xref: /linux/tools/testing/selftests/net/netfilter/nft_flowtable.sh (revision 90602c251cda8a1e526efb250f28c1ea3f87cd78) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# This tests basic flowtable functionality.
5# Creates following default topology:
6#
7# Originator (MTU 9000) <-Router1-> MTU 1500 <-Router2-> Responder (MTU 2000)
8# Router1 is the one doing flow offloading, Router2 has no special
9# purpose other than having a link that is smaller than either Originator
10# and responder, i.e. TCPMSS announced values are too large and will still
11# result in fragmentation and/or PMTU discovery.
12#
13# You can check with different Orgininator/Link/Responder MTU eg:
14# nft_flowtable.sh -o8000 -l1500 -r2000
15#
16
17source lib.sh
18
19ret=0
20SOCAT_TIMEOUT=60
21
22nsin=""
23ns1out=""
24ns2out=""
25
26log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
27
28checktool "nft --version" "run test without nft tool"
29checktool "socat -h" "run test without socat"
30
31setup_ns ns1 ns2 nsr1 nsr2
32
33cleanup() {
34	ip netns pids "$ns1" | xargs kill 2>/dev/null
35	ip netns pids "$ns2" | xargs kill 2>/dev/null
36
37	cleanup_all_ns
38
39	rm -f "$nsin" "$ns1out" "$ns2out"
40
41	[ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns="$log_netns"
42}
43
44trap cleanup EXIT
45
46sysctl -q net.netfilter.nf_log_all_netns=1
47
48ip link add veth0 netns "$nsr1" type veth peer name eth0 netns "$ns1"
49ip link add veth1 netns "$nsr1" type veth peer name veth0 netns "$nsr2"
50
51ip link add veth1 netns "$nsr2" type veth peer name eth0 netns "$ns2"
52
53for dev in veth0 veth1; do
54    ip -net "$nsr1" link set "$dev" up
55    ip -net "$nsr2" link set "$dev" up
56done
57
58ip -net "$nsr1" addr add 10.0.1.1/24 dev veth0
59ip -net "$nsr1" addr add dead:1::1/64 dev veth0 nodad
60
61ip -net "$nsr2" addr add 10.0.2.1/24 dev veth1
62ip -net "$nsr2" addr add dead:2::1/64 dev veth1 nodad
63
64# set different MTUs so we need to push packets coming from ns1 (large MTU)
65# to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1),
66# or to do PTMU discovery (send ICMP error back to originator).
67# ns2 is going via nsr2 with a smaller mtu, so that TCPMSS announced by both peers
68# is NOT the lowest link mtu.
69
70omtu=9000
71lmtu=1500
72rmtu=2000
73
74filesize=$((2 * 1024 * 1024))
75
76usage(){
77	echo "nft_flowtable.sh [OPTIONS]"
78	echo
79	echo "MTU options"
80	echo "   -o originator"
81	echo "   -l link"
82	echo "   -r responder"
83	exit 1
84}
85
86while getopts "o:l:r:s:" o
87do
88	case $o in
89		o) omtu=$OPTARG;;
90		l) lmtu=$OPTARG;;
91		r) rmtu=$OPTARG;;
92		s) filesize=$OPTARG;;
93		*) usage;;
94	esac
95done
96
97if ! ip -net "$nsr1" link set veth0 mtu "$omtu"; then
98	exit 1
99fi
100
101ip -net "$ns1" link set eth0 mtu "$omtu"
102
103if ! ip -net "$nsr2" link set veth1 mtu "$rmtu"; then
104	exit 1
105fi
106
107if ! ip -net "$nsr1" link set veth1 mtu "$lmtu"; then
108	exit 1
109fi
110
111if ! ip -net "$nsr2" link set veth0 mtu "$lmtu"; then
112	exit 1
113fi
114
115ip -net "$ns2" link set eth0 mtu "$rmtu"
116
117# transfer-net between nsr1 and nsr2.
118# these addresses are not used for connections.
