#! /bin/bash -x

# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)

rnd=$(mktemp -u XXXXXXXX)
R="flowtable-router-$rnd"
C="flowtable-client-$rnd"
S="flowtbale-server-$rnd"

cleanup()
{
	for i in $R $C $S;do
		kill $(ip netns pid $i) 2>/dev/null
		ip netns del $i
	done
}

trap cleanup EXIT

ip netns add $R
ip netns add $S
ip netns add $C

ip link add s_r netns $S type veth peer name r_s netns $R
ip netns exec $S ip link set s_r up
ip netns exec $R ip link set r_s up
ip link add c_r netns $C type veth peer name r_c netns $R
ip netns exec $R ip link set r_c up
ip netns exec $C ip link set c_r up

ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
ip netns exec $S ethtool -K s_r tso off
ip netns exec $C ethtool -K c_r tso off

sleep 3
ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1

ip netns exec $R nft -f - <<EOF
table ip6 filter {
        flowtable f1 {
                hook ingress priority -100
                devices = { r_c, r_s }
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0
                ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop
                tcp flags fin,rst counter packets 0 bytes 0 accept
                meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept
                ip6 nexthdr tcp counter packets 0 bytes 0 log drop
        }
}
EOF

if [ ! -r /proc/net/nf_conntrack ]
then
	echo "E: nf_conntrack unreadable, skipping" >&2	
	exit 77
fi

ip netns exec $R nft list ruleset
ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
	echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
        exit 77
}
ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
        echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
        exit 77

}

# A trick to control the timing to send a packet
ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof &
sleep 1
ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' &
sleep 1
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
ip netns exec $R cat /proc/net/nf_conntrack
sleep 6
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
ip netns exec $C sleep 3
ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
ip netns exec $C sleep 3
ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }

exit 0