TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'testing-make-netfilter-selftests-functional-in-vng-environment'

Browse Source 
Florian Westphal says:

====================
testing: make netfilter selftests functional in vng environment

This is the second batch of the netfilter selftest move.

Changes since v1:
- makefile and kernel config are updated to have all required features
- fix makefile with missing bits to make kselftest-install work
- test it via vng as per
   https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style
   (Thanks Jakub!)
- squash a few fixes, e.g. nft_queue.sh v1 had a race w. NFNETLINK_QUEUE=m
- add a settings file with 8m timeout, for nft_concat_range.sh sake.
  That script can be sped up a bit, I think, but its not contained in
  this batch yet.
- toss the first two bogus rebase artifacts (Matthieu Baerts)

scripts are moved to lib.sh infra. This allows to use busywait helper
and ditch various 'sleep 2' all over the place.

Tested on Fedora 39:

vng --build  --config tools/testing/selftests/net/netfilter/config
make -C tools/testing/selftests/ TARGETS=net/netfilter
vng -v --run . --user root --cpus 2 -- \
        make -C tools/testing/selftests TARGETS=net/netfilter run_tests

... all tests pass except nft_audit.sh which SKIPs due to nft version mismatch
(Fedora is on nft 1.0.7 which lacks reset keyword support).

Missing/WIP bits:
- speed up nf_concat_range.sh test
- extend flowtable selftest
- shellcheck fixups for remaining scripts
====================

Link: https://lore.kernel.org/r/20240418152744.15105-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski
2024-04-19 20:10:52 -07:00
parent 4cad4efa6e 0b2e1db97b
commit 8442f8ba26
12 changed files with 496 additions and 518 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/testing/selftests/net/netfilter/Makefile
+5
View File
@@ -42,3 +42,8 @@ $(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS)
$(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS)
TEST_FILES := lib.sh
TEST_INCLUDES := \
../lib.sh
tools/testing/selftests/net/netfilter/config
+51 -1
View File
@@ -1,37 +1,87 @@
CONFIG_AUDIT=y
CONFIG_BPF_SYSCALL=y
CONFIG_BRIDGE=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_CGROUP_BPF=y
CONFIG_DUMMY=m
CONFIG_INET_ESP=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP_NF_RAW=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IP_VS=m
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_RR=m
CONFIG_IPV6=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_MACVLAN=m
CONFIG_NAMESPACES=y
CONFIG_NET_CLS_U32=m
CONFIG_NET_L3_MASTER_DEV=y
CONFIG_NET_NS=y
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_IPIP=m
CONFIG_NET_VRF=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_EVENTS=m
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CT=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_NAT=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_SYNPROXY=m
CONFIG_VETH=m
CONFIG_VLAN_8021Q=m
CONFIG_XFRM_USER=m
CONFIG_XFRM_STATISTICS=y
tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh
+37 -37
View File
@@ -31,7 +31,7 @@ setup_ns r_a r_b r_w c_a c_b
cleanup() {
cleanup_all_ns
rm -f ${rx}
rm -f "$rx"
}
trap cleanup EXIT
@@ -46,20 +46,20 @@ listener_ready()
test_path() {
msg="$1"
ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null &
ip netns exec "$c_b" socat -t 3 - udp4-listen:5000,reuseaddr > "$rx" < /dev/null &
busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000
for i in 1 2 3; do
head -c1400 /dev/zero | tr "\000" "a" | \
ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000
ip netns exec "$c_a" socat -t 1 -u STDIN UDP:192.168.20.2:5000
done
wait
bytes=$(wc -c < ${rx})
bytes=$(wc -c < "$rx")
if [ $bytes -eq 1400 ];then
if [ "$bytes" -eq 1400 ];then
echo "OK: PMTU $msg connection tracking"
else
echo "FAIL: PMTU $msg connection tracking: got $bytes, expected 1400"
@@ -78,24 +78,24 @@ test_path() {
# 10.4.4.1 via 10.2.2.254 (Router B via Wanrouter)
# No iptables rules at all.
ip link add veth0 netns ${r_a} type veth peer name veth0 netns ${r_w}
ip link add veth1 netns ${r_a} type veth peer name veth0 netns ${c_a}
ip link add veth0 netns "$r_a" type veth peer name veth0 netns "$r_w"
ip link add veth1 netns "$r_a" type veth peer name veth0 netns "$c_a"
l_addr="10.2.2.1"
r_addr="10.4.4.1"
ip netns exec ${r_a} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
ip netns exec "$r_a" ip link add ipip0 type ipip local "$l_addr" remote "$r_addr" mode ipip || exit $ksft_skip
for dev in lo veth0 veth1 ipip0; do
ip -net ${r_a} link set $dev up
ip -net "$r_a" link set "$dev" up
done
ip -net ${r_a} addr add 10.2.2.1/24 dev veth0
ip -net ${r_a} addr add 192.168.10.1/24 dev veth1
ip -net "$r_a" addr add 10.2.2.1/24 dev veth0
ip -net "$r_a" addr add 192.168.10.1/24 dev veth1
ip -net ${r_a} route add 192.168.20.0/24 dev ipip0
ip -net ${r_a} route add 10.4.4.0/24 via 10.2.2.254
ip -net "$r_a" route add 192.168.20.0/24 dev ipip0
ip -net "$r_a" route add 10.4.4.0/24 via 10.2.2.254
ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip netns exec "$r_a" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# Detailed setup for Router B
# ---------------------------
@@ -108,46 +108,46 @@ ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# 10.2.2.1 via 10.4.4.254 (Router A via Wanrouter)
