Commit 5e317a2f authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'selftests-move-netfilter-tests-to-net'

Florian Westphal says:

====================
selftests: move netfilter tests to net

First patch in this series moves selftests/netfilter/
to selftests/net/netfilter/.

Passing this via net-next rather than nf-next for this reason.

Main motivation is that a lot of these scripts only work on my old
development VM, I hope that placing this in net/ will get these
tests to get run in more regular intervals (and tests get more robust).

Changes are:

- make use of existing 'setup_ns' and 'busywait' helpers
- fix shellcheck warnings
- add more SKIP checks to avoid failures
- get rid of netcat in favor of socat, too many test
  failures due to 'wrong' netcat flavor
- do not assume rp_filter sysctl is off

I have more patches that fix up the remaining test scripts,
but the series was too large to send them at once (34 patches).

After all scripts are fixed up, tests pass on both my Debian
and Fedora test machines.

MAINTAINERS is updated to reflect that future updates should be handled
via netfilter-devel@.
====================

Link: https://lore.kernel.org/r/20240411233624.8129-1-fw@strlen.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 982a73c7 49af681b
...@@ -15264,6 +15264,7 @@ F: net/*/netfilter.c ...@@ -15264,6 +15264,7 @@ F: net/*/netfilter.c
F: net/*/netfilter/ F: net/*/netfilter/
F: net/bridge/br_netfilter*.c F: net/bridge/br_netfilter*.c
F: net/netfilter/ F: net/netfilter/
F: tools/testing/selftests/net/netfilter/
NETROM NETWORK LAYER NETROM NETWORK LAYER
M: Ralf Baechle <ralf@linux-mips.org> M: Ralf Baechle <ralf@linux-mips.org>
......
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
nf-queue
connect_close
audit_logread audit_logread
connect_close
conntrack_dump_flush conntrack_dump_flush
sctp_collision sctp_collision
nf_queue
# SPDX-License-Identifier: GPL-2.0
top_srcdir = ../../../../..
HOSTPKG_CONFIG := pkg-config
MNL_CFLAGS := $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
MNL_LDLIBS := $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
TEST_PROGS := br_netfilter.sh bridge_brouter.sh
TEST_PROGS += conntrack_icmp_related.sh
TEST_PROGS += conntrack_ipip_mtu.sh
TEST_PROGS += conntrack_tcp_unreplied.sh
TEST_PROGS += conntrack_sctp_collision.sh
TEST_PROGS += conntrack_vrf.sh
TEST_PROGS += ipvs.sh
TEST_PROGS += nf_nat_edemux.sh
TEST_PROGS += nft_audit.sh
TEST_PROGS += nft_concat_range.sh
TEST_PROGS += nft_conntrack_helper.sh
TEST_PROGS += nft_fib.sh
TEST_PROGS += nft_flowtable.sh
TEST_PROGS += nft_meta.sh
TEST_PROGS += nft_nat.sh
TEST_PROGS += nft_nat_zones.sh
TEST_PROGS += nft_queue.sh
TEST_PROGS += nft_synproxy.sh
TEST_PROGS += nft_zones_many.sh
TEST_PROGS += rpath.sh
TEST_PROGS += xt_string.sh
TEST_CUSTOM_PROGS += conntrack_dump_flush
TEST_GEN_FILES = audit_logread
TEST_GEN_FILES += conntrack_dump_flush
TEST_GEN_FILES += connect_close nf_queue
TEST_GEN_FILES += sctp_collision
include ../../lib.mk
$(OUTPUT)/nf_queue: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS)
$(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS)
#!/bin/bash #!/bin/bash
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
# #
# Test bridge netfilter + conntrack, a combination that doesn't really work, # Test for legacy br_netfilter module combined with connection tracking,
# with multicast/broadcast packets racing for hash table insertion. # a combination that doesn't really work.
# Multicast/broadcast packets race for hash table insertion.
# eth0 br0 eth0 # eth0 br0 eth0
# setup is: ns1 <->,ns0 <-> ns3 # setup is: ns1 <->,ns0 <-> ns3
# ns2 <-' `'-> ns4 # ns2 <-' `'-> ns4
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns0="ns0-$sfx"
ns1="ns1-$sfx"
ns2="ns2-$sfx"
ns3="ns3-$sfx"
ns4="ns4-$sfx"
ebtables -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ebtables"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1 checktool "nft --version" "run test without nft tool"
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
for i in $(seq 0 4); do
eval ip netns add \$ns$i
done
cleanup() { cleanup() {
for i in $(seq 0 4); do eval ip netns del \$ns$i;done cleanup_all_ns
} }
trap cleanup EXIT trap cleanup EXIT
setup_ns ns0 ns1 ns2 ns3 ns4
ret=0
do_ping() do_ping()
{ {
fromns="$1" fromns="$1"
dstip="$2" dstip="$2"
ip netns exec $fromns ping -c 1 -q $dstip > /dev/null if ! ip netns exec "$fromns" ping -c 1 -q "$dstip" > /dev/null; then
if [ $? -ne 0 ]; then
echo "ERROR: ping from $fromns to $dstip" echo "ERROR: ping from $fromns to $dstip"
ip netns exec ${ns0} nft list ruleset ip netns exec "$ns0" nft list ruleset
ret=1 ret=1
fi fi
} }
...@@ -59,75 +40,75 @@ bcast_ping() ...@@ -59,75 +40,75 @@ bcast_ping()
fromns="$1" fromns="$1"
dstip="$2" dstip="$2"
for i in $(seq 1 1000); do for i in $(seq 1 500); do
ip netns exec $fromns ping -q -f -b -c 1 -q $dstip > /dev/null 2>&1 if ! ip netns exec "$fromns" ping -q -f -b -c 1 -q "$dstip" > /dev/null 2>&1; then
if [ $? -ne 0 ]; then
echo "ERROR: ping -b from $fromns to $dstip" echo "ERROR: ping -b from $fromns to $dstip"
ip netns exec ${ns0} nft list ruleset ip netns exec "$ns0" nft list ruleset
ret=1
break
fi fi
done done
} }
ip link add veth1 netns ${ns0} type veth peer name eth0 netns ${ns1} ip netns exec "$ns0" sysctl -q net.ipv4.conf.all.rp_filter=0
if [ $? -ne 0 ]; then ip netns exec "$ns0" sysctl -q net.ipv4.conf.default.rp_filter=0
if ! ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns1"; then
echo "SKIP: Can't create veth device" echo "SKIP: Can't create veth device"
exit $ksft_skip exit $ksft_skip
fi fi
ip link add veth2 netns ${ns0} type veth peer name eth0 netns $ns2 ip link add veth2 netns "$ns0" type veth peer name eth0 netns "$ns2"
ip link add veth3 netns ${ns0} type veth peer name eth0 netns $ns3 ip link add veth3 netns "$ns0" type veth peer name eth0 netns "$ns3"
ip link add veth4 netns ${ns0} type veth peer name eth0 netns $ns4 ip link add veth4 netns "$ns0" type veth peer name eth0 netns "$ns4"
ip -net ${ns0} link set lo up
for i in $(seq 1 4); do for i in $(seq 1 4); do
ip -net ${ns0} link set veth$i up ip -net "$ns0" link set "veth$i" up
done done
ip -net ${ns0} link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1 if ! ip -net "$ns0" link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1; then
if [ $? -ne 0 ]; then
echo "SKIP: Can't create bridge br0" echo "SKIP: Can't create bridge br0"
exit $ksft_skip exit $ksft_skip
fi fi
# make veth0,1,2 part of bridge. # make veth0,1,2 part of bridge.
for i in $(seq 1 3); do for i in $(seq 1 3); do
ip -net ${ns0} link set veth$i master br0 ip -net "$ns0" link set "veth$i" master br0
done done
# add a macvlan on top of the bridge. # add a macvlan on top of the bridge.
MACVLAN_ADDR=ba:f3:13:37:42:23 MACVLAN_ADDR=ba:f3:13:37:42:23
ip -net ${ns0} link add link br0 name macvlan0 type macvlan mode private ip -net "$ns0" link add link br0 name macvlan0 type macvlan mode private
ip -net ${ns0} link set macvlan0 address ${MACVLAN_ADDR} ip -net "$ns0" link set macvlan0 address ${MACVLAN_ADDR}
ip -net ${ns0} link set macvlan0 up ip -net "$ns0" link set macvlan0 up
ip -net ${ns0} addr add 10.23.0.1/24 dev macvlan0 ip -net "$ns0" addr add 10.23.0.1/24 dev macvlan0
# add a macvlan on top of veth4. # add a macvlan on top of veth4.
MACVLAN_ADDR=ba:f3:13:37:42:24 MACVLAN_ADDR=ba:f3:13:37:42:24
ip -net ${ns0} link add link veth4 name macvlan4 type macvlan mode vepa ip -net "$ns0" link add link veth4 name macvlan4 type macvlan mode passthru
ip -net ${ns0} link set macvlan4 address ${MACVLAN_ADDR} ip -net "$ns0" link set macvlan4 address ${MACVLAN_ADDR}
ip -net ${ns0} link set macvlan4 up ip -net "$ns0" link set macvlan4 up
# make the macvlan part of the bridge. # make the macvlan part of the bridge.
# veth4 is not a bridge port, only the macvlan on top of it. # veth4 is not a bridge port, only the macvlan on top of it.
ip -net ${ns0} link set macvlan4 master br0 ip -net "$ns0" link set macvlan4 master br0
ip -net ${ns0} link set br0 up ip -net "$ns0" link set br0 up
ip -net ${ns0} addr add 10.0.0.1/24 dev br0 ip -net "$ns0" addr add 10.0.0.1/24 dev br0
ip netns exec ${ns0} sysctl -q net.bridge.bridge-nf-call-iptables=1
ret=$? modprobe -q br_netfilter
if [ $ret -ne 0 ] ; then if ! ip netns exec "$ns0" sysctl -q net.bridge.bridge-nf-call-iptables=1; then
echo "SKIP: bridge netfilter not available" echo "SKIP: bridge netfilter not available"
ret=$ksft_skip ret=$ksft_skip
fi fi
# for testing, so namespaces will reply to ping -b probes. # for testing, so namespaces will reply to ping -b probes.
ip netns exec ${ns0} sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0 ip netns exec "$ns0" sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0
# enable conntrack in ns0 and drop broadcast packets in forward to # enable conntrack in ns0 and drop broadcast packets in forward to
# avoid them from getting confirmed in the postrouting hook before # avoid them from getting confirmed in the postrouting hook before
# the cloned skb is passed up the stack. # the cloned skb is passed up the stack.
ip netns exec ${ns0} nft -f - <<EOF ip netns exec "$ns0" nft -f - <<EOF
table ip filter { table ip filter {
chain input { chain input {
type filter hook input priority 1; policy accept type filter hook input priority 1; policy accept
...@@ -149,36 +130,30 @@ EOF ...@@ -149,36 +130,30 @@ EOF
# part of the bridge: the corresponding veth4 is not # part of the bridge: the corresponding veth4 is not
# part of the bridge, only its macvlan interface. # part of the bridge, only its macvlan interface.
for i in $(seq 1 4); do for i in $(seq 1 4); do
eval ip -net \$ns$i link set lo up eval ip -net \$ns"$i" link set eth0 up
eval ip -net \$ns$i link set eth0 up
done done
for i in $(seq 1 2); do for i in $(seq 1 2); do
eval ip -net \$ns$i addr add 10.0.0.1$i/24 dev eth0 eval ip -net \$ns"$i" addr add "10.0.0.1$i/24" dev eth0
done done
ip -net ${ns3} addr add 10.23.0.13/24 dev eth0 ip -net "$ns3" addr add 10.23.0.13/24 dev eth0
ip -net ${ns4} addr add 10.23.0.14/24 dev eth0 ip -net "$ns4" addr add 10.23.0.14/24 dev eth0
# test basic connectivity # test basic connectivity
do_ping ${ns1} 10.0.0.12 do_ping "$ns1" 10.0.0.12
do_ping ${ns3} 10.23.0.1 do_ping "$ns3" 10.23.0.1
do_ping ${ns4} 10.23.0.1 do_ping "$ns4" 10.23.0.1
if [ $ret -eq 0 ];then
echo "PASS: netns connectivity: ns1 can reach ns2, ns3 and ns4 can reach ns0"
fi
bcast_ping ${ns1} 10.0.0.255 bcast_ping "$ns1" 10.0.0.255
# This should deliver broadcast to macvlan0, which is on top of ns0:br0. # This should deliver broadcast to macvlan0, which is on top of ns0:br0.
bcast_ping ${ns3} 10.23.0.255 bcast_ping "$ns3" 10.23.0.255
# same, this time via veth4:macvlan4. # same, this time via veth4:macvlan4.
bcast_ping ${ns4} 10.23.0.255 bcast_ping "$ns4" 10.23.0.255
read t < /proc/sys/kernel/tainted read t < /proc/sys/kernel/tainted
if [ "$t" -eq 0 ];then
if [ $t -eq 0 ];then
echo PASS: kernel not tainted echo PASS: kernel not tainted
else else
echo ERROR: kernel is tainted echo ERROR: kernel is tainted
......
...@@ -5,142 +5,118 @@ ...@@ -5,142 +5,118 @@
# part of a bridge. # part of a bridge.
# eth0 br0 eth0 # eth0 br0 eth0
# setup is: ns1 <-> ns0 <-> ns2 # setup is: ns1 <-> nsbr <-> ns2
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0
ebtables -V > /dev/null 2>&1 if ! ebtables -V > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ebtables" echo "SKIP: Could not run test without ebtables"
exit $ksft_skip exit $ksft_skip
fi fi
ip -Version > /dev/null 2>&1 cleanup() {
if [ $? -ne 0 ];then cleanup_all_ns
echo "SKIP: Could not run test without ip tool" }
exit $ksft_skip
fi
ip netns add ns0 trap cleanup EXIT
ip netns add ns1
ip netns add ns2
ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 setup_ns nsbr ns1 ns2
if [ $? -ne 0 ]; then
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.default.rp_filter=0
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.all.rp_filter=0
if ! ip link add veth0 netns "$nsbr" type veth peer name eth0 netns "$ns1"; then
echo "SKIP: Can't create veth device" echo "SKIP: Can't create veth device"
exit $ksft_skip exit $ksft_skip
fi fi
ip link add veth1 netns ns0 type veth peer name eth0 netns ns2 ip link add veth1 netns "$nsbr" type veth peer name eth0 netns "$ns2"
ip -net ns0 link set lo up
ip -net ns0 link set veth0 up
ip -net ns0 link set veth1 up
ip -net ns0 link add br0 type bridge if ! ip -net "$nsbr" link add br0 type bridge; then
if [ $? -ne 0 ]; then
echo "SKIP: Can't create bridge br0" echo "SKIP: Can't create bridge br0"
exit $ksft_skip exit $ksft_skip
fi fi
ip -net ns0 link set veth0 master br0 ip -net "$nsbr" link set veth0 up
ip -net ns0 link set veth1 master br0 ip -net "$nsbr" link set veth1 up
ip -net ns0 link set br0 up
ip -net ns0 addr add 10.0.0.1/24 dev br0 ip -net "$nsbr" link set veth0 master br0
ip -net "$nsbr" link set veth1 master br0
ip -net "$nsbr" link set br0 up
ip -net "$nsbr" addr add 10.0.0.1/24 dev br0
# place both in same subnet, ns1 and ns2 connected via ns0:br0 # place both in same subnet, ${ns1} and ${ns2} connected via ${nsbr}:br0
for i in 1 2; do ip -net "$ns1" link set eth0 up
ip -net ns$i link set lo up ip -net "$ns2" link set eth0 up
ip -net ns$i link set eth0 up ip -net "$ns1" addr add 10.0.0.11/24 dev eth0
ip -net ns$i addr add 10.0.0.1$i/24 dev eth0 ip -net "$ns2" addr add 10.0.0.12/24 dev eth0
done
test_ebtables_broute() test_ebtables_broute()
{ {
local cipt
# redirect is needed so the dstmac is rewritten to the bridge itself, # redirect is needed so the dstmac is rewritten to the bridge itself,
# ip stack won't process OTHERHOST (foreign unicast mac) packets. # ip stack won't process OTHERHOST (foreign unicast mac) packets.
ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP if ! ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP; then
if [ $? -ne 0 ]; then
echo "SKIP: Could not add ebtables broute redirect rule" echo "SKIP: Could not add ebtables broute redirect rule"
return $ksft_skip return $ksft_skip
fi fi
# ping netns1, expected to not work (ip forwarding is off) ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=0
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1
if [ $? -eq 0 ]; then # ping net${ns1}, expected to not work (ip forwarding is off)
if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then
echo "ERROR: ping works, should have failed" 1>&2 echo "ERROR: ping works, should have failed" 1>&2
return 1 return 1
fi fi
# enable forwarding on both interfaces. # enable forwarding on both interfaces.
# neither needs an ip address, but at least the bridge needs # neither needs an ip address, but at least the bridge needs
# an ip address in same network segment as ns1 and ns2 (ns0 # an ip address in same network segment as ${ns1} and ${ns2} (${nsbr}
# needs to be able to determine route for to-be-forwarded packet). # needs to be able to determine route for to-be-forwarded packet).
ip netns exec ns0 sysctl -q net.ipv4.conf.veth0.forwarding=1 ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec ns0 sysctl -q net.ipv4.conf.veth1.forwarding=1 ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth1.forwarding=1
sleep 1
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then
if [ $? -ne 0 ]; then
echo "ERROR: ping did not work, but it should (broute+forward)" 1>&2 echo "ERROR: ping did not work, but it should (broute+forward)" 1>&2
return 1 return 1
fi fi
echo "PASS: ns1/ns2 connectivity with active broute rule" echo "PASS: ${ns1}/${ns2} connectivity with active broute rule"
ip netns exec ns0 ebtables -t broute -F ip netns exec "$nsbr" ebtables -t broute -F
# ping netns1, expected to work (frames are bridged) # ping net${ns1}, expected to work (frames are bridged)
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then
if [ $? -ne 0 ]; then
echo "ERROR: ping did not work, but it should (bridged)" 1>&2 echo "ERROR: ping did not work, but it should (bridged)" 1>&2
return 1 return 1
fi fi
ip netns exec ns0 ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP ip netns exec "$nsbr" ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP
# ping netns1, expected to not work (DROP in bridge forward) # ping net${ns1}, expected to not work (DROP in bridge forward)
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1 if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then
if [ $? -eq 0 ]; then
echo "ERROR: ping works, should have failed (icmp forward drop)" 1>&2 echo "ERROR: ping works, should have failed (icmp forward drop)" 1>&2
return 1 return 1
fi fi
# re-activate brouter # re-activate brouter
ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP
ip netns exec ns2 ping -q -c 1 10.0.0.11 > /dev/null if ! ip netns exec "$ns2" ping -q -c 1 10.0.0.11 > /dev/null; then
if [ $? -ne 0 ]; then
echo "ERROR: ping did not work, but it should (broute+forward 2)" 1>&2 echo "ERROR: ping did not work, but it should (broute+forward 2)" 1>&2
return 1 return 1
fi fi
echo "PASS: ns1/ns2 connectivity with active broute rule and bridge forward drop" echo "PASS: ${ns1}/${ns2} connectivity with active broute rule and bridge forward drop"
return 0 return 0
} }
# test basic connectivity # test basic connectivity
ip netns exec ns1 ping -c 1 -q 10.0.0.12 > /dev/null if ! ip netns exec "$ns1" ping -c 1 -q 10.0.0.12 > /dev/null; then
if [ $? -ne 0 ]; then echo "ERROR: Could not reach ${ns2} from ${ns1}" 1>&2
echo "ERROR: Could not reach ns2 from ns1" 1>&2 exit 1
ret=1
fi fi
ip netns exec ns2 ping -c 1 -q 10.0.0.11 > /dev/null if ! ip netns exec "$ns2" ping -c 1 -q 10.0.0.11 > /dev/null; then
if [ $? -ne 0 ]; then echo "ERROR: Could not reach ${ns1} from ${ns2}" 1>&2
echo "ERROR: Could not reach ns1 from ns2" 1>&2 exit 1
ret=1
fi
if [ $ret -eq 0 ];then
echo "PASS: netns connectivity: ns1 and ns2 can reach each other"
fi fi
test_ebtables_broute test_ebtables_broute
ret=$? exit $?
for i in 0 1 2; do ip netns del ns$i;done
exit $ret
CONFIG_AUDIT=y
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP_SCTP=m
CONFIG_IP_VS=m
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_NET_CLS_U32=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_IPIP=m
CONFIG_NET_VRF=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_EVENTS=m
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CT=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_SYNPROXY=m
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
#include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h> #include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/netfilter/nf_conntrack_tcp.h> #include <linux/netfilter/nf_conntrack_tcp.h>
#include "../kselftest_harness.h" #include "../../kselftest_harness.h"
#define TEST_ZONE_ID 123 #define TEST_ZONE_ID 123
#define NF_CT_DEFAULT_ZONE_ID 0 #define NF_CT_DEFAULT_ZONE_ID 0
......
...@@ -14,35 +14,32 @@ ...@@ -14,35 +14,32 @@
# check the icmp errors are propagated to the correct host as per # check the icmp errors are propagated to the correct host as per
# nat of "established" icmp-echo "connection". # nat of "established" icmp-echo "connection".
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0
nft --version > /dev/null 2>&1 if ! nft --version > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool" echo "SKIP: Could not run test without nft tool"
exit $ksft_skip exit $ksft_skip
fi fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
cleanup() { cleanup() {
for i in 1 2;do ip netns del nsclient$i;done cleanup_all_ns
for i in 1 2;do ip netns del nsrouter$i;done
} }
trap cleanup EXIT trap cleanup EXIT
ipv4() { setup_ns nsclient1 nsclient2 nsrouter1 nsrouter2
echo -n 192.168.$1.2
} ret=0
add_addr()
{
ns=$1
dev=$2
i=$3
ipv6 () { ip -net "$ns" link set "$dev" up
echo -n dead:$1::2 ip -net "$ns" addr add "192.168.$i.2/24" dev "$dev"
ip -net "$ns" addr add "dead:$i::2/64" dev "$dev" nodad
} }
check_counter() check_counter()
...@@ -52,10 +49,9 @@ check_counter() ...@@ -52,10 +49,9 @@ check_counter()
expect=$3 expect=$3
local lret=0 local lret=0
cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect") if ! ip netns exec "$ns" nft list counter inet filter "$name" | grep -q "$expect"; then
if [ $? -ne 0 ]; then
echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2 echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2
ip netns exec $ns nft list counter inet filter "$name" 1>&2 ip netns exec "$ns" nft list counter inet filter "$name" 1>&2
lret=1 lret=1
fi fi
...@@ -65,9 +61,8 @@ check_counter() ...@@ -65,9 +61,8 @@ check_counter()
check_unknown() check_unknown()
{ {
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do for n in ${nsclient1} ${nsclient2} ${nsrouter1} ${nsrouter2}; do
check_counter $n "unknown" "$expect" if ! check_counter "$n" "unknown" "$expect"; then
if [ $? -ne 0 ] ;then
return 1 return 1
fi fi
done done
...@@ -75,61 +70,48 @@ check_unknown() ...@@ -75,61 +70,48 @@ check_unknown()
return 0 return 0
} }
for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
ip netns add $n
ip -net $n link set lo up
done
DEV=veth0
ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
DEV=veth0 DEV=veth0
ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2 ip link add "$DEV" netns "$nsclient1" type veth peer name eth1 netns "$nsrouter1"
ip link add "$DEV" netns "$nsclient2" type veth peer name eth1 netns "$nsrouter2"
ip link add "$DEV" netns "$nsrouter1" type veth peer name eth2 netns "$nsrouter2"
DEV=veth0 add_addr "$nsclient1" $DEV 1
ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2 add_addr "$nsclient2" $DEV 2
DEV=veth0 ip -net "$nsrouter1" link set eth1 up
for i in 1 2; do ip -net "$nsrouter1" link set $DEV up
ip -net nsclient$i link set $DEV up
ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
done
ip -net nsrouter1 link set eth1 up
ip -net nsrouter1 link set veth0 up
ip -net nsrouter2 link set eth1 up ip -net "$nsrouter2" link set eth1 mtu 1280 up
ip -net nsrouter2 link set eth2 up ip -net "$nsrouter2" link set eth2 up
ip -net nsclient1 route add default via 192.168.1.1 ip -net "$nsclient1" route add default via 192.168.1.1
ip -net nsclient1 -6 route add default via dead:1::1 ip -net "$nsclient1" -6 route add default via dead:1::1
ip -net nsclient2 route add default via 192.168.2.1 ip -net "$nsclient2" route add default via 192.168.2.1
ip -net nsclient2 route add default via dead:2::1 ip -net "$nsclient2" route add default via dead:2::1
ip -net "$nsclient2" link set veth0 mtu 1280
i=3 ip -net "$nsrouter1" addr add 192.168.1.1/24 dev eth1
ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1 ip -net "$nsrouter1" addr add 192.168.3.1/24 dev veth0
ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0 ip -net "$nsrouter1" addr add dead:1::1/64 dev eth1 nodad
ip -net nsrouter1 addr add dead:1::1/64 dev eth1 ip -net "$nsrouter1" addr add dead:3::1/64 dev veth0 nodad
ip -net nsrouter1 addr add dead:3::1/64 dev veth0 ip -net "$nsrouter1" route add default via 192.168.3.10
ip -net nsrouter1 route add default via 192.168.3.10 ip -net "$nsrouter1" -6 route add default via dead:3::10
ip -net nsrouter1 -6 route add default via dead:3::10
ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1 ip -net "$nsrouter2" addr add 192.168.2.1/24 dev eth1
ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2 ip -net "$nsrouter2" addr add 192.168.3.10/24 dev eth2
ip -net nsrouter2 addr add dead:2::1/64 dev eth1 ip -net "$nsrouter2" addr add dead:2::1/64 dev eth1 nodad
ip -net nsrouter2 addr add dead:3::10/64 dev eth2 ip -net "$nsrouter2" addr add dead:3::10/64 dev eth2 nodad
ip -net nsrouter2 route add default via 192.168.3.1 ip -net "$nsrouter2" route add default via 192.168.3.1
ip -net nsrouter2 route add default via dead:3::1 ip -net "$nsrouter2" route add default via dead:3::1
sleep 2
for i in 4 6; do for i in 4 6; do
ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1 ip netns exec "$nsrouter1" sysctl -q net.ipv$i.conf.all.forwarding=1
ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1 ip netns exec "$nsrouter2" sysctl -q net.ipv$i.conf.all.forwarding=1
done done
for netns in nsrouter1 nsrouter2; do for netns in "$nsrouter1" "$nsrouter2"; do
ip netns exec $netns nft -f - <<EOF ip netns exec "$netns" nft -f - <<EOF
table inet filter { table inet filter {
counter unknown { } counter unknown { }
counter related { } counter related { }
...@@ -144,7 +126,7 @@ table inet filter { ...@@ -144,7 +126,7 @@ table inet filter {
EOF EOF
done done
ip netns exec nsclient1 nft -f - <<EOF ip netns exec "$nsclient1" nft -f - <<EOF
table inet filter { table inet filter {
counter unknown { } counter unknown { }
counter related { } counter related { }
...@@ -164,7 +146,7 @@ table inet filter { ...@@ -164,7 +146,7 @@ table inet filter {
} }
EOF EOF
ip netns exec nsclient2 nft -f - <<EOF ip netns exec "$nsclient2" nft -f - <<EOF
table inet filter { table inet filter {
counter unknown { } counter unknown { }
counter new { } counter new { }
...@@ -189,11 +171,10 @@ table inet filter { ...@@ -189,11 +171,10 @@ table inet filter {
} }
EOF EOF
# make sure NAT core rewrites adress of icmp error if nat is used according to # make sure NAT core rewrites adress of icmp error if nat is used according to
# conntrack nat information (icmp error will be directed at nsrouter1 address, # conntrack nat information (icmp error will be directed at nsrouter1 address,
# but it needs to be routed to nsclient1 address). # but it needs to be routed to nsclient1 address).
ip netns exec nsrouter1 nft -f - <<EOF ip netns exec "$nsrouter1" nft -f - <<EOF
table ip nat { table ip nat {
chain postrouting { chain postrouting {
type nat hook postrouting priority 0; policy accept; type nat hook postrouting priority 0; policy accept;
...@@ -208,44 +189,32 @@ table ip6 nat { ...@@ -208,44 +189,32 @@ table ip6 nat {
} }
EOF EOF
ip netns exec nsrouter2 ip link set eth1 mtu 1280 if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q -M "do" 192.168.2.2 >/dev/null; then
ip netns exec nsclient2 ip link set veth0 mtu 1280
sleep 1
ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null
if [ $? -ne 0 ]; then
echo "ERROR: netns ip routing/connectivity broken" 1>&2 echo "ERROR: netns ip routing/connectivity broken" 1>&2
cleanup
exit 1 exit 1
fi fi
ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q dead:2::2 >/dev/null; then
if [ $? -ne 0 ]; then
echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2 echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2
cleanup
exit 1 exit 1
fi fi
check_unknown if ! check_unknown; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for netns in nsrouter1 nsrouter2 nsclient1;do for netns in "$nsrouter1" "$nsrouter2" "$nsclient1";do
check_counter "$netns" "related" "$expect" if ! check_counter "$netns" "related" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
done done
expect="packets 2 bytes 2076" expect="packets 2 bytes 2076"
check_counter nsclient2 "new" "$expect" if ! check_counter "$nsclient2" "new" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null if ip netns exec "$nsclient1" ping -W 0.5 -q -c 1 -s 1300 -M "do" 192.168.2.2 > /dev/null; then
if [ $? -eq 0 ]; then
echo "ERROR: ping should have failed with PMTU too big error" 1>&2 echo "ERROR: ping should have failed with PMTU too big error" 1>&2
ret=1 ret=1
fi fi
...@@ -253,30 +222,26 @@ fi ...@@ -253,30 +222,26 @@ fi
# nsrouter2 should have generated the icmp error, so # nsrouter2 should have generated the icmp error, so
# related counter should be 0 (its in forward). # related counter should be 0 (its in forward).
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
check_counter "nsrouter2" "related" "$expect" if ! check_counter "$nsrouter2" "related" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
# but nsrouter1 should have seen it, same for nsclient1. # but nsrouter1 should have seen it, same for nsclient1.
expect="packets 1 bytes 576" expect="packets 1 bytes 576"
for netns in nsrouter1 nsclient1;do for netns in ${nsrouter1} ${nsclient1};do
check_counter "$netns" "related" "$expect" if ! check_counter "$netns" "related" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
done done
ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null if ip netns exec "${nsclient1}" ping6 -W 0.5 -c 1 -s 1300 dead:2::2 > /dev/null; then
if [ $? -eq 0 ]; then
echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2 echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2
ret=1 ret=1
fi fi
expect="packets 2 bytes 1856" expect="packets 2 bytes 1856"
for netns in nsrouter1 nsclient1;do for netns in "${nsrouter1}" "${nsclient1}";do
check_counter "$netns" "related" "$expect" if ! check_counter "$netns" "related" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
done done
...@@ -288,21 +253,19 @@ else ...@@ -288,21 +253,19 @@ else
fi fi
# add 'bad' route, expect icmp REDIRECT to be generated # add 'bad' route, expect icmp REDIRECT to be generated
ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1 ip netns exec "${nsclient1}" ip route add 192.168.1.42 via 192.168.1.1
ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1 ip netns exec "${nsclient1}" ip route add dead:1::42 via dead:1::1
ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null ip netns exec "$nsclient1" ping -W 1 -q -i 0.5 -c 2 192.168.1.42 > /dev/null
expect="packets 1 bytes 112" expect="packets 1 bytes 112"
check_counter nsclient1 "redir4" "$expect" if ! check_counter "$nsclient1" "redir4" "$expect"; then
if [ $? -ne 0 ];then
ret=1 ret=1
fi fi
ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null ip netns exec "$nsclient1" ping -W 1 -c 1 dead:1::42 > /dev/null
expect="packets 1 bytes 192" expect="packets 1 bytes 192"
check_counter nsclient1 "redir6" "$expect" if ! check_counter "$nsclient1" "redir6" "$expect"; then
if [ $? -ne 0 ];then
ret=1 ret=1
fi fi
......
#!/bin/bash #!/bin/bash
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
# Conntrack needs to reassemble fragments in order to have complete # Conntrack needs to reassemble fragments in order to have complete
# packets for rule matching. Reassembly can lead to packet loss. # packets for rule matching. Reassembly can lead to packet loss.
