Commit 5e317a2f authored by Jakub Kicinski

Merge branch 'selftests-move-netfilter-tests-to-net'

Florian Westphal says:

====================
selftests: move netfilter tests to net

First patch in this series moves selftests/netfilter/
to selftests/net/netfilter/.

Passing this via net-next rather than nf-next for this reason.

Main motivation is that a lot of these scripts only work on my old
development VM, I hope that placing this in net/ will get these
tests to get run in more regular intervals (and tests get more robust).

Changes are:

- make use of existing 'setup_ns' and 'busywait' helpers
- fix shellcheck warnings
- add more SKIP checks to avoid failures
- get rid of netcat in favor of socat, too many test
  failures due to 'wrong' netcat flavor
- do not assume rp_filter sysctl is off

I have more patches that fix up the remaining test scripts,
but the series was too large to send them at once (34 patches).

After all scripts are fixed up, tests pass on both my Debian
and Fedora test machines.

MAINTAINERS is updated to reflect that future updates should be handled
via netfilter-devel@.
====================

Link: https://lore.kernel.org/r/20240411233624.8129-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 982a73c7 49af681b
......@@ -15264,6 +15264,7 @@ F: net/*/netfilter.c
F: net/*/netfilter/
F: net/bridge/br_netfilter*.c
F: net/netfilter/
F: tools/testing/selftests/net/netfilter/
NETROM NETWORK LAYER
M: Ralf Baechle <ralf@linux-mips.org>
# SPDX-License-Identifier: GPL-2.0-only
nf-queue
connect_close
audit_logread
connect_close
conntrack_dump_flush
sctp_collision
nf_queue
# SPDX-License-Identifier: GPL-2.0
top_srcdir = ../../../../..
HOSTPKG_CONFIG := pkg-config
MNL_CFLAGS := $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
MNL_LDLIBS := $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
TEST_PROGS := br_netfilter.sh bridge_brouter.sh
TEST_PROGS += conntrack_icmp_related.sh
TEST_PROGS += conntrack_ipip_mtu.sh
TEST_PROGS += conntrack_tcp_unreplied.sh
TEST_PROGS += conntrack_sctp_collision.sh
TEST_PROGS += conntrack_vrf.sh
TEST_PROGS += ipvs.sh
TEST_PROGS += nf_nat_edemux.sh
TEST_PROGS += nft_audit.sh
TEST_PROGS += nft_concat_range.sh
TEST_PROGS += nft_conntrack_helper.sh
TEST_PROGS += nft_fib.sh
TEST_PROGS += nft_flowtable.sh
TEST_PROGS += nft_meta.sh
TEST_PROGS += nft_nat.sh
TEST_PROGS += nft_nat_zones.sh
TEST_PROGS += nft_queue.sh
TEST_PROGS += nft_synproxy.sh
TEST_PROGS += nft_zones_many.sh
TEST_PROGS += rpath.sh
TEST_PROGS += xt_string.sh
TEST_CUSTOM_PROGS += conntrack_dump_flush
TEST_GEN_FILES = audit_logread
TEST_GEN_FILES += conntrack_dump_flush
TEST_GEN_FILES += connect_close nf_queue
TEST_GEN_FILES += sctp_collision
include ../../lib.mk
$(OUTPUT)/nf_queue: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS)
$(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS)
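Review bot: Every script in this series starts with `source lib.sh`, but the Makefile as shown lists no lib.sh under TEST_FILES or TEST_INCLUDES, so an installed tree of this directory (`make -C tools/testing/selftests install`) would carry the scripts without their helper unless lib.sh reaches it some way not visible on this page. If a net/netfilter/lib.sh wrapper is part of the series, `TEST_FILES := lib.sh` is what lib.mk needs to ship it, plus `TEST_INCLUDES := ../lib.sh` for the shared net helpers (`setup_ns`, `busywait`, `cleanup_all_ns`) that the scripts rely on. Worth confirming against the full series, since the page only shows this file's own rules.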
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Test bridge netfilter + conntrack, a combination that doesn't really work,
# with multicast/broadcast packets racing for hash table insertion.
# Test for legacy br_netfilter module combined with connection tracking,
# a combination that doesn't really work.
# Multicast/broadcast packets race for hash table insertion.
# eth0 br0 eth0
# setup is: ns1 <->,ns0 <-> ns3
# ns2 <-' `'-> ns4
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns0="ns0-$sfx"
ns1="ns1-$sfx"
ns2="ns2-$sfx"
ns3="ns3-$sfx"
ns4="ns4-$sfx"
ebtables -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ebtables"
exit $ksft_skip
fi
source lib.sh
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
for i in $(seq 0 4); do
eval ip netns add \$ns$i
done
checktool "nft --version" "run test without nft tool"
cleanup() {
for i in $(seq 0 4); do eval ip netns del \$ns$i;done
cleanup_all_ns
}
trap cleanup EXIT
setup_ns ns0 ns1 ns2 ns3 ns4
ret=0
do_ping()
{
fromns="$1"
dstip="$2"
ip netns exec $fromns ping -c 1 -q $dstip > /dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$fromns" ping -c 1 -q "$dstip" > /dev/null; then
echo "ERROR: ping from $fromns to $dstip"
ip netns exec ${ns0} nft list ruleset
ip netns exec "$ns0" nft list ruleset
ret=1
fi
}
......@@ -59,75 +40,75 @@ bcast_ping()
fromns="$1"
dstip="$2"
for i in $(seq 1 1000); do
ip netns exec $fromns ping -q -f -b -c 1 -q $dstip > /dev/null 2>&1
if [ $? -ne 0 ]; then
for i in $(seq 1 500); do
if ! ip netns exec "$fromns" ping -q -f -b -c 1 -q "$dstip" > /dev/null 2>&1; then
echo "ERROR: ping -b from $fromns to $dstip"
ip netns exec ${ns0} nft list ruleset
fi
ip netns exec "$ns0" nft list ruleset
ret=1
break
fi
done
}
ip link add veth1 netns ${ns0} type veth peer name eth0 netns ${ns1}
if [ $? -ne 0 ]; then
ip netns exec "$ns0" sysctl -q net.ipv4.conf.all.rp_filter=0
ip netns exec "$ns0" sysctl -q net.ipv4.conf.default.rp_filter=0
if ! ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns1"; then
echo "SKIP: Can't create veth device"
exit $ksft_skip
fi
ip link add veth2 netns ${ns0} type veth peer name eth0 netns $ns2
ip link add veth3 netns ${ns0} type veth peer name eth0 netns $ns3
ip link add veth4 netns ${ns0} type veth peer name eth0 netns $ns4
ip -net ${ns0} link set lo up
ip link add veth2 netns "$ns0" type veth peer name eth0 netns "$ns2"
ip link add veth3 netns "$ns0" type veth peer name eth0 netns "$ns3"
ip link add veth4 netns "$ns0" type veth peer name eth0 netns "$ns4"
for i in $(seq 1 4); do
ip -net ${ns0} link set veth$i up
ip -net "$ns0" link set "veth$i" up
done
ip -net ${ns0} link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1
if [ $? -ne 0 ]; then
if ! ip -net "$ns0" link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1; then
echo "SKIP: Can't create bridge br0"
exit $ksft_skip
fi
# make veth0,1,2 part of bridge.
for i in $(seq 1 3); do
ip -net ${ns0} link set veth$i master br0
ip -net "$ns0" link set "veth$i" master br0
done
# add a macvlan on top of the bridge.
MACVLAN_ADDR=ba:f3:13:37:42:23
ip -net ${ns0} link add link br0 name macvlan0 type macvlan mode private
ip -net ${ns0} link set macvlan0 address ${MACVLAN_ADDR}
ip -net ${ns0} link set macvlan0 up
ip -net ${ns0} addr add 10.23.0.1/24 dev macvlan0
ip -net "$ns0" link add link br0 name macvlan0 type macvlan mode private
ip -net "$ns0" link set macvlan0 address ${MACVLAN_ADDR}
ip -net "$ns0" link set macvlan0 up
ip -net "$ns0" addr add 10.23.0.1/24 dev macvlan0
# add a macvlan on top of veth4.
MACVLAN_ADDR=ba:f3:13:37:42:24
ip -net ${ns0} link add link veth4 name macvlan4 type macvlan mode vepa
ip -net ${ns0} link set macvlan4 address ${MACVLAN_ADDR}
ip -net ${ns0} link set macvlan4 up
ip -net "$ns0" link add link veth4 name macvlan4 type macvlan mode passthru
ip -net "$ns0" link set macvlan4 address ${MACVLAN_ADDR}
ip -net "$ns0" link set macvlan4 up
# make the macvlan part of the bridge.
# veth4 is not a bridge port, only the macvlan on top of it.
ip -net ${ns0} link set macvlan4 master br0
ip -net "$ns0" link set macvlan4 master br0
ip -net ${ns0} link set br0 up
ip -net ${ns0} addr add 10.0.0.1/24 dev br0
ip netns exec ${ns0} sysctl -q net.bridge.bridge-nf-call-iptables=1
ret=$?
if [ $ret -ne 0 ] ; then
ip -net "$ns0" link set br0 up
ip -net "$ns0" addr add 10.0.0.1/24 dev br0
modprobe -q br_netfilter
if ! ip netns exec "$ns0" sysctl -q net.bridge.bridge-nf-call-iptables=1; then
echo "SKIP: bridge netfilter not available"
ret=$ksft_skip
fi
# for testing, so namespaces will reply to ping -b probes.
ip netns exec ${ns0} sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0
ip netns exec "$ns0" sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0
# enable conntrack in ns0 and drop broadcast packets in forward to
# avoid them from getting confirmed in the postrouting hook before
# the cloned skb is passed up the stack.
ip netns exec ${ns0} nft -f - <<EOF
ip netns exec "$ns0" nft -f - <<EOF
table ip filter {
chain input {
type filter hook input priority 1; policy accept
......@@ -149,36 +130,30 @@ EOF
# part of the bridge: the corresponding veth4 is not
# part of the bridge, only its macvlan interface.
for i in $(seq 1 4); do
eval ip -net \$ns$i link set lo up
eval ip -net \$ns$i link set eth0 up
eval ip -net \$ns"$i" link set eth0 up
done
for i in $(seq 1 2); do
eval ip -net \$ns$i addr add 10.0.0.1$i/24 dev eth0
eval ip -net \$ns"$i" addr add "10.0.0.1$i/24" dev eth0
done
ip -net ${ns3} addr add 10.23.0.13/24 dev eth0
ip -net ${ns4} addr add 10.23.0.14/24 dev eth0
ip -net "$ns3" addr add 10.23.0.13/24 dev eth0
ip -net "$ns4" addr add 10.23.0.14/24 dev eth0
# test basic connectivity
do_ping ${ns1} 10.0.0.12
do_ping ${ns3} 10.23.0.1
do_ping ${ns4} 10.23.0.1
if [ $ret -eq 0 ];then
echo "PASS: netns connectivity: ns1 can reach ns2, ns3 and ns4 can reach ns0"
fi
do_ping "$ns1" 10.0.0.12
do_ping "$ns3" 10.23.0.1
do_ping "$ns4" 10.23.0.1
bcast_ping ${ns1} 10.0.0.255
bcast_ping "$ns1" 10.0.0.255
# This should deliver broadcast to macvlan0, which is on top of ns0:br0.
bcast_ping ${ns3} 10.23.0.255
bcast_ping "$ns3" 10.23.0.255
# same, this time via veth4:macvlan4.
bcast_ping ${ns4} 10.23.0.255
bcast_ping "$ns4" 10.23.0.255
read t < /proc/sys/kernel/tainted
if [ $t -eq 0 ];then
if [ "$t" -eq 0 ];then
echo PASS: kernel not tainted
else
echo ERROR: kernel is tainted
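Review bot: The per-namespace loops still reach `$ns1`..`$ns4` through `eval` (`eval ip -net \$ns"$i" link set eth0 up` and the addr-add line below it), which is exactly the construct ShellCheck objects to and the rest of the rewrite otherwise removed; bash indirect expansion does the same job without re-parsing a command line: `nsname="ns$i"; ip -net "${!nsname}" link set eth0 up`, and likewise `ip -net "${!nsname}" addr add "10.0.0.1$i/24" dev eth0`. The two `link set macvlanN address ${MACVLAN_ADDR}` lines also keep the expansion unquoted while every neighbouring expansion was quoted; harmless for a fixed MAC, but inconsistent. macvlan4 also appears to move from `mode vepa` to `mode passthru`, which the merge description does not mention; a one-line comment above it stating why passthru is needed for the veth4 case would save the next reader a bisect.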
......@@ -5,142 +5,118 @@
# part of a bridge.
# eth0 br0 eth0
# setup is: ns1 <-> ns0 <-> ns2
# setup is: ns1 <-> nsbr <-> ns2
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
source lib.sh
ebtables -V > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! ebtables -V > /dev/null 2>&1;then
echo "SKIP: Could not run test without ebtables"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
cleanup() {
cleanup_all_ns
}
ip netns add ns0
ip netns add ns1
ip netns add ns2
trap cleanup EXIT
ip link add veth0 netns ns0 type veth peer name eth0 netns ns1
if [ $? -ne 0 ]; then
setup_ns nsbr ns1 ns2
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.default.rp_filter=0
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.all.rp_filter=0
if ! ip link add veth0 netns "$nsbr" type veth peer name eth0 netns "$ns1"; then
echo "SKIP: Can't create veth device"
exit $ksft_skip
fi
ip link add veth1 netns ns0 type veth peer name eth0 netns ns2
ip -net ns0 link set lo up
ip -net ns0 link set veth0 up
ip -net ns0 link set veth1 up
ip link add veth1 netns "$nsbr" type veth peer name eth0 netns "$ns2"
ip -net ns0 link add br0 type bridge
if [ $? -ne 0 ]; then
if ! ip -net "$nsbr" link add br0 type bridge; then
echo "SKIP: Can't create bridge br0"
exit $ksft_skip
fi
ip -net ns0 link set veth0 master br0
ip -net ns0 link set veth1 master br0
ip -net ns0 link set br0 up
ip -net ns0 addr add 10.0.0.1/24 dev br0
ip -net "$nsbr" link set veth0 up
ip -net "$nsbr" link set veth1 up
ip -net "$nsbr" link set veth0 master br0
ip -net "$nsbr" link set veth1 master br0
ip -net "$nsbr" link set br0 up
ip -net "$nsbr" addr add 10.0.0.1/24 dev br0
# place both in same subnet, ns1 and ns2 connected via ns0:br0
for i in 1 2; do
ip -net ns$i link set lo up
ip -net ns$i link set eth0 up
ip -net ns$i addr add 10.0.0.1$i/24 dev eth0
done
# place both in same subnet, ${ns1} and ${ns2} connected via ${nsbr}:br0
ip -net "$ns1" link set eth0 up
ip -net "$ns2" link set eth0 up
ip -net "$ns1" addr add 10.0.0.11/24 dev eth0
ip -net "$ns2" addr add 10.0.0.12/24 dev eth0
test_ebtables_broute()
{
local cipt
# redirect is needed so the dstmac is rewritten to the bridge itself,
# ip stack won't process OTHERHOST (foreign unicast mac) packets.
ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP
if [ $? -ne 0 ]; then
if ! ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP; then
echo "SKIP: Could not add ebtables broute redirect rule"
return $ksft_skip
fi
# ping netns1, expected to not work (ip forwarding is off)
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1
if [ $? -eq 0 ]; then
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=0
# ping net${ns1}, expected to not work (ip forwarding is off)
if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then
echo "ERROR: ping works, should have failed" 1>&2
return 1
fi
# enable forwarding on both interfaces.
# neither needs an ip address, but at least the bridge needs
# an ip address in same network segment as ns1 and ns2 (ns0
# an ip address in same network segment as ${ns1} and ${ns2} (${nsbr}
# needs to be able to determine route for to-be-forwarded packet).
ip netns exec ns0 sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec ns0 sysctl -q net.ipv4.conf.veth1.forwarding=1
sleep 1
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth1.forwarding=1
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then
echo "ERROR: ping did not work, but it should (broute+forward)" 1>&2
return 1
fi
echo "PASS: ns1/ns2 connectivity with active broute rule"
ip netns exec ns0 ebtables -t broute -F
echo "PASS: ${ns1}/${ns2} connectivity with active broute rule"
ip netns exec "$nsbr" ebtables -t broute -F
# ping netns1, expected to work (frames are bridged)
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null
if [ $? -ne 0 ]; then
# ping net${ns1}, expected to work (frames are bridged)
if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then
echo "ERROR: ping did not work, but it should (bridged)" 1>&2
return 1
fi
ip netns exec ns0 ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP
ip netns exec "$nsbr" ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP
# ping netns1, expected to not work (DROP in bridge forward)
ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1
if [ $? -eq 0 ]; then
# ping net${ns1}, expected to not work (DROP in bridge forward)
if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then
echo "ERROR: ping works, should have failed (icmp forward drop)" 1>&2
return 1
fi
# re-activate brouter
ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP
ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP
ip netns exec ns2 ping -q -c 1 10.0.0.11 > /dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns2" ping -q -c 1 10.0.0.11 > /dev/null; then
echo "ERROR: ping did not work, but it should (broute+forward 2)" 1>&2
return 1
fi
echo "PASS: ns1/ns2 connectivity with active broute rule and bridge forward drop"
echo "PASS: ${ns1}/${ns2} connectivity with active broute rule and bridge forward drop"
return 0
}
# test basic connectivity
ip netns exec ns1 ping -c 1 -q 10.0.0.12 > /dev/null
if [ $? -ne 0 ]; then
echo "ERROR: Could not reach ns2 from ns1" 1>&2
ret=1
if ! ip netns exec "$ns1" ping -c 1 -q 10.0.0.12 > /dev/null; then
echo "ERROR: Could not reach ${ns2} from ${ns1}" 1>&2
exit 1
fi
ip netns exec ns2 ping -c 1 -q 10.0.0.11 > /dev/null
if [ $? -ne 0 ]; then
echo "ERROR: Could not reach ns1 from ns2" 1>&2
ret=1
fi
if [ $ret -eq 0 ];then
echo "PASS: netns connectivity: ns1 and ns2 can reach each other"
if ! ip netns exec "$ns2" ping -c 1 -q 10.0.0.11 > /dev/null; then
echo "ERROR: Could not reach ${ns1} from ${ns2}" 1>&2
exit 1
fi
test_ebtables_broute
ret=$?
for i in 0 1 2; do ip netns del ns$i;done
exit $ret
exit $?
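Review bot: The "ip forwarding is off" precondition is pinned for only one port: `ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=0` is written before the first ping, while the enable step further down sets both veth0 and veth1. Since the request is brouted in on veth0 that is presumably enough for it to be dropped, but as this series stopped assuming host sysctl defaults (see the new rp_filter lines above), adding `ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth1.forwarding=0` beside it makes the state explicit whatever conf.default.forwarding is on the host. The trailing `exit $?` only reports the test result while nothing sits between it and `test_ebtables_broute`; `test_ebtables_broute; exit $?` on one line, or keeping the `ret=$?` form, is more robust. `local cipt` at the top of test_ebtables_broute is also unused and can go.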
CONFIG_AUDIT=y
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP_SCTP=m
CONFIG_IP_VS=m
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_NET_CLS_U32=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_IPIP=m
CONFIG_NET_VRF=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_EVENTS=m
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CT=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_SYNPROXY=m
......@@ -10,7 +10,7 @@
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/netfilter/nf_conntrack_tcp.h>
#include "../kselftest_harness.h"
#include "../../kselftest_harness.h"
#define TEST_ZONE_ID 123
#define NF_CT_DEFAULT_ZONE_ID 0
......@@ -14,35 +14,32 @@
# check the icmp errors are propagated to the correct host as per
# nat of "established" icmp-echo "connection".
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
source lib.sh
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! nft --version > /dev/null 2>&1;then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
cleanup() {
for i in 1 2;do ip netns del nsclient$i;done
for i in 1 2;do ip netns del nsrouter$i;done
cleanup_all_ns
}
trap cleanup EXIT
ipv4() {
echo -n 192.168.$1.2
}
setup_ns nsclient1 nsclient2 nsrouter1 nsrouter2
ret=0
add_addr()
{
ns=$1
dev=$2
i=$3
ipv6 () {
echo -n dead:$1::2
ip -net "$ns" link set "$dev" up
ip -net "$ns" addr add "192.168.$i.2/24" dev "$dev"
ip -net "$ns" addr add "dead:$i::2/64" dev "$dev" nodad
}
check_counter()
......@@ -52,10 +49,9 @@ check_counter()
expect=$3
local lret=0
cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect")
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns" nft list counter inet filter "$name" | grep -q "$expect"; then
echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2
ip netns exec $ns nft list counter inet filter "$name" 1>&2
ip netns exec "$ns" nft list counter inet filter "$name" 1>&2
lret=1
fi
......@@ -65,9 +61,8 @@ check_counter()
check_unknown()
{
expect="packets 0 bytes 0"
for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
check_counter $n "unknown" "$expect"
if [ $? -ne 0 ] ;then
for n in ${nsclient1} ${nsclient2} ${nsrouter1} ${nsrouter2}; do
if ! check_counter "$n" "unknown" "$expect"; then
return 1
fi
done
......@@ -75,61 +70,48 @@ check_unknown()
return 0
}
for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do
ip netns add $n
ip -net $n link set lo up
done
DEV=veth0
ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1
DEV=veth0
ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2
ip link add "$DEV" netns "$nsclient1" type veth peer name eth1 netns "$nsrouter1"
ip link add "$DEV" netns "$nsclient2" type veth peer name eth1 netns "$nsrouter2"
ip link add "$DEV" netns "$nsrouter1" type veth peer name eth2 netns "$nsrouter2"
DEV=veth0
ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2
add_addr "$nsclient1" $DEV 1
add_addr "$nsclient2" $DEV 2
DEV=veth0
for i in 1 2; do
ip -net nsclient$i link set $DEV up
ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV
ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV
done
ip -net nsrouter1 link set eth1 up
ip -net nsrouter1 link set veth0 up
ip -net "$nsrouter1" link set eth1 up
ip -net "$nsrouter1" link set $DEV up
ip -net nsrouter2 link set eth1 up
ip -net nsrouter2 link set eth2 up
ip -net "$nsrouter2" link set eth1 mtu 1280 up
ip -net "$nsrouter2" link set eth2 up
ip -net nsclient1 route add default via 192.168.1.1
ip -net nsclient1 -6 route add default via dead:1::1
ip -net "$nsclient1" route add default via 192.168.1.1
ip -net "$nsclient1" -6 route add default via dead:1::1
ip -net nsclient2 route add default via 192.168.2.1
ip -net nsclient2 route add default via dead:2::1
ip -net "$nsclient2" route add default via 192.168.2.1
ip -net "$nsclient2" route add default via dead:2::1
ip -net "$nsclient2" link set veth0 mtu 1280
i=3
ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1
ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0
ip -net nsrouter1 addr add dead:1::1/64 dev eth1
ip -net nsrouter1 addr add dead:3::1/64 dev veth0
ip -net nsrouter1 route add default via 192.168.3.10
ip -net nsrouter1 -6 route add default via dead:3::10
ip -net "$nsrouter1" addr add 192.168.1.1/24 dev eth1
ip -net "$nsrouter1" addr add 192.168.3.1/24 dev veth0
ip -net "$nsrouter1" addr add dead:1::1/64 dev eth1 nodad
ip -net "$nsrouter1" addr add dead:3::1/64 dev veth0 nodad
ip -net "$nsrouter1" route add default via 192.168.3.10
ip -net "$nsrouter1" -6 route add default via dead:3::10
ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1
ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2
ip -net nsrouter2 addr add dead:2::1/64 dev eth1
ip -net nsrouter2 addr add dead:3::10/64 dev eth2
ip -net nsrouter2 route add default via 192.168.3.1
ip -net nsrouter2 route add default via dead:3::1
ip -net "$nsrouter2" addr add 192.168.2.1/24 dev eth1
ip -net "$nsrouter2" addr add 192.168.3.10/24 dev eth2
ip -net "$nsrouter2" addr add dead:2::1/64 dev eth1 nodad
ip -net "$nsrouter2" addr add dead:3::10/64 dev eth2 nodad
ip -net "$nsrouter2" route add default via 192.168.3.1
ip -net "$nsrouter2" route add default via dead:3::1
sleep 2
for i in 4 6; do
ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1
ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1
ip netns exec "$nsrouter1" sysctl -q net.ipv$i.conf.all.forwarding=1
ip netns exec "$nsrouter2" sysctl -q net.ipv$i.conf.all.forwarding=1
done
for netns in nsrouter1 nsrouter2; do
ip netns exec $netns nft -f - <<EOF
for netns in "$nsrouter1" "$nsrouter2"; do
ip netns exec "$netns" nft -f - <<EOF
table inet filter {
counter unknown { }
counter related { }
......@@ -144,7 +126,7 @@ table inet filter {
EOF
done
ip netns exec nsclient1 nft -f - <<EOF
ip netns exec "$nsclient1" nft -f - <<EOF
table inet filter {
counter unknown { }
counter related { }
......@@ -164,7 +146,7 @@ table inet filter {
}
EOF
ip netns exec nsclient2 nft -f - <<EOF
ip netns exec "$nsclient2" nft -f - <<EOF
table inet filter {
counter unknown { }
counter new { }
......@@ -189,11 +171,10 @@ table inet filter {
}
EOF
# make sure NAT core rewrites adress of icmp error if nat is used according to
# conntrack nat information (icmp error will be directed at nsrouter1 address,
# but it needs to be routed to nsclient1 address).
ip netns exec nsrouter1 nft -f - <<EOF
ip netns exec "$nsrouter1" nft -f - <<EOF
table ip nat {
chain postrouting {
type nat hook postrouting priority 0; policy accept;
......@@ -208,44 +189,32 @@ table ip6 nat {
}
EOF
ip netns exec nsrouter2 ip link set eth1 mtu 1280
ip netns exec nsclient2 ip link set veth0 mtu 1280
sleep 1
ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q -M "do" 192.168.2.2 >/dev/null; then
echo "ERROR: netns ip routing/connectivity broken" 1>&2
cleanup
exit 1
fi
ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q dead:2::2 >/dev/null; then
echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2
cleanup
exit 1
fi
check_unknown
if [ $? -ne 0 ]; then
if ! check_unknown; then
ret=1
fi
expect="packets 0 bytes 0"
for netns in nsrouter1 nsrouter2 nsclient1;do
check_counter "$netns" "related" "$expect"
if [ $? -ne 0 ]; then
for netns in "$nsrouter1" "$nsrouter2" "$nsclient1";do
if ! check_counter "$netns" "related" "$expect"; then
ret=1
fi
done
expect="packets 2 bytes 2076"
check_counter nsclient2 "new" "$expect"
if [ $? -ne 0 ]; then
if ! check_counter "$nsclient2" "new" "$expect"; then
ret=1
fi
ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null
if [ $? -eq 0 ]; then
if ip netns exec "$nsclient1" ping -W 0.5 -q -c 1 -s 1300 -M "do" 192.168.2.2 > /dev/null; then
echo "ERROR: ping should have failed with PMTU too big error" 1>&2
ret=1
fi
......@@ -253,30 +222,26 @@ fi
# nsrouter2 should have generated the icmp error, so
# related counter should be 0 (its in forward).
expect="packets 0 bytes 0"
check_counter "nsrouter2" "related" "$expect"
if [ $? -ne 0 ]; then
if ! check_counter "$nsrouter2" "related" "$expect"; then
ret=1
fi
# but nsrouter1 should have seen it, same for nsclient1.
expect="packets 1 bytes 576"
for netns in nsrouter1 nsclient1;do
check_counter "$netns" "related" "$expect"
if [ $? -ne 0 ]; then
for netns in ${nsrouter1} ${nsclient1};do
if ! check_counter "$netns" "related" "$expect"; then
ret=1
fi
done
ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null
if [ $? -eq 0 ]; then
if ip netns exec "${nsclient1}" ping6 -W 0.5 -c 1 -s 1300 dead:2::2 > /dev/null; then
echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2
ret=1
fi
expect="packets 2 bytes 1856"
for netns in nsrouter1 nsclient1;do
check_counter "$netns" "related" "$expect"
if [ $? -ne 0 ]; then
for netns in "${nsrouter1}" "${nsclient1}";do
if ! check_counter "$netns" "related" "$expect"; then
ret=1
fi
done
......@@ -288,21 +253,19 @@ else
fi
# add 'bad' route, expect icmp REDIRECT to be generated
ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1
ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1
ip netns exec "${nsclient1}" ip route add 192.168.1.42 via 192.168.1.1
ip netns exec "${nsclient1}" ip route add dead:1::42 via dead:1::1
ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null
ip netns exec "$nsclient1" ping -W 1 -q -i 0.5 -c 2 192.168.1.42 > /dev/null
expect="packets 1 bytes 112"
check_counter nsclient1 "redir4" "$expect"
if [ $? -ne 0 ];then
if ! check_counter "$nsclient1" "redir4" "$expect"; then
ret=1
fi
ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null
ip netns exec "$nsclient1" ping -W 1 -c 1 dead:1::42 > /dev/null
expect="packets 1 bytes 192"
check_counter nsclient1 "redir6" "$expect"
if [ $? -ne 0 ];then
if ! check_counter "$nsclient1" "redir6" "$expect"; then
ret=1
fi
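Review bot: The new `add_addr()` assigns `ns`, `dev` and `i` without `local`, so each call clobbers the script-level `i` (later set with `i=3` and used as a loop variable) and the `ns` that check_counter reads; the calls happen before those uses so nothing breaks today, but `local ns="$1" dev="$2" i="$3"` keeps the helper side-effect free. The IPv6 PMTU probe still spawns `ping6` (`ping6 -W 0.5 -c 1 -s 1300 dead:2::2`) while the earlier connectivity check for the same address was switched to plain `ping`; on a system without a ping6 binary that `if` reads as "no error" and only the following counter check catches it, so `ping -W 0.5 -c 1 -s 1300 dead:2::2` would keep the two consistent. The loop `for n in ${nsclient1} ${nsclient2} ${nsrouter1} ${nsrouter2}` in check_unknown also leaves its expansions unquoted, unlike the equivalent loops below it.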
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
# Conntrack needs to reassemble fragments in order to have complete
# packets for rule matching. Reassembly can lead to packet loss.
......@@ -23,46 +22,34 @@ ksft_skip=4
# between Client A and Client B over WAN. Wanrouter has MTU 1400 set
# on its interfaces.
rnd=$(mktemp -u XXXXXXXX)
rx=$(mktemp)
r_a="ns-ra-$rnd"
r_b="ns-rb-$rnd"
r_w="ns-rw-$rnd"
c_a="ns-ca-$rnd"
c_b="ns-cb-$rnd"
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
checktool "iptables --version" "run test without iptables"
checktool "ip -Version" "run test without ip tool"
checktool "which socat" "run test without socat"
checktool "ip netns add ${r_a}" "create net namespace"
checktool "socat -h" "run test without socat"
for n in ${r_b} ${r_w} ${c_a} ${c_b};do
ip netns add ${n}
done
setup_ns r_a r_b r_w c_a c_b
cleanup() {
for n in ${r_a} ${r_b} ${r_w} ${c_a} ${c_b};do
ip netns del ${n}
done
cleanup_all_ns
rm -f ${rx}
}
trap cleanup EXIT
listener_ready()
{
ns="$1"
port="$2"
ss -N "$ns" -lnu -o "sport = :$port" | grep -q "$port"
}
test_path() {
msg="$1"
ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null &
sleep 1
busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000
for i in 1 2 3; do
head -c1400 /dev/zero | tr "\000" "a" | \
ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000
......@@ -129,7 +116,7 @@ r_addr="10.2.2.1"
ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
for dev in lo veth0 veth1 ipip0; do
for dev in veth0 veth1 ipip0; do
ip -net ${r_b} link set $dev up
done
......@@ -142,21 +129,18 @@ ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# Client A
ip -net ${c_a} addr add 192.168.10.2/24 dev veth0
ip -net ${c_a} link set dev lo up
ip -net ${c_a} link set dev veth0 up
ip -net ${c_a} route add default via 192.168.10.1
# Client A
ip -net ${c_b} addr add 192.168.20.2/24 dev veth0
ip -net ${c_b} link set dev veth0 up
ip -net ${c_b} link set dev lo up
ip -net ${c_b} route add default via 192.168.20.1
# Wan
ip -net ${r_w} addr add 10.2.2.254/24 dev veth0
ip -net ${r_w} addr add 10.4.4.254/24 dev veth1
ip -net ${r_w} link set dev lo up
ip -net ${r_w} link set dev veth0 up mtu 1400
ip -net ${r_w} link set dev veth1 up mtu 1400
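Review bot: `listener_ready()` assigns `ns` and `port` as globals; `local ns="$1" port="$2"` avoids leaking them into the caller each time busywait polls it. It also introduces a dependency on `ss -N` that the script never probes, unlike socat and iptables: when ss is missing or too old for `-N`, busywait just times out and test_path reports an ERROR rather than a SKIP, so `checktool "ss -V" "run test without ss tool"` next to the existing checks would be in keeping with the series. `rx=$(mktemp)` is still created before `trap cleanup EXIT` is installed, so any checktool that exits in between leaves the temp file behind; moving the mktemp below the trap, or the trap above the checks, closes that gap.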
......@@ -12,69 +12,67 @@
#
# TOPO: SERVER_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) CLIENT_NS
CLIENT_NS=$(mktemp -u client-XXXXXXXX)
source lib.sh
CLIENT_IP="198.51.200.1"
CLIENT_PORT=1234
SERVER_NS=$(mktemp -u server-XXXXXXXX)
SERVER_IP="198.51.100.1"
SERVER_PORT=1234
ROUTER_NS=$(mktemp -u router-XXXXXXXX)
CLIENT_GW="198.51.200.2"
SERVER_GW="198.51.100.2"
# setup the topo
setup() {
ip net add $CLIENT_NS
ip net add $SERVER_NS
ip net add $ROUTER_NS
ip -n $SERVER_NS link add link0 type veth peer name link1 netns $ROUTER_NS
ip -n $CLIENT_NS link add link3 type veth peer name link2 netns $ROUTER_NS
setup_ns CLIENT_NS SERVER_NS ROUTER_NS
ip -n "$SERVER_NS" link add link0 type veth peer name link1 netns "$ROUTER_NS"
ip -n "$CLIENT_NS" link add link3 type veth peer name link2 netns "$ROUTER_NS"
ip -n $SERVER_NS link set link0 up
ip -n $SERVER_NS addr add $SERVER_IP/24 dev link0
ip -n $SERVER_NS route add $CLIENT_IP dev link0 via $SERVER_GW
ip -n "$SERVER_NS" link set link0 up
ip -n "$SERVER_NS" addr add $SERVER_IP/24 dev link0
ip -n "$SERVER_NS" route add $CLIENT_IP dev link0 via $SERVER_GW
ip -n $ROUTER_NS link set link1 up
ip -n $ROUTER_NS link set link2 up
ip -n $ROUTER_NS addr add $SERVER_GW/24 dev link1
ip -n $ROUTER_NS addr add $CLIENT_GW/24 dev link2
ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1
ip -n "$ROUTER_NS" link set link1 up
ip -n "$ROUTER_NS" link set link2 up
ip -n "$ROUTER_NS" addr add $SERVER_GW/24 dev link1
ip -n "$ROUTER_NS" addr add $CLIENT_GW/24 dev link2
ip net exec "$ROUTER_NS" sysctl -wq net.ipv4.ip_forward=1
ip -n $CLIENT_NS link set link3 up
ip -n $CLIENT_NS addr add $CLIENT_IP/24 dev link3
ip -n $CLIENT_NS route add $SERVER_IP dev link3 via $CLIENT_GW
ip -n "$CLIENT_NS" link set link3 up
ip -n "$CLIENT_NS" addr add $CLIENT_IP/24 dev link3
ip -n "$CLIENT_NS" route add $SERVER_IP dev link3 via $CLIENT_GW
# simulate the delay on OVS upcall by setting up a delay for INIT_ACK with
# tc on $SERVER_NS side
tc -n $SERVER_NS qdisc add dev link0 root handle 1: htb
tc -n $SERVER_NS class add dev link0 parent 1: classid 1:1 htb rate 100mbit
tc -n $SERVER_NS filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \
tc -n "$SERVER_NS" qdisc add dev link0 root handle 1: htb r2q 64
tc -n "$SERVER_NS" class add dev link0 parent 1: classid 1:1 htb rate 100mbit
tc -n "$SERVER_NS" filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \
0xff match u8 2 0xff at 32 flowid 1:1
tc -n $SERVER_NS qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms
if ! tc -n "$SERVER_NS" qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms; then
echo "SKIP: Cannot add netem qdisc"
exit $ksft_skip
fi
# simulate the ctstate check on OVS nf_conntrack
ip net exec $ROUTER_NS iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP
ip net exec $ROUTER_NS iptables -A INPUT -p sctp -j DROP
ip net exec "$ROUTER_NS" iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP
ip net exec "$ROUTER_NS" iptables -A INPUT -p sctp -j DROP
# use a smaller number for assoc's max_retrans to reproduce the issue
modprobe sctp
ip net exec $CLIENT_NS sysctl -wq net.sctp.association_max_retrans=3
modprobe -q sctp
ip net exec "$CLIENT_NS" sysctl -wq net.sctp.association_max_retrans=3
}
cleanup() {
ip net exec $CLIENT_NS pkill sctp_collision 2>&1 >/dev/null
ip net exec $SERVER_NS pkill sctp_collision 2>&1 >/dev/null
ip net del "$CLIENT_NS"
ip net del "$SERVER_NS"
ip net del "$ROUTER_NS"
ip net exec "$CLIENT_NS" pkill sctp_collision >/dev/null 2>&1
ip net exec "$SERVER_NS" pkill sctp_collision >/dev/null 2>&1
cleanup_all_ns
}
do_test() {
ip net exec $SERVER_NS ./sctp_collision server \
ip net exec "$SERVER_NS" ./sctp_collision server \
$SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT &
ip net exec $CLIENT_NS ./sctp_collision client \
ip net exec "$CLIENT_NS" ./sctp_collision client \
$CLIENT_IP $CLIENT_PORT $SERVER_IP $SERVER_PORT
}
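Review bot: `do_test()` backgrounds the server and immediately launches the client against it with no readiness wait, so whether the first INIT finds a listener depends on scheduling; other scripts in this series gained a `busywait ... listener_ready` step for the same situation, and polling the server namespace with ss for the listening port here would remove the race, assuming the sctp_collision server really does bind before the client needs it, which this page does not show. The netem SKIP path inside setup() exits with `$ksft_skip`, which this file no longer defines itself; that is only correct if the sourced lib.sh provides it, worth confirming. `$SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT` on the two ./sctp_collision lines are also still unquoted, harmless for these constants but inconsistent with the rest of the rewrite.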
......@@ -4,37 +4,29 @@
# Check that UNREPLIED tcp conntrack will eventually timeout.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
waittime=20
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
source lib.sh
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! nft --version > /dev/null 2>&1;then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
if ! conntrack --version > /dev/null 2>&1;then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
ret=0
cleanup() {
ip netns pids $ns1 | xargs kill 2>/dev/null
ip netns pids $ns2 | xargs kill 2>/dev/null
ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids "$ns2" | xargs kill 2>/dev/null
ip netns del $ns1
ip netns del $ns2
cleanup_all_ns
}
ipv4() {
echo -n 192.168.$1.2
echo -n 192.168."$1".2
}
check_counter()
......@@ -44,51 +36,53 @@ check_counter()
expect=$3
local lret=0
cnt=$(ip netns exec $ns2 nft list counter inet filter "$name" | grep -q "$expect")
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns2" nft list counter inet filter "$name" | grep -q "$expect"; then
echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2
ip netns exec $ns2 nft list counter inet filter "$name" 1>&2
ip netns exec "$ns2" nft list counter inet filter "$name" 1>&2
lret=1
fi
return $lret
}
# Create test namespaces
ip netns add $ns1 || exit 1
trap cleanup EXIT
ip netns add $ns2 || exit 1
# Create test namespaces
setup_ns ns1 ns2
# Connect the namespace to the host using a veth pair
ip -net $ns1 link add name veth1 type veth peer name veth2
ip -net $ns1 link set netns $ns2 dev veth2
ip -net "$ns1" link add name veth1 type veth peer name veth2
ip -net "$ns1" link set netns "$ns2" dev veth2
ip -net $ns1 link set up dev lo
ip -net $ns2 link set up dev lo
ip -net $ns1 link set up dev veth1
ip -net $ns2 link set up dev veth2
ip -net "$ns1" link set up dev lo
ip -net "$ns2" link set up dev lo
ip -net "$ns1" link set up dev veth1
ip -net "$ns2" link set up dev veth2
ip -net $ns2 addr add 10.11.11.2/24 dev veth2
ip -net $ns2 route add default via 10.11.11.1
ip -net "$ns2" addr add 10.11.11.2/24 dev veth2
ip -net "$ns2" route add default via 10.11.11.1
ip netns exec $ns2 sysctl -q net.ipv4.conf.veth2.forwarding=1
ip netns exec "$ns2" sysctl -q net.ipv4.conf.veth2.forwarding=1
# add a rule inside NS so we enable conntrack
ip netns exec $ns1 iptables -A INPUT -m state --state established,related -j ACCEPT
ip netns exec "$ns1" nft -f - <<EOF
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
ct state established accept
}
}
EOF
ip -net $ns1 addr add 10.11.11.1/24 dev veth1
ip -net $ns1 route add 10.99.99.99 via 10.11.11.2
ip -net "$ns1" addr add 10.11.11.1/24 dev veth1
ip -net "$ns1" route add 10.99.99.99 via 10.11.11.2
# Check connectivity works
ip netns exec $ns1 ping -q -c 2 10.11.11.2 >/dev/null || exit 1
ip netns exec $ns2 nc -l -p 8080 < /dev/null &
ip netns exec "$ns1" ping -q -c 2 10.11.11.2 >/dev/null || exit 1
# however, conntrack entries are there
ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT &
ip netns exec $ns2 nft -f - <<EOF
ip netns exec "$ns2" nft -f - <<EOF
table inet filter {
counter connreq { }
counter redir { }
......@@ -104,17 +98,15 @@ if [ $? -ne 0 ]; then
exit 1
fi
ip netns exec $ns2 sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10
ip netns exec "$ns2" sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10
echo "INFO: connect $ns1 -> $ns2 to the virtual ip"
ip netns exec $ns1 bash -c 'while true ; do
nc -p 60000 10.99.99.99 80
sleep 1
ip netns exec "$ns1" bash -c 'for i in $(seq 1 $BUSYWAIT_TIMEOUT) ; do
socat -u STDIN TCP:10.99.99.99:80 < /dev/null
sleep 0.1
done' &
sleep 1
ip netns exec $ns2 nft -f - <<EOF
ip netns exec "$ns2" nft -f - <<EOF
table inet nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
......@@ -127,34 +119,28 @@ if [ $? -ne 0 ]; then
exit 1
fi
count=$(ip netns exec $ns2 conntrack -L -p tcp --dport 80 2>/dev/null | wc -l)
if [ $count -eq 0 ]; then
count=$(ip netns exec "$ns2" conntrack -L -p tcp --dport 80 2>/dev/null | wc -l)
if [ "$count" -eq 0 ]; then
echo "ERROR: $ns2 did not pick up tcp connection from peer"
exit 1
fi
echo "INFO: NAT redirect added in ns $ns2, waiting for $waittime seconds for nat to take effect"
for i in $(seq 1 $waittime); do
echo -n "."
sleep 1
count=$(ip netns exec $ns2 conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
if [ $count -gt 0 ]; then
echo
echo "PASS: redirection took effect after $i seconds"
break
wait_for_redirect()
{
count=$(ip netns exec "$ns2" conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
if [ "$count" -gt 0 ]; then
return 0
fi
m=$((i%20))
if [ $m -eq 0 ]; then
echo " waited for $i seconds"
fi
done
return 1
}
echo "INFO: NAT redirect added in ns $ns2, waiting for $BUSYWAIT_TIMEOUT ms for nat to take effect"
busywait $BUSYWAIT_TIMEOUT wait_for_redirect
ret=$?
expect="packets 1 bytes 60"
check_counter "$ns2" "redir" "$expect"
if [ $? -ne 0 ]; then
if ! check_counter "$ns2" "redir" "$expect"; then
ret=1
fi
......
#!/bin/sh
#!/bin/bash
# This script demonstrates interaction of conntrack and vrf.
# The vrf driver calls the netfilter hooks again, with oif/iif
......@@ -28,84 +28,65 @@
# that was supposed to be fixed by the commit mentioned above to make sure
# that any fix to test case 1 won't break masquerade again.
ksft_skip=4
source lib.sh
IP0=172.30.30.1
IP1=172.30.30.2
PFXL=30
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns0="ns0-$sfx"
ns1="ns1-$sfx"
cleanup()
{
ip netns pids $ns0 | xargs kill 2>/dev/null
ip netns pids $ns1 | xargs kill 2>/dev/null
ip netns del $ns0 $ns1
cleanup_all_ns
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! nft --version > /dev/null 2>&1;then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add "$ns0"
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace $ns0"
if ! conntrack --version > /dev/null 2>&1;then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
ip netns add "$ns1"
trap cleanup EXIT
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
setup_ns ns0 ns1
ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1
if [ $? -ne 0 ];then
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
if ! ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: Could not add veth device"
exit $ksft_skip
fi
ip -net $ns0 li add tvrf type vrf table 9876
if [ $? -ne 0 ];then
if ! ip -net "$ns0" li add tvrf type vrf table 9876; then
echo "SKIP: Could not add vrf device"
exit $ksft_skip
fi
ip -net $ns0 li set lo up
ip -net $ns0 li set veth0 master tvrf
ip -net $ns0 li set tvrf up
ip -net $ns0 li set veth0 up
ip -net $ns1 li set veth0 up
ip -net "$ns0" li set veth0 master tvrf
ip -net "$ns0" li set tvrf up
ip -net "$ns0" li set veth0 up
ip -net "$ns1" li set veth0 up
ip -net $ns0 addr add $IP0/$PFXL dev veth0
ip -net $ns1 addr add $IP1/$PFXL dev veth0
ip -net "$ns0" addr add $IP0/$PFXL dev veth0
ip -net "$ns1" addr add $IP1/$PFXL dev veth0
ip netns exec $ns1 iperf3 -s > /dev/null 2>&1&
if [ $? -ne 0 ];then
echo "SKIP: Could not start iperf3"
exit $ksft_skip
fi
ip netns exec "$ns1" iperf3 -s > /dev/null 2>&1 &
# test vrf ingress handling.
# The incoming connection should be placed in conntrack zone 1,
# as decided by the first iteration of the ruleset.
test_ct_zone_in()
{
ip netns exec $ns0 nft -f - <<EOF
ip netns exec "$ns0" nft -f - <<EOF
table testct {
chain rawpre {
type filter hook prerouting priority raw;
......@@ -126,21 +107,21 @@ table testct {
}
}
EOF
ip netns exec $ns1 ping -W 1 -c 1 -I veth0 $IP0 > /dev/null
ip netns exec "$ns1" ping -W 1 -c 1 -I veth0 "$IP0" > /dev/null
# should be in zone 1, not zone 2
count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l)
if [ $count -eq 1 ]; then
count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l)
if [ "$count" -eq 1 ]; then
echo "PASS: entry found in conntrack zone 1"
else
echo "FAIL: entry not found in conntrack zone 1"
count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l)
if [ $count -eq 1 ]; then
count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l)
if [ "$count" -eq 1 ]; then
echo "FAIL: entry found in zone 2 instead"
else
echo "FAIL: entry not in zone 1 or 2, dumping table"
ip netns exec $ns0 conntrack -L
ip netns exec $ns0 nft list ruleset
ip netns exec "$ns0" conntrack -L
ip netns exec "$ns0" nft list ruleset
fi
fi
}
......@@ -153,12 +134,12 @@ test_masquerade_vrf()
local qdisc=$1
if [ "$qdisc" != "default" ]; then
tc -net $ns0 qdisc add dev tvrf root $qdisc
tc -net "$ns0" qdisc add dev tvrf root "$qdisc"
fi
ip netns exec $ns0 conntrack -F 2>/dev/null
ip netns exec "$ns0" conntrack -F 2>/dev/null
ip netns exec $ns0 nft -f - <<EOF
ip netns exec "$ns0" nft -f - <<EOF
flush ruleset
table ip nat {
chain rawout {
......@@ -179,17 +160,15 @@ table ip nat {
}
}
EOF
ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null; then
echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device"
ret=1
return
fi
# must also check that nat table was evaluated on second (lower device) iteration.
ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' &&
ip netns exec $ns0 nft list table ip nat |grep -q 'untracked counter packets [1-9]'
if [ $? -eq 0 ]; then
ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2' &&
if ip netns exec "$ns0" nft list table ip nat |grep -q 'untracked counter packets [1-9]'; then
echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)"
else
echo "FAIL: vrf rules have unexpected counter value"
......@@ -197,7 +176,7 @@ EOF
fi
if [ "$qdisc" != "default" ]; then
tc -net $ns0 qdisc del dev tvrf root
tc -net "$ns0" qdisc del dev tvrf root
fi
}
......@@ -206,8 +185,8 @@ EOF
# oifname is the lower device (veth0 in this case).
test_masquerade_veth()
{
ip netns exec $ns0 conntrack -F 2>/dev/null
ip netns exec $ns0 nft -f - <<EOF
ip netns exec "$ns0" conntrack -F 2>/dev/null
ip netns exec "$ns0" nft -f - <<EOF
flush ruleset
table ip nat {
chain postrouting {
......@@ -216,16 +195,14 @@ table ip nat {
}
}
EOF
ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null; then
echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device"
ret=1
return
fi
# must also check that nat table was evaluated on second (lower device) iteration.
ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2'
if [ $? -eq 0 ]; then
if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2'; then
echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device"
else
echo "FAIL: vrf masq rule has unexpected counter value"
......
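Review bot: iperf3 is no longer checked anywhere in this script: the old `$?` test after backgrounding `iperf3 -s` was dropped (it was ineffective anyway), and the new SKIP checks at the top cover only nft and conntrack, so a host without iperf3 will report FAIL from test_masquerade_vrf/test_masquerade_veth instead of SKIP. Add `checktool "iperf3 -v" "run test without iperf3"` next to the nft/conntrack checks; checktool comes from the `source lib.sh` at the top of the file. The server is also started in the background with no readiness wait before the first `iperf3 -t 1 -c $IP1`; the ping in test_ct_zone_in presumably gives it enough time, but a busywait on `ss -N "$ns1" -lnt` for port 5201 would make that explicit rather than incidental. Separately, the two `net.ipv4.conf.all.rp_filter=0` lines are duplicates (pre-existing), so one of them is redundant or was meant for another key.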
#!/bin/sh
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# End-to-end ipvs test suite
......@@ -24,8 +24,8 @@
# We assume that all network driver are loaded
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
GREEN='\033[0;92m'
RED='\033[0;31m'
......@@ -46,53 +46,39 @@ readonly datalen=32
sysipvsnet="/proc/sys/net/ipv4/vs/"
if [ ! -d $sysipvsnet ]; then
modprobe -q ip_vs
if [ $? -ne 0 ]; then
if ! modprobe -q ip_vs; then
echo "skip: could not run test without ipvs module"
exit $ksft_skip
fi
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ipvsadm -v > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "SKIP: Could not run test without ipvsadm"
exit $ksft_skip
fi
checktool "ipvsadm -v" "run test without ipvsadm"
checktool "socat -h" "run test without socat"
setup() {
ip netns add ns0
ip netns add ns1
ip netns add ns2
ip link add veth01 netns ns0 type veth peer name veth10 netns ns1
ip link add veth02 netns ns0 type veth peer name veth20 netns ns2
ip link add veth12 netns ns1 type veth peer name veth21 netns ns2
ip netns exec ns0 ip link set veth01 up
ip netns exec ns0 ip link set veth02 up
ip netns exec ns0 ip link add br0 type bridge
ip netns exec ns0 ip link set veth01 master br0
ip netns exec ns0 ip link set veth02 master br0
ip netns exec ns0 ip link set br0 up
ip netns exec ns0 ip addr add ${cip_v4}/24 dev br0
ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip link set veth10 up
ip netns exec ns1 ip addr add ${gip_v4}/24 dev veth10
ip netns exec ns1 ip link set veth12 up
ip netns exec ns1 ip addr add ${dip_v4}/24 dev veth12
ip netns exec ns2 ip link set lo up
ip netns exec ns2 ip link set veth21 up
ip netns exec ns2 ip addr add ${rip_v4}/24 dev veth21
ip netns exec ns2 ip link set veth20 up
ip netns exec ns2 ip addr add ${sip_v4}/24 dev veth20
setup_ns ns0 ns1 ns2
ip link add veth01 netns "${ns0}" type veth peer name veth10 netns "${ns1}"
ip link add veth02 netns "${ns0}" type veth peer name veth20 netns "${ns2}"
ip link add veth12 netns "${ns1}" type veth peer name veth21 netns "${ns2}"
ip netns exec "${ns0}" ip link set veth01 up
ip netns exec "${ns0}" ip link set veth02 up
ip netns exec "${ns0}" ip link add br0 type bridge
ip netns exec "${ns0}" ip link set veth01 master br0
ip netns exec "${ns0}" ip link set veth02 master br0
ip netns exec "${ns0}" ip link set br0 up
ip netns exec "${ns0}" ip addr add "${cip_v4}/24" dev br0
ip netns exec "${ns1}" ip link set veth10 up
ip netns exec "${ns1}" ip addr add "${gip_v4}/24" dev veth10
ip netns exec "${ns1}" ip link set veth12 up
ip netns exec "${ns1}" ip addr add "${dip_v4}/24" dev veth12
ip netns exec "${ns2}" ip link set veth21 up
ip netns exec "${ns2}" ip addr add "${rip_v4}/24" dev veth21
ip netns exec "${ns2}" ip link set veth20 up
ip netns exec "${ns2}" ip addr add "${sip_v4}/24" dev veth20
sleep 1
......@@ -100,10 +86,7 @@ setup() {
}
cleanup() {
for i in 0 1 2
do
ip netns del ns$i > /dev/null 2>&1
done
cleanup_all_ns
if [ -f "${outfile}" ]; then
rm "${outfile}"
......@@ -114,13 +97,13 @@ cleanup() {
}
server_listen() {
ip netns exec ns2 nc -l -p 8080 > "${outfile}" &
ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
server_pid=$!
sleep 0.2
}
client_connect() {
ip netns exec ns0 timeout 2 nc -w 1 ${vip_v4} ${port} < "${infile}"
ip netns exec "${ns0}" timeout 2 socat -u -4 STDIN TCP:"${vip_v4}":"${port}" < "${infile}"
}
verify_data() {
......@@ -136,58 +119,58 @@ test_service() {
test_dr() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0
ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr
ip netns exec ns1 ipvsadm -a -t ${vip_v4}:${port} -r ${rip_v4}:${port}
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1
ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1
ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec "${ns1}" ipvsadm -a -t "${vip_v4}:${port}" -r "${rip_v4}:${port}"
ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1
# avoid incorrect arp response
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2
# avoid reverse route lookup
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1
test_service
}
test_nat() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0
ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr
ip netns exec ns1 ipvsadm -a -m -t ${vip_v4}:${port} -r ${rip_v4}:${port}
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1
ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1
ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec "${ns1}" ipvsadm -a -m -t "${vip_v4}:${port}" -r "${rip_v4}:${port}"
ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1
ip netns exec ns2 ip link del veth20
ip netns exec ns2 ip route add default via ${dip_v4} dev veth21
ip netns exec "${ns2}" ip link del veth20
ip netns exec "${ns2}" ip route add default via "${dip_v4}" dev veth21
test_service
}
test_tun() {
ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0
ip netns exec ns1 modprobe ipip
ip netns exec ns1 ip link set tunl0 up
ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=0
ip netns exec ns1 sysctl -qw net.ipv4.conf.all.send_redirects=0
ip netns exec ns1 sysctl -qw net.ipv4.conf.default.send_redirects=0
ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr
ip netns exec ns1 ipvsadm -a -i -t ${vip_v4}:${port} -r ${rip_v4}:${port}
ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1
ip netns exec ns2 modprobe ipip
ip netns exec ns2 ip link set tunl0 up
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2
ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.tunl0.rp_filter=0
ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1
ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0
ip netns exec "${ns1}" modprobe -q ipip
ip netns exec "${ns1}" ip link set tunl0 up
ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=0
ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.all.send_redirects=0
ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.default.send_redirects=0
ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr
ip netns exec "${ns1}" ipvsadm -a -i -t "${vip_v4}:${port}" -r ${rip_v4}:${port}
ip netns exec "${ns1}" ip addr add ${vip_v4}/32 dev lo:1
ip netns exec "${ns2}" modprobe -q ipip
ip netns exec "${ns2}" ip link set tunl0 up
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.tunl0.rp_filter=0
ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0
ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1
test_service
}
......
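Review bot: server_listen still relies on a fixed `sleep 0.2` after backgrounding the socat listener, while the rest of this series moves to `busywait` with a readiness probe; on a slow or loaded CI box the client in client_connect can run before the listener is bound and the test fails spuriously. A small probe using the `ss -N` idiom already used elsewhere in the series replaces the sleep. The `${rip_v4}:${port}` and `${vip_v4}/32` expansions in test_tun are also the only ones left unquoted, which is inconsistent with the quoting applied to the identical lines in test_dr/test_nat. BUSYWAIT_TIMEOUT is assumed to come from the sourced lib.sh, as it does for the other scripts in this series.
```shell
listener_ready() {
	ss -N "$ns2" -lnt -o "sport = :8080" | grep -q 8080
}

server_listen() {
	ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
	server_pid=$!
	busywait "$BUSYWAIT_TIMEOUT" listener_ready
}
```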
net_netfilter_dir=$(dirname "$(readlink -e "${BASH_SOURCE[0]}")")
source "$net_netfilter_dir/../lib.sh"
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
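Review bot: checktool deliberately leaves `$1` unquoted so a command string such as `"socat -h"` is word-split into a command and its arguments, but that is exactly what ShellCheck reports as SC2086, and this series is otherwise aiming for a shellcheck-clean tree; it also means the helper cannot take an argument containing spaces. Document the intent on the `if` line with `# shellcheck disable=SC2086 # command string is intentionally word-split` and a short header comment along the lines of `# checktool <command string> <what cannot be done without it>: runs the command silently and exits with ksft_skip if it fails`. The function also depends on `ksft_skip` being defined by the sourced `../lib.sh`; that is worth stating in the header since nothing in this file sets it.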
......@@ -4,88 +4,60 @@
# Test NAT source port clash resolution
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
socatpid=0
cleanup()
{
[ $socatpid -gt 0 ] && kill $socatpid
ip netns del $ns1
ip netns del $ns2
}
socat -h > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without socat"
exit $ksft_skip
fi
iptables --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without iptables"
exit $ksft_skip
fi
[ "$socatpid" -gt 0 ] && kill "$socatpid"
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
cleanup_all_ns
}
ip netns add "$ns1"
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace $ns1"
exit $ksft_skip
fi
checktool "socat -h" "run test without socat"
checktool "iptables --version" "run test without iptables"
trap cleanup EXIT
ip netns add $ns2
setup_ns ns1 ns2
# Connect the namespaces using a veth pair
ip link add name veth2 type veth peer name veth1
ip link set netns $ns1 dev veth1
ip link set netns $ns2 dev veth2
ip link set netns "$ns1" dev veth1
ip link set netns "$ns2" dev veth2
ip netns exec $ns1 ip link set up dev lo
ip netns exec $ns1 ip link set up dev veth1
ip netns exec $ns1 ip addr add 192.168.1.1/24 dev veth1
ip netns exec "$ns1" ip link set up dev lo
ip netns exec "$ns1" ip link set up dev veth1
ip netns exec "$ns1" ip addr add 192.168.1.1/24 dev veth1
ip netns exec $ns2 ip link set up dev lo
ip netns exec $ns2 ip link set up dev veth2
ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2
ip netns exec "$ns2" ip link set up dev lo
ip netns exec "$ns2" ip link set up dev veth2
ip netns exec "$ns2" ip addr add 192.168.1.2/24 dev veth2
# Create a server in one namespace
ip netns exec $ns1 socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
ip netns exec "$ns1" socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
socatpid=$!
# Restrict source port to just one so we don't have to exhaust
# all others.
ip netns exec $ns2 sysctl -q net.ipv4.ip_local_port_range="10000 10000"
ip netns exec "$ns2" sysctl -q net.ipv4.ip_local_port_range="10000 10000"
# add a virtual IP using DNAT
ip netns exec $ns2 iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201
ip netns exec "$ns2" iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201
# ... and route it to the other namespace
ip netns exec $ns2 ip route add 10.96.0.1 via 192.168.1.1
sleep 1
ip netns exec "$ns2" ip route add 10.96.0.1 via 192.168.1.1
# add a persistent connection from the other namespace
ip netns exec $ns2 socat -t 10 - TCP:192.168.1.1:5201 > /dev/null &
ip netns exec "$ns2" socat -t 10 - TCP:192.168.1.1:5201 > /dev/null &
sleep 1
# ip daddr:dport will be rewritten to 192.168.1.1 5201
# NAT must reallocate source port 10000 because
# 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use
echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null
echo test | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null
ret=$?
# Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201).
......@@ -96,16 +68,14 @@ else
fi
# check sport clashres.
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
sleep 5 | ip netns exec $ns2 socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
cpid1=$!
sleep 1
sleep 5 | ip netns exec "$ns2" socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
# if connect succeeds, client closes instantly due to EOF on stdin.
# if connect hangs, it will time out after 5s.
echo | ip netns exec $ns2 socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
echo | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
cpid2=$!
time_then=$(date +%s)
......@@ -117,7 +87,7 @@ time_now=$(date +%s)
# 'cpid2' to connect and then exit (and no connect delay).
delta=$((time_now - time_then))
if [ $delta -lt 2 -a $rv -eq 0 ]; then
if [ $delta -lt 2 ] && [ $rv -eq 0 ]; then
echo "PASS: could connect to service via redirected ports"
else
echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)"
......
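Review bot: The listening `socat ... TCP-LISTEN:5201,fork` is backgrounded and the first client (the persistent connection to 192.168.1.1:5201) is started after only the sysctl, iptables and route commands, with no readiness check; the `sleep 1` that previously followed the route add appears to have been dropped in this hunk, so the test now relies on those commands taking longer than socat's bind. Since the series is standardising on `busywait`, a probe in the style used by the helper test is the robust fix. BUSYWAIT_TIMEOUT is assumed to be provided by the sourced lib.sh as in the sibling scripts.
```shell
listener_ready() {
	ss -N "$ns1" -lnt -o "sport = :5201" | grep -q 5201
}

# Create a server in one namespace
ip netns exec "$ns1" socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
socatpid=$!
busywait "$BUSYWAIT_TIMEOUT" listener_ready
```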
......@@ -5,72 +5,48 @@
# 2. auto-assign still works.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
testipv6=1
checktool "socat -h" "run test without socat"
checktool "conntrack --version" "run test without conntrack"
checktool "nft --version" "run test without nft"
cleanup()
{
ip netns del ${ns1}
ip netns del ${ns2}
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
conntrack -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
ip netns pids "$ns1" | xargs kill 2>/dev/null
which nc >/dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without netcat tool"
exit $ksft_skip
fi
ip netns del "$ns1"
ip netns del "$ns2"
}
trap cleanup EXIT
ip netns add ${ns1}
ip netns add ${ns2}
setup_ns ns1 ns2
ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! ip link add veth0 netns "$ns1" type veth peer name veth0 netns "$ns2" > /dev/null 2>&1;then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
ip -net ${ns1} link set lo up
ip -net ${ns1} link set veth0 up
ip -net "$ns1" link set veth0 up
ip -net "$ns2" link set veth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set veth0 up
ip -net "$ns1" addr add 10.0.1.1/24 dev veth0
ip -net "$ns1" addr add dead:1::1/64 dev veth0 nodad
ip -net ${ns1} addr add 10.0.1.1/24 dev veth0
ip -net ${ns1} addr add dead:1::1/64 dev veth0
ip -net ${ns2} addr add 10.0.1.2/24 dev veth0
ip -net ${ns2} addr add dead:1::2/64 dev veth0
ip -net "$ns2" addr add 10.0.1.2/24 dev veth0
ip -net "$ns2" addr add dead:1::2/64 dev veth0 nodad
load_ruleset_family() {
local family=$1
local ns=$2
ip netns exec ${ns} nft -f - <<EOF
ip netns exec "$ns" nft -f - <<EOF
table $family raw {
ct helper ftp {
type "ftp" protocol tcp
......@@ -94,22 +70,21 @@ check_for_helper()
local message=$2
local port=$3
if echo $message |grep -q 'ipv6';then
if echo "$message" |grep -q 'ipv6';then
local family="ipv6"
else
local family="ipv4"
fi
ip netns exec ${netns} conntrack -L -f $family -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp'
if [ $? -ne 0 ] ; then
if [ $autoassign -eq 0 ] ;then
if ! ip netns exec "$netns" conntrack -L -f $family -p tcp --dport "$port" 2> /dev/null |grep -q 'helper=ftp';then
if [ "$autoassign" -eq 0 ] ;then
echo "FAIL: ${netns} did not show attached helper $message" 1>&2
ret=1
else
echo "PASS: ${netns} did not show attached helper $message" 1>&2
fi
else
if [ $autoassign -eq 0 ] ;then
if [ "$autoassign" -eq 0 ] ;then
echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
else
echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2
......@@ -120,69 +95,68 @@ check_for_helper()
return 0
}
listener_ready()
{
ns="$1"
port="$2"
proto="$3"
ss -N "$ns" -lnt -o "sport = :$port" | grep -q "$port"
}
test_helper()
{
local port=$1
local autoassign=$2
if [ $autoassign -eq 0 ] ;then
if [ "$autoassign" -eq 0 ] ;then
msg="set via ruleset"
else
msg="auto-assign"
fi
sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null &
ip netns exec "$ns2" socat -t 3 -u -4 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns2" "$port" "-4"
sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null &
sleep 1
ip netns exec "$ns1" socat -u -4 STDIN TCP:10.0.1.2:"$port" < /dev/null > /dev/null
check_for_helper "$ns1" "ip $msg" $port $autoassign
check_for_helper "$ns2" "ip $msg" $port $autoassign
wait
check_for_helper "$ns1" "ip $msg" "$port" "$autoassign"
check_for_helper "$ns2" "ip $msg" "$port" "$autoassign"
if [ $testipv6 -eq 0 ] ;then
return 0
fi
ip netns exec ${ns1} conntrack -F 2> /dev/null
ip netns exec ${ns2} conntrack -F 2> /dev/null
sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null &
ip netns exec "$ns1" conntrack -F 2> /dev/null
ip netns exec "$ns2" conntrack -F 2> /dev/null
sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null &
sleep 1
ip netns exec "$ns2" socat -t 3 -u -6 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
busywait $BUSYWAIT_TIMEOUT listener_ready "$ns2" "$port" "-6"
check_for_helper "$ns1" "ipv6 $msg" $port
check_for_helper "$ns2" "ipv6 $msg" $port
ip netns exec "$ns1" socat -t 3 -u -6 STDIN TCP:"[dead:1::2]":"$port" < /dev/null > /dev/null
wait
check_for_helper "$ns1" "ipv6 $msg" "$port"
check_for_helper "$ns2" "ipv6 $msg" "$port"
}
load_ruleset_family ip ${ns1}
if [ $? -ne 0 ];then
if ! load_ruleset_family ip "$ns1"; then
echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
exit 1
fi
load_ruleset_family ip6 ${ns1}
if [ $? -ne 0 ];then
if ! load_ruleset_family ip6 "$ns1"; then
echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
testipv6=0
fi
load_ruleset_family inet ${ns2}
if [ $? -ne 0 ];then
if ! load_ruleset_family inet "${ns2}"; then
echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2
load_ruleset_family ip ${ns2}
if [ $? -ne 0 ];then
if ! load_ruleset_family ip "${ns2}"; then
echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
exit 1
fi
if [ $testipv6 -eq 1 ] ;then
load_ruleset_family ip6 ${ns2}
if [ $? -ne 0 ];then
if [ "$testipv6" -eq 1 ] ;then
if ! load_ruleset_family ip6 "$ns2"; then
echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
exit 1
fi
......@@ -190,8 +164,8 @@ if [ $? -ne 0 ];then
fi
test_helper 2121 0
ip netns exec ${ns1} sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
ip netns exec ${ns2} sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
ip netns exec "$ns1" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
ip netns exec "$ns2" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
test_helper 21 1
exit $ret
......@@ -3,43 +3,25 @@
# This tests the fib expression.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nsrouter="nsrouter-$sfx"
timeout=4
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
cleanup()
{
ip netns del ${ns1}
ip netns del ${ns2}
ip netns del ${nsrouter}
cleanup_all_ns
[ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
checktool "nft --version" "run test without nft"
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
ip netns add ${nsrouter}
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace"
exit $ksft_skip
fi
setup_ns nsrouter ns1 ns2
trap cleanup EXIT
......@@ -50,8 +32,6 @@ if [ $? -eq 0 ]; then
fi
sysctl -q net.netfilter.nf_log_all_netns=1
ip netns add ${ns1}
ip netns add ${ns2}
load_ruleset() {
local netns=$1
......@@ -95,8 +75,7 @@ EOF
}
check_drops() {
dmesg | grep -q ' nft_rpfilter: '
if [ $? -eq 0 ]; then
if dmesg | grep -q ' nft_rpfilter: ';then
dmesg | grep ' nft_rpfilter: '
echo "FAIL: rpfilter did drop packets"
return 1
......@@ -130,35 +109,30 @@ load_ruleset ${nsrouter}
load_ruleset ${ns1}
load_ruleset ${ns2}
ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
ip -net ${nsrouter} link set lo up
ip -net ${nsrouter} link set veth0 up
ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad
ip -net ${nsrouter} link set veth1 up
ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad
ip -net ${ns1} link set lo up
ip -net ${ns1} link set eth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set eth0 up
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.1.1
ip -net ${ns1} route add default via dead:1::1
ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns2} route add default via 10.0.2.1
ip -net ${ns2} route add default via dead:2::1
......@@ -166,17 +140,13 @@ test_ping() {
local daddr4=$1
local daddr6=$2
ip netns exec ${ns1} ping -c 1 -q $daddr4 > /dev/null
ret=$?
if [ $ret -ne 0 ];then
if ! ip netns exec "$ns1" ping -c 1 -q "$daddr4" > /dev/null; then
check_drops
echo "FAIL: ${ns1} cannot reach $daddr4, ret $ret" 1>&2
return 1
fi
ip netns exec ${ns1} ping -c 3 -q $daddr6 > /dev/null
ret=$?
if [ $ret -ne 0 ];then
if ! ip netns exec "$ns1" ping -c 1 -q "$daddr6" > /dev/null; then
check_drops
echo "FAIL: ${ns1} cannot reach $daddr6, ret $ret" 1>&2
return 1
......@@ -191,8 +161,6 @@ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
sleep 3
test_ping 10.0.2.1 dead:2::1 || exit 1
check_drops || exit 1
......@@ -210,12 +178,12 @@ ip -net ${ns1} addr del 10.0.1.99/24 dev eth0
ip -net ${ns1} addr del dead:1::99/64 dev eth0
ip -net ${ns1} addr add 10.0.2.99/24 dev eth0
ip -net ${ns1} addr add dead:2::99/64 dev eth0
ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.2.1
ip -net ${ns1} -6 route add default via dead:2::1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth0
ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad
# switch to ruleset that doesn't log, this time
# its expected that this does drop the packets.
......@@ -227,11 +195,10 @@ load_ruleset_count ${nsrouter}
check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1
ip netns exec ${ns1} ping -c 1 -W 1 -q 1.1.1.1 > /dev/null
ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null
check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1
sleep 2
ip netns exec ${ns1} ping -c 3 -q 1c3::c01d > /dev/null
ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null
check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1
# delete all rules
......@@ -240,7 +207,7 @@ ip netns exec ${ns2} nft flush ruleset
ip netns exec ${nsrouter} nft flush ruleset
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} addr del 10.0.2.99/24 dev eth0
ip -net ${ns1} addr del dead:2::99/64 dev eth0
......
......@@ -14,14 +14,8 @@
# nft_flowtable.sh -o8000 -l1500 -r2000
#
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nsr1="nsr1-$sfx"
nsr2="nsr2-$sfx"
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
nsin=""
......@@ -30,27 +24,16 @@ ns2out=""
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
checktool "nft --version" "run test without nft tool"
checktool "ip -Version" "run test without ip tool"
checktool "which nc" "run test without nc (netcat)"
checktool "ip netns add $nsr1" "create net namespace $nsr1"
checktool "socat -h" "run test without socat"
ip netns add $ns1
ip netns add $ns2
ip netns add $nsr2
setup_ns ns1 ns2 nsr1 nsr2
cleanup() {
ip netns del $ns1
ip netns del $ns2
ip netns del $nsr1
ip netns del $nsr2
ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids "$ns2" | xargs kill 2>/dev/null
cleanup_all_ns
rm -f "$nsin" "$ns1out" "$ns2out"
......@@ -66,16 +49,16 @@ ip link add veth1 netns $nsr1 type veth peer name veth0 netns $nsr2
ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2
for dev in lo veth0 veth1; do
ip -net $nsr1 link set $dev up
ip -net $nsr2 link set $dev up
for dev in veth0 veth1; do
ip -net "$nsr1" link set "$dev" up
ip -net "$nsr2" link set "$dev" up
done
ip -net $nsr1 addr add 10.0.1.1/24 dev veth0
ip -net $nsr1 addr add dead:1::1/64 dev veth0
ip -net "$nsr1" addr add 10.0.1.1/24 dev veth0
ip -net "$nsr1" addr add dead:1::1/64 dev veth0 nodad
ip -net $nsr2 addr add 10.0.2.1/24 dev veth1
ip -net $nsr2 addr add dead:2::1/64 dev veth1
ip -net "$nsr2" addr add 10.0.2.1/24 dev veth1
ip -net "$nsr2" addr add dead:2::1/64 dev veth1 nodad
# set different MTUs so we need to push packets coming from ns1 (large MTU)
# to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1),
......@@ -121,11 +104,11 @@ ip -net $ns2 link set eth0 mtu $rmtu
# transfer-net between nsr1 and nsr2.
# these addresses are not used for connections.
ip -net $nsr1 addr add 192.168.10.1/24 dev veth1
ip -net $nsr1 addr add fee1:2::1/64 dev veth1
ip -net "$nsr1" addr add 192.168.10.1/24 dev veth1
ip -net "$nsr1" addr add fee1:2::1/64 dev veth1 nodad
ip -net $nsr2 addr add 192.168.10.2/24 dev veth0
ip -net $nsr2 addr add fee1:2::2/64 dev veth0
ip -net "$nsr2" addr add 192.168.10.2/24 dev veth0
ip -net "$nsr2" addr add fee1:2::2/64 dev veth0 nodad
for i in 0 1; do
ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
......@@ -148,8 +131,8 @@ ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns2 addr add 10.0.2.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1
ip -net $ns2 route add default via 10.0.2.1
ip -net $ns1 addr add dead:1::99/64 dev eth0
ip -net $ns2 addr add dead:2::99/64 dev eth0
ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad
ip -net $ns2 addr add dead:2::99/64 dev eth0 nodad
ip -net $ns1 route add default via dead:1::1
ip -net $ns2 route add default via dead:2::1
......@@ -219,10 +202,6 @@ if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
exit 1
fi
if [ $ret -eq 0 ];then
echo "PASS: netns routing/connectivity: $ns1 can reach $ns2"
fi
nsin=$(mktemp)
ns1out=$(mktemp)
ns2out=$(mktemp)
......@@ -345,6 +324,11 @@ check_transfer()
return 0
}
listener_ready()
{
ss -N "$nsb" -lnt -o "sport = :12345" | grep -q 12345
}
test_tcp_forwarding_ip()
{
local nsa=$1
......@@ -353,33 +337,14 @@ test_tcp_forwarding_ip()
local dstport=$4
local lret=0
ip netns exec $nsb nc -w 5 -l -p 12345 < "$nsin" > "$ns2out" &
timeout 10 ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" &
lpid=$!
sleep 1
ip netns exec $nsa nc -w 4 "$dstip" "$dstport" < "$nsin" > "$ns1out" &
cpid=$!
sleep 1
prev="$(ls -l $ns1out $ns2out)"
sleep 1
busywait 1000 listener_ready
while [[ "$prev" != "$(ls -l $ns1out $ns2out)" ]]; do
sleep 1;
prev="$(ls -l $ns1out $ns2out)"
done
if test -d /proc/"$lpid"/; then
kill $lpid
fi
if test -d /proc/"$cpid"/; then
kill $cpid
fi
timeout 10 ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out"
wait $lpid
wait $cpid
if ! check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then
lret=1
......@@ -550,7 +515,7 @@ ip -net $nsr1 addr flush dev veth0
ip -net $nsr1 link set up dev veth0
ip -net $nsr1 link set veth0 master br0
ip -net $nsr1 addr add 10.0.1.1/24 dev br0
ip -net $nsr1 addr add dead:1::1/64 dev br0
ip -net $nsr1 addr add dead:1::1/64 dev br0 nodad
ip -net $nsr1 link set up dev br0
ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null
......@@ -593,7 +558,7 @@ ip -net $ns1 link set eth0 up
ip -net $ns1 link set eth0.10 up
ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10
ip -net $ns1 route add default via 10.0.1.1
ip -net $ns1 addr add dead:1::99/64 dev eth0.10
ip -net $ns1 addr add dead:1::99/64 dev eth0.10 nodad
if ! test_tcp_forwarding_nat $ns1 $ns2 1 "bridge and VLAN"; then
echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2
......@@ -616,10 +581,10 @@ ip -net $ns1 link delete eth0.10 type vlan
ip -net $ns1 link set eth0 up
ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1
ip -net $ns1 addr add dead:1::99/64 dev eth0
ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad
ip -net $ns1 route add default via dead:1::1
ip -net $nsr1 addr add 10.0.1.1/24 dev veth0
ip -net $nsr1 addr add dead:1::1/64 dev veth0
ip -net $nsr1 addr add dead:1::1/64 dev veth0 nodad
ip -net $nsr1 link set up dev veth0
KEY_SHA="0x"$(ps -af | sha1sum | cut -d " " -f 1)
......@@ -647,7 +612,6 @@ do_esp() {
ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
# to fwd decrypted packets after esp processing:
ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow
}
do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
......@@ -661,12 +625,12 @@ ip -net $ns2 route del 192.168.10.1 via 10.0.2.1
ip -net $ns2 route add default via 10.0.2.1
ip -net $ns2 route add default via dead:2::1
if test_tcp_forwarding $ns1 $ns2; then
if test_tcp_forwarding "$ns1" "$ns2"; then
check_counters "ipsec tunnel mode for ns1/ns2"
else
echo "FAIL: ipsec tunnel mode for ns1/ns2"
ip netns exec $nsr1 nft list ruleset 1>&2
ip netns exec $nsr1 cat /proc/net/xfrm_stat 1>&2
ip netns exec "$nsr1" nft list ruleset 1>&2
ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2
fi
exit $ret
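Review bot: In the test_tcp_forwarding_ip hunk the new `lpid=$!` line after the backgrounded socat listener is not declared `local`, unlike `nsa`, `dstport` and `lret` in the same function, so the listener PID leaks into the global scope; add `local lpid` before the spawn. The return status of `busywait 1000 listener_ready` is also discarded, so if the listener never binds, the client socat still runs and the failure only surfaces later as a check_transfer mismatch; a minimal guard is `busywait 1000 listener_ready || echo "WARN: listener in $nsb not ready" 1>&2`. listener_ready itself reads `$nsb`, which it presumably only sees because the caller declares it with `local` just above the hunk and bash locals are visible to called functions — a one-line comment above listener_ready, `# relies on the caller's $nsb (bash locals are dynamically scoped)`, would keep a future refactor from breaking it. The body of test_tcp_forwarding_ip continues outside the hunk.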
......@@ -222,9 +222,9 @@ test_queue()
local expected=$1
local last=""
# spawn nf-queue listeners
ip netns exec ${nsrouter} ./nf-queue -c -q 0 -t $timeout > "$TMPFILE0" &
ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE1" &
# spawn nf_queue listeners
ip netns exec ${nsrouter} ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" &
ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" &
sleep 1
test_ping
ret=$?
......@@ -259,7 +259,7 @@ test_queue()
test_tcp_forward()
{
ip netns exec ${nsrouter} ./nf-queue -q 2 -t $timeout &
ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout &
local nfqpid=$!
tmpfile=$(mktemp) || exit 1
......@@ -285,7 +285,7 @@ test_tcp_localhost()
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
local rpid=$!
ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout &
ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
local nfqpid=$!
sleep 1
......@@ -303,7 +303,7 @@ test_tcp_localhost_connectclose()
ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout &
ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout &
ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
local nfqpid=$!
sleep 1
......@@ -334,11 +334,11 @@ EOF
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
local rpid=$!
ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE2" &
ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" &
# nfqueue 1 will be called via output hook. But this time,
# re-queue the packet to nfqueue program on queue 2.
ip netns exec ${nsrouter} ./nf-queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
sleep 1
ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
......@@ -380,7 +380,7 @@ table inet filter {
}
}
EOF
ip netns exec ${ns1} ./nf-queue -q 1 -t $timeout &
ip netns exec ${ns1} ./nf_queue -q 1 -t $timeout &
local nfqpid=$!
sleep 1
......
# SPDX-License-Identifier: GPL-2.0
# Makefile for netfilter selftests
TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
conntrack_vrf.sh nft_synproxy.sh rpath.sh nft_audit.sh \
conntrack_sctp_collision.sh xt_string.sh \
bridge_netfilter.sh
HOSTPKG_CONFIG := pkg-config
CFLAGS += $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
LDLIBS += $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
TEST_GEN_FILES = nf-queue connect_close audit_logread sctp_collision \
conntrack_dump_flush
include ../lib.mk
CONFIG_NET_NS=y
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_QUEUE=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NF_CT_NETLINK=m
CONFIG_AUDIT=y
#!/bin/bash
#
# This test is for stress-testing the nf_tables config plane path vs.
# packet path processing: Make sure we never release rules that are
# still visible to other cpus.
#
# set -e
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
testns=testns-$(mktemp -u "XXXXXXXX")
tmp=""
tables="foo bar baz quux"
global_ret=0
eret=0
lret=0
cleanup() {
ip netns pids "$testns" | xargs kill 2>/dev/null
ip netns del "$testns"
rm -f "$tmp"
}
check_result()
{
local r=$1
local OK="PASS"
if [ $r -ne 0 ] ;then
OK="FAIL"
global_ret=$r
fi
echo "$OK: nft $2 test returned $r"
eret=0
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
trap cleanup EXIT
tmp=$(mktemp)
for table in $tables; do
echo add table inet "$table" >> "$tmp"
echo flush table inet "$table" >> "$tmp"
echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
echo "add chain inet $table $chain" >> "$tmp"
done
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
for BASE in INPUT OUTPUT; do
echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
done
echo "add rule inet $table $chain counter return" >> "$tmp"
done
done
ip netns add "$testns"
ip -netns "$testns" link set lo up
lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
cpunum=$((cpunum-1))
for i in $(seq 0 $cpunum);do
mask=$(printf 0x%x $((1<<$i)))
ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
done)
sleep 1
ip netns exec "$testns" nft -f "$tmp"
for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
for table in $tables;do
randsleep=$((RANDOM%2))
sleep $randsleep
ip netns exec "$testns" nft delete table inet $table
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "add/delete"
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "reload"
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp"
echo "insert rule inet foo INPUT meta nftrace set 1"
echo "insert rule inet foo OUTPUT meta nftrace set 1"
) | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
(echo "flush ruleset"; cat "$tmp"
) | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=$lret
fi
done
check_result $eret "add/delete with nftrace enabled"
echo "insert rule inet foo INPUT meta nftrace set 1" >> $tmp
echo "insert rule inet foo OUTPUT meta nftrace set 1" >> $tmp
for i in $(seq 1 10) ; do
(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
lret=$?
if [ $lret -ne 0 ]; then
eret=1
fi
done
check_result $lret "add/delete with nftrace enabled"
exit $global_ret