119ip -net "$nsr1" addr add 192.168.10.1/24 dev veth1
120ip -net "$nsr1" addr add fee1:2::1/64 dev veth1 nodad
121
122ip -net "$nsr2" addr add 192.168.10.2/24 dev veth0
123ip -net "$nsr2" addr add fee1:2::2/64 dev veth0 nodad
124
125for i in 0 1; do
126  ip netns exec "$nsr1" sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
127  ip netns exec "$nsr2" sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
128done
129
130for ns in "$ns1" "$ns2";do
131  ip -net "$ns" link set eth0 up
132
133  if ! ip netns exec "$ns" sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then
134	echo "ERROR: Check Originator/Responder values (problem during address addition)"
135	exit 1
136  fi
137  # don't set ip DF bit for first two tests
138  ip netns exec "$ns" sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null
139done
140
141ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
142ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
143ip -net "$ns1" route add default via 10.0.1.1
144ip -net "$ns2" route add default via 10.0.2.1
145ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
146ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad
147ip -net "$ns1" route add default via dead:1::1
148ip -net "$ns2" route add default via dead:2::1
149
150ip -net "$nsr1" route add default via 192.168.10.2
151ip -net "$nsr2" route add default via 192.168.10.1
152
153ip netns exec "$nsr1" nft -f - <<EOF
154table inet filter {
155  flowtable f1 {
156     hook ingress priority 0
157     devices = { veth0, veth1 }
158   }
159
160   counter routed_orig { }
161   counter routed_repl { }
162
163   chain forward {
164      type filter hook forward priority 0; policy drop;
165
166      # flow offloaded? Tag ct with mark 1, so we can detect when it fails.
167      meta oif "veth1" tcp dport 12345 ct mark set 1 flow add @f1 counter name routed_orig accept
168
169      # count packets supposedly offloaded as per direction.
170      ct mark 1 counter name ct direction map { original : routed_orig, reply : routed_repl } accept
171
172      ct state established,related accept
173
174      meta nfproto ipv4 meta l4proto icmp accept
175      meta nfproto ipv6 meta l4proto icmpv6 accept
176   }
177}
178EOF
179
180if [ $? -ne 0 ]; then
181	echo "SKIP: Could not load nft ruleset"
182	exit $ksft_skip
183fi
184
185ip netns exec "$ns2" nft -f - <<EOF
186table inet filter {
187   counter ip4dscp0 { }
188   counter ip4dscp3 { }
189
190   chain input {
191      type filter hook input priority 0; policy accept;
192      meta l4proto tcp goto {
193	      ip dscp cs3 counter name ip4dscp3 accept
194	      ip dscp 0 counter name ip4dscp0 accept
195      }
196   }
197}
198EOF
199
200if [ $? -ne 0 ]; then
201	echo -n "SKIP: Could not load ruleset: "
202	nft --version
203	exit $ksft_skip
204fi
205
206# test basic connectivity
207if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.99 > /dev/null; then
208  echo "ERROR: $ns1 cannot reach ns2" 1>&2
209  exit 1
210fi
211
212if ! ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then
213  echo "ERROR: $ns2 cannot reach $ns1" 1>&2
214  exit 1
215fi
216
217nsin=$(mktemp)
218ns1out=$(mktemp)
219ns2out=$(mktemp)
220
221make_file()
222{
223	name="$1"
224	sz="$2"
225
226	head -c "$sz" < /dev/urandom > "$name"
227}
228
229check_counters()
230{
231	local what=$1
232	local ok=1
233
234	local orig repl
235	orig=$(ip netns exec "$nsr1" nft reset counter inet filter routed_orig | grep packets)
236	repl=$(ip netns exec "$nsr1" nft reset counter inet filter routed_repl | grep packets)
237
238	local orig_cnt=${orig#*bytes}
239	local repl_cnt=${repl#*bytes}
240
241	local fs
242	fs=$(du -sb "$nsin")
243	local max_orig=${fs%%/*}
244	local max_repl=$((max_orig))
245
246	# flowtable fastpath should bypass normal routing one, i.e. the counters in forward hook
247	# should always be lower than the size of the transmitted file (max_orig).