...@@ -23,46 +22,34 @@ ksft_skip=4 ...@@ -23,46 +22,34 @@ ksft_skip=4
# between Client A and Client B over WAN. Wanrouter has MTU 1400 set # between Client A and Client B over WAN. Wanrouter has MTU 1400 set
# on its interfaces. # on its interfaces.
rnd=$(mktemp -u XXXXXXXX)
rx=$(mktemp) rx=$(mktemp)
r_a="ns-ra-$rnd"
r_b="ns-rb-$rnd"
r_w="ns-rw-$rnd"
c_a="ns-ca-$rnd"
c_b="ns-cb-$rnd"
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
checktool "iptables --version" "run test without iptables" checktool "iptables --version" "run test without iptables"
checktool "ip -Version" "run test without ip tool" checktool "socat -h" "run test without socat"
checktool "which socat" "run test without socat"
checktool "ip netns add ${r_a}" "create net namespace"
for n in ${r_b} ${r_w} ${c_a} ${c_b};do setup_ns r_a r_b r_w c_a c_b
ip netns add ${n}
done
cleanup() { cleanup() {
for n in ${r_a} ${r_b} ${r_w} ${c_a} ${c_b};do cleanup_all_ns
ip netns del ${n}
done
rm -f ${rx} rm -f ${rx}
} }
trap cleanup EXIT trap cleanup EXIT
listener_ready()
{
ns="$1"
port="$2"
ss -N "$ns" -lnu -o "sport = :$port" | grep -q "$port"
}
test_path() { test_path() {
msg="$1" msg="$1"
ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null & ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null &
sleep 1 busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000
for i in 1 2 3; do for i in 1 2 3; do
head -c1400 /dev/zero | tr "\000" "a" | \ head -c1400 /dev/zero | tr "\000" "a" | \
ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000 ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000
...@@ -129,7 +116,7 @@ r_addr="10.2.2.1" ...@@ -129,7 +116,7 @@ r_addr="10.2.2.1"
ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
for dev in lo veth0 veth1 ipip0; do for dev in veth0 veth1 ipip0; do
ip -net ${r_b} link set $dev up ip -net ${r_b} link set $dev up
done done
...@@ -142,21 +129,18 @@ ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null ...@@ -142,21 +129,18 @@ ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# Client A # Client A
ip -net ${c_a} addr add 192.168.10.2/24 dev veth0 ip -net ${c_a} addr add 192.168.10.2/24 dev veth0
ip -net ${c_a} link set dev lo up
ip -net ${c_a} link set dev veth0 up ip -net ${c_a} link set dev veth0 up
ip -net ${c_a} route add default via 192.168.10.1 ip -net ${c_a} route add default via 192.168.10.1
# Client A # Client A
ip -net ${c_b} addr add 192.168.20.2/24 dev veth0 ip -net ${c_b} addr add 192.168.20.2/24 dev veth0
ip -net ${c_b} link set dev veth0 up ip -net ${c_b} link set dev veth0 up
ip -net ${c_b} link set dev lo up
ip -net ${c_b} route add default via 192.168.20.1 ip -net ${c_b} route add default via 192.168.20.1
# Wan # Wan
ip -net ${r_w} addr add 10.2.2.254/24 dev veth0 ip -net ${r_w} addr add 10.2.2.254/24 dev veth0
ip -net ${r_w} addr add 10.4.4.254/24 dev veth1 ip -net ${r_w} addr add 10.4.4.254/24 dev veth1
ip -net ${r_w} link set dev lo up
ip -net ${r_w} link set dev veth0 up mtu 1400 ip -net ${r_w} link set dev veth0 up mtu 1400
ip -net ${r_w} link set dev veth1 up mtu 1400 ip -net ${r_w} link set dev veth1 up mtu 1400
......
...@@ -12,69 +12,67 @@ ...@@ -12,69 +12,67 @@
# #
# TOPO: SERVER_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) CLIENT_NS # TOPO: SERVER_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) CLIENT_NS
CLIENT_NS=$(mktemp -u client-XXXXXXXX) source lib.sh
CLIENT_IP="198.51.200.1" CLIENT_IP="198.51.200.1"
CLIENT_PORT=1234 CLIENT_PORT=1234
SERVER_NS=$(mktemp -u server-XXXXXXXX)
SERVER_IP="198.51.100.1" SERVER_IP="198.51.100.1"
SERVER_PORT=1234 SERVER_PORT=1234
ROUTER_NS=$(mktemp -u router-XXXXXXXX)
CLIENT_GW="198.51.200.2" CLIENT_GW="198.51.200.2"
SERVER_GW="198.51.100.2" SERVER_GW="198.51.100.2"
# setup the topo # setup the topo
setup() { setup() {
ip net add $CLIENT_NS setup_ns CLIENT_NS SERVER_NS ROUTER_NS
ip net add $SERVER_NS ip -n "$SERVER_NS" link add link0 type veth peer name link1 netns "$ROUTER_NS"
ip net add $ROUTER_NS ip -n "$CLIENT_NS" link add link3 type veth peer name link2 netns "$ROUTER_NS"
ip -n $SERVER_NS link add link0 type veth peer name link1 netns $ROUTER_NS
ip -n $CLIENT_NS link add link3 type veth peer name link2 netns $ROUTER_NS
ip -n $SERVER_NS link set link0 up ip -n "$SERVER_NS" link set link0 up
ip -n $SERVER_NS addr add $SERVER_IP/24 dev link0 ip -n "$SERVER_NS" addr add $SERVER_IP/24 dev link0
ip -n $SERVER_NS route add $CLIENT_IP dev link0 via $SERVER_GW ip -n "$SERVER_NS" route add $CLIENT_IP dev link0 via $SERVER_GW
ip -n $ROUTER_NS link set link1 up ip -n "$ROUTER_NS" link set link1 up
ip -n $ROUTER_NS link set link2 up ip -n "$ROUTER_NS" link set link2 up
ip -n $ROUTER_NS addr add $SERVER_GW/24 dev link1 ip -n "$ROUTER_NS" addr add $SERVER_GW/24 dev link1
ip -n $ROUTER_NS addr add $CLIENT_GW/24 dev link2 ip -n "$ROUTER_NS" addr add $CLIENT_GW/24 dev link2
ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1 ip net exec "$ROUTER_NS" sysctl -wq net.ipv4.ip_forward=1
ip -n $CLIENT_NS link set link3 up ip -n "$CLIENT_NS" link set link3 up
ip -n $CLIENT_NS addr add $CLIENT_IP/24 dev link3 ip -n "$CLIENT_NS" addr add $CLIENT_IP/24 dev link3
ip -n $CLIENT_NS route add $SERVER_IP dev link3 via $CLIENT_GW ip -n "$CLIENT_NS" route add $SERVER_IP dev link3 via $CLIENT_GW
# simulate the delay on OVS upcall by setting up a delay for INIT_ACK with # simulate the delay on OVS upcall by setting up a delay for INIT_ACK with
# tc on $SERVER_NS side # tc on $SERVER_NS side
tc -n $SERVER_NS qdisc add dev link0 root handle 1: htb tc -n "$SERVER_NS" qdisc add dev link0 root handle 1: htb r2q 64
tc -n $SERVER_NS class add dev link0 parent 1: classid 1:1 htb rate 100mbit tc -n "$SERVER_NS" class add dev link0 parent 1: classid 1:1 htb rate 100mbit
tc -n $SERVER_NS filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \ tc -n "$SERVER_NS" filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \
0xff match u8 2 0xff at 32 flowid 1:1 0xff match u8 2 0xff at 32 flowid 1:1
tc -n $SERVER_NS qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms if ! tc -n "$SERVER_NS" qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms; then
echo "SKIP: Cannot add netem qdisc"
exit $ksft_skip
fi
# simulate the ctstate check on OVS nf_conntrack # simulate the ctstate check on OVS nf_conntrack
ip net exec $ROUTER_NS iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP ip net exec "$ROUTER_NS" iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP
ip net exec $ROUTER_NS iptables -A INPUT -p sctp -j DROP ip net exec "$ROUTER_NS" iptables -A INPUT -p sctp -j DROP
# use a smaller number for assoc's max_retrans to reproduce the issue # use a smaller number for assoc's max_retrans to reproduce the issue
modprobe sctp modprobe -q sctp
ip net exec $CLIENT_NS sysctl -wq net.sctp.association_max_retrans=3 ip net exec "$CLIENT_NS" sysctl -wq net.sctp.association_max_retrans=3
} }
cleanup() { cleanup() {
ip net exec $CLIENT_NS pkill sctp_collision 2>&1 >/dev/null ip net exec "$CLIENT_NS" pkill sctp_collision >/dev/null 2>&1
ip net exec $SERVER_NS pkill sctp_collision 2>&1 >/dev/null ip net exec "$SERVER_NS" pkill sctp_collision >/dev/null 2>&1
ip net del "$CLIENT_NS" cleanup_all_ns
ip net del "$SERVER_NS"
ip net del "$ROUTER_NS"
} }
do_test() { do_test() {
ip net exec $SERVER_NS ./sctp_collision server \ ip net exec "$SERVER_NS" ./sctp_collision server \
$SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT & $SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT &
ip net exec $CLIENT_NS ./sctp_collision client \ ip net exec "$CLIENT_NS" ./sctp_collision client \
$CLIENT_IP $CLIENT_PORT $SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT $SERVER_IP $SERVER_PORT
} }
......
...@@ -4,37 +4,29 @@ ...@@ -4,37 +4,29 @@
# Check that UNREPLIED tcp conntrack will eventually timeout. # Check that UNREPLIED tcp conntrack will eventually timeout.
# #
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0
waittime=20
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nft --version > /dev/null 2>&1 if ! nft --version > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool" echo "SKIP: Could not run test without nft tool"
exit $ksft_skip exit $ksft_skip
fi fi
ip -Version > /dev/null 2>&1 if ! conntrack --version > /dev/null 2>&1;then
if [ $? -ne 0 ];then echo "SKIP: Could not run test without conntrack tool"
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip exit $ksft_skip
fi fi
ret=0
cleanup() { cleanup() {
ip netns pids $ns1 | xargs kill 2>/dev/null ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids $ns2 | xargs kill 2>/dev/null ip netns pids "$ns2" | xargs kill 2>/dev/null
ip netns del $ns1 cleanup_all_ns
ip netns del $ns2
} }
ipv4() { ipv4() {
echo -n 192.168.$1.2 echo -n 192.168."$1".2
} }
check_counter() check_counter()
...@@ -44,51 +36,53 @@ check_counter() ...@@ -44,51 +36,53 @@ check_counter()
expect=$3 expect=$3
local lret=0 local lret=0
cnt=$(ip netns exec $ns2 nft list counter inet filter "$name" | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "$name" | grep -q "$expect"; then
if [ $? -ne 0 ]; then
echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2 echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2
ip netns exec $ns2 nft list counter inet filter "$name" 1>&2 ip netns exec "$ns2" nft list counter inet filter "$name" 1>&2
lret=1 lret=1
fi fi
return $lret return $lret
} }
# Create test namespaces
ip netns add $ns1 || exit 1
trap cleanup EXIT trap cleanup EXIT
ip netns add $ns2 || exit 1 # Create test namespaces
setup_ns ns1 ns2
# Connect the namespace to the host using a veth pair # Connect the namespace to the host using a veth pair
ip -net $ns1 link add name veth1 type veth peer name veth2 ip -net "$ns1" link add name veth1 type veth peer name veth2
ip -net $ns1 link set netns $ns2 dev veth2 ip -net "$ns1" link set netns "$ns2" dev veth2
ip -net $ns1 link set up dev lo ip -net "$ns1" link set up dev lo
ip -net $ns2 link set up dev lo ip -net "$ns2" link set up dev lo
ip -net $ns1 link set up dev veth1 ip -net "$ns1" link set up dev veth1
ip -net $ns2 link set up dev veth2 ip -net "$ns2" link set up dev veth2
ip -net $ns2 addr add 10.11.11.2/24 dev veth2 ip -net "$ns2" addr add 10.11.11.2/24 dev veth2
ip -net $ns2 route add default via 10.11.11.1 ip -net "$ns2" route add default via 10.11.11.1
ip netns exec $ns2 sysctl -q net.ipv4.conf.veth2.forwarding=1 ip netns exec "$ns2" sysctl -q net.ipv4.conf.veth2.forwarding=1
# add a rule inside NS so we enable conntrack # add a rule inside NS so we enable conntrack
ip netns exec $ns1 iptables -A INPUT -m state --state established,related -j ACCEPT ip netns exec "$ns1" nft -f - <<EOF
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
ct state established accept
}
}
EOF
ip -net $ns1 addr add 10.11.11.1/24 dev veth1 ip -net "$ns1" addr add 10.11.11.1/24 dev veth1
ip -net $ns1 route add 10.99.99.99 via 10.11.11.2 ip -net "$ns1" route add 10.99.99.99 via 10.11.11.2
# Check connectivity works # Check connectivity works
ip netns exec $ns1 ping -q -c 2 10.11.11.2 >/dev/null || exit 1 ip netns exec "$ns1" ping -q -c 2 10.11.11.2 >/dev/null || exit 1
ip netns exec $ns2 nc -l -p 8080 < /dev/null &
# however, conntrack entries are there ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT &
ip netns exec $ns2 nft -f - <<EOF ip netns exec "$ns2" nft -f - <<EOF
table inet filter { table inet filter {
counter connreq { } counter connreq { }
counter redir { } counter redir { }
...@@ -104,17 +98,15 @@ if [ $? -ne 0 ]; then ...@@ -104,17 +98,15 @@ if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
ip netns exec $ns2 sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 ip netns exec "$ns2" sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10
echo "INFO: connect $ns1 -> $ns2 to the virtual ip" echo "INFO: connect $ns1 -> $ns2 to the virtual ip"
ip netns exec $ns1 bash -c 'while true ; do ip netns exec "$ns1" bash -c 'for i in $(seq 1 $BUSYWAIT_TIMEOUT) ; do
nc -p 60000 10.99.99.99 80 socat -u STDIN TCP:10.99.99.99:80 < /dev/null
sleep 1 sleep 0.1
done' & done' &
sleep 1 ip netns exec "$ns2" nft -f - <<EOF
ip netns exec $ns2 nft -f - <<EOF
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority 0; policy accept; type nat hook prerouting priority 0; policy accept;
...@@ -127,34 +119,28 @@ if [ $? -ne 0 ]; then ...@@ -127,34 +119,28 @@ if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
count=$(ip netns exec $ns2 conntrack -L -p tcp --dport 80 2>/dev/null | wc -l) count=$(ip netns exec "$ns2" conntrack -L -p tcp --dport 80 2>/dev/null | wc -l)
if [ $count -eq 0 ]; then if [ "$count" -eq 0 ]; then
echo "ERROR: $ns2 did not pick up tcp connection from peer" echo "ERROR: $ns2 did not pick up tcp connection from peer"
exit 1 exit 1
fi fi
echo "INFO: NAT redirect added in ns $ns2, waiting for $waittime seconds for nat to take effect" wait_for_redirect()
for i in $(seq 1 $waittime); do {
echo -n "." count=$(ip netns exec "$ns2" conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
if [ "$count" -gt 0 ]; then
sleep 1 return 0
count=$(ip netns exec $ns2 conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
if [ $count -gt 0 ]; then
echo
echo "PASS: redirection took effect after $i seconds"
break
fi fi
m=$((i%20)) return 1
if [ $m -eq 0 ]; then }
echo " waited for $i seconds" echo "INFO: NAT redirect added in ns $ns2, waiting for $BUSYWAIT_TIMEOUT ms for nat to take effect"
fi
done busywait $BUSYWAIT_TIMEOUT wait_for_redirect
ret=$?
expect="packets 1 bytes 60" expect="packets 1 bytes 60"
check_counter "$ns2" "redir" "$expect" if ! check_counter "$ns2" "redir" "$expect"; then
if [ $? -ne 0 ]; then
ret=1 ret=1
fi fi
......
#!/bin/sh #!/bin/bash
# This script demonstrates interaction of conntrack and vrf. # This script demonstrates interaction of conntrack and vrf.
