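#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Run a couple of IP defragmentation tests.
#
# Every ./ip_defrag run, every sysctl write and the ip6tables rule below are
# issued through "ip netns exec" in a throw-away network namespace that is
# removed again when the script exits.

set +x
set -e

# NOTE(review): presumably this module provides the
# net.netfilter.nf_conntrack_frag6_* sysctls written in setup() - confirm.
modprobe -q nf_defrag_ipv6

# mktemp -u only prints a random name; no file is created. The string is used
# purely as a unique suffix for the namespace name.
readonly NETNS="ns-$(mktemp -u XXXXXX)"

# Remove the test namespace. Armed as the EXIT trap by setup().
cleanup() {
	ip netns del "${NETNS}"
}

# Write one sysctl inside ${NETNS}.
# Arguments: $1 - the setting, as key=value
# Returns:   0 on success, otherwise sysctl's exit status
ns_sysctl() {
	# sysctl's own output stays discarded, so name the failing key here:
	# under "set -e" the script would otherwise stop with no diagnostic.
	ip netns exec "${NETNS}" sysctl -w "$1" >/dev/null 2>&1 || {
		sysctl_rc=$?
		echo "$0: cannot set $1 in ${NETNS}" >&2
		return "${sysctl_rc}"
	}
}

# Create the namespace, bring up loopback and tune the fragment queues.
setup() {
	ip netns add "${NETNS}"
	# Arm the cleanup only after the namespace was created by this script.
	# If "ip netns add" fails (for instance because the name is already
	# taken), the exit path must not delete a namespace we do not own.
	trap cleanup EXIT
	ip -netns "${NETNS}" link set lo up

	# IPv4 reassembly: memory thresholds and fragment timeout.
	ns_sysctl net.ipv4.ipfrag_high_thresh=9000000
	ns_sysctl net.ipv4.ipfrag_low_thresh=7000000
	ns_sysctl net.ipv4.ipfrag_time=1

	# IPv6 reassembly: same values as for IPv4.
	ns_sysctl net.ipv6.ip6frag_high_thresh=9000000
	ns_sysctl net.ipv6.ip6frag_low_thresh=7000000
	ns_sysctl net.ipv6.ip6frag_time=1

	# nf_conntrack IPv6 reassembly: same values again.
	ns_sysctl net.netfilter.nf_conntrack_frag6_high_thresh=9000000
	ns_sysctl net.netfilter.nf_conntrack_frag6_low_thresh=7000000
	ns_sysctl net.netfilter.nf_conntrack_frag6_timeout=1

	# DST cache can get full with a lot of frags, with GC not keeping up with the test.
	ns_sysctl net.ipv6.route.max_size=65536
}

setup

echo "ipv4 defrag"
ip netns exec "${NETNS}" ./ip_defrag -4

echo "ipv4 defrag with overlaps"
ip netns exec "${NETNS}" ./ip_defrag -4o

echo "ipv6 defrag"
ip netns exec "${NETNS}" ./ip_defrag -6

echo "ipv6 defrag with overlaps"
ip netns exec "${NETNS}" ./ip_defrag -6o

# insert an nf_conntrack rule so that the codepath in nf_conntrack_reasm.c
# is taken
ip netns exec "${NETNS}" ip6tables -A INPUT -m conntrack --ctstate INVALID -j ACCEPT

echo "ipv6 nf_conntrack defrag"
ip netns exec "${NETNS}" ./ip_defrag -6

echo "ipv6 nf_conntrack defrag with overlaps"
# netfilter will drop some invalid packets, so we run the test in
# permissive mode: i.e. pass the test if the packet is correctly assembled
# even if we sent an overlap
ip netns exec "${NETNS}" ./ip_defrag -6op

echo "all tests done"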