@aojea
Created June 11, 2021 09:44
packet looping
# Create the test namespace
sudo ip netns add testNS
# Connect the namespace to the host using a veth pair
sudo ip link add name vethHost type veth peer name vethNS
sudo ip link set netns testNS dev vethNS
# Configure the namespace end of the link: an address on the veth and a default route that points back at the host
sudo ip netns exec testNS ip link set up dev lo
sudo ip netns exec testNS ip link set up dev vethNS
sudo ip netns exec testNS ip addr add 10.11.11.2/24 dev vethNS
sudo ip netns exec testNS ip route add default via 10.11.11.1
# Add a conntrack-matching rule inside the namespace: loading the match is what turns nf_conntrack on there
sudo ip netns exec testNS iptables -A INPUT -m state --state established,related -j ACCEPT
# Configure the host end of the link (both ends of a new veth pair start down, so bring the host side up as well)
sudo ip link set up dev vethHost
sudo ip addr add 10.11.11.1/24 dev vethHost
# Route a virtual IP into the namespace; nothing inside the namespace owns this address
sudo ip route add 10.99.99.99 via 10.11.11.2
# Check connectivity works
ping -c 2 10.11.11.2
# Test behavior connecting to the virtual IP from the host (fixed source port so the flow is easy to find in captures)
while true; do nc -p 60000 10.99.99.99 80; sleep 1; done
# The namespace has no local route for 10.99.99.99, so it forwards the SYN back out vethNS toward its default gateway (the host)
# and sends the host an ICMP redirect for that destination. This only happens when the namespace forwards, i.e. with
# net.ipv4.ip_forward=1 inside testNS; with forwarding off the SYN is dropped and no redirect is produced.
sudo ip netns exec testNS tcpdump -i any -nnv icmp
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:56:49.441452 vethNS Out IP (tos 0xc0, ttl 64, id 35221, offset 0, flags [none], proto ICMP (1), length 88)
10.11.11.2 > 10.11.11.1: ICMP redirect 10.99.99.99 to host 10.11.11.1, length 68
IP (tos 0x0, ttl 63, id 40142, offset 0, flags [DF], proto TCP (6), length 60)
10.11.11.1.60000 > 10.99.99.99.80: Flags [S], cksum 0x8300 (incorrect -> 0x3995), seq 4129209595, win 64240, options [mss 1460,sackOK,TS val 1640927502 ecr 0,nop,wscale 7], length 0
# However, conntrack inside the namespace still created an entry for the flow, even though the SYN was only forwarded
# (and redirected) and never delivered locally; it sits in SYN_SENT as [UNREPLIED]
# conntrack -L    (run inside testNS, where the conntrack rule was added)
tcp 6 116 SYN_SENT src=10.11.11.1 dst=10.99.99.99 sport=60000 dport=80 [UNREPLIED] src=10.99.99.99 dst=10.11.11.1 sport=80 dport=60000 mark=0 use=1
conntrack v1.4.5 (conntrack-tools): 1 flow entries have been shown.
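Added example, not code from the gist or from its author: a script that rebuilds the same lab with a teardown and with the two sysctls that decide whether the redirect happens (ip_forward and send_redirects inside the namespace) set explicitly, plus an awk check, ttl_loop_check, over "tcpdump -i any -nnv" output that flags a packet re-appearing on the link with a decreasing TTL, which is what the looping SYN looks like from the host. The namespace, interface and address names are the gist's; the function names, the sample capture (constructed, not real output) and the command-line dispatch are this example's own assumptions. lab_up and lab_down need root.

```shell
#!/bin/sh
# Added example (not from the original gist). Rebuilds the gist's lab
# (namespace testNS, veth pair vethHost/vethNS, link 10.11.11.0/24, virtual IP
# 10.99.99.99) with explicit sysctls and a teardown, and provides
# ttl_loop_check, an awk filter over "tcpdump -i any -nnv" output that reports
# packets seen more than once on the link with a decreasing TTL.
set -e

NS=testNS
VETH_HOST=vethHost
VETH_NS=vethNS
HOST_IP=10.11.11.1
NS_IP=10.11.11.2
VIP=10.99.99.99

# lab_up: root required. Same topology as the gist.
lab_up() {
  ip netns add "$NS"
  ip link add name "$VETH_HOST" type veth peer name "$VETH_NS"
  ip link set netns "$NS" dev "$VETH_NS"
  ip link set up dev "$VETH_HOST"
  ip addr add "$HOST_IP/24" dev "$VETH_HOST"
  ip netns exec "$NS" ip link set up dev lo
  ip netns exec "$NS" ip link set up dev "$VETH_NS"
  ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
  ip netns exec "$NS" ip route add default via "$HOST_IP"
  # The namespace only forwards (and therefore only redirects) with
  # ip_forward=1; with it off the SYN for the virtual IP is dropped and no
  # ICMP is produced. send_redirects controls whether the redirect is emitted.
  ip netns exec "$NS" sysctl -q -w net.ipv4.ip_forward=1
  ip netns exec "$NS" sysctl -q -w net.ipv4.conf.all.send_redirects=1
  # A conntrack match loads nf_conntrack in the namespace; it then tracks the
  # forwarded SYN as well, which is the gist's observation.
  ip netns exec "$NS" iptables -A INPUT -m state --state established,related -j ACCEPT
  # Route the virtual IP into the namespace, whose default route points
  # straight back at the host: this is the loop.
  ip route add "$VIP" via "$NS_IP"
}

# lab_down: root required. Deleting the host end of the veth removes both ends.
lab_down() {
  ip route del "$VIP" via "$NS_IP" 2>/dev/null || true
  ip link del "$VETH_HOST" 2>/dev/null || true
  ip netns del "$NS" 2>/dev/null || true
}

# ttl_loop_check: read "tcpdump -i any -nnv" output on stdin. Each IP header
# line carries "ttl N, id M,"; a packet forwarded back across the same link
# keeps its id and loses one TTL per hop, so an id seen more than once with a
# decreasing TTL is a loop. Prints one "id=.. seen=.. ttl=max..min" line per
# looping id, sorted. (Linux picks a fresh id per packet, so collisions
# between unrelated packets are unlikely in a short capture.)
ttl_loop_check() {
  awk '
    {
      if (!match($0, /ttl [0-9]+,/)) next
      ttl = substr($0, RSTART + 4, RLENGTH - 5) + 0
      if (!match($0, /, id [0-9]+,/)) next
      id = substr($0, RSTART + 5, RLENGTH - 6)
      seen[id]++
      if (!(id in hi) || ttl > hi[id]) hi[id] = ttl
      if (!(id in lo) || ttl < lo[id]) lo[id] = ttl
    }
    END {
      for (id in seen)
        if (seen[id] > 1 && lo[id] < hi[id])
          printf "id=%s seen=%d ttl=%d..%d\n", id, seen[id], hi[id], lo[id]
    }' | sort
}

# Constructed sample capture, not real output: one SYN crossing vethHost four
# times with TTL 64, 63, 62, 61, plus a second SYN that was seen only once.
SAMPLE_CAPTURE='12:00:00.000100 vethHost Out IP (tos 0x0, ttl 64, id 40142, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.11.1.60000 > 10.99.99.99.80: Flags [S], seq 4129209595, win 64240, length 0
12:00:00.000150 vethHost In  IP (tos 0x0, ttl 63, id 40142, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.11.1.60000 > 10.99.99.99.80: Flags [S], seq 4129209595, win 64240, length 0
12:00:00.000200 vethHost Out IP (tos 0x0, ttl 62, id 40142, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.11.1.60000 > 10.99.99.99.80: Flags [S], seq 4129209595, win 64240, length 0
12:00:00.000250 vethHost In  IP (tos 0x0, ttl 61, id 40142, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.11.1.60000 > 10.99.99.99.80: Flags [S], seq 4129209595, win 64240, length 0
12:00:01.000100 vethHost Out IP (tos 0x0, ttl 64, id 40143, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.11.1.60001 > 10.99.99.99.80: Flags [S], seq 4129209600, win 64240, length 0'

# run_sample: the check applied to the constructed capture above.
run_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | ttl_loop_check
}

case "${1:-}" in
  up)     lab_up ;;
  down)   lab_down ;;
  check)  ttl_loop_check ;;   # tcpdump -i any -nnv -l tcp port 80 | sh redirect-loop.sh check
  sample) run_sample ;;
  *)      : ;;
esac
```

With the lab up, `sudo tcpdump -i any -nnv -l tcp port 80 | sh redirect-loop.sh check` on the host reports the gist's SYN once per TTL value it burns between the two ends; if nothing is reported, check `net.ipv4.ip_forward` in both the host and testNS, since the bounce needs forwarding on both sides.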