# The vrf driver calls the netfilter hooks again, with oif/iif # The vrf driver calls the netfilter hooks again, with oif/iif
...@@ -28,84 +28,65 @@ ...@@ -28,84 +28,65 @@
# that was supposed to be fixed by the commit mentioned above to make sure # that was supposed to be fixed by the commit mentioned above to make sure
# that any fix to test case 1 won't break masquerade again. # that any fix to test case 1 won't break masquerade again.
ksft_skip=4 source lib.sh
IP0=172.30.30.1 IP0=172.30.30.1
IP1=172.30.30.2 IP1=172.30.30.2
PFXL=30 PFXL=30
ret=0 ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns0="ns0-$sfx"
ns1="ns1-$sfx"
cleanup() cleanup()
{ {
ip netns pids $ns0 | xargs kill 2>/dev/null ip netns pids $ns0 | xargs kill 2>/dev/null
ip netns pids $ns1 | xargs kill 2>/dev/null ip netns pids $ns1 | xargs kill 2>/dev/null
ip netns del $ns0 $ns1 cleanup_all_ns
} }
nft --version > /dev/null 2>&1 if ! nft --version > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool" echo "SKIP: Could not run test without nft tool"
exit $ksft_skip exit $ksft_skip
fi fi
ip -Version > /dev/null 2>&1 if ! conntrack --version > /dev/null 2>&1;then
if [ $? -ne 0 ];then echo "SKIP: Could not run test without conntrack tool"
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add "$ns0"
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace $ns0"
exit $ksft_skip exit $ksft_skip
fi fi
ip netns add "$ns1"
trap cleanup EXIT trap cleanup EXIT
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.default.rp_filter=0 setup_ns ns0 ns1
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1 ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.default.rp_filter=0
if [ $? -ne 0 ];then ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
if ! ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: Could not add veth device" echo "SKIP: Could not add veth device"
exit $ksft_skip exit $ksft_skip
fi fi
ip -net $ns0 li add tvrf type vrf table 9876 if ! ip -net "$ns0" li add tvrf type vrf table 9876; then
if [ $? -ne 0 ];then
echo "SKIP: Could not add vrf device" echo "SKIP: Could not add vrf device"
exit $ksft_skip exit $ksft_skip
fi fi
ip -net $ns0 li set lo up ip -net "$ns0" li set veth0 master tvrf
ip -net "$ns0" li set tvrf up
ip -net $ns0 li set veth0 master tvrf ip -net "$ns0" li set veth0 up
ip -net $ns0 li set tvrf up ip -net "$ns1" li set veth0 up
ip -net $ns0 li set veth0 up
ip -net $ns1 li set veth0 up
ip -net $ns0 addr add $IP0/$PFXL dev veth0 ip -net "$ns0" addr add $IP0/$PFXL dev veth0
ip -net $ns1 addr add $IP1/$PFXL dev veth0 ip -net "$ns1" addr add $IP1/$PFXL dev veth0
ip netns exec $ns1 iperf3 -s > /dev/null 2>&1& ip netns exec "$ns1" iperf3 -s > /dev/null 2>&1 &
if [ $? -ne 0 ];then
echo "SKIP: Could not start iperf3"
exit $ksft_skip
fi
# test vrf ingress handling. # test vrf ingress handling.
# The incoming connection should be placed in conntrack zone 1, # The incoming connection should be placed in conntrack zone 1,
# as decided by the first iteration of the ruleset. # as decided by the first iteration of the ruleset.
test_ct_zone_in() test_ct_zone_in()
{ {
ip netns exec $ns0 nft -f - <<EOF ip netns exec "$ns0" nft -f - <<EOF
table testct { table testct {
chain rawpre { chain rawpre {
type filter hook prerouting priority raw; type filter hook prerouting priority raw;
...@@ -126,21 +107,21 @@ table testct { ...@@ -126,21 +107,21 @@ table testct {
} }
} }
EOF EOF
ip netns exec $ns1 ping -W 1 -c 1 -I veth0 $IP0 > /dev/null ip netns exec "$ns1" ping -W 1 -c 1 -I veth0 "$IP0" > /dev/null
# should be in zone 1, not zone 2 # should be in zone 1, not zone 2
count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l) count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l)
if [ $count -eq 1 ]; then if [ "$count" -eq 1 ]; then
echo "PASS: entry found in conntrack zone 1" echo "PASS: entry found in conntrack zone 1"
else else
echo "FAIL: entry not found in conntrack zone 1" echo "FAIL: entry not found in conntrack zone 1"
count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l) count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l)
if [ $count -eq 1 ]; then if [ "$count" -eq 1 ]; then
echo "FAIL: entry found in zone 2 instead" echo "FAIL: entry found in zone 2 instead"
else else
echo "FAIL: entry not in zone 1 or 2, dumping table" echo "FAIL: entry not in zone 1 or 2, dumping table"
ip netns exec $ns0 conntrack -L ip netns exec "$ns0" conntrack -L
ip netns exec $ns0 nft list ruleset ip netns exec "$ns0" nft list ruleset
fi fi
fi fi
} }
...@@ -153,12 +134,12 @@ test_masquerade_vrf() ...@@ -153,12 +134,12 @@ test_masquerade_vrf()
local qdisc=$1 local qdisc=$1
if [ "$qdisc" != "default" ]; then if [ "$qdisc" != "default" ]; then
tc -net $ns0 qdisc add dev tvrf root $qdisc tc -net "$ns0" qdisc add dev tvrf root "$qdisc"
fi fi
ip netns exec $ns0 conntrack -F 2>/dev/null ip netns exec "$ns0" conntrack -F 2>/dev/null
ip netns exec $ns0 nft -f - <<EOF ip netns exec "$ns0" nft -f - <<EOF
flush ruleset flush ruleset
table ip nat { table ip nat {
chain rawout { chain rawout {
...@@ -179,17 +160,15 @@ table ip nat { ...@@ -179,17 +160,15 @@ table ip nat {
} }
} }
EOF EOF
ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null; then
if [ $? -ne 0 ]; then
echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device" echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device"
ret=1 ret=1
return return
fi fi
# must also check that nat table was evaluated on second (lower device) iteration. # must also check that nat table was evaluated on second (lower device) iteration.
ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' && ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2' &&
ip netns exec $ns0 nft list table ip nat |grep -q 'untracked counter packets [1-9]' if ip netns exec "$ns0" nft list table ip nat |grep -q 'untracked counter packets [1-9]'; then
if [ $? -eq 0 ]; then
echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)" echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)"
else else
echo "FAIL: vrf rules have unexpected counter value" echo "FAIL: vrf rules have unexpected counter value"
...@@ -197,7 +176,7 @@ EOF ...@@ -197,7 +176,7 @@ EOF
fi fi
if [ "$qdisc" != "default" ]; then if [ "$qdisc" != "default" ]; then
tc -net $ns0 qdisc del dev tvrf root tc -net "$ns0" qdisc del dev tvrf root
fi fi
} }
...@@ -206,8 +185,8 @@ EOF ...@@ -206,8 +185,8 @@ EOF
# oifname is the lower device (veth0 in this case). # oifname is the lower device (veth0 in this case).
test_masquerade_veth() test_masquerade_veth()
{ {
ip netns exec $ns0 conntrack -F 2>/dev/null ip netns exec "$ns0" conntrack -F 2>/dev/null
ip netns exec $ns0 nft -f - <<EOF ip netns exec "$ns0" nft -f - <<EOF
flush ruleset flush ruleset
table ip nat { table ip nat {
chain postrouting { chain postrouting {
...@@ -216,16 +195,14 @@ table ip nat { ...@@ -216,16 +195,14 @@ table ip nat {
} }
} }
EOF EOF
ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null; then
if [ $? -ne 0 ]; then
echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device" echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device"
ret=1 ret=1
return return
fi fi
# must also check that nat table was evaluated on second (lower device) iteration. # must also check that nat table was evaluated on second (lower device) iteration.
ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2'; then
if [ $? -eq 0 ]; then
echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device" echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device"
else else
echo "FAIL: vrf masq rule has unexpected counter value" echo "FAIL: vrf masq rule has unexpected counter value"
......
#!/bin/sh #!/bin/bash
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
# #
# End-to-end ipvs test suite # End-to-end ipvs test suite
...@@ -24,8 +24,8 @@ ...@@ -24,8 +24,8 @@
# We assume that all network driver are loaded # We assume that all network driver are loaded
# #
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0 ret=0
GREEN='\033[0;92m' GREEN='\033[0;92m'
RED='\033[0;31m' RED='\033[0;31m'
...@@ -46,53 +46,39 @@ readonly datalen=32 ...@@ -46,53 +46,39 @@ readonly datalen=32
sysipvsnet="/proc/sys/net/ipv4/vs/" sysipvsnet="/proc/sys/net/ipv4/vs/"
if [ ! -d $sysipvsnet ]; then if [ ! -d $sysipvsnet ]; then
modprobe -q ip_vs if ! modprobe -q ip_vs; then
if [ $? -ne 0 ]; then
echo "skip: could not run test without ipvs module" echo "skip: could not run test without ipvs module"
exit $ksft_skip exit $ksft_skip
fi fi
fi fi
ip -Version > /dev/null 2>&1 checktool "ipvsadm -v" "run test without ipvsadm"
if [ $? -ne 0 ]; then checktool "socat -h" "run test without socat"
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ipvsadm -v > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "SKIP: Could not run test without ipvsadm"
exit $ksft_skip
fi
setup() { setup() {
ip netns add ns0 setup_ns ns0 ns1 ns2
ip netns add ns1
ip netns add ns2 ip link add veth01 netns "${ns0}" type veth peer name veth10 netns "${ns1}"
ip link add veth02 netns "${ns0}" type veth peer name veth20 netns "${ns2}"
ip link add veth01 netns ns0 type veth peer name veth10 netns ns1 ip link add veth12 netns "${ns1}" type veth peer name veth21 netns "${ns2}"
ip link add veth02 netns ns0 type veth peer name veth20 netns ns2
ip link add veth12 netns ns1 type veth peer name veth21 netns ns2 ip netns exec "${ns0}" ip link set veth01 up
ip netns exec "${ns0}" ip link set veth02 up
ip netns exec ns0 ip link set veth01 up ip netns exec "${ns0}" ip link add br0 type bridge
ip netns exec ns0 ip link set veth02 up ip netns exec "${ns0}" ip link set veth01 master br0
ip netns exec ns0 ip link add br0 type bridge ip netns exec "${ns0}" ip link set veth02 master br0
ip netns exec ns0 ip link set veth01 master br0 ip netns exec "${ns0}" ip link set br0 up
ip netns exec ns0 ip link set veth02 master br0 ip netns exec "${ns0}" ip addr add "${cip_v4}/24" dev br0
ip netns exec ns0 ip link set br0 up
ip netns exec ns0 ip addr add ${cip_v4}/24 dev br0 ip netns exec "${ns1}" ip link set veth10 up
ip netns exec "${ns1}" ip addr add "${gip_v4}/24" dev veth10
ip netns exec ns1 ip link set lo up ip netns exec "${ns1}" ip link set veth12 up
ip netns exec ns1 ip link set veth10 up ip netns exec "${ns1}" ip addr add "${dip_v4}/24" dev veth12
ip netns exec ns1 ip addr add ${gip_v4}/24 dev veth10
ip netns exec ns1 ip link set veth12 up ip netns exec "${ns2}" ip link set veth21 up
ip netns exec ns1 ip addr add ${dip_v4}/24 dev veth12 ip netns exec "${ns2}" ip addr add "${rip_v4}/24" dev veth21
ip netns exec "${ns2}" ip link set veth20 up
ip netns exec ns2 ip link set lo up ip netns exec "${ns2}" ip addr add "${sip_v4}/24" dev veth20
ip netns exec ns2 ip link set veth21 up
ip netns exec ns2 ip addr add ${rip_v4}/24 dev veth21
ip netns exec ns2 ip link set veth20 up
ip netns exec ns2 ip addr add ${sip_v4}/24 dev veth20
sleep 1 sleep 1
...@@ -100,10 +86,7 @@ setup() { ...@@ -100,10 +86,7 @@ setup() {
} }
cleanup() { cleanup() {
for i in 0 1 2 cleanup_all_ns
do
ip netns del ns$i > /dev/null 2>&1
done
if [ -f "${outfile}" ]; then if [ -f "${outfile}" ]; then
rm "${outfile}" rm "${outfile}"
...@@ -114,13 +97,13 @@ cleanup() { ...@@ -114,13 +97,13 @@ cleanup() {
} }
server_listen() { server_listen() {
ip netns exec ns2 nc -l -p 8080 > "${outfile}" & ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
server_pid=$! server_pid=$!
sleep 0.2 sleep 0.2
} }
client_connect() { client_connect() {
ip netns exec ns0 timeout 2 nc -w 1 ${vip_v4} ${port} < "${infile}" ip netns exec "${ns0}" timeout 2 socat -u -4 STDIN TCP:"${vip_v4}":"${port}" < "${infile}"
} }
verify_data() { verify_data() {
...@@ -136,58 +119,58 @@ test_service() { ...@@ -136,58 +119,58 @@ test_service() {
test_dr() { test_dr() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1 ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec ns1 ipvsadm -a -t ${vip_v4}:${port} -r ${rip_v4}:${port} ip netns exec "${ns1}" ipvsadm -a -t "${vip_v4}:${port}" -r "${rip_v4}:${port}"
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1
# avoid incorrect arp response # avoid incorrect arp response
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2
# avoid reverse route lookup # avoid reverse route lookup
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1 ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1
test_service test_service
} }
test_nat() { test_nat() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1 ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec ns1 ipvsadm -a -m -t ${vip_v4}:${port} -r ${rip_v4}:${port} ip netns exec "${ns1}" ipvsadm -a -m -t "${vip_v4}:${port}" -r "${rip_v4}:${port}"
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1
ip netns exec ns2 ip link del veth20 ip netns exec "${ns2}" ip link del veth20
ip netns exec ns2 ip route add default via ${dip_v4} dev veth21 ip netns exec "${ns2}" ip route add default via "${dip_v4}" dev veth21
test_service test_service
} }
test_tun() { test_tun() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec ns1 modprobe ipip ip netns exec "${ns1}" modprobe -q ipip
ip netns exec ns1 ip link set tunl0 up ip netns exec "${ns1}" ip link set tunl0 up
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=0 ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=0
ip netns exec ns1 sysctl -qw net.ipv4.conf.all.send_redirects=0 ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.all.send_redirects=0
ip netns exec ns1 sysctl -qw net.ipv4.conf.default.send_redirects=0 ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.default.send_redirects=0
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec ns1 ipvsadm -a -i -t ${vip_v4}:${port} -r ${rip_v4}:${port} ip netns exec "${ns1}" ipvsadm -a -i -t "${vip_v4}:${port}" -r ${rip_v4}:${port}
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 ip netns exec "${ns1}" ip addr add ${vip_v4}/32 dev lo:1
ip netns exec ns2 modprobe ipip ip netns exec "${ns2}" modprobe -q ipip
ip netns exec ns2 ip link set tunl0 up ip netns exec "${ns2}" ip link set tunl0 up
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.tunl0.rp_filter=0 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.tunl0.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1 ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1
test_service test_service
} }
......
net_netfilter_dir=$(dirname "$(readlink -e "${BASH_SOURCE[0]}")")
source "$net_netfilter_dir/../lib.sh"
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
...@@ -4,88 +4,60 @@ ...@@ -4,88 +4,60 @@
# Test NAT source port clash resolution # Test NAT source port clash resolution
# #
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0 ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
socatpid=0 socatpid=0
cleanup() cleanup()
{ {
[ $socatpid -gt 0 ] && kill $socatpid [ "$socatpid" -gt 0 ] && kill "$socatpid"
ip netns del $ns1
ip netns del $ns2
}
socat -h > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without socat"
exit $ksft_skip
fi
iptables --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without iptables"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1 cleanup_all_ns
if [ $? -ne 0 ];then }
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add "$ns1" checktool "socat -h" "run test without socat"
if [ $? -ne 0 ];then checktool "iptables --version" "run test without iptables"
echo "SKIP: Could not create net namespace $ns1"
exit $ksft_skip
fi
trap cleanup EXIT trap cleanup EXIT
ip netns add $ns2 setup_ns ns1 ns2
# Connect the namespaces using a veth pair # Connect the namespaces using a veth pair
ip link add name veth2 type veth peer name veth1 ip link add name veth2 type veth peer name veth1
ip link set netns $ns1 dev veth1 ip link set netns "$ns1" dev veth1
ip link set netns $ns2 dev veth2 ip link set netns "$ns2" dev veth2
ip netns exec $ns1 ip link set up dev lo ip netns exec "$ns1" ip link set up dev lo
ip netns exec $ns1 ip link set up dev veth1 ip netns exec "$ns1" ip link set up dev veth1
ip netns exec $ns1 ip addr add 192.168.1.1/24 dev veth1 ip netns exec "$ns1" ip addr add 192.168.1.1/24 dev veth1
ip netns exec $ns2 ip link set up dev lo ip netns exec "$ns2" ip link set up dev lo
ip netns exec $ns2 ip link set up dev veth2 ip netns exec "$ns2" ip link set up dev veth2
ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2 ip netns exec "$ns2" ip addr add 192.168.1.2/24 dev veth2
# Create a server in one namespace # Create a server in one namespace
ip netns exec $ns1 socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 & ip netns exec "$ns1" socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
socatpid=$! socatpid=$!
