| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-02-10 20:33:35 +0100 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-02-12 20:13:12 +0100 |
| commit | fb2b4ccf24b5ce56e58de9d99b67f2a6258e36b3 | |
| tree | b13c19389bc60d0d8f3a210ad14378a7a4fc335b /src/tests | |
| parent | a7e4885d83a33ad1f857df1b9d68abafe49378f3 | |

netns: ensure that icmp src address is correct with nat

This is a small test to ensure that icmp_ndo_send is actually doing the
right thing with regards to the source address. It tests this by
ensuring that the error comes back along the right path.

Also, backport the new ndo function for this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Diffstat (limited to 'src/tests')
-rwxr-xr-x | src/tests/netns.sh | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/tests/netns.sh b/src/tests/netns.sh index 315ccc4..ba5f83a 100755 --- a/src/tests/netns.sh +++ b/src/tests/netns.sh @@ -24,6 +24,7 @@ set -e exec 3>&1 +export LANG=C export WG_HIDE_KEYS=never netns0="wg-test-$$-0" netns1="wg-test-$$-1" @@ -300,7 +301,17 @@ if [[ $(ip1 -4 rule show all) == *suppress_prefixlength* ]]; then n1 ping -W 1 -c 100 -f abab::1111 fi +# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route. +n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2 +n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit. +n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward' +ip0 -4 route add 192.168.241.1 via 10.0.0.100 +n2 wg set wg0 peer "$pub1" remove +[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]] + n0 iptables -t nat -F +n0 iptables -t filter -F +n2 iptables -t nat -F ip0 link del vethrc ip0 link del vethrs ip1 link del wg0 |
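
Review bot: In the first hunk, `export LANG=C` does not pin the locale if the caller's environment already sets `LC_ALL` or `LC_MESSAGES`, since both take precedence over `LANG`. The new assertion further down matches ping's English message text ("Destination Host Unreachable"), so the test can still fail on a machine with a non-English `LC_ALL`. Consider `export LC_ALL=C` here instead, or in addition, so the string match is deterministic regardless of the invoking environment.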
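
Review bot: In the second hunk, the `! ... || false` inside `$(! n0 ping -W 1 -c 1 192.168.241.1 || false)` has no effect on the result, because the exit status of a command substitution is discarded when it is used as an operand of `[[ ... == ... ]]`; only the pattern match on ping's output decides pass or fail. Either drop the negation or add a short comment saying the ping is expected to fail and that the check is purely on the "From 10.0.0.100" source address, so a reader does not assume the exit code is being tested. It would also help to say in the leading comment why 10.0.0.100 is the expected source, since that is the whole point of the test. Separately, the cleanup lines flush the nat and filter tables but do not undo the `ip_forward` write in ns2, the `192.168.241.1 via 10.0.0.100` route in ns0, or the removal of peer `"$pub1"`; that is harmless only as long as this stays the last test before teardown, which is worth noting in a comment.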