# No iptables rules at all.
ip link add veth0 netns ${r_b} type veth peer name veth1 netns ${r_w}
ip link add veth1 netns ${r_b} type veth peer name veth0 netns ${c_b}
ip link add veth0 netns "$r_b" type veth peer name veth1 netns "$r_w"
ip link add veth1 netns "$r_b" type veth peer name veth0 netns "$c_b"
l_addr="10.4.4.1"
r_addr="10.2.2.1"
ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
ip netns exec "$r_b" ip link add ipip0 type ipip local "${l_addr}" remote "${r_addr}" mode ipip || exit $ksft_skip
for dev in veth0 veth1 ipip0; do
ip -net ${r_b} link set $dev up
ip -net "$r_b" link set $dev up
done
ip -net ${r_b} addr add 10.4.4.1/24 dev veth0
ip -net ${r_b} addr add 192.168.20.1/24 dev veth1
ip -net "$r_b" addr add 10.4.4.1/24 dev veth0
ip -net "$r_b" addr add 192.168.20.1/24 dev veth1
ip -net ${r_b} route add 192.168.10.0/24 dev ipip0
ip -net ${r_b} route add 10.2.2.0/24 via 10.4.4.254
ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip -net "$r_b" route add 192.168.10.0/24 dev ipip0
ip -net "$r_b" route add 10.2.2.0/24 via 10.4.4.254
ip netns exec "$r_b" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# Client A
ip -net ${c_a} addr add 192.168.10.2/24 dev veth0
ip -net ${c_a} link set dev veth0 up
ip -net ${c_a} route add default via 192.168.10.1
ip -net "$c_a" addr add 192.168.10.2/24 dev veth0
ip -net "$c_a" link set dev veth0 up
ip -net "$c_a" route add default via 192.168.10.1
# Client A
ip -net ${c_b} addr add 192.168.20.2/24 dev veth0
ip -net ${c_b} link set dev veth0 up
ip -net ${c_b} route add default via 192.168.20.1
ip -net "$c_b" addr add 192.168.20.2/24 dev veth0
ip -net "$c_b" link set dev veth0 up
ip -net "$c_b" route add default via 192.168.20.1
# Wan
ip -net ${r_w} addr add 10.2.2.254/24 dev veth0
ip -net ${r_w} addr add 10.4.4.254/24 dev veth1
ip -net "$r_w" addr add 10.2.2.254/24 dev veth0
ip -net "$r_w" addr add 10.4.4.254/24 dev veth1
ip -net ${r_w} link set dev veth0 up mtu 1400
ip -net ${r_w} link set dev veth1 up mtu 1400
ip -net "$r_w" link set dev veth0 up mtu 1400
ip -net "$r_w" link set dev veth1 up mtu 1400
ip -net ${r_a} link set dev veth0 mtu 1400
ip -net ${r_b} link set dev veth0 mtu 1400
ip -net "$r_a" link set dev veth0 mtu 1400
ip -net "$r_b" link set dev veth0 mtu 1400
ip netns exec ${r_w} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip netns exec "$r_w" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# Path MTU discovery
# ------------------
@@ -187,5 +187,5 @@ test_path "without"
#packet is too big (1400) for the tunnel PMTU (1380) to Router B, it is
#dropped on Router A before sending.
ip netns exec ${r_a} iptables -A FORWARD -m conntrack --ctstate NEW
ip netns exec "$r_a" iptables -A FORWARD -m conntrack --ctstate NEW
test_path "with"
tools/testing/selftests/net/netfilter/nft_audit.sh
+26 -4
View File
@@ -6,11 +6,33 @@
SKIP_RC=4
RC=0
if [ -r /var/run/auditd.pid ];then
read pid < /var/run/auditd.pid
p=$(pgrep ^auditd$)
if [ "$pid" -eq "$p" ]; then
echo "SKIP: auditd is running"
exit $SKIP_RC
fi
fi
nft --version >/dev/null 2>&1 || {
echo "SKIP: missing nft tool"
exit $SKIP_RC
}
# nft must be recent enough to support "reset" keyword.
nft --check -f /dev/stdin >/dev/null 2>&1 <<EOF
add table t
add chain t c
reset rules t c
EOF
if [ "$?" -ne 0 ];then
echo "SKIP: nft reset feature test failed"
exit $SKIP_RC
fi
# Run everything in a separate network namespace
[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }
@@ -73,7 +95,7 @@ done
for ((i = 0; i < 500; i++)); do
echo "add rule t2 c3 counter accept comment \"rule $i\""
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=500 op=nft_register_rule'
@@ -101,7 +123,7 @@ do_test 'nft add counter t2 c1; add counter t2 c2' \
for ((i = 3; i <= 500; i++)); do
echo "add counter t2 c$i"
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=498 op=nft_register_obj'
@@ -115,7 +137,7 @@ do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \
for ((i = 3; i <= 500; i++)); do
echo "add quota t2 q$i { 10 bytes }"
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=498 op=nft_register_obj'
@@ -157,7 +179,7 @@ table=t2 family=2 entries=135 op=nft_reset_rule'
# resetting sets and elements
elem=(22 ,80 ,443)
elem=(22 ",80" ",443")
relem=""
for i in {1..3}; do
relem+="${elem[((i - 1))]}"
tools/testing/selftests/net/netfilter/nft_fib.sh
+61 -67
View File
@@ -16,7 +16,7 @@ cleanup()
{
cleanup_all_ns
[ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
[ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
}
checktool "nft --version" "run test without nft"
@@ -25,8 +25,7 @@ setup_ns nsrouter ns1 ns2
trap cleanup EXIT
dmesg | grep -q ' nft_rpfilter: '
if [ $? -eq 0 ]; then
if dmesg | grep -q ' nft_rpfilter: ';then
dmesg -c | grep ' nft_rpfilter: '
echo "WARN: a previous test run has failed" 1>&2
fi
@@ -36,7 +35,7 @@ sysctl -q net.netfilter.nf_log_all_netns=1
load_ruleset() {
local netns=$1
ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
chain prerouting {
type filter hook prerouting priority 0; policy accept;
@@ -49,7 +48,7 @@ EOF
load_pbr_ruleset() {
local netns=$1
ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
chain forward {
type filter hook forward priority raw;
@@ -63,7 +62,7 @@ EOF
load_ruleset_count() {
local netns=$1
ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
chain prerouting {
type filter hook prerouting priority 0; policy accept;
@@ -89,52 +88,49 @@ check_fib_counter() {
local ns=$2
local address=$3
line=$(ip netns exec ${ns} nft list table inet filter | grep 'fib saddr . iif' | grep $address | grep "packets $want" )
ret=$?