# Restrict source port to just one so we don't have to exhaust # Restrict source port to just one so we don't have to exhaust
# all others. # all others.
ip netns exec $ns2 sysctl -q net.ipv4.ip_local_port_range="10000 10000" ip netns exec "$ns2" sysctl -q net.ipv4.ip_local_port_range="10000 10000"
# add a virtual IP using DNAT # add a virtual IP using DNAT
ip netns exec $ns2 iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201 ip netns exec "$ns2" iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201
# ... and route it to the other namespace # ... and route it to the other namespace
ip netns exec $ns2 ip route add 10.96.0.1 via 192.168.1.1 ip netns exec "$ns2" ip route add 10.96.0.1 via 192.168.1.1
sleep 1
# add a persistent connection from the other namespace # add a persistent connection from the other namespace
ip netns exec $ns2 socat -t 10 - TCP:192.168.1.1:5201 > /dev/null & ip netns exec "$ns2" socat -t 10 - TCP:192.168.1.1:5201 > /dev/null &
sleep 1 sleep 1
# ip daddr:dport will be rewritten to 192.168.1.1 5201 # ip daddr:dport will be rewritten to 192.168.1.1 5201
# NAT must reallocate source port 10000 because # NAT must reallocate source port 10000 because
# 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use # 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use
echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null echo test | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null
ret=$? ret=$?
# Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201). # Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201).
...@@ -96,16 +68,14 @@ else ...@@ -96,16 +68,14 @@ else
fi fi
# check sport clashres. # check sport clashres.
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201 ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201 ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
sleep 5 | ip netns exec $ns2 socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null & sleep 5 | ip netns exec "$ns2" socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
cpid1=$!
sleep 1
# if connect succeeds, client closes instantly due to EOF on stdin. # if connect succeeds, client closes instantly due to EOF on stdin.
# if connect hangs, it will time out after 5s. # if connect hangs, it will time out after 5s.
echo | ip netns exec $ns2 socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null & echo | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
cpid2=$! cpid2=$!
time_then=$(date +%s) time_then=$(date +%s)
...@@ -117,7 +87,7 @@ time_now=$(date +%s) ...@@ -117,7 +87,7 @@ time_now=$(date +%s)
# 'cpid2' to connect and then exit (and no connect delay). # 'cpid2' to connect and then exit (and no connect delay).
delta=$((time_now - time_then)) delta=$((time_now - time_then))
if [ $delta -lt 2 -a $rv -eq 0 ]; then if [ $delta -lt 2 ] && [ $rv -eq 0 ]; then
echo "PASS: could connect to service via redirected ports" echo "PASS: could connect to service via redirected ports"
else else
echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)" echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)"
......
...@@ -5,72 +5,48 @@ ...@@ -5,72 +5,48 @@
# 2. auto-assign still works. # 2. auto-assign still works.
# #
# Kselftest framework requirement - SKIP code is 4. # Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0 ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
testipv6=1 testipv6=1
checktool "socat -h" "run test without socat"
checktool "conntrack --version" "run test without conntrack"
checktool "nft --version" "run test without nft"
cleanup() cleanup()
{ {
ip netns del ${ns1} ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns del ${ns2}
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
conntrack -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
which nc >/dev/null 2>&1 ip netns del "$ns1"
if [ $? -ne 0 ];then ip netns del "$ns2"
echo "SKIP: Could not run test without netcat tool" }
exit $ksft_skip
fi
trap cleanup EXIT trap cleanup EXIT
ip netns add ${ns1} setup_ns ns1 ns2
ip netns add ${ns2}
ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1 if ! ip link add veth0 netns "$ns1" type veth peer name veth0 netns "$ns2" > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: No virtual ethernet pair device support in kernel" echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip exit $ksft_skip
fi fi
ip -net ${ns1} link set lo up ip -net "$ns1" link set veth0 up
ip -net ${ns1} link set veth0 up ip -net "$ns2" link set veth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set veth0 up
ip -net ${ns1} addr add 10.0.1.1/24 dev veth0 ip -net "$ns1" addr add 10.0.1.1/24 dev veth0
ip -net ${ns1} addr add dead:1::1/64 dev veth0 ip -net "$ns1" addr add dead:1::1/64 dev veth0 nodad
ip -net ${ns2} addr add 10.0.1.2/24 dev veth0 ip -net "$ns2" addr add 10.0.1.2/24 dev veth0
ip -net ${ns2} addr add dead:1::2/64 dev veth0 ip -net "$ns2" addr add dead:1::2/64 dev veth0 nodad
load_ruleset_family() { load_ruleset_family() {
local family=$1 local family=$1
local ns=$2 local ns=$2
ip netns exec ${ns} nft -f - <<EOF ip netns exec "$ns" nft -f - <<EOF
table $family raw { table $family raw {
ct helper ftp { ct helper ftp {
type "ftp" protocol tcp type "ftp" protocol tcp
...@@ -94,22 +70,21 @@ check_for_helper() ...@@ -94,22 +70,21 @@ check_for_helper()
local message=$2 local message=$2
local port=$3 local port=$3
if echo $message |grep -q 'ipv6';then if echo "$message" |grep -q 'ipv6';then
local family="ipv6" local family="ipv6"
else else
local family="ipv4" local family="ipv4"
fi fi
ip netns exec ${netns} conntrack -L -f $family -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp' if ! ip netns exec "$netns" conntrack -L -f $family -p tcp --dport "$port" 2> /dev/null |grep -q 'helper=ftp';then
if [ $? -ne 0 ] ; then if [ "$autoassign" -eq 0 ] ;then
if [ $autoassign -eq 0 ] ;then
echo "FAIL: ${netns} did not show attached helper $message" 1>&2 echo "FAIL: ${netns} did not show attached helper $message" 1>&2
ret=1 ret=1
else else
echo "PASS: ${netns} did not show attached helper $message" 1>&2 echo "PASS: ${netns} did not show attached helper $message" 1>&2
fi fi
else else
if [ $autoassign -eq 0 ] ;then if [ "$autoassign" -eq 0 ] ;then
echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2 echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
else else
echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2 echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2
...@@ -120,69 +95,68 @@ check_for_helper() ...@@ -120,69 +95,68 @@ check_for_helper()
return 0 return 0
} }
listener_ready()
{
ns="$1"
port="$2"
proto="$3"
ss -N "$ns" -lnt -o "sport = :$port" | grep -q "$port"
}
test_helper() test_helper()
{ {
local port=$1 local port=$1
local autoassign=$2 local autoassign=$2
if [ $autoassign -eq 0 ] ;then if [ "$autoassign" -eq 0 ] ;then
msg="set via ruleset" msg="set via ruleset"
else else
msg="auto-assign" msg="auto-assign"
fi fi
sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null & ip netns exec "$ns2" socat -t 3 -u -4 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns2" "$port" "-4"
sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null & ip netns exec "$ns1" socat -u -4 STDIN TCP:10.0.1.2:"$port" < /dev/null > /dev/null
sleep 1
check_for_helper "$ns1" "ip $msg" $port $autoassign check_for_helper "$ns1" "ip $msg" "$port" "$autoassign"
check_for_helper "$ns2" "ip $msg" $port $autoassign check_for_helper "$ns2" "ip $msg" "$port" "$autoassign"
wait
if [ $testipv6 -eq 0 ] ;then if [ $testipv6 -eq 0 ] ;then
return 0 return 0
fi fi
ip netns exec ${ns1} conntrack -F 2> /dev/null ip netns exec "$ns1" conntrack -F 2> /dev/null
ip netns exec ${ns2} conntrack -F 2> /dev/null ip netns exec "$ns2" conntrack -F 2> /dev/null
sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null &
sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null & ip netns exec "$ns2" socat -t 3 -u -6 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
sleep 1 busywait $BUSYWAIT_TIMEOUT listener_ready "$ns2" "$port" "-6"
check_for_helper "$ns1" "ipv6 $msg" $port ip netns exec "$ns1" socat -t 3 -u -6 STDIN TCP:"[dead:1::2]":"$port" < /dev/null > /dev/null
check_for_helper "$ns2" "ipv6 $msg" $port
wait check_for_helper "$ns1" "ipv6 $msg" "$port"
check_for_helper "$ns2" "ipv6 $msg" "$port"
} }
load_ruleset_family ip ${ns1} if ! load_ruleset_family ip "$ns1"; then
if [ $? -ne 0 ];then
echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2 echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
exit 1 exit 1
fi fi
load_ruleset_family ip6 ${ns1} if ! load_ruleset_family ip6 "$ns1"; then
if [ $? -ne 0 ];then
echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2 echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
testipv6=0 testipv6=0
fi fi
load_ruleset_family inet ${ns2} if ! load_ruleset_family inet "${ns2}"; then
if [ $? -ne 0 ];then
echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2 echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2
load_ruleset_family ip ${ns2} if ! load_ruleset_family ip "${ns2}"; then
if [ $? -ne 0 ];then
echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2 echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
exit 1 exit 1
fi fi
if [ $testipv6 -eq 1 ] ;then if [ "$testipv6" -eq 1 ] ;then
load_ruleset_family ip6 ${ns2} if ! load_ruleset_family ip6 "$ns2"; then
if [ $? -ne 0 ];then
echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2 echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
exit 1 exit 1
fi fi
...@@ -190,8 +164,8 @@ if [ $? -ne 0 ];then ...@@ -190,8 +164,8 @@ if [ $? -ne 0 ];then
fi fi
test_helper 2121 0 test_helper 2121 0
ip netns exec ${ns1} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' ip netns exec "$ns1" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
ip netns exec ${ns2} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' ip netns exec "$ns2" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
test_helper 21 1 test_helper 21 1
exit $ret exit $ret
...@@ -3,43 +3,25 @@ ...@@ -3,43 +3,25 @@
# This tests the fib expression. # This tests the fib expression.
# #
# Kselftest framework requirement - SKIP code is 4. # Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0 ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nsrouter="nsrouter-$sfx"
timeout=4 timeout=4
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
cleanup() cleanup()
{ {
ip netns del ${ns1} cleanup_all_ns
ip netns del ${ns2}
ip netns del ${nsrouter}
[ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns [ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
} }
nft --version > /dev/null 2>&1 checktool "nft --version" "run test without nft"
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1 setup_ns nsrouter ns1 ns2
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add ${nsrouter}
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace"
exit $ksft_skip
fi
trap cleanup EXIT trap cleanup EXIT
...@@ -50,8 +32,6 @@ if [ $? -eq 0 ]; then ...@@ -50,8 +32,6 @@ if [ $? -eq 0 ]; then
fi fi
sysctl -q net.netfilter.nf_log_all_netns=1 sysctl -q net.netfilter.nf_log_all_netns=1
ip netns add ${ns1}
ip netns add ${ns2}
load_ruleset() { load_ruleset() {
local netns=$1 local netns=$1
...@@ -95,8 +75,7 @@ EOF ...@@ -95,8 +75,7 @@ EOF
} }
check_drops() { check_drops() {
dmesg | grep -q ' nft_rpfilter: ' if dmesg | grep -q ' nft_rpfilter: ';then
if [ $? -eq 0 ]; then
dmesg | grep ' nft_rpfilter: ' dmesg | grep ' nft_rpfilter: '
echo "FAIL: rpfilter did drop packets" echo "FAIL: rpfilter did drop packets"
return 1 return 1
...@@ -130,35 +109,30 @@ load_ruleset ${nsrouter} ...@@ -130,35 +109,30 @@ load_ruleset ${nsrouter}
load_ruleset ${ns1} load_ruleset ${ns1}
load_ruleset ${ns2} load_ruleset ${ns2}
ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1 if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then
if [ $? -ne 0 ];then
echo "SKIP: No virtual ethernet pair device support in kernel" echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip exit $ksft_skip
fi fi
ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2} ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
ip -net ${nsrouter} link set lo up
ip -net ${nsrouter} link set veth0 up ip -net ${nsrouter} link set veth0 up
ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0 ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad
ip -net ${nsrouter} link set veth1 up ip -net ${nsrouter} link set veth1 up
ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1 ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad
ip -net ${ns1} link set lo up
ip -net ${ns1} link set eth0 up ip -net ${ns1} link set eth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set eth0 up ip -net ${ns2} link set eth0 up
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0 ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.1.1 ip -net ${ns1} route add default via 10.0.1.1
ip -net ${ns1} route add default via dead:1::1 ip -net ${ns1} route add default via dead:1::1
ip -net ${ns2} addr add 10.0.2.99/24 dev eth0 ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0 ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns2} route add default via 10.0.2.1 ip -net ${ns2} route add default via 10.0.2.1
ip -net ${ns2} route add default via dead:2::1 ip -net ${ns2} route add default via dead:2::1
...@@ -166,17 +140,13 @@ test_ping() { ...@@ -166,17 +140,13 @@ test_ping() {
local daddr4=$1 local daddr4=$1
local daddr6=$2 local daddr6=$2
ip netns exec ${ns1} ping -c 1 -q $daddr4 > /dev/null if ! ip netns exec "$ns1" ping -c 1 -q "$daddr4" > /dev/null; then
ret=$?
if [ $ret -ne 0 ];then
check_drops check_drops
echo "FAIL: ${ns1} cannot reach $daddr4, ret $ret" 1>&2 echo "FAIL: ${ns1} cannot reach $daddr4, ret $ret" 1>&2
return 1 return 1
fi fi
ip netns exec ${ns1} ping -c 3 -q $daddr6 > /dev/null if ! ip netns exec "$ns1" ping -c 1 -q "$daddr6" > /dev/null; then
ret=$?
if [ $ret -ne 0 ];then
check_drops check_drops
echo "FAIL: ${ns1} cannot reach $daddr6, ret $ret" 1>&2 echo "FAIL: ${ns1} cannot reach $daddr6, ret $ret" 1>&2
return 1 return 1
...@@ -191,8 +161,6 @@ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ...@@ -191,8 +161,6 @@ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
sleep 3
test_ping 10.0.2.1 dead:2::1 || exit 1 test_ping 10.0.2.1 dead:2::1 || exit 1
check_drops || exit 1 check_drops || exit 1
...@@ -210,12 +178,12 @@ ip -net ${ns1} addr del 10.0.1.99/24 dev eth0 ...@@ -210,12 +178,12 @@ ip -net ${ns1} addr del 10.0.1.99/24 dev eth0
ip -net ${ns1} addr del dead:1::99/64 dev eth0 ip -net ${ns1} addr del dead:1::99/64 dev eth0
ip -net ${ns1} addr add 10.0.2.99/24 dev eth0 ip -net ${ns1} addr add 10.0.2.99/24 dev eth0
ip -net ${ns1} addr add dead:2::99/64 dev eth0 ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.2.1 ip -net ${ns1} route add default via 10.0.2.1
ip -net ${ns1} -6 route add default via dead:2::1 ip -net ${ns1} -6 route add default via dead:2::1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth0 ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad
# switch to ruleset that doesn't log, this time # switch to ruleset that doesn't log, this time
# its expected that this does drop the packets. # its expected that this does drop the packets.
...@@ -227,11 +195,10 @@ load_ruleset_count ${nsrouter} ...@@ -227,11 +195,10 @@ load_ruleset_count ${nsrouter}
check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1 check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1 check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1
ip netns exec ${ns1} ping -c 1 -W 1 -q 1.1.1.1 > /dev/null ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null
check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1 check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1
sleep 2 ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null
ip netns exec ${ns1} ping -c 3 -q 1c3::c01d > /dev/null
check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1 check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1
# delete all rules # delete all rules
...@@ -240,7 +207,7 @@ ip netns exec ${ns2} nft flush ruleset ...@@ -240,7 +207,7 @@ ip netns exec ${ns2} nft flush ruleset
ip netns exec ${nsrouter} nft flush ruleset ip netns exec ${nsrouter} nft flush ruleset
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0 ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} addr del 10.0.2.99/24 dev eth0 ip -net ${ns1} addr del 10.0.2.99/24 dev eth0
ip -net ${ns1} addr del dead:2::99/64 dev eth0 ip -net ${ns1} addr del dead:2::99/64 dev eth0
......
