Commit 117e149e authored by Florian Westphal's avatar Florian Westphal

selftests: netfilter: test nat source port clash resolution interaction with tcp early demux

Test that nat engine resolves the source port clash and tcp packet
is passed to the correct socket.

While at it, get rid of the iperf3 dependency, just use socat for
listener side too.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent e27c3295
...@@ -11,16 +11,18 @@ ret=0 ...@@ -11,16 +11,18 @@ ret=0
sfx=$(mktemp -u "XXXXXXXX") sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx" ns1="ns1-$sfx"
ns2="ns2-$sfx" ns2="ns2-$sfx"
socatpid=0
cleanup() cleanup()
{ {
[ $socatpid -gt 0 ] && kill $socatpid
ip netns del $ns1 ip netns del $ns1
ip netns del $ns2 ip netns del $ns2
} }
iperf3 -v > /dev/null 2>&1 socat -h > /dev/null 2>&1
if [ $? -ne 0 ];then if [ $? -ne 0 ];then
echo "SKIP: Could not run test without iperf3" echo "SKIP: Could not run test without socat"
exit $ksft_skip exit $ksft_skip
fi fi
...@@ -60,8 +62,8 @@ ip netns exec $ns2 ip link set up dev veth2 ...@@ -60,8 +62,8 @@ ip netns exec $ns2 ip link set up dev veth2
ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2 ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2
# Create a server in one namespace # Create a server in one namespace
ip netns exec $ns1 iperf3 -s > /dev/null 2>&1 & ip netns exec $ns1 socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
iperfs=$! socatpid=$!
# Restrict source port to just one so we don't have to exhaust # Restrict source port to just one so we don't have to exhaust
# all others. # all others.
...@@ -83,17 +85,43 @@ sleep 1 ...@@ -83,17 +85,43 @@ sleep 1
# ip daddr:dport will be rewritten to 192.168.1.1 5201 # ip daddr:dport will be rewritten to 192.168.1.1 5201
# NAT must reallocate source port 10000 because # NAT must reallocate source port 10000 because
# 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use # 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use
echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443 >/dev/null echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null
ret=$? ret=$?
kill $iperfs
# Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201). # Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201).
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
echo "PASS: socat can connect via NAT'd address" echo "PASS: socat can connect via NAT'd address"
else else
echo "FAIL: socat cannot connect via NAT'd address" echo "FAIL: socat cannot connect via NAT'd address"
exit 1
fi fi
exit 0 # check sport clashres.
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
sleep 5 | ip netns exec $ns2 socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
cpid1=$!
sleep 1
# if connect succeeds, client closes instantly due to EOF on stdin.
# if connect hangs, it will time out after 5s.
echo | ip netns exec $ns2 socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
cpid2=$!
time_then=$(date +%s)
wait $cpid2
rv=$?
time_now=$(date +%s)
# Check how much time has elapsed, expectation is for
# 'cpid2' to connect and then exit (and no connect delay).
delta=$((time_now - time_then))
if [ $delta -lt 2 -a $rv -eq 0 ]; then
echo "PASS: could connect to service via redirected ports"
else
echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)"
ret=1
fi
exit $ret
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment