#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0

rnd=$(mktemp -u XXXXXXXX)
nsr="nsr-$rnd"	# synproxy machine
ns1="ns1-$rnd"  # iperf client
ns2="ns2-$rnd"  # iperf server

checktool (){
	if ! $1 > /dev/null 2>&1; then
		echo "SKIP: Could not $2"
		exit $ksft_skip
	fi
}

checktool "nft --version" "run test without nft tool"
checktool "ip -Version" "run test without ip tool"
checktool "iperf3 --version" "run test without iperf3"
checktool "ip netns add $nsr" "create net namespace"

modprobe -q nf_conntrack

ip netns add $ns1
ip netns add $ns2

cleanup() {
	ip netns pids $ns1 | xargs kill 2>/dev/null
	ip netns pids $ns2 | xargs kill 2>/dev/null
	ip netns del $ns1
	ip netns del $ns2

	ip netns del $nsr
}

trap cleanup EXIT

ip link add veth0 netns $nsr type veth peer name eth0 netns $ns1
ip link add veth1 netns $nsr type veth peer name eth0 netns $ns2

for dev in lo veth0 veth1; do
ip -net $nsr link set $dev up
done

ip -net $nsr addr add 10.0.1.1/24 dev veth0
ip -net $nsr addr add 10.0.2.1/24 dev veth1

ip netns exec $nsr sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec $nsr sysctl -q net.ipv4.conf.veth1.forwarding=1
ip netns exec $nsr sysctl -q net.netfilter.nf_conntrack_tcp_loose=0

for n in $ns1 $ns2; do
  ip -net $n link set lo up
  ip -net $n link set eth0 up
done
ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns2 addr add 10.0.2.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1
ip -net $ns2 route add default via 10.0.2.1

# test basic connectivity
if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
  echo "ERROR: $ns1 cannot reach $ns2" 1>&2
  exit 1
fi

if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
  echo "ERROR: $ns2 cannot reach $ns1" 1>&2
  exit 1
fi

ip netns exec $ns2 iperf3 -s > /dev/null 2>&1 &
# ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 &

sleep 1

ip netns exec $nsr nft -f - <<EOF
table inet filter {
   chain prerouting {
      type filter hook prerouting priority -300; policy accept;
      meta iif veth0 tcp flags syn counter notrack
   }

  chain forward {
      type filter hook forward priority 0; policy accept;

      ct state new,established counter accept

      meta iif veth0 meta l4proto tcp ct state untracked,invalid synproxy mss 1460 sack-perm timestamp

      ct state invalid counter drop

      # make ns2 unreachable w.o. tcp synproxy
      tcp flags syn counter drop
   }
}
EOF
if [ $? -ne 0 ]; then
	echo "SKIP: Cannot add nft synproxy"
	exit $ksft_skip
fi

ip netns exec $ns1 timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null

if [ $? -ne 0 ]; then
	echo "FAIL: iperf3 returned an error" 1>&2
	ret=$?
	ip netns exec $nsr nft list ruleset
else
	echo "PASS: synproxy connection successful"
fi

exit $ret