...@@ -14,14 +14,8 @@ ...@@ -14,14 +14,8 @@
# nft_flowtable.sh -o8000 -l1500 -r2000 # nft_flowtable.sh -o8000 -l1500 -r2000
# #
sfx=$(mktemp -u "XXXXXXXX") source lib.sh
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nsr1="nsr1-$sfx"
nsr2="nsr2-$sfx"
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0 ret=0
nsin="" nsin=""
...@@ -30,27 +24,16 @@ ns2out="" ...@@ -30,27 +24,16 @@ ns2out=""
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
checktool "nft --version" "run test without nft tool" checktool "nft --version" "run test without nft tool"
checktool "ip -Version" "run test without ip tool" checktool "socat -h" "run test without socat"
checktool "which nc" "run test without nc (netcat)"
checktool "ip netns add $nsr1" "create net namespace $nsr1"
ip netns add $ns1 setup_ns ns1 ns2 nsr1 nsr2
ip netns add $ns2
ip netns add $nsr2
cleanup() { cleanup() {
ip netns del $ns1 ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns del $ns2 ip netns pids "$ns2" | xargs kill 2>/dev/null
ip netns del $nsr1
ip netns del $nsr2 cleanup_all_ns
rm -f "$nsin" "$ns1out" "$ns2out" rm -f "$nsin" "$ns1out" "$ns2out"
...@@ -66,16 +49,16 @@ ip link add veth1 netns $nsr1 type veth peer name veth0 netns $nsr2 ...@@ -66,16 +49,16 @@ ip link add veth1 netns $nsr1 type veth peer name veth0 netns $nsr2
ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2 ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2
for dev in lo veth0 veth1; do for dev in veth0 veth1; do
ip -net $nsr1 link set $dev up ip -net "$nsr1" link set "$dev" up
ip -net $nsr2 link set $dev up ip -net "$nsr2" link set "$dev" up
done done
ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 ip -net "$nsr1" addr add 10.0.1.1/24 dev veth0
ip -net $nsr1 addr add dead:1::1/64 dev veth0 ip -net "$nsr1" addr add dead:1::1/64 dev veth0 nodad
ip -net $nsr2 addr add 10.0.2.1/24 dev veth1 ip -net "$nsr2" addr add 10.0.2.1/24 dev veth1
ip -net $nsr2 addr add dead:2::1/64 dev veth1 ip -net "$nsr2" addr add dead:2::1/64 dev veth1 nodad
# set different MTUs so we need to push packets coming from ns1 (large MTU) # set different MTUs so we need to push packets coming from ns1 (large MTU)
# to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1), # to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1),
...@@ -121,11 +104,11 @@ ip -net $ns2 link set eth0 mtu $rmtu ...@@ -121,11 +104,11 @@ ip -net $ns2 link set eth0 mtu $rmtu
# transfer-net between nsr1 and nsr2. # transfer-net between nsr1 and nsr2.
# these addresses are not used for connections. # these addresses are not used for connections.
ip -net $nsr1 addr add 192.168.10.1/24 dev veth1 ip -net "$nsr1" addr add 192.168.10.1/24 dev veth1
ip -net $nsr1 addr add fee1:2::1/64 dev veth1 ip -net "$nsr1" addr add fee1:2::1/64 dev veth1 nodad
ip -net $nsr2 addr add 192.168.10.2/24 dev veth0 ip -net "$nsr2" addr add 192.168.10.2/24 dev veth0
ip -net $nsr2 addr add fee1:2::2/64 dev veth0 ip -net "$nsr2" addr add fee1:2::2/64 dev veth0 nodad
for i in 0 1; do for i in 0 1; do
ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
...@@ -148,8 +131,8 @@ ip -net $ns1 addr add 10.0.1.99/24 dev eth0 ...@@ -148,8 +131,8 @@ ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns2 addr add 10.0.2.99/24 dev eth0 ip -net $ns2 addr add 10.0.2.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1 ip -net $ns1 route add default via 10.0.1.1
ip -net $ns2 route add default via 10.0.2.1 ip -net $ns2 route add default via 10.0.2.1
ip -net $ns1 addr add dead:1::99/64 dev eth0 ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad
ip -net $ns2 addr add dead:2::99/64 dev eth0 ip -net $ns2 addr add dead:2::99/64 dev eth0 nodad
ip -net $ns1 route add default via dead:1::1 ip -net $ns1 route add default via dead:1::1
ip -net $ns2 route add default via dead:2::1 ip -net $ns2 route add default via dead:2::1
...@@ -219,10 +202,6 @@ if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then ...@@ -219,10 +202,6 @@ if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
exit 1 exit 1
fi fi
if [ $ret -eq 0 ];then
echo "PASS: netns routing/connectivity: $ns1 can reach $ns2"
fi
nsin=$(mktemp) nsin=$(mktemp)
ns1out=$(mktemp) ns1out=$(mktemp)
ns2out=$(mktemp) ns2out=$(mktemp)
...@@ -345,6 +324,11 @@ check_transfer() ...@@ -345,6 +324,11 @@ check_transfer()
return 0 return 0
} }
listener_ready()
{
ss -N "$nsb" -lnt -o "sport = :12345" | grep -q 12345
}
test_tcp_forwarding_ip() test_tcp_forwarding_ip()
{ {
local nsa=$1 local nsa=$1
...@@ -353,33 +337,14 @@ test_tcp_forwarding_ip() ...@@ -353,33 +337,14 @@ test_tcp_forwarding_ip()
local dstport=$4 local dstport=$4
local lret=0 local lret=0
ip netns exec $nsb nc -w 5 -l -p 12345 < "$nsin" > "$ns2out" & timeout 10 ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" &
lpid=$! lpid=$!
sleep 1 busywait 1000 listener_ready
ip netns exec $nsa nc -w 4 "$dstip" "$dstport" < "$nsin" > "$ns1out" &
cpid=$!
sleep 1
prev="$(ls -l $ns1out $ns2out)"
sleep 1
while [[ "$prev" != "$(ls -l $ns1out $ns2out)" ]]; do
sleep 1;
prev="$(ls -l $ns1out $ns2out)"
done
if test -d /proc/"$lpid"/; then timeout 10 ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out"
kill $lpid
fi
if test -d /proc/"$cpid"/; then
kill $cpid
fi
wait $lpid wait $lpid
wait $cpid
if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then
lret=1 lret=1
...@@ -550,7 +515,7 @@ ip -net $nsr1 addr flush dev veth0 ...@@ -550,7 +515,7 @@ ip -net $nsr1 addr flush dev veth0
ip -net $nsr1 link set up dev veth0 ip -net $nsr1 link set up dev veth0
ip -net $nsr1 link set veth0 master br0 ip -net $nsr1 link set veth0 master br0
ip -net $nsr1 addr add 10.0.1.1/24 dev br0 ip -net $nsr1 addr add 10.0.1.1/24 dev br0
ip -net $nsr1 addr add dead:1::1/64 dev br0 ip -net $nsr1 addr add dead:1::1/64 dev br0 nodad
ip -net $nsr1 link set up dev br0 ip -net $nsr1 link set up dev br0
ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null
...@@ -593,7 +558,7 @@ ip -net $ns1 link set eth0 up ...@@ -593,7 +558,7 @@ ip -net $ns1 link set eth0 up
ip -net $ns1 link set eth0.10 up ip -net $ns1 link set eth0.10 up
ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10 ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10
ip -net $ns1 route add default via 10.0.1.1 ip -net $ns1 route add default via 10.0.1.1
ip -net $ns1 addr add dead:1::99/64 dev eth0.10 ip -net $ns1 addr add dead:1::99/64 dev eth0.10 nodad
if ! test_tcp_forwarding_nat $ns1 $ns2 1 "bridge and VLAN"; then if ! test_tcp_forwarding_nat $ns1 $ns2 1 "bridge and VLAN"; then
echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2 echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2
...@@ -616,10 +581,10 @@ ip -net $ns1 link delete eth0.10 type vlan ...@@ -616,10 +581,10 @@ ip -net $ns1 link delete eth0.10 type vlan
ip -net $ns1 link set eth0 up ip -net $ns1 link set eth0 up
ip -net $ns1 addr add 10.0.1.99/24 dev eth0 ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1 ip -net $ns1 route add default via 10.0.1.1
ip -net $ns1 addr add dead:1::99/64 dev eth0 ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad
ip -net $ns1 route add default via dead:1::1 ip -net $ns1 route add default via dead:1::1
ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 ip -net $nsr1 addr add 10.0.1.1/24 dev veth0
ip -net $nsr1 addr add dead:1::1/64 dev veth0 ip -net $nsr1 addr add dead:1::1/64 dev veth0 nodad
ip -net $nsr1 link set up dev veth0 ip -net $nsr1 link set up dev veth0
KEY_SHA="0x"$(ps -af | sha1sum | cut -d " " -f 1) KEY_SHA="0x"$(ps -af | sha1sum | cut -d " " -f 1)
...@@ -647,7 +612,6 @@ do_esp() { ...@@ -647,7 +612,6 @@ do_esp() {
ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
# to fwd decrypted packets after esp processing: # to fwd decrypted packets after esp processing:
ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow
} }
do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
...@@ -661,12 +625,12 @@ ip -net $ns2 route del 192.168.10.1 via 10.0.2.1 ...@@ -661,12 +625,12 @@ ip -net $ns2 route del 192.168.10.1 via 10.0.2.1
ip -net $ns2 route add default via 10.0.2.1 ip -net $ns2 route add default via 10.0.2.1
ip -net $ns2 route add default via dead:2::1 ip -net $ns2 route add default via dead:2::1
if test_tcp_forwarding $ns1 $ns2; then if test_tcp_forwarding "$ns1" "$ns2"; then
check_counters "ipsec tunnel mode for ns1/ns2" check_counters "ipsec tunnel mode for ns1/ns2"
else else
echo "FAIL: ipsec tunnel mode for ns1/ns2" echo "FAIL: ipsec tunnel mode for ns1/ns2"
ip netns exec $nsr1 nft list ruleset 1>&2 ip netns exec "$nsr1" nft list ruleset 1>&2
ip netns exec $nsr1 cat /proc/net/xfrm_stat 1>&2 ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2
fi fi
exit $ret exit $ret
...@@ -3,77 +3,60 @@ ...@@ -3,77 +3,60 @@
# This test is for basic NAT functionality: snat, dnat, redirect, masquerade. # This test is for basic NAT functionality: snat, dnat, redirect, masquerade.
# #
# Kselftest framework requirement - SKIP code is 4. source lib.sh
ksft_skip=4
ret=0 ret=0
test_inet_nat=true test_inet_nat=true
sfx=$(mktemp -u "XXXXXXXX") checktool "nft --version" "run test without nft tool"
ns0="ns0-$sfx" checktool "socat -h" "run test without socat"
ns1="ns1-$sfx"
ns2="ns2-$sfx"
cleanup() cleanup()
{ {
for i in 0 1 2; do ip netns del ns$i-"$sfx";done ip netns pids "$ns0" | xargs kill 2>/dev/null
} ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids "$ns2" | xargs kill 2>/dev/null
nft --version > /dev/null 2>&1 rm -f "$INFILE" "$OUTFILE"
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add "$ns0" cleanup_all_ns
if [ $? -ne 0 ];then }
echo "SKIP: Could not create net namespace $ns0"
exit $ksft_skip
fi
trap cleanup EXIT trap cleanup EXIT
ip netns add "$ns1" INFILE=$(mktemp)
if [ $? -ne 0 ];then OUTFILE=$(mktemp)
echo "SKIP: Could not create net namespace $ns1"
exit $ksft_skip
fi
ip netns add "$ns2" setup_ns ns0 ns1 ns2
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace $ns2"
exit $ksft_skip
fi
ip link add veth0 netns "$ns0" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1 if ! ip link add veth0 netns "$ns0" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: No virtual ethernet pair device support in kernel" echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip exit $ksft_skip
fi fi
ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns2" ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns2"
ip -net "$ns0" link set lo up
ip -net "$ns0" link set veth0 up ip -net "$ns0" link set veth0 up
ip -net "$ns0" addr add 10.0.1.1/24 dev veth0 ip -net "$ns0" addr add 10.0.1.1/24 dev veth0
ip -net "$ns0" addr add dead:1::1/64 dev veth0 ip -net "$ns0" addr add dead:1::1/64 dev veth0 nodad
ip -net "$ns0" link set veth1 up ip -net "$ns0" link set veth1 up
ip -net "$ns0" addr add 10.0.2.1/24 dev veth1 ip -net "$ns0" addr add 10.0.2.1/24 dev veth1
ip -net "$ns0" addr add dead:2::1/64 dev veth1 ip -net "$ns0" addr add dead:2::1/64 dev veth1 nodad
for i in 1 2; do do_config()
ip -net ns$i-$sfx link set lo up {
ip -net ns$i-$sfx link set eth0 up ns="$1"
ip -net ns$i-$sfx addr add 10.0.$i.99/24 dev eth0 subnet="$2"
ip -net ns$i-$sfx route add default via 10.0.$i.1
ip -net ns$i-$sfx addr add dead:$i::99/64 dev eth0 ip -net "$ns" link set eth0 up
ip -net ns$i-$sfx route add default via dead:$i::1 ip -net "$ns" addr add "10.0.$subnet.99/24" dev eth0
done ip -net "$ns" route add default via "10.0.$subnet.1"
ip -net "$ns" addr add "dead:$subnet::99/64" dev eth0 nodad
ip -net "$ns" route add default via "dead:$subnet::1"
}
do_config "$ns1" 1
do_config "$ns2" 2
bad_counter() bad_counter()
{ {
...@@ -83,7 +66,7 @@ bad_counter() ...@@ -83,7 +66,7 @@ bad_counter()
local tag=$4 local tag=$4
echo "ERROR: $counter counter in $ns has unexpected value (expected $expect) at $tag" 1>&2 echo "ERROR: $counter counter in $ns has unexpected value (expected $expect) at $tag" 1>&2
ip netns exec $ns nft list counter inet filter $counter 1>&2 ip netns exec "$ns" nft list counter inet filter "$counter" 1>&2
} }
check_counters() check_counters()
...@@ -91,26 +74,23 @@ check_counters() ...@@ -91,26 +74,23 @@ check_counters()
ns=$1 ns=$1
local lret=0 local lret=0
cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84") if ! ip netns exec "$ns" nft list counter inet filter ns0in | grep -q "packets 1 bytes 84";then
if [ $? -ne 0 ]; then bad_counter "$ns" ns0in "packets 1 bytes 84" "check_counters 1"
bad_counter $ns ns0in "packets 1 bytes 84" "check_counters 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84")
if [ $? -ne 0 ]; then if ! ip netns exec "$ns" nft list counter inet filter ns0out | grep -q "packets 1 bytes 84";then
bad_counter $ns ns0out "packets 1 bytes 84" "check_counters 2" bad_counter "$ns" ns0out "packets 1 bytes 84" "check_counters 2"
lret=1 lret=1
fi fi
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect") if ! ip netns exec "$ns" nft list counter inet filter ns0in6 | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns" ns0in6 "$expect" "check_counters 3"
bad_counter $ns ns0in6 "$expect" "check_counters 3"
lret=1 lret=1
fi fi
cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect") if ! ip netns exec "$ns" nft list counter inet filter ns0out6 | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns" ns0out6 "$expect" "check_counters 4"
bad_counter $ns ns0out6 "$expect" "check_counters 4"
lret=1 lret=1
fi fi
...@@ -122,41 +102,35 @@ check_ns0_counters() ...@@ -122,41 +102,35 @@ check_ns0_counters()
local ns=$1 local ns=$1
local lret=0 local lret=0
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in | grep -q "packets 0 bytes 0") if ! ip netns exec "$ns0" nft list counter inet filter ns0in | grep -q "packets 0 bytes 0";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0in "packets 0 bytes 0" "check_ns0_counters 1" bad_counter "$ns0" ns0in "packets 0 bytes 0" "check_ns0_counters 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0") if ! ip netns exec "$ns0" nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0in6 "packets 0 bytes 0" bad_counter "$ns0" ns0in6 "packets 0 bytes 0"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out | grep -q "packets 0 bytes 0") if ! ip netns exec "$ns0" nft list counter inet filter ns0out | grep -q "packets 0 bytes 0";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0out "packets 0 bytes 0" "check_ns0_counters 2" bad_counter "$ns0" ns0out "packets 0 bytes 0" "check_ns0_counters 2"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0") if ! ip netns exec "$ns0" nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0out6 "packets 0 bytes 0" "check_ns0_counters3 " bad_counter "$ns0" ns0out6 "packets 0 bytes 0" "check_ns0_counters3 "
lret=1 lret=1
fi fi
for dir in "in" "out" ; do for dir in "in" "out" ; do
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "${ns}${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "$ns${dir}" "$expect" "check_ns0_counters 4"
bad_counter "$ns0" $ns$dir "$expect" "check_ns0_counters 4"
lret=1 lret=1
fi fi