if [ $ret -ne 0 ];then
if ! ip netns exec "$ns" nft list table inet filter | grep 'fib saddr . iif' | grep "$address" | grep -q "packets $want";then
echo "Netns $ns fib counter doesn't match expected packet count of $want for $address" 1>&2
ip netns exec ${ns} nft list table inet filter
ip netns exec "$ns" nft list table inet filter
return 1
fi
if [ $want -gt 0 ]; then
if [ "$want" -gt 0 ]; then
echo "PASS: fib expression did drop packets for $address"
fi
return 0
}
load_ruleset ${nsrouter}
load_ruleset ${ns1}
load_ruleset ${ns2}
load_ruleset "$nsrouter"
load_ruleset "$ns1"
load_ruleset "$ns2"
if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
ip link add veth1 netns "$nsrouter" type veth peer name eth0 netns "$ns2"
ip -net ${nsrouter} link set veth0 up
ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad
ip -net "$nsrouter" link set veth0 up
ip -net "$nsrouter" addr add 10.0.1.1/24 dev veth0
ip -net "$nsrouter" addr add dead:1::1/64 dev veth0 nodad
ip -net ${nsrouter} link set veth1 up
ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad
ip -net "$nsrouter" link set veth1 up
ip -net "$nsrouter" addr add 10.0.2.1/24 dev veth1
ip -net "$nsrouter" addr add dead:2::1/64 dev veth1 nodad
ip -net ${ns1} link set eth0 up
ip -net ${ns2} link set eth0 up
ip -net "$ns1" link set eth0 up
ip -net "$ns2" link set eth0 up
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.1.1
ip -net ${ns1} route add default via dead:1::1
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net "$ns1" route add default via 10.0.1.1
ip -net "$ns1" route add default via dead:1::1
ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns2} route add default via 10.0.2.1
ip -net ${ns2} route add default via dead:2::1
ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad
ip -net "$ns2" route add default via 10.0.2.1
ip -net "$ns2" route add default via dead:2::1
test_ping() {
local daddr4=$1
@@ -155,11 +151,11 @@ test_ping() {
return 0
}
ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
test_ping 10.0.2.1 dead:2::1 || exit 1
check_drops || exit 1
@@ -169,69 +165,67 @@ check_drops || exit 1
echo "PASS: fib expression did not cause unwanted packet drops"
ip netns exec ${nsrouter} nft flush table inet filter
ip netns exec "$nsrouter" nft flush table inet filter
ip -net ${ns1} route del default
ip -net ${ns1} -6 route del default
ip -net "$ns1" route del default
ip -net "$ns1" -6 route del default
ip -net ${ns1} addr del 10.0.1.99/24 dev eth0
ip -net ${ns1} addr del dead:1::99/64 dev eth0
ip -net "$ns1" addr del 10.0.1.99/24 dev eth0
ip -net "$ns1" addr del dead:1::99/64 dev eth0
ip -net ${ns1} addr add 10.0.2.99/24 dev eth0
ip -net "$ns1" addr add 10.0.2.99/24 dev eth0
ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.2.1
ip -net ${ns1} -6 route add default via dead:2::1
ip -net "$ns1" route add default via 10.0.2.1
ip -net "$ns1" -6 route add default via dead:2::1
ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad
# switch to ruleset that doesn't log, this time
# its expected that this does drop the packets.
load_ruleset_count ${nsrouter}
load_ruleset_count "$nsrouter"
# ns1 has a default route, but nsrouter does not.
# must not check return value, ping to 1.1.1.1 will
# fail.
check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1
check_fib_counter 0 "$nsrouter" 1.1.1.1 || exit 1
check_fib_counter 0 "$nsrouter" 1c3::c01d || exit 1
ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null
check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 1 "$nsrouter" 1.1.1.1 || exit 1
ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null
check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1
check_fib_counter 3 "$nsrouter" 1c3::c01d || exit 1
# delete all rules
ip netns exec ${ns1} nft flush ruleset
ip netns exec ${ns2} nft flush ruleset
ip netns exec ${nsrouter} nft flush ruleset
ip netns exec "$ns1" nft flush ruleset
ip netns exec "$ns2" nft flush ruleset
ip netns exec "$nsrouter" nft flush ruleset
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} addr del 10.0.2.99/24 dev eth0
ip -net ${ns1} addr del dead:2::99/64 dev eth0
ip -net "$ns1" addr del 10.0.2.99/24 dev eth0
ip -net "$ns1" addr del dead:2::99/64 dev eth0
ip -net ${nsrouter} addr del dead:2::1/64 dev veth0
ip -net "$nsrouter" addr del dead:2::1/64 dev veth0
# ... pbr ruleset for the router, check iif+oif.
load_pbr_ruleset ${nsrouter}
if [ $? -ne 0 ] ; then
if ! load_pbr_ruleset "$nsrouter";then
echo "SKIP: Could not load fib forward ruleset"
exit $ksft_skip
fi
ip -net ${nsrouter} rule add from all table 128
ip -net ${nsrouter} rule add from all iif veth0 table 129
ip -net ${nsrouter} route add table 128 to 10.0.1.0/24 dev veth0
ip -net ${nsrouter} route add table 129 to 10.0.2.0/24 dev veth1
ip -net "$nsrouter" rule add from all table 128
ip -net "$nsrouter" rule add from all iif veth0 table 129
ip -net "$nsrouter" route add table 128 to 10.0.1.0/24 dev veth0
ip -net "$nsrouter" route add table 129 to 10.0.2.0/24 dev veth1
# drop main ipv4 table
ip -net ${nsrouter} -4 rule delete table main
ip -net "$nsrouter" -4 rule delete table main
test_ping 10.0.2.99 dead:2::99
if [ $? -ne 0 ] ; then
ip -net ${nsrouter} nft list ruleset
if ! test_ping 10.0.2.99 dead:2::99;then
ip -net "$nsrouter" nft list ruleset
echo "FAIL: fib mismatch in pbr setup"
exit 1
fi
tools/testing/selftests/net/netfilter/nft_meta.sh
+2 -2
View File
@@ -91,10 +91,10 @@ check_one_counter()
local want="packets $2"
local verbose="$3"
if ! ip netns exec "$ns0" nft list counter inet filter $cname | grep -q "$want"; then
if ! ip netns exec "$ns0" nft list counter inet filter "$cname" | grep -q "$want"; then
echo "FAIL: $cname, want \"$want\", got"
ret=1
ip netns exec "$ns0" nft list counter inet filter $cname
ip netns exec "$ns0" nft list counter inet filter "$cname"
fi
}
tools/testing/selftests/net/netfilter/nft_nat_zones.sh
+75 -118
View File
@@ -3,15 +3,14 @@
# Test connection tracking zone and NAT source port reallocation support.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
