo "SKIP: Could not run test without ip tool"
# Cleanup fragment: kill every process still running inside the two test
# namespaces (this is what reaps the background nc listener started below).
# stderr is silenced because xargs/kill complain when the pid list is empty.
# The unquoted $ns1/$ns2 are tolerable only because the names are generated
# by the script itself (alphanumeric mktemp token), never taken from input.
29 ip netns pids $ns1 | xargs kill 2>/dev/null
30 ip netns pids $ns2 | xargs kill 2>/dev/null
# Body of check_counter():  $cnt is always empty (grep -q prints nothing) and
# appears unused; what the caller relies on is the exit status of the command
# substitution, presumably tested by an "if [ $? -ne 0 ]" on the omitted next
# line.  $expect is a basic regex for grep, which is fine for the literal
# "packets N bytes M" string used at line 155 (add -F if metacharacters were
# ever expected).  On mismatch the actual counter is dumped to stderr.
47 cnt=$(ip netns exec $ns2 nft list counter inet filter "$name" | grep -q "$expect")
49 echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2
50 ip netns exec $ns2 nft list counter inet filter "$name" 1>&2
57 # Create test namespaces
# Requires CAP_NET_ADMIN.  If ns2 creation fails after ns1 exists, removal of
# ns1 depends on a cleanup trap that is not visible in this excerpt.
58 ip netns add $ns1 || exit 1
62 ip netns add $ns2 || exit 1
64 # Connect the namespace to the host using a veth pair
65 ip -net $ns1 link add name veth1 type veth peer name veth2
66 ip -net $ns1 link set netns $ns2 dev veth2
68 ip -net $ns1 link set up dev lo
69 ip -net $ns2 link set up dev lo
70 ip -net $ns1 link set up dev veth1
71 ip -net $ns2 link set up dev veth2
73 ip -net $ns2 addr add 10.11.11.2/24 dev veth2
74 ip -net $ns2 route add default via 10.11.11.1
# 10.99.99.99 (the "virtual ip" targeted by ns1) is not a local address of
# ns2, so forwarding is enabled on veth2 so that such packets traverse
# prerouting/conntrack instead of being dropped before the NAT hook can act.
76 ip netns exec $ns2 sysctl -q net.ipv4.conf.veth2.forwarding=1
78 # add a rule inside NS so we enable conntrack
# Uses iptables (not nft) in ns1 and has no "|| exit"; if iptables is
# missing the failure goes unnoticed and conntrack in ns1 is never enabled.
79 ip netns exec $ns1 iptables -A INPUT -m state --state established,related -j ACCEPT
81 ip -net $ns1 addr add 10.11.11.1/24 dev veth1
# Route the virtual ip through ns2 so that ns2 sees the SYNs on veth2.
82 ip -net $ns1 route add 10.99.99.99 via 10.11.11.2
84 # Check connectivity works
85 ip netns exec $ns1 ping -q -c 2 10.11.11.2 >/dev/null || exit 1
# Background listener that the later NAT redirect will target.  Its pid is
# not recorded; it is terminated by the "ip netns pids | xargs kill" cleanup.
87 ip netns exec $ns2 nc -l -p 8080 < /dev/null &
89 # however, conntrack entries are there
# Ruleset for ns2: an input chain that counts (a) new SYNs to the virtual ip
# port 80 ("connreq") and (b) new connections that were DNATed to 8080
# ("redir").  The named counter objects are presumably declared in the
# omitted lines between the table header and these rules.  Do not add
# comments inside the heredoc -- its body is what nft receives.
91 ip netns exec $ns2 nft -f - <<EOF
96 type filter hook input priority 0; policy accept;
97 ct state new tcp flags syn ip daddr 10.99.99.99 tcp dport 80 counter name "connreq" accept
98 ct state new ct status dnat tcp dport 8080 counter name "redir" accept
# $? here is the exit status of "nft -f -" (the heredoc is its stdin); the
# error exit presumably follows on an omitted line.
102 if [ $? -ne 0 ]; then
103 echo "ERROR: Could not load nft rules"
# Core of the test: the conntrack entry created by the first (unanswered)
# SYN carries no NAT binding, and NAT decisions are made only when an entry
# is created, so the later redirect cannot apply until that UNREPLIED
# SYN_SENT entry expires.  Shorten its lifetime to 10 s so this happens
# within the wait window below.  Applied inside ns2 via "ip netns exec",
# presumably a per-netns sysctl, so the host's conntrack timeouts stay intact.
107 ip netns exec $ns2 sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10
109 echo "INFO: connect $ns1 -> $ns2 to the virtual ip"
# Endless connect loop (single-quoted body continues past line 111 and is
# closed on an omitted line).  The fixed source port 60000 keeps every retry
# on the same 5-tuple, so retries hit the existing conntrack entry instead of
# creating fresh ones -- which is exactly the situation under test.
110 ip netns exec $ns1 bash -c 'while true ; do
111 nc -p 60000 10.99.99.99 80
# NAT redirect installed only after the first SYNs have already created the
# stale entry.  Heredoc body again -- no comments inside.
117 ip netns exec $ns2 nft -f - <<EOF
120 type nat hook prerouting priority 0; policy accept;
121 ip daddr 10.99.99.99 tcp dport 80 redirect to :8080
125 if [ $? -ne 0 ]; then
126 echo "ERROR: Could not load nat redirect"
# Sanity check that ns2 tracked the peer's SYN at all.  wc -l counts output
# lines; 2>/dev/null drops conntrack's stderr (presumably its "N flow entries"
# summary) so it does not inflate the count.  $count is unquoted but is the
# numeric output of wc, so it is safe.
130 count=$(ip netns exec $ns2 conntrack -L -p tcp --dport 80 2>/dev/null | wc -l)
131 if [ $count -eq 0 ]; then
132 echo "ERROR: $ns2 did not pick up tcp connection from peer"
# Poll for up to $waittime seconds (assigned on an omitted line) until an
# entry whose reply source port is 8080 appears, i.e. the redirect took
# effect after the stale SYN_SENT entry timed out.
136 echo "INFO: NAT redirect added in ns $ns2, waiting for $waittime seconds for nat to take effect"
137 for i in $(seq 1 $waittime); do
142 count=$(ip netns exec $ns2 conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
143 if [ $count -gt 0 ]; then
145 echo "PASS: redirection took effect after $i seconds"
# $m is computed on an omitted line; presumably a modulus of $i used to
# print progress only every few seconds.
150 if [ $m -eq 0 ]; then
151 echo " waited for $i seconds"
# Exactly one redirected connection is expected: a single 60-byte SYN
# counted by the "redir" rule.  check_counter's exit status is tested via $?.
155 expect="packets 1 bytes 60"
156 check_counter "$ns2" "redir" "$expect"
157 if [ $? -ne 0 ]; then
# $ret is maintained on omitted lines; the final verdict is printed here.
161 if [ $ret -eq 0 ];then
162 echo "PASS: redirection counter has expected values"
164 echo "ERROR: no tcp connection was redirected"