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir}6 | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "${ns}${dir}6" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "$ns${dir}6" "$expect" "check_ns0_counters 5"
bad_counter "$ns0" $ns$dir6 "$expect" "check_ns0_counters 5"
lret=1 lret=1
fi fi
done done
...@@ -166,8 +140,8 @@ check_ns0_counters() ...@@ -166,8 +140,8 @@ check_ns0_counters()
reset_counters() reset_counters()
{ {
for i in 0 1 2;do for i in "$ns0" "$ns1" "$ns2" ;do
ip netns exec ns$i-$sfx nft reset counters inet > /dev/null ip netns exec "$i" nft reset counters inet > /dev/null
done done
} }
...@@ -177,7 +151,7 @@ test_local_dnat6() ...@@ -177,7 +151,7 @@ test_local_dnat6()
local lret=0 local lret=0
local IPF="" local IPF=""
if [ $family = "inet" ];then if [ "$family" = "inet" ];then
IPF="ip6" IPF="ip6"
fi fi
...@@ -195,8 +169,7 @@ EOF ...@@ -195,8 +169,7 @@ EOF
fi fi
# ping netns1, expect rewrite to netns2 # ping netns1, expect rewrite to netns2
ip netns exec "$ns0" ping -q -c 1 dead:1::99 > /dev/null if ! ip netns exec "$ns0" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ]; then
lret=1 lret=1
echo "ERROR: ping6 failed" echo "ERROR: ping6 failed"
return $lret return $lret
...@@ -204,8 +177,7 @@ EOF ...@@ -204,8 +177,7 @@ EOF
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat6 1" bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat6 1"
lret=1 lret=1
fi fi
...@@ -213,8 +185,7 @@ EOF ...@@ -213,8 +185,7 @@ EOF
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat6 2" bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat6 2"
lret=1 lret=1
fi fi
...@@ -223,8 +194,7 @@ EOF ...@@ -223,8 +194,7 @@ EOF
# expect 0 count in ns1 # expect 0 count in ns1
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat6 3" bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat6 3"
lret=1 lret=1
fi fi
...@@ -233,8 +203,7 @@ EOF ...@@ -233,8 +203,7 @@ EOF
# expect 1 packet in ns2 # expect 1 packet in ns2
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat6 4" bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat6 4"
lret=1 lret=1
fi fi
...@@ -252,7 +221,7 @@ test_local_dnat() ...@@ -252,7 +221,7 @@ test_local_dnat()
local lret=0 local lret=0
local IPF="" local IPF=""
if [ $family = "inet" ];then if [ "$family" = "inet" ];then
IPF="ip" IPF="ip"
fi fi
...@@ -265,7 +234,7 @@ table $family nat { ...@@ -265,7 +234,7 @@ table $family nat {
} }
EOF EOF
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
if [ $family = "inet" ];then if [ "$family" = "inet" ];then
echo "SKIP: inet nat tests" echo "SKIP: inet nat tests"
test_inet_nat=false test_inet_nat=false
return $ksft_skip return $ksft_skip
...@@ -275,8 +244,7 @@ EOF ...@@ -275,8 +244,7 @@ EOF
fi fi
# ping netns1, expect rewrite to netns2 # ping netns1, expect rewrite to netns2
ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null if ! ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ]; then
lret=1 lret=1
echo "ERROR: ping failed" echo "ERROR: ping failed"
return $lret return $lret
...@@ -284,18 +252,16 @@ EOF ...@@ -284,18 +252,16 @@ EOF
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "ns1$dir" "$expect" "test_local_dnat 1"
bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat 1"
lret=1 lret=1
fi fi
done done
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "ns2$dir" "$expect" "test_local_dnat 2"
bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 2"
lret=1 lret=1
fi fi
done done
...@@ -303,9 +269,8 @@ EOF ...@@ -303,9 +269,8 @@ EOF
# expect 0 count in ns1 # expect 0 count in ns1
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "ns0$dir" "$expect" "test_local_dnat 3"
bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat 3"
lret=1 lret=1
fi fi
done done
...@@ -313,20 +278,18 @@ EOF ...@@ -313,20 +278,18 @@ EOF
# expect 1 packet in ns2 # expect 1 packet in ns2
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns2" "ns0$dir" "$expect" "test_local_dnat 4"
bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 4"
lret=1 lret=1
fi fi
done done
test $lret -eq 0 && echo "PASS: ping to $ns1 was $family NATted to $ns2" test $lret -eq 0 && echo "PASS: ping to $ns1 was $family NATted to $ns2"
ip netns exec "$ns0" nft flush chain $family nat output ip netns exec "$ns0" nft flush chain "$family" nat output
reset_counters reset_counters
ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null if ! ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ]; then
lret=1 lret=1
echo "ERROR: ping failed" echo "ERROR: ping failed"
return $lret return $lret
...@@ -334,16 +297,14 @@ EOF ...@@ -334,16 +297,14 @@ EOF
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns1$dir "$expect" "test_local_dnat 5" bad_counter "$ns1" ns1$dir "$expect" "test_local_dnat 5"
lret=1 lret=1
fi fi
done done
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 6" bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 6"
lret=1 lret=1
fi fi
...@@ -352,8 +313,7 @@ EOF ...@@ -352,8 +313,7 @@ EOF
# expect 1 count in ns1 # expect 1 count in ns1
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0$dir "$expect" "test_local_dnat 7" bad_counter "$ns0" ns0$dir "$expect" "test_local_dnat 7"
lret=1 lret=1
fi fi
...@@ -362,8 +322,7 @@ EOF ...@@ -362,8 +322,7 @@ EOF
# expect 0 packet in ns2 # expect 0 packet in ns2
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 8" bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 8"
lret=1 lret=1
fi fi
...@@ -374,13 +333,19 @@ EOF ...@@ -374,13 +333,19 @@ EOF
return $lret return $lret
} }
listener_ready()
{
local ns="$1"
local port="$2"
local proto="$3"
ss -N "$ns" -ln "$proto" -o "sport = :$port" | grep -q "$port"
}
test_local_dnat_portonly() test_local_dnat_portonly()
{ {
local family=$1 local family=$1
local daddr=$2 local daddr=$2
local lret=0 local lret=0
local sr_s
local sr_r
ip netns exec "$ns0" nft -f /dev/stdin <<EOF ip netns exec "$ns0" nft -f /dev/stdin <<EOF
table $family nat { table $family nat {
...@@ -392,7 +357,7 @@ table $family nat { ...@@ -392,7 +357,7 @@ table $family nat {
} }
EOF EOF
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
if [ $family = "inet" ];then if [ "$family" = "inet" ];then
echo "SKIP: inet port test" echo "SKIP: inet port test"
test_inet_nat=false test_inet_nat=false
return return
...@@ -401,17 +366,16 @@ EOF ...@@ -401,17 +366,16 @@ EOF
return return
fi fi
echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 & echo "SERVER-$family" | ip netns exec "$ns1" timeout 3 socat -u STDIN TCP-LISTEN:2000 &
sc_s=$!
sleep 1 busywait $BUSYWAIT_TIMEOUT listener_ready "$ns1" 2000 "-t"
result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT) result=$(ip netns exec "$ns0" timeout 1 socat -u TCP:"$daddr":2000 STDOUT)
if [ "$result" = "SERVER-inet" ];then if [ "$result" = "SERVER-inet" ];then
echo "PASS: inet port rewrite without l3 address" echo "PASS: inet port rewrite without l3 address"
else else
echo "ERROR: inet port rewrite" echo "ERROR: inet port rewrite without l3 address, got $result"
ret=1 ret=1
fi fi
} }
...@@ -424,24 +388,20 @@ test_masquerade6() ...@@ -424,24 +388,20 @@ test_masquerade6()
ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 via ipv6" echo "ERROR: cannot ping $ns1 from $ns2 via ipv6"
return 1 return 1
lret=1
fi fi
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "ns2$dir" "$expect" "test_masquerade6 1"
bad_counter "$ns1" ns2$dir "$expect" "test_masquerade6 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade6 2"
bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 2"
lret=1 lret=1
fi fi
done done
...@@ -462,8 +422,7 @@ EOF ...@@ -462,8 +422,7 @@ EOF
return $ksft_skip return $ksft_skip
fi fi
ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags"
lret=1 lret=1
fi fi
...@@ -471,14 +430,12 @@ EOF ...@@ -471,14 +430,12 @@ EOF
# ns1 should have seen packets from ns0, due to masquerade # ns1 should have seen packets from ns0, due to masquerade
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 3" bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 3"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 4" bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 4"
lret=1 lret=1
fi fi
...@@ -487,27 +444,23 @@ EOF ...@@ -487,27 +444,23 @@ EOF
# ns1 should not have seen packets from ns2, due to masquerade # ns1 should not have seen packets from ns2, due to masquerade
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 5" bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 5"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "ns1$dir" "$expect" "test_masquerade6 6"
bad_counter "$ns0" ns1$dir "$expect" "test_masquerade6 6"
lret=1 lret=1
fi fi
done done
ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with active ipv6 masquerade $natflags (attempt 2)" echo "ERROR: cannot ping $ns1 from $ns2 with active ipv6 masquerade $natflags (attempt 2)"
lret=1 lret=1
fi fi
ip netns exec "$ns0" nft flush chain $family nat postrouting if ! ip netns exec "$ns0" nft flush chain "$family" nat postrouting;then
if [ $? -ne 0 ]; then
echo "ERROR: Could not flush $family nat postrouting" 1>&2 echo "ERROR: Could not flush $family nat postrouting" 1>&2
lret=1 lret=1
fi fi
...@@ -526,23 +479,20 @@ test_masquerade() ...@@ -526,23 +479,20 @@ test_masquerade()
ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then echo "ERROR: cannot ping $ns1 from $ns2 $natflags"
echo "ERROR: cannot ping $ns1 from "$ns2" $natflags"
lret=1 lret=1
fi fi
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "ns2$dir" "$expect" "test_masquerade 1"
bad_counter "$ns1" ns2$dir "$expect" "test_masquerade 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade 2"
bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 2"
lret=1 lret=1
fi fi
done done
...@@ -563,8 +513,7 @@ EOF ...@@ -563,8 +513,7 @@ EOF
return $ksft_skip return $ksft_skip
fi fi
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags"
lret=1 lret=1
fi fi
...@@ -572,15 +521,13 @@ EOF ...@@ -572,15 +521,13 @@ EOF
# ns1 should have seen packets from ns0, due to masquerade # ns1 should have seen packets from ns0, due to masquerade
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "ns0$dir" "$expect" "test_masquerade 3"
bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 3"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade 4"
bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 4"
lret=1 lret=1
fi fi
done done
...@@ -588,27 +535,23 @@ EOF ...@@ -588,27 +535,23 @@ EOF
# ns1 should not have seen packets from ns2, due to masquerade # ns1 should not have seen packets from ns2, due to masquerade
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "ns0$dir" "$expect" "test_masquerade 5"
bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 5"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns0" "ns1$dir" "$expect" "test_masquerade 6"
bad_counter "$ns0" ns1$dir "$expect" "test_masquerade 6"
lret=1 lret=1
fi fi
done done
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with active ip masquerade $natflags (attempt 2)" echo "ERROR: cannot ping $ns1 from $ns2 with active ip masquerade $natflags (attempt 2)"
lret=1 lret=1
fi fi
ip netns exec "$ns0" nft flush chain $family nat postrouting if ! ip netns exec "$ns0" nft flush chain "$family" nat postrouting; then
if [ $? -ne 0 ]; then
echo "ERROR: Could not flush $family nat postrouting" 1>&2 echo "ERROR: Could not flush $family nat postrouting" 1>&2
lret=1 lret=1
fi fi
...@@ -625,22 +568,19 @@ test_redirect6() ...@@ -625,22 +568,19 @@ test_redirect6()
ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannnot ping $ns1 from $ns2 via ipv6" echo "ERROR: cannnot ping $ns1 from $ns2 via ipv6"
lret=1 lret=1
fi fi
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns2$dir "$expect" "test_redirect6 1" bad_counter "$ns1" ns2$dir "$expect" "test_redirect6 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns1$dir "$expect" "test_redirect6 2" bad_counter "$ns2" ns1$dir "$expect" "test_redirect6 2"
lret=1 lret=1
fi fi
...@@ -662,8 +602,7 @@ EOF ...@@ -662,8 +602,7 @@ EOF
return $ksft_skip return $ksft_skip
fi fi
ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 via ipv6 with active $family redirect" echo "ERROR: cannot ping $ns1 from $ns2 via ipv6 with active $family redirect"
lret=1 lret=1
fi fi
...@@ -671,8 +610,7 @@ EOF ...@@ -671,8 +610,7 @@ EOF
# ns1 should have seen no packets from ns2, due to redirection # ns1 should have seen no packets from ns2, due to redirection
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 3" bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 3"
lret=1 lret=1
fi fi
...@@ -681,15 +619,13 @@ EOF ...@@ -681,15 +619,13 @@ EOF
# ns0 should have seen packets from ns2, due to masquerade # ns0 should have seen packets from ns2, due to masquerade
expect="packets 1 bytes 104" expect="packets 1 bytes 104"
for dir in "in6" "out6" ; do for dir in "in6" "out6" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 4" bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 4"
lret=1 lret=1
fi fi
done done
ip netns exec "$ns0" nft delete table $family nat if ! ip netns exec "$ns0" nft delete table "$family" nat;then
if [ $? -ne 0 ]; then
echo "ERROR: Could not delete $family nat table" 1>&2 echo "ERROR: Could not delete $family nat table" 1>&2
lret=1 lret=1
fi fi
...@@ -707,22 +643,19 @@ test_redirect() ...@@ -707,22 +643,19 @@ test_redirect()
ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2" echo "ERROR: cannot ping $ns1 from $ns2"
lret=1 lret=1
fi fi
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then bad_counter "$ns1" "$ns2$dir" "$expect" "test_redirect 1"
bad_counter "$ns1" $ns2$dir "$expect" "test_redirect 1"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns1$dir "$expect" "test_redirect 2" bad_counter "$ns2" ns1$dir "$expect" "test_redirect 2"
lret=1 lret=1
fi fi
...@@ -744,8 +677,7 @@ EOF ...@@ -744,8 +677,7 @@ EOF
return $ksft_skip return $ksft_skip
fi fi
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with active $family ip redirect" echo "ERROR: cannot ping $ns1 from $ns2 with active $family ip redirect"
lret=1 lret=1
fi fi
...@@ -754,8 +686,7 @@ EOF ...@@ -754,8 +686,7 @@ EOF
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_redirect 3" bad_counter "$ns1" ns0$dir "$expect" "test_redirect 3"
lret=1 lret=1
fi fi
...@@ -764,15 +695,13 @@ EOF ...@@ -764,15 +695,13 @@ EOF
# ns0 should have seen packets from ns2, due to masquerade # ns0 should have seen packets from ns2, due to masquerade
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns0$dir "$expect" "test_redirect 4" bad_counter "$ns0" ns0$dir "$expect" "test_redirect 4"
lret=1 lret=1
fi fi
done done
ip netns exec "$ns0" nft delete table $family nat if ! ip netns exec "$ns0" nft delete table "$family" nat;then
if [ $? -ne 0 ]; then
echo "ERROR: Could not delete $family nat table" 1>&2 echo "ERROR: Could not delete $family nat table" 1>&2
lret=1 lret=1
fi fi
...@@ -803,13 +732,13 @@ test_port_shadow() ...@@ -803,13 +732,13 @@ test_port_shadow()
# make shadow entry, from client (ns2), going to (ns1), port 41404, sport 1405. # make shadow entry, from client (ns2), going to (ns1), port 41404, sport 1405.