248	if [ "$orig_cnt" -gt "$max_orig" ];then
249		echo "FAIL: $what: original counter $orig_cnt exceeds expected value $max_orig, reply counter $repl_cnt" 1>&2
250		ret=1
251		ok=0
252	fi
253
254	if [ "$repl_cnt" -gt $max_repl ];then
255		echo "FAIL: $what: reply counter $repl_cnt exceeds expected value $max_repl, original counter $orig_cnt" 1>&2
256		ret=1
257		ok=0
258	fi
259
260	if [ $ok -eq 1 ]; then
261		echo "PASS: $what"
262	fi
263}
264
265check_dscp()
266{
267	local what=$1
268	local ok=1
269
270	local counter
271	counter=$(ip netns exec "$ns2" nft reset counter inet filter ip4dscp3 | grep packets)
272
273	local pc4=${counter%*bytes*}
274	local pc4=${pc4#*packets}
275
276	counter=$(ip netns exec "$ns2" nft reset counter inet filter ip4dscp0 | grep packets)
277	local pc4z=${counter%*bytes*}
278	local pc4z=${pc4z#*packets}
279
280	case "$what" in
281	"dscp_none")
282		if [ "$pc4" -gt 0 ] || [ "$pc4z" -eq 0 ]; then
283			echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
284			ret=1
285			ok=0
286		fi
287		;;
288	"dscp_fwd")
289		if [ "$pc4" -eq 0 ] || [ "$pc4z" -eq 0 ]; then
290			echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
291			ret=1
292			ok=0
293		fi
294		;;
295	"dscp_ingress")
296		if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
297			echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
298			ret=1
299			ok=0
300		fi
301		;;
302	"dscp_egress")
303		if [ "$pc4" -eq 0 ] || [ "$pc4z" -gt 0 ]; then
304			echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
305			ret=1
306			ok=0
307		fi
308		;;
309	*)
310		echo "FAIL: Unknown DSCP check" 1>&2
311		ret=1
312		ok=0
313	esac
314
315	if [ "$ok" -eq 1 ] ;then
316		echo "PASS: $what: dscp packet counters match"
317	fi
318}
319
320check_transfer()
321{
322	in=$1
323	out=$2
324	what=$3
325
326	if ! cmp "$in" "$out" > /dev/null 2>&1; then
327		echo "FAIL: file mismatch for $what" 1>&2
328		ls -l "$in"
329		ls -l "$out"
330		return 1
331	fi
332
333	return 0
334}
335
336listener_ready()
337{
338	ss -N "$nsb" -lnt -o "sport = :12345" | grep -q 12345
339}
340
341test_tcp_forwarding_ip()
342{
343	local nsa=$1
344	local nsb=$2
345	local dstip=$3
346	local dstport=$4
347	local lret=0
348
349	timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" &
350	lpid=$!
351
352	busywait 1000 listener_ready
353
354	timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out"
355
356	wait $lpid
357
358	if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then
359		lret=1
360		ret=1
361	fi
362
363	if ! check_transfer "$nsin" "$ns1out" "ns1 <- ns2"; then
364		lret=1
365		ret=1
366	fi
367
368	return $lret
369}
370
371test_tcp_forwarding()
372{
373	test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
374
375	return $?
376}
377
378test_tcp_forwarding_set_dscp()
379{
380	check_dscp "dscp_none"
381
382ip netns exec "$nsr1" nft -f - <<EOF
383table netdev dscpmangle {
384   chain setdscp0 {
385      type filter hook ingress device "veth0" priority 0; policy accept
386	ip dscp set cs3
387  }
388}
389EOF
390if [ $? -eq 0 ]; then
391	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
392	check_dscp "dscp_ingress"
393
394	ip netns exec "$nsr1" nft delete table netdev dscpmangle
395else
396	echo "SKIP: Could not load netdev:ingress for veth0"
397fi
398
399ip netns exec "$nsr1" nft -f - <<EOF
400table netdev dscpmangle {
401   chain setdscp0 {
402      type filter hook egress device "veth1" priority 0; policy accept
403      ip dscp set cs3
404  }
405}
406EOF
407if [ $? -eq 0 ]; then
408	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
409	check_dscp "dscp_egress"
410
411	ip netns exec "$nsr1" nft flush table netdev dscpmangle
412else
413	echo "SKIP: Could not load netdev:egress for veth1"
414fi
415
416	# partial.  If flowtable really works, then both dscp-is-0 and dscp-is-cs3
417	# counters should have seen packets (before and after ft offload kicks in).
418	ip netns exec "$nsr1" nft -a insert rule inet filter forward ip dscp set cs3
419	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
420	check_dscp "dscp_fwd"
421}
422
423test_tcp_forwarding_nat()
424{
425	local lret
426	local pmtu
427
428	test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
429	lret=$?
430
431	pmtu=$3
432	what=$4
433
434	if [ "$lret" -eq 0 ] ; then
435		if [ "$pmtu" -eq 1 ] ;then
436			check_counters "flow offload for ns1/ns2 with masquerade and pmtu discovery $what"
437		else
438			echo "PASS: flow offload for ns1/ns2 with masquerade $what"
439		fi
440
441		test_tcp_forwarding_ip "$1" "$2" 10.6.6.6 1666
442		lret=$?
443		if [ "$pmtu" -eq 1 ] ;then
444			check_counters "flow offload for ns1/ns2 with dnat and pmtu discovery $what"
445		elif [ "$lret" -eq 0 ] ; then
446			echo "PASS: flow offload for ns1/ns2 with dnat $what"
447		fi
448	fi
449
450	return $lret
451}
452
453make_file "$nsin" "$filesize"
454
455# First test:
456# No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed.
457# Due to MTU mismatch in both directions, all packets (except small packets like pure
458# acks) have to be handled by normal forwarding path.  Therefore, packet counters
459# are not checked.
460if test_tcp_forwarding "$ns1" "$ns2"; then
461	echo "PASS: flow offloaded for ns1/ns2"
462else
463	echo "FAIL: flow offload for ns1/ns2:" 1>&2
464	ip netns exec "$nsr1" nft list ruleset
465	ret=1
466fi
467
468# delete default route, i.e. ns2 won't be able to reach ns1 and
469# will depend on ns1 being masqueraded in nsr1.
470# expect ns1 has nsr1 address.
471ip -net "$ns2" route del default via 10.0.2.1
472ip -net "$ns2" route del default via dead:2::1
473ip -net "$ns2" route add 192.168.10.1 via 10.0.2.1
474
475# Second test:
476# Same, but with NAT enabled.  Same as in first test: we expect normal forward path
477# to handle most packets.
478ip netns exec "$nsr1" nft -f - <<EOF
479table ip nat {
480   chain prerouting {
481      type nat hook prerouting priority 0; policy accept;
482      meta iif "veth0" ip daddr 10.6.6.6 tcp dport 1666 counter dnat ip to 10.0.2.99:12345
483   }
484
485   chain postrouting {
486      type nat hook postrouting priority 0; policy accept;
487      meta oifname "veth1" counter masquerade
488   }
489}
490EOF
491
492if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then
493	echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2
494	exit 0
495fi
496
497if ! test_tcp_forwarding_nat "$ns1" "$ns2" 0 ""; then
498	echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2
499	ip netns exec "$nsr1" nft list ruleset
500	ret=1
501fi
502
503# Third test:
504# Same as second test, but with PMTU discovery enabled. This
505# means that we expect the fastpath to handle packets as soon
506# as the endpoints adjust the packet size.
507ip netns exec "$ns1" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
508ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
509
510# reset counters.
511# With pmtu in-place we'll also check that nft counters
512# are lower than file size and packets were forwarded via flowtable layer.
513# For earlier tests (large mtus), packets cannot be handled via flowtable
514# (except pure acks and other small packets).
515ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
516
517if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 ""; then
518	echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2
519	ip netns exec "$nsr1" nft list ruleset
520fi
521
522# Another test:
523# Add bridge interface br0 to Router1, with NAT enabled.
524test_bridge() {
525if ! ip -net "$nsr1" link add name br0 type bridge 2>/dev/null;then
526	echo "SKIP: could not add bridge br0"
527	[ "$ret" -eq 0 ] && ret=$ksft_skip
528	return
529fi
530ip -net "$nsr1" addr flush dev veth0
531ip -net "$nsr1" link set up dev veth0
532ip -net "$nsr1" link set veth0 master br0
533ip -net "$nsr1" addr add 10.0.1.1/24 dev br0
534ip -net "$nsr1" addr add dead:1::1/64 dev br0 nodad
535ip -net "$nsr1" link set up dev br0
536
537ip netns exec "$nsr1" sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null
538
539# br0 with NAT enabled.
540ip netns exec "$nsr1" nft -f - <<EOF
541flush table ip nat
542table ip nat {
543   chain prerouting {
544      type nat hook prerouting priority 0; policy accept;
545      meta iif "br0" ip daddr 10.6.6.6 tcp dport 1666 counter dnat ip to 10.0.2.99:12345
546   }
547
548   chain postrouting {
549      type nat hook postrouting priority 0; policy accept;
550      meta oifname "veth1" counter masquerade
551   }
552}
553EOF
554
555if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 "on bridge"; then
556	echo "FAIL: flow offload for ns1/ns2 with bridge NAT" 1>&2
557	ip netns exec "$nsr1" nft list ruleset
558	ret=1
559fi
560
561
562# Another test:
563# Add bridge interface br0 to Router1, with NAT and VLAN.