# Don't increase too much, 2000 clients should work
# just fine but script can then take several minutes with
# KASAN/debug builds.
maxclients=100
have_iperf=1
have_socat=0
ret=0
# client1---.
@@ -31,12 +30,6 @@ ret=0
# NAT Gateway is supposed to do port reallocation for each of the
# connections.
sfx=$(mktemp -u "XXXXXXXX")
gw="ns-gw-$sfx"
cl1="ns-cl1-$sfx"
cl2="ns-cl2-$sfx"
srv="ns-srv-$sfx"
v4gc1=$(sysctl -n net.ipv4.neigh.default.gc_thresh1 2>/dev/null)
v4gc2=$(sysctl -n net.ipv4.neigh.default.gc_thresh2 2>/dev/null)
v4gc3=$(sysctl -n net.ipv4.neigh.default.gc_thresh3 2>/dev/null)
@@ -46,61 +39,29 @@ v6gc3=$(sysctl -n net.ipv6.neigh.default.gc_thresh3 2>/dev/null)
cleanup()
{
ip netns del $gw
ip netns del $srv
for i in $(seq 1 $maxclients); do
ip netns del ns-cl$i-$sfx 2>/dev/null
done
cleanup_all_ns
sysctl -q net.ipv4.neigh.default.gc_thresh1=$v4gc1 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh2=$v4gc2 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh3=$v4gc3 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh1=$v6gc1 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh2=$v6gc2 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh3=$v6gc3 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh1="$v4gc1" 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh2="$v4gc2" 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh3="$v4gc3" 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh1="$v6gc1" 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh2="$v6gc2" 2>/dev/null
sysctl -q net.ipv6.neigh.default.gc_thresh3="$v6gc3" 2>/dev/null
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
checktool "nft --version" echo "run test without nft tool"
checktool "conntrack -V" "run test without conntrack tool"
if socat -h >/dev/null 2>&1; then
have_socat=1
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
conntrack -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
iperf3 -v >/dev/null 2>&1
if [ $? -ne 0 ];then
have_iperf=0
fi
ip netns add "$gw"
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace $gw"
exit $ksft_skip
fi
ip -net "$gw" link set lo up
setup_ns gw srv
trap cleanup EXIT
ip netns add "$srv"
if [ $? -ne 0 ];then
echo "SKIP: Could not create server netns $srv"
exit $ksft_skip
fi
ip link add veth0 netns "$gw" type veth peer name eth0 netns "$srv"
ip -net "$gw" link set veth0 up
ip -net "$srv" link set lo up
ip -net "$srv" link set eth0 up
sysctl -q net.ipv6.neigh.default.gc_thresh1=512 2>/dev/null
@@ -110,55 +71,49 @@ sysctl -q net.ipv4.neigh.default.gc_thresh1=512 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh2=1024 2>/dev/null
sysctl -q net.ipv4.neigh.default.gc_thresh3=4096 2>/dev/null
for i in $(seq 1 $maxclients);do
cl="ns-cl$i-$sfx"
for i in $(seq 1 "$maxclients");do
setup_ns "cl$i"
ip netns add "$cl"
if [ $? -ne 0 ];then
echo "SKIP: Could not create client netns $cl"
exit $ksft_skip
fi
ip link add veth$i netns "$gw" type veth peer name eth0 netns "$cl" > /dev/null 2>&1
if [ $? -ne 0 ];then
cl=$(eval echo \$cl"$i")
if ! ip link add veth"$i" netns "$gw" type veth peer name eth0 netns "$cl" > /dev/null 2>&1;then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
done
for i in $(seq 1 $maxclients);do
cl="ns-cl$i-$sfx"
echo netns exec "$cl" ip link set lo up
for i in $(seq 1 "$maxclients");do
cl=$(eval echo \$cl"$i")
echo netns exec "$cl" ip link set eth0 up
echo netns exec "$cl" sysctl -q net.ipv4.tcp_syn_retries=2
echo netns exec "$gw" ip link set veth$i up
echo netns exec "$gw" sysctl -q net.ipv4.conf.veth$i.arp_ignore=2
echo netns exec "$gw" sysctl -q net.ipv4.conf.veth$i.rp_filter=0
echo netns exec "$gw" ip link set "veth$i" up
echo netns exec "$gw" sysctl -q net.ipv4.conf.veth"$i".arp_ignore=2
echo netns exec "$gw" sysctl -q net.ipv4.conf.veth"$i".rp_filter=0
# clients have same IP addresses.
echo netns exec "$cl" ip addr add 10.1.0.3/24 dev eth0
echo netns exec "$cl" ip addr add dead:1::3/64 dev eth0
echo netns exec "$cl" ip addr add dead:1::3/64 dev eth0 nodad
echo netns exec "$cl" ip route add default via 10.1.0.2 dev eth0
echo netns exec "$cl" ip route add default via dead:1::2 dev eth0
# NB: same addresses on client-facing interfaces.
echo netns exec "$gw" ip addr add 10.1.0.2/24 dev veth$i
echo netns exec "$gw" ip addr add dead:1::2/64 dev veth$i
echo netns exec "$gw" ip addr add 10.1.0.2/24 dev "veth$i"
echo netns exec "$gw" ip addr add dead:1::2/64 dev "veth$i" nodad
# gw: policy routing
echo netns exec "$gw" ip route add 10.1.0.0/24 dev veth$i table $((1000+i))
echo netns exec "$gw" ip route add dead:1::0/64 dev veth$i table $((1000+i))
echo netns exec "$gw" ip route add 10.1.0.0/24 dev "veth$i" table $((1000+i))
echo netns exec "$gw" ip route add dead:1::0/64 dev "veth$i" table $((1000+i))
echo netns exec "$gw" ip route add 10.3.0.0/24 dev veth0 table $((1000+i))
echo netns exec "$gw" ip route add dead:3::0/64 dev veth0 table $((1000+i))
echo netns exec "$gw" ip rule add fwmark $i lookup $((1000+i))
echo netns exec "$gw" ip rule add fwmark "$i" lookup $((1000+i))
done | ip -batch /dev/stdin
ip -net "$gw" addr add 10.3.0.1/24 dev veth0
ip -net "$gw" addr add dead:3::1/64 dev veth0
ip -net "$gw" addr add dead:3::1/64 dev veth0 nodad
ip -net "$srv" addr add 10.3.0.99/24 dev eth0
ip -net "$srv" addr add dead:3::99/64 dev eth0
ip -net "$srv" addr add dead:3::99/64 dev eth0 nodad
ip netns exec $gw nft -f /dev/stdin<<EOF
ip netns exec "$gw" nft -f /dev/stdin<<EOF
table inet raw {
map iiftomark {
type ifname : mark
@@ -203,18 +158,22 @@ table inet raw {
}
}
EOF
if [ "$?" -ne 0 ];then
echo "SKIP: Could not add nftables rules"
exit $ksft_skip
fi
( echo add element inet raw iiftomark \{
for i in $(seq 1 $((maxclients-1))); do
echo \"veth$i\" : $i,
echo \"veth"$i"\" : "$i",
done
echo \"veth$maxclients\" : $maxclients \}
echo \"veth"$maxclients"\" : "$maxclients" \}
echo add element inet raw iiftozone \{
for i in $(seq 1 $((maxclients-1))); do
echo \"veth$i\" : $i,
echo \"veth"$i"\" : "$i",
done
echo \"veth$maxclients\" : $maxclients \}
) | ip netns exec $gw nft -f /dev/stdin
) | ip netns exec "$gw" nft -f /dev/stdin
ip netns exec "$gw" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip netns exec "$gw" sysctl -q net.ipv6.conf.all.forwarding=1 > /dev/null
@@ -224,73 +183,72 @@ ip netns exec "$gw" sysctl -q net.ipv4.conf.all.rp_filter=0 >/dev/null
ip netns exec "$gw" sysctl -q net.ipv4.fwmark_reflect=1 > /dev/null
ip netns exec "$gw" sysctl -q net.ipv6.fwmark_reflect=1 > /dev/null
for i in $(seq 1 $maxclients); do
cl="ns-cl$i-$sfx"
ip netns exec $cl ping -i 0.5 -q -c 3 10.3.0.99 > /dev/null 2>&1 &
if [ $? -ne 0 ]; then
echo FAIL: Ping failure from $cl 1>&2
ret=1
break
fi
for i in $(seq 1 "$maxclients"); do
cl=$(eval echo \$cl"$i")
ip netns exec "$cl" ping -i 0.5 -q -c 3 10.3.0.99 > /dev/null 2>&1 &
done
wait
wait || ret=1
for i in $(seq 1 $maxclients); do
ip netns exec $gw nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" | grep -q "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 counter packets 3 bytes 252 }"
if [ $? -ne 0 ];then
[ "$ret" -ne 0 ] && "FAIL: Ping failure from $cl" 1>&2
for i in $(seq 1 "$maxclients"); do
if ! ip netns exec "$gw" nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" | grep -q "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 counter packets 3 bytes 252 }"; then
ret=1
echo "FAIL: counter icmp mismatch for veth$i" 1>&2
ip netns exec $gw nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" 1>&2
ip netns exec "$gw" nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" 1>&2
break
fi
done
ip netns exec $gw nft get element inet raw inicmp "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 }" | grep -q "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * $maxclients)) bytes $((252 * $maxclients)) }"
if [ $? -ne 0 ];then
if ! ip netns exec "$gw" nft get element inet raw inicmp "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 }" | grep -q "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * maxclients)) bytes $((252 * maxclients)) }"; then
ret=1
echo "FAIL: counter icmp mismatch for veth0: { 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * $maxclients)) bytes $((252 * $maxclients)) }"
ip netns exec $gw nft get element inet raw inicmp "{ 10.3.99 . \"veth0\" . 10.3.0.1 }" 1>&2
echo "FAIL: counter icmp mismatch for veth0: { 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * maxclients)) bytes $((252 * maxclients)) }"
ip netns exec "$gw" nft get element inet raw inicmp "{ 10.3.99 . \"veth0\" . 10.3.0.1 }" 1>&2
fi
if [ $ret -eq 0 ]; then
if [ $ret -eq 0 ]; then
echo "PASS: ping test from all $maxclients namespaces"
fi
if [ $have_iperf -eq 0 ];then
echo "SKIP: iperf3 not installed"
if [ $have_socat -eq 0 ];then
echo "SKIP: socat not installed"
if [ $ret -ne 0 ];then
exit $ret
fi
exit $ksft_skip
fi
ip netns exec $srv iperf3 -s > /dev/null 2>&1 &
iperfpid=$!
sleep 1
listener_ready()
{
ss -N "$1" -lnt -o "sport = :5201" | grep -q 5201
}
for i in $(seq 1 $maxclients); do
ip netns exec "$srv" socat -u TCP-LISTEN:5201,fork STDOUT > /dev/null 2>/dev/null &
socatpid=$!