echo "fake-entry" | ip netns exec "$ns2" timeout 1 socat -u STDIN UDP:"$daddrc":41404,sourceport=1405 echo "fake-entry" | ip netns exec "$ns2" timeout 1 socat -u STDIN UDP:"$daddrc":41404,sourceport=1405
echo ROUTER | ip netns exec "$ns0" timeout 5 socat -u STDIN UDP4-LISTEN:1405 & echo ROUTER | ip netns exec "$ns0" timeout 3 socat -T 3 -u STDIN UDP4-LISTEN:1405 2>/dev/null &
sc_r=$! local sc_r=$!
echo CLIENT | ip netns exec "$ns2" timeout 3 socat -T 3 -u STDIN UDP4-LISTEN:1405,reuseport 2>/dev/null &
local sc_c=$!
echo CLIENT | ip netns exec "$ns2" timeout 5 socat -u STDIN UDP4-LISTEN:1405,reuseport & busywait $BUSYWAIT_TIMEOUT listener_ready "$ns0" 1405 "-u"
sc_c=$! busywait $BUSYWAIT_TIMEOUT listener_ready "$ns2" 1405 "-u"
sleep 0.3
# ns1 tries to connect to ns0:1405. With default settings this should connect # ns1 tries to connect to ns0:1405. With default settings this should connect
# to client, it matches the conntrack entry created above. # to client, it matches the conntrack entry created above.
...@@ -846,7 +775,7 @@ table $family filter { ...@@ -846,7 +775,7 @@ table $family filter {
EOF EOF
test_port_shadow "port-filter" "ROUTER" test_port_shadow "port-filter" "ROUTER"
ip netns exec "$ns0" nft delete table $family filter ip netns exec "$ns0" nft delete table "$family" filter
} }
# This prevents port shadow of router service via notrack. # This prevents port shadow of router service via notrack.
...@@ -868,7 +797,7 @@ table $family raw { ...@@ -868,7 +797,7 @@ table $family raw {
EOF EOF
test_port_shadow "port-notrack" "ROUTER" test_port_shadow "port-notrack" "ROUTER"
ip netns exec "$ns0" nft delete table $family raw ip netns exec "$ns0" nft delete table "$family" raw
} }
# This prevents port shadow of router service via sport remap. # This prevents port shadow of router service via sport remap.
...@@ -886,21 +815,19 @@ table $family pat { ...@@ -886,21 +815,19 @@ table $family pat {
EOF EOF
test_port_shadow "pat" "ROUTER" test_port_shadow "pat" "ROUTER"
ip netns exec "$ns0" nft delete table $family pat ip netns exec "$ns0" nft delete table "$family" pat
} }
test_port_shadowing() test_port_shadowing()
{ {
local family="ip" local family="ip"
conntrack -h >/dev/null 2>&1 if ! conntrack -h >/dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run nat port shadowing test without conntrack tool" echo "SKIP: Could not run nat port shadowing test without conntrack tool"
return return
fi fi
socat -h > /dev/null 2>&1 if ! socat -h > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run nat port shadowing test without socat tool" echo "SKIP: Could not run nat port shadowing test without socat tool"
return return
fi fi
...@@ -946,8 +873,7 @@ test_stateless_nat_ip() ...@@ -946,8 +873,7 @@ test_stateless_nat_ip()
ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 before loading stateless rules" echo "ERROR: cannot ping $ns1 from $ns2 before loading stateless rules"
return 1 return 1
fi fi
...@@ -981,23 +907,20 @@ EOF ...@@ -981,23 +907,20 @@ EOF
reset_counters reset_counters
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null; then
if [ $? -ne 0 ] ; then
echo "ERROR: cannot ping $ns1 from $ns2 with stateless rules" echo "ERROR: cannot ping $ns1 from $ns2 with stateless rules"
lret=1 lret=1
fi fi
# ns1 should have seen packets from .2.2, due to stateless rewrite. # ns1 should have seen packets from .2.2, due to stateless rewrite.
expect="packets 1 bytes 84" expect="packets 1 bytes 84"
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0insl "$expect" "test_stateless 1" bad_counter "$ns1" ns0insl "$expect" "test_stateless 1"
lret=1 lret=1
fi fi
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns2" ns1$dir "$expect" "test_stateless 2" bad_counter "$ns2" ns1$dir "$expect" "test_stateless 2"
lret=1 lret=1
fi fi
...@@ -1006,14 +929,12 @@ EOF ...@@ -1006,14 +929,12 @@ EOF
# ns1 should not have seen packets from ns2, due to masquerade # ns1 should not have seen packets from ns2, due to masquerade
expect="packets 0 bytes 0" expect="packets 0 bytes 0"
for dir in "in" "out" ; do for dir in "in" "out" ; do
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0$dir "$expect" "test_stateless 3" bad_counter "$ns1" ns0$dir "$expect" "test_stateless 3"
lret=1 lret=1
fi fi
cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") if ! ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns0" ns1$dir "$expect" "test_stateless 4" bad_counter "$ns0" ns1$dir "$expect" "test_stateless 4"
lret=1 lret=1
fi fi
...@@ -1021,8 +942,7 @@ EOF ...@@ -1021,8 +942,7 @@ EOF
reset_counters reset_counters
socat -h > /dev/null 2>&1 if ! socat -h > /dev/null 2>&1;then
if [ $? -ne 0 ];then
echo "SKIP: Could not run stateless nat frag test without socat tool" echo "SKIP: Could not run stateless nat frag test without socat tool"
if [ $lret -eq 0 ]; then if [ $lret -eq 0 ]; then
return $ksft_skip return $ksft_skip
...@@ -1032,42 +952,36 @@ EOF ...@@ -1032,42 +952,36 @@ EOF
return $lret return $lret
fi fi
local tmpfile=$(mktemp) dd if=/dev/urandom of="$INFILE" bs=4096 count=1 2>/dev/null
dd if=/dev/urandom of=$tmpfile bs=4096 count=1 2>/dev/null
local outfile=$(mktemp) ip netns exec "$ns1" timeout 3 socat -u UDP4-RECV:4233 OPEN:"$OUTFILE" < /dev/null 2>/dev/null &
ip netns exec "$ns1" timeout 3 socat -u UDP4-RECV:4233 OPEN:$outfile < /dev/null &
sc_r=$! busywait $BUSYWAIT_TIMEOUT listener_ready "$ns1" 4233 "-u"
sleep 1
# re-do with large ping -> ip fragmentation # re-do with large ping -> ip fragmentation
ip netns exec "$ns2" timeout 3 socat - UDP4-SENDTO:"10.0.1.99:4233" < "$tmpfile" > /dev/null if ! ip netns exec "$ns2" timeout 3 socat -u STDIN UDP4-SENDTO:"10.0.1.99:4233" < "$INFILE" > /dev/null;then
if [ $? -ne 0 ] ; then
echo "ERROR: failed to test udp $ns1 to $ns2 with stateless ip nat" 1>&2 echo "ERROR: failed to test udp $ns1 to $ns2 with stateless ip nat" 1>&2
lret=1 lret=1
fi fi
wait wait
cmp "$tmpfile" "$outfile" if ! cmp "$INFILE" "$OUTFILE";then
if [ $? -ne 0 ]; then ls -l "$INFILE" "$OUTFILE"
ls -l "$tmpfile" "$outfile"
echo "ERROR: in and output file mismatch when checking udp with stateless nat" 1>&2 echo "ERROR: in and output file mismatch when checking udp with stateless nat" 1>&2
lret=1 lret=1
fi fi
rm -f "$tmpfile" "$outfile" :> "$OUTFILE"
# ns1 should have seen packets from 2.2, due to stateless rewrite. # ns1 should have seen packets from 2.2, due to stateless rewrite.
expect="packets 3 bytes 4164" expect="packets 3 bytes 4164"
cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect") if ! ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect";then
if [ $? -ne 0 ]; then
bad_counter "$ns1" ns0insl "$expect" "test_stateless 5" bad_counter "$ns1" ns0insl "$expect" "test_stateless 5"
lret=1 lret=1
fi fi
ip netns exec "$ns0" nft delete table ip stateless if ! ip netns exec "$ns0" nft delete table ip stateless; then
if [ $? -ne 0 ]; then
echo "ERROR: Could not delete table ip stateless" 1>&2 echo "ERROR: Could not delete table ip stateless" 1>&2
lret=1 lret=1
fi fi
...@@ -1078,8 +992,8 @@ EOF ...@@ -1078,8 +992,8 @@ EOF
} }
# ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 # ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99
for i in 0 1 2; do for i in "$ns0" "$ns1" "$ns2" ;do
ip netns exec ns$i-$sfx nft -f /dev/stdin <<EOF ip netns exec "$i" nft -f /dev/stdin <<EOF
table inet filter { table inet filter {
counter ns0in {} counter ns0in {}
counter ns1in {} counter ns1in {}
...@@ -1145,7 +1059,7 @@ done ...@@ -1145,7 +1059,7 @@ done
# special case for stateless nat check, counter needs to # special case for stateless nat check, counter needs to
# be done before (input) ip defragmentation # be done before (input) ip defragmentation
ip netns exec ns1-$sfx nft -f /dev/stdin <<EOF ip netns exec "$ns1" nft -f /dev/stdin <<EOF
table inet filter { table inet filter {
counter ns0insl {} counter ns0insl {}
...@@ -1156,31 +1070,49 @@ table inet filter { ...@@ -1156,31 +1070,49 @@ table inet filter {
} }
EOF EOF
sleep 3 ping_basic()
# test basic connectivity {
for i in 1 2; do i="$1"
ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 > /dev/null if ! ip netns exec "$ns0" ping -c 1 -q 10.0."$i".99 > /dev/null;then
if [ $? -ne 0 ];then
echo "ERROR: Could not reach other namespace(s)" 1>&2 echo "ERROR: Could not reach other namespace(s)" 1>&2
ret=1 ret=1
fi fi
ip netns exec "$ns0" ping -c 1 -q dead:$i::99 > /dev/null if ! ip netns exec "$ns0" ping -c 1 -q dead:"$i"::99 > /dev/null;then
if [ $? -ne 0 ];then
echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2 echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2
ret=1 ret=1
fi fi
check_counters ns$i-$sfx }
if [ $? -ne 0 ]; then
ret=1 test_basic_conn()
{
local nsexec
name="$1"
nsexec=$(eval echo \$"$1")
ping_basic 1
ping_basic 2
if ! check_counters "$nsexec";then
return 1
fi fi
check_ns0_counters ns$i if ! check_ns0_counters "$name";then
if [ $? -ne 0 ]; then return 1
ret=1
fi fi
reset_counters reset_counters
done return 0
}
if ! test_basic_conn "ns1" ; then
echo "ERROR: basic test for ns1 failed" 1>&2
exit 1
fi
if ! test_basic_conn "ns2"; then
echo "ERROR: basic test for ns1 failed" 1>&2
fi
if [ $ret -eq 0 ];then if [ $ret -eq 0 ];then
echo "PASS: netns routing/connectivity: $ns0 can reach $ns1 and $ns2" echo "PASS: netns routing/connectivity: $ns0 can reach $ns1 and $ns2"
......
...@@ -222,9 +222,9 @@ test_queue() ...@@ -222,9 +222,9 @@ test_queue()
local expected=$1 local expected=$1
local last="" local last=""
# spawn nf-queue listeners # spawn nf_queue listeners
ip netns exec ${nsrouter} ./nf-queue -c -q 0 -t $timeout > "$TMPFILE0" & ip netns exec ${nsrouter} ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" &
ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE1" & ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" &
sleep 1 sleep 1
test_ping test_ping
ret=$? ret=$?
...@@ -259,7 +259,7 @@ test_queue() ...@@ -259,7 +259,7 @@ test_queue()
test_tcp_forward() test_tcp_forward()
{ {
ip netns exec ${nsrouter} ./nf-queue -q 2 -t $timeout & ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout &
local nfqpid=$! local nfqpid=$!
tmpfile=$(mktemp) || exit 1 tmpfile=$(mktemp) || exit 1
...@@ -285,7 +285,7 @@ test_tcp_localhost() ...@@ -285,7 +285,7 @@ test_tcp_localhost()
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null & ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
local rpid=$! local rpid=$!
ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout & ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
local nfqpid=$! local nfqpid=$!
sleep 1 sleep 1
...@@ -303,7 +303,7 @@ test_tcp_localhost_connectclose() ...@@ -303,7 +303,7 @@ test_tcp_localhost_connectclose()
ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout & ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout &
ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout & ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
local nfqpid=$! local nfqpid=$!
sleep 1 sleep 1
...@@ -334,11 +334,11 @@ EOF ...@@ -334,11 +334,11 @@ EOF
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null & ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
local rpid=$! local rpid=$!
ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE2" & ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" &
# nfqueue 1 will be called via output hook. But this time, # nfqueue 1 will be called via output hook. But this time,
# re-queue the packet to nfqueue program on queue 2. # re-queue the packet to nfqueue program on queue 2.
ip netns exec ${nsrouter} ./nf-queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" & ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
sleep 1 sleep 1
ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
...@@ -380,7 +380,7 @@ table inet filter { ...@@ -380,7 +380,7 @@ table inet filter {
} }
} }
EOF EOF
ip netns exec ${ns1} ./nf-queue -q 1 -t $timeout & ip netns exec ${ns1} ./nf_queue -q 1 -t $timeout &
local nfqpid=$! local nfqpid=$!
sleep 1 sleep 1
......
# SPDX-License-Identifier: GPL-2.0
# Makefile for netfilter selftests
TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
conntrack_vrf.sh nft_synproxy.sh rpath.sh nft_audit.sh \
conntrack_sctp_collision.sh xt_string.sh \
bridge_netfilter.sh
HOSTPKG_CONFIG := pkg-config
CFLAGS += $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
LDLIBS += $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
TEST_GEN_FILES = nf-queue connect_close audit_logread sctp_collision \
conntrack_dump_flush
include ../lib.mk
CONFIG_NET_NS=y
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_QUEUE=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NF_CT_NETLINK=m
CONFIG_AUDIT=y
#!/bin/bash
#
# This test is for stress-testing the nf_tables config plane path vs.
# packet path processing: Make sure we never release rules that are
# still visible to other cpus.
#
# set -e
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
testns=testns-$(mktemp -u "XXXXXXXX")
tmp=""
tables="foo bar baz quux"
global_ret=0
eret=0
lret=0
cleanup() {
ip netns pids "$testns" | xargs kill 2>/dev/null
ip netns del "$testns"
rm -f "$tmp"
}
check_result()
{
local r=$1
local OK="PASS"
if [ $r -ne 0 ] ;then
OK="FAIL"
global_ret=$r
fi
echo "$OK: nft $2 test returned $r"
eret=0
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
trap cleanup EXIT
tmp=$(mktemp)
for table in $tables; do
echo add table inet "$table" >> "$tmp"
echo flush table inet "$table" >> "$tmp"
echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
echo "add chain inet $table $chain" >> "$tmp"
done
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
for BASE in INPUT OUTPUT; do
echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
done
echo "add rule inet $table $chain counter return" >> "$tmp"
done
done
ip netns add "$testns"
ip -netns "$testns" link set lo up
lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
cpunum=$((cpunum-1))
for i in $(seq 0 $cpunum);do
mask=$(printf 0x%x $((1<<$i)))
ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
done)
sleep 1
ip netns exec "$testns" nft -f "$tmp"
for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
for table in $tables;do
randsleep=$((RANDOM%2))
sleep $randsleep
ip netns exec "$testns" nft delete table inet $table
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "add/delete"
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "reload"
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp"
echo "insert rule inet foo INPUT meta nftrace set 1"
echo "insert rule inet foo OUTPUT meta nftrace set 1"
) | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
(echo "flush ruleset"; cat "$tmp"
) | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "add/delete with nftrace enabled"
echo "insert rule inet foo INPUT meta nftrace set 1" >> $tmp
echo "insert rule inet foo OUTPUT meta nftrace set 1" >> $tmp
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=1
fi
done
check_result $lret "add/delete with nftrace enabled"
exit $global_ret
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment