author | Florian Westphal <fw@strlen.de> | 2019-03-25 23:11:53 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-04-13 14:52:57 +0200 |
commit | becf2319f320cae43e20cf179cc51a355a0deb5f (patch) | |
tree | 2dac4dba100aebdea4c177729b1de364b6195d17 /tools/testing/selftests/netfilter/Makefile | |
parent | ipv4: recompile ip options in ipv4_link_failure (diff) | |
selftests: netfilter: check icmp pkttoobig errors are set as related
When an icmp error such as pkttoobig is received, conntrack checks
if the "inner" header (header of packet that did not fit link mtu)
matches an existing connection, and, if so, sets that packet as
being related to the conntrack entry it found.
It was recently reported that this "related" setting also works
if the inner header is from another, different connection (i.e.,
artificial/forged icmp error).
Add a test, followup patch will add additional "inner dst matches
outer dst in reverse direction" check before setting related state.
Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
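A simplified model of the classification the commit message describes, added here as an illustration; it is not kernel code and not part of this commit. The tuple layout, the `check_outer_dst` switch and the exact form of the follow-up check (outer destination equals the sender of the inner packet, no NAT) are assumptions.

```python
from collections import namedtuple

# Simplified flow tuple (assumption); real conntrack tuples carry more fields.
FlowTuple = namedtuple("FlowTuple", "src dst proto sport dport")

def invert(t):
    """The same flow as seen in the opposite direction."""
    return FlowTuple(t.dst, t.src, t.proto, t.dport, t.sport)

class ConntrackModel:
    """Toy connection table without NAT (hypothetical, not kernel code)."""

    def __init__(self):
        self.known = set()

    def add_flow(self, orig):
        # A tracked connection is findable by either direction's tuple.
        self.known.update((orig, invert(orig)))

    def classify_icmp_error(self, outer_dst, inner, check_outer_dst):
        """Return 'related' or 'invalid' for an ICMP error packet.

        inner is the tuple from the embedded header of the packet that
        triggered the error; the error itself travels the other way,
        so the lookup uses the inverted inner tuple.
        """
        hit = invert(inner)
        if hit not in self.known:
            return "invalid"
        # Assumed form of the follow-up check: the error must be addressed
        # to the destination of the matched direction (the inner sender).
        if check_outer_dst and outer_dst != hit.dst:
            return "invalid"
        return "related"

# Constructed sample data (documentation address ranges).
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.20", "203.0.113.30"
FLOW = FlowTuple(CLIENT, SERVER, "tcp", 40000, 80)

def demo():
    ct = ConntrackModel()
    ct.add_flow(FLOW)
    cases = {"genuine": CLIENT, "forged": OTHER}  # outer destination per case
    return {(name, chk): ct.classify_icmp_error(dst, FLOW, chk)
            for name, dst in cases.items() for chk in (False, True)}

if __name__ == "__main__":
    for key, verdict in sorted(demo().items()):
        print(key, verdict)
```

Only the forged case changes verdict when the extra check is enabled, which is the behaviour a regression test for this issue needs to pin down.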
Diffstat (limited to 'tools/testing/selftests/netfilter/Makefile')
-rw-r--r-- | tools/testing/selftests/netfilter/Makefile | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile index c9ff2b47bd1c..a37cb1192c6a 100644 --- a/tools/testing/selftests/netfilter/Makefile +++ b/tools/testing/selftests/netfilter/Makefile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 # Makefile for netfilter selftests -TEST_PROGS := nft_trans_stress.sh nft_nat.sh +TEST_PROGS := nft_trans_stress.sh nft_nat.sh conntrack_icmp_related.sh include ../lib.mk |
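Review bot: The new `TEST_PROGS` entry `conntrack_icmp_related.sh` on the `+TEST_PROGS` line names a script that this Makefile-limited view does not show; confirm the script is added in the same commit with its executable bit set, since a program listed in `TEST_PROGS` has to be runnable by the selftest harness. The commit message also says the kernel-side check arrives only in a follow-up patch, so if the script asserts that forged errors are not marked related it will fail at this commit; consider stating the expected result in the message or ordering the test after the fix to keep bisection clean.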