564ip -net "$nsr1" link set veth0 nomaster
565ip -net "$nsr1" link set down dev veth0
566ip -net "$nsr1" link add link veth0 name veth0.10 type vlan id 10
567ip -net "$nsr1" link set up dev veth0
568ip -net "$nsr1" link set up dev veth0.10
569ip -net "$nsr1" link set veth0.10 master br0
570
571ip -net "$ns1" addr flush dev eth0
572ip -net "$ns1" link add link eth0 name eth0.10 type vlan id 10
573ip -net "$ns1" link set eth0 up
574ip -net "$ns1" link set eth0.10 up
575ip -net "$ns1" addr add 10.0.1.99/24 dev eth0.10
576ip -net "$ns1" route add default via 10.0.1.1
577ip -net "$ns1" addr add dead:1::99/64 dev eth0.10 nodad
578
579if ! test_tcp_forwarding_nat "$ns1" "$ns2" 1 "bridge and VLAN"; then
580	echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2
581	ip netns exec "$nsr1" nft list ruleset
582	ret=1
583fi
584
585# restore test topology (remove bridge and VLAN)
586ip -net "$nsr1" link set veth0 nomaster
587ip -net "$nsr1" link set veth0 down
588ip -net "$nsr1" link set veth0.10 down
589ip -net "$nsr1" link delete veth0.10 type vlan
590ip -net "$nsr1" link delete br0 type bridge
591ip -net "$ns1" addr flush dev eth0.10
592ip -net "$ns1" link set eth0.10 down
593ip -net "$ns1" link set eth0 down
594ip -net "$ns1" link delete eth0.10 type vlan
595
596# restore address in ns1 and nsr1
597ip -net "$ns1" link set eth0 up
598ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
599ip -net "$ns1" route add default via 10.0.1.1
600ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
601ip -net "$ns1" route add default via dead:1::1
602ip -net "$nsr1" addr add 10.0.1.1/24 dev veth0
603ip -net "$nsr1" addr add dead:1::1/64 dev veth0 nodad
604ip -net "$nsr1" link set up dev veth0
605}
606
607test_bridge
608
609KEY_SHA="0x"$(ps -af | sha1sum | cut -d " " -f 1)
610KEY_AES="0x"$(ps -af | md5sum | cut -d " " -f 1)
611SPI1=$RANDOM
612SPI2=$RANDOM
613
614if [ $SPI1 -eq $SPI2 ]; then
615	SPI2=$((SPI2+1))
616fi
617
618do_esp() {
619    local ns=$1
620    local me=$2
621    local remote=$3
622    local lnet=$4
623    local rnet=$5
624    local spi_out=$6
625    local spi_in=$7
626
627    ip -net "$ns" xfrm state add src "$remote" dst "$me" proto esp spi "$spi_in"  enc aes "$KEY_AES"  auth sha1 "$KEY_SHA" mode tunnel sel src "$rnet" dst "$lnet"
628    ip -net "$ns" xfrm state add src "$me"  dst "$remote" proto esp spi "$spi_out" enc aes "$KEY_AES" auth sha1 "$KEY_SHA" mode tunnel sel src "$lnet" dst "$rnet"
629
630    # to encrypt packets as they go out (includes forwarded packets that need encapsulation)
631    ip -net "$ns" xfrm policy add src "$lnet" dst "$rnet" dir out tmpl src "$me" dst "$remote" proto esp mode tunnel priority 1 action allow
632    # to fwd decrypted packets after esp processing:
633    ip -net "$ns" xfrm policy add src "$rnet" dst "$lnet" dir fwd tmpl src "$remote" dst "$me" proto esp mode tunnel priority 1 action allow
634}
635
636do_esp "$nsr1" 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 "$SPI1" "$SPI2"
637
638do_esp "$nsr2" 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 "$SPI2" "$SPI1"
639
640ip netns exec "$nsr1" nft delete table ip nat
641
642# restore default routes
643ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1
644ip -net "$ns2" route add default via 10.0.2.1
645ip -net "$ns2" route add default via dead:2::1
646
647if test_tcp_forwarding "$ns1" "$ns2"; then
648	check_counters "ipsec tunnel mode for ns1/ns2"
649else
650	echo "FAIL: ipsec tunnel mode for ns1/ns2"
651	ip netns exec "$nsr1" nft list ruleset 1>&2
652	ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2
653fi
654
655if [ "$1" = "" ]; then
656	low=1280
657	mtu=$((65536 - low))
658	o=$(((RANDOM%mtu) + low))
659	l=$(((RANDOM%mtu) + low))
660	r=$(((RANDOM%mtu) + low))
661
662	MINSIZE=$((2 *  1000 * 1000))
663	MAXSIZE=$((64 * 1000 * 1000))
664
665	filesize=$(((RANDOM * RANDOM) % MAXSIZE))
666	if [ "$filesize" -lt "$MINSIZE" ]; then
667		filesize=$((filesize+MINSIZE))
668	fi
669
670	echo "re-run with random mtus and file size: -o $o -l $l -r $r -s $filesize"
671	$0 -o "$o" -l "$l" -r "$r" -s "$filesize"
672fi
673
674exit $ret
675