busywait 1000 listener_ready "$srv"
for i in $(seq 1 "$maxclients"); do
if [ $ret -ne 0 ]; then
break
fi
cl="ns-cl$i-$sfx"
ip netns exec $cl iperf3 -c 10.3.0.99 --cport 10000 -n 1 > /dev/null
if [ $? -ne 0 ]; then
echo FAIL: Failure to connect for $cl 1>&2
ip netns exec $gw conntrack -S 1>&2
cl=$(eval echo \$cl"$i")
if ! ip netns exec "$cl" socat -4 -u STDIN TCP:10.3.0.99:5201,sourceport=10000 < /dev/null > /dev/null; then
echo "FAIL: Failure to connect for $cl" 1>&2
ip netns exec "$gw" conntrack -S 1>&2
ret=1
fi
done
if [ $ret -eq 0 ];then
echo "PASS: iperf3 connections for all $maxclients net namespaces"
echo "PASS: socat connections for all $maxclients net namespaces"
fi
kill $iperfpid
kill $socatpid
wait
for i in $(seq 1 $maxclients); do
ip netns exec $gw nft get element inet raw inflows "{ 10.1.0.3 . 10000 . \"veth$i\" . 10.3.0.99 . 5201 }" > /dev/null
if [ $? -ne 0 ];then
for i in $(seq 1 "$maxclients"); do
if ! ip netns exec "$gw" nft get element inet raw inflows "{ 10.1.0.3 . 10000 . \"veth$i\" . 10.3.0.99 . 5201 }" > /dev/null;then
ret=1
echo "FAIL: can't find expected tcp entry for veth$i" 1>&2
break
@@ -300,8 +258,7 @@ if [ $ret -eq 0 ];then
echo "PASS: Found client connection for all $maxclients net namespaces"
fi
ip netns exec $gw nft get element inet raw inflows "{ 10.3.0.99 . 5201 . \"veth0\" . 10.3.0.1 . 10000 }" > /dev/null
if [ $? -ne 0 ];then
if ! ip netns exec "$gw" nft get element inet raw inflows "{ 10.3.0.99 . 5201 . \"veth0\" . 10.3.0.1 . 10000 }" > /dev/null;then
ret=1
echo "FAIL: cannot find return entry on veth0" 1>&2
fi
tools/testing/selftests/net/netfilter/nft_queue.sh
+120 -152
View File
@@ -4,94 +4,72 @@
# 1. can process packets from all hooks
# 2. support running nfqueue from more than one base chain
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
# shellcheck disable=SC2162,SC2317
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
nsrouter="nsrouter-$sfx"
timeout=4
source lib.sh
ret=0
timeout=2
cleanup()
{
ip netns pids ${ns1} | xargs kill 2>/dev/null
ip netns pids ${ns2} | xargs kill 2>/dev/null
ip netns pids ${nsrouter} | xargs kill 2>/dev/null
ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids "$ns2" | xargs kill 2>/dev/null
ip netns pids "$nsrouter" | xargs kill 2>/dev/null
ip netns del ${ns1}
ip netns del ${ns2}
ip netns del ${nsrouter}
cleanup_all_ns
rm -f "$TMPINPUT"
rm -f "$TMPFILE0"
rm -f "$TMPFILE1"
rm -f "$TMPFILE2" "$TMPFILE3"
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
checktool "nft --version" "test without nft tool"
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
trap cleanup EXIT
ip netns add ${nsrouter}
if [ $? -ne 0 ];then
echo "SKIP: Could not create net namespace"
exit $ksft_skip
fi
setup_ns ns1 ns2 nsrouter
TMPFILE0=$(mktemp)
TMPFILE1=$(mktemp)
TMPFILE2=$(mktemp)
TMPFILE3=$(mktemp)
trap cleanup EXIT
ip netns add ${ns1}
ip netns add ${ns2}
TMPINPUT=$(mktemp)
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT"
ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1
if [ $? -ne 0 ];then
if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
ip link add veth1 netns "$nsrouter" type veth peer name eth0 netns "$ns2"
ip -net ${nsrouter} link set lo up
ip -net ${nsrouter} link set veth0 up
ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0
ip -net "$nsrouter" link set veth0 up
ip -net "$nsrouter" addr add 10.0.1.1/24 dev veth0
ip -net "$nsrouter" addr add dead:1::1/64 dev veth0 nodad
ip -net ${nsrouter} link set veth1 up
ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1
ip -net "$nsrouter" link set veth1 up
ip -net "$nsrouter" addr add 10.0.2.1/24 dev veth1
ip -net "$nsrouter" addr add dead:2::1/64 dev veth1 nodad
ip -net ${ns1} link set lo up
ip -net ${ns1} link set eth0 up
ip -net "$ns1" link set eth0 up
ip -net "$ns2" link set eth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set eth0 up
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net "$ns1" route add default via 10.0.1.1
ip -net "$ns1" route add default via dead:1::1
ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0
ip -net ${ns1} route add default via 10.0.1.1
ip -net ${ns1} route add default via dead:1::1
ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0
ip -net ${ns2} route add default via 10.0.2.1
ip -net ${ns2} route add default via dead:2::1
ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad
ip -net "$ns2" route add default via 10.0.2.1
ip -net "$ns2" route add default via dead:2::1
load_ruleset() {
local name=$1
local prio=$2
ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
table inet $name {
chain nfq {
ip protocol icmp queue bypass
@@ -127,7 +105,7 @@ EOF
load_counter_ruleset() {
local prio=$1
ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
table inet countrules {
chain pre {
type filter hook prerouting priority $prio; policy accept;
@@ -154,28 +132,24 @@ EOF
}
test_ping() {
ip netns exec ${ns1} ping -c 1 -q 10.0.2.99 > /dev/null
if [ $? -ne 0 ];then
if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.99 > /dev/null; then
return 1
fi
ip netns exec ${ns1} ping -c 1 -q dead:2::99 > /dev/null
if [ $? -ne 0 ];then
return 1
if ! ip netns exec "$ns1" ping -c 1 -q dead:2::99 > /dev/null; then
return 2
fi
return 0
}
test_ping_router() {
ip netns exec ${ns1} ping -c 1 -q 10.0.2.1 > /dev/null
if [ $? -ne 0 ];then
return 1
if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.1 > /dev/null; then
return 3
fi
ip netns exec ${ns1} ping -c 1 -q dead:2::1 > /dev/null
if [ $? -ne 0 ];then
return 1
if ! ip netns exec "$ns1" ping -c 1 -q dead:2::1 > /dev/null; then
return 4
fi
return 0
@@ -184,7 +158,7 @@ test_ping_router() {
test_queue_blackhole() {
local proto=$1
ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
table $proto blackh {
chain forward {
type filter hook forward priority 0; policy accept;
@@ -192,24 +166,23 @@ table $proto blackh {
}
}
EOF
if [ $proto = "ip" ] ;then
ip netns exec ${ns1} ping -W 2 -c 1 -q 10.0.2.99 > /dev/null
if [ "$proto" = "ip" ] ;then
ip netns exec "$ns1" ping -W 2 -c 1 -q 10.0.2.99 > /dev/null
lret=$?
elif [ $proto = "ip6" ]; then
ip netns exec ${ns1} ping -W 2 -c 1 -q dead:2::99 > /dev/null
elif [ "$proto" = "ip6" ]; then
ip netns exec "$ns1" ping -W 2 -c 1 -q dead:2::99 > /dev/null
lret=$?
else
lret=111
fi
# queue without bypass keyword should drop traffic if no listener exists.
if [ $lret -eq 0 ];then
if [ "$lret" -eq 0 ];then
echo "FAIL: $proto expected failure, got $lret" 1>&2
exit 1
fi
ip netns exec ${nsrouter} nft delete table $proto blackh
if [ $? -ne 0 ] ;then
if ! ip netns exec "$nsrouter" nft delete table "$proto" blackh; then
echo "FAIL: $proto: Could not delete blackh table"
exit 1
fi
@@ -217,26 +190,41 @@ EOF
echo "PASS: $proto: statement with no listener results in packet drop"
}
nf_queue_wait()
{
local procfile="/proc/self/net/netfilter/nfnetlink_queue"
local netns id
netns="$1"
id="$2"
# if this file doesn't exist, nfnetlink_module isn't loaded.
# rather than loading it ourselves, wait for kernel module autoload
# completion, nfnetlink should do so automatically because nf_queue
# helper program, spawned in the background, asked for this functionality.
test -f "$procfile" &&
ip netns exec "$netns" cat "$procfile" | grep -q "^ *$id "
}
test_queue()
{
local expected=$1
local expected="$1"
local last=""
# spawn nf_queue listeners
ip netns exec ${nsrouter} ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" &
ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" &
sleep 1
test_ping
ret=$?
if [ $ret -ne 0 ];then
echo "FAIL: netns routing/connectivity with active listener on queue $queue: $ret" 1>&2
ip netns exec "$nsrouter" ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" &
ip netns exec "$nsrouter" ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" &
busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 0
busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 1
if ! test_ping;then
echo "FAIL: netns routing/connectivity with active listener on queues 0 and 1: $ret" 1>&2
exit $ret
fi
test_ping_router
ret=$?
if [ $ret -ne 0 ];then
echo "FAIL: netns router unreachable listener on queue $queue: $ret" 1>&2
if ! test_ping_router;then
echo "FAIL: netns router unreachable listener on queue 0 and 1: $ret" 1>&2
exit $ret
fi
@@ -247,9 +235,7 @@ test_queue()
last=$(tail -n1 "$file")
if [ x"$last" != x"$expected packets total" ]; then
echo "FAIL: Expected $expected packets total, but got $last" 1>&2
cat "$file" 1>&2
ip netns exec ${nsrouter} nft list ruleset
ip netns exec "$nsrouter" nft list ruleset
exit 1
fi
done
@@ -257,66 +243,57 @@ test_queue()
echo "PASS: Expected and received $last"
}
listener_ready()
{
ss -N "$1" -lnt -o "sport = :12345" | grep -q 12345
}
test_tcp_forward()
{
ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout &
ip netns exec "$nsrouter" ./nf_queue -q 2 -t "$timeout" &
local nfqpid=$!
tmpfile=$(mktemp) || exit 1
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
ip netns exec ${ns2} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
timeout 5 ip netns exec "$ns2" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
local rpid=$!
sleep 1
ip netns exec ${ns1} nc -w 5 10.0.2.99 12345 <"$tmpfile" >/dev/null &
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns2"
rm -f "$tmpfile"
ip netns exec "$ns1" socat -u STDIN TCP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null
wait $rpid
wait $lpid
[ $? -eq 0 ] && echo "PASS: tcp and nfqueue in forward chain"
wait "$rpid" && echo "PASS: tcp and nfqueue in forward chain"
}
test_tcp_localhost()
{
tmpfile=$(mktemp) || exit 1
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT"
timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
local rpid=$!
ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
ip netns exec "$nsrouter" ./nf_queue -q 3 -t "$timeout" &
local nfqpid=$!
sleep 1
ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
rm -f "$tmpfile"
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$nsrouter"
wait $rpid
[ $? -eq 0 ] && echo "PASS: tcp via loopback"
ip netns exec "$nsrouter" socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" >/dev/null
wait "$rpid" && echo "PASS: tcp via loopback"
wait 2>/dev/null
}
test_tcp_localhost_connectclose()
{
tmpfile=$(mktemp) || exit 1
ip netns exec "$nsrouter" ./connect_close -p 23456 -t "$timeout" &
ip netns exec "$nsrouter" ./nf_queue -q 3 -t "$timeout" &
ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout &
busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 3
ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
local nfqpid=$!
sleep 1
rm -f "$tmpfile"
wait $rpid
[ $? -eq 0 ] && echo "PASS: tcp via loopback with connect/close"
wait && echo "PASS: tcp via loopback with connect/close"
wait 2>/dev/null
}
test_tcp_localhost_requeue()
{
ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
flush ruleset
table inet filter {
chain output {
@@ -329,20 +306,17 @@ table inet filter {
}
}
EOF
tmpfile=$(mktemp) || exit 1
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
local rpid=$!
ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" &
ip netns exec "$nsrouter" ./nf_queue -c -q 1 -t "$timeout" > "$TMPFILE2" &
# nfqueue 1 will be called via output hook. But this time,
# re-queue the packet to nfqueue program on queue 2.
ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
ip netns exec "$nsrouter" ./nf_queue -G -d 150 -c -q 0 -Q 1 -t "$timeout" > "$TMPFILE3" &
sleep 1
ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
rm -f "$tmpfile"
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$nsrouter"
ip netns exec "$nsrouter" socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" > /dev/null
wait
@@ -355,17 +329,16 @@ EOF
}
test_icmp_vrf() {
ip -net $ns1 link add tvrf type vrf table 9876
if [ $? -ne 0 ];then
if ! ip -net "$ns1" link add tvrf type vrf table 9876;then
echo "SKIP: Could not add vrf device"
return
fi
ip -net $ns1 li set eth0 master tvrf
ip -net $ns1 li set tvrf up
ip -net "$ns1" li set eth0 master tvrf
ip -net "$ns1" li set tvrf up
ip -net $ns1 route add 10.0.2.0/24 via 10.0.1.1 dev eth0 table 9876
ip netns exec ${ns1} nft -f /dev/stdin <<EOF
ip -net "$ns1" route add 10.0.2.0/24 via 10.0.1.1 dev eth0 table 9876
ip netns exec "$ns1" nft -f /dev/stdin <<EOF
flush ruleset
table inet filter {
chain output {
@@ -380,40 +353,35 @@ table inet filter {
}
}
EOF
ip netns exec ${ns1} ./nf_queue -q 1 -t $timeout &
ip netns exec "$ns1" ./nf_queue -q 1 -t "$timeout" &
local nfqpid=$!
sleep 1
ip netns exec ${ns1} ip vrf exec tvrf ping -c 1 10.0.2.99 > /dev/null
busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$ns1" 1
ip netns exec "$ns1" ip vrf exec tvrf ping -c 1 10.0.2.99 > /dev/null
for n in output post; do
for d in tvrf eth0; do
ip netns exec ${ns1} nft list chain inet filter $n | grep -q "oifname \"$d\" icmp type echo-request counter packets 1"
if [ $? -ne 0 ] ; then
if ! ip netns exec "$ns1" nft list chain inet filter "$n" | grep -q "oifname \"$d\" icmp type echo-request counter packets 1"; then
echo "FAIL: chain $n: icmp packet counter mismatch for device $d" 1>&2
ip netns exec ${ns1} nft list ruleset
ip netns exec "$ns1" nft list ruleset
ret=1
return
fi
done
done
wait $nfqpid
[ $? -eq 0 ] && echo "PASS: icmp+nfqueue via vrf"
wait "$nfqpid" && echo "PASS: icmp+nfqueue via vrf"
wait 2>/dev/null
}
ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
load_ruleset "filter" 0
sleep 3
test_ping
ret=$?
if [ $ret -eq 0 ];then
if test_ping; then
# queue bypass works (rules were skipped, no listener)
echo "PASS: ${ns1} can reach ${ns2}"
else
tools/testing/selftests/net/netfilter/nft_synproxy.sh
+28 -49
View File
@@ -1,84 +1,65 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
ret=0
rnd=$(mktemp -u XXXXXXXX)
nsr="nsr-$rnd" # synproxy machine
ns1="ns1-$rnd" # iperf client
ns2="ns2-$rnd" # iperf server
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
}
checktool "nft --version" "run test without nft tool"
checktool "ip -Version" "run test without ip tool"
checktool "iperf3 --version" "run test without iperf3"
checktool "ip netns add $nsr" "create net namespace"
setup_ns nsr ns1 ns2
modprobe -q nf_conntrack
ip netns add $ns1
ip netns add $ns2
cleanup() {
ip netns pids $ns1 | xargs kill 2>/dev/null
ip netns pids $ns2 | xargs kill 2>/dev/null
ip netns del $ns1
ip netns del $ns2
ip netns pids "$ns1" | xargs kill 2>/dev/null
ip netns pids "$ns2" | xargs kill 2>/dev/null
ip netns del $nsr
cleanup_all_ns
}
trap cleanup EXIT
ip link add veth0 netns $nsr type veth peer name eth0 netns $ns1
ip link add veth1 netns $nsr type veth peer name eth0 netns $ns2
ip link add veth0 netns "$nsr" type veth peer name eth0 netns "$ns1"
ip link add veth1 netns "$nsr" type veth peer name eth0 netns "$ns2"
for dev in lo veth0 veth1; do
ip -net $nsr link set $dev up
for dev in veth0 veth1; do
ip -net "$nsr" link set "$dev" up
done
ip -net $nsr addr add 10.0.1.1/24 dev veth0
ip -net $nsr addr add 10.0.2.1/24 dev veth1
ip -net "$nsr" addr add 10.0.1.1/24 dev veth0
ip -net "$nsr" addr add 10.0.2.1/24 dev veth1
ip netns exec $nsr sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec $nsr sysctl -q net.ipv4.conf.veth1.forwarding=1
ip netns exec $nsr sysctl -q net.netfilter.nf_conntrack_tcp_loose=0
ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth0.forwarding=1
ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth1.forwarding=1
ip netns exec "$nsr" sysctl -q net.netfilter.nf_conntrack_tcp_loose=0
for n in $ns1 $ns2; do
ip -net $n link set lo up
ip -net $n link set eth0 up
ip -net "$n" link set eth0 up
done
ip -net $ns1 addr add 10.0.1.99/24 dev eth0
ip -net $ns2 addr add 10.0.2.99/24 dev eth0
ip -net $ns1 route add default via 10.0.1.1
ip -net $ns2 route add default via 10.0.2.1
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
ip -net "$ns1" route add default via 10.0.1.1
ip -net "$ns2" route add default via 10.0.2.1
# test basic connectivity
if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.99 > /dev/null; then
echo "ERROR: $ns1 cannot reach $ns2" 1>&2
exit 1
fi
if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
if ! ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then
echo "ERROR: $ns2 cannot reach $ns1" 1>&2
exit 1
fi
ip netns exec $ns2 iperf3 -s > /dev/null 2>&1 &
ip netns exec "$ns2" iperf3 -s > /dev/null 2>&1 &
# ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 &
sleep 1
ip netns exec $nsr nft -f - <<EOF
ip netns exec "$nsr" nft -f - <<EOF
table inet filter {
chain prerouting {
type filter hook prerouting priority -300; policy accept;
@@ -104,12 +85,10 @@ if [ $? -ne 0 ]; then
exit $ksft_skip
fi
ip netns exec $ns1 timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null
if [ $? -ne 0 ]; then
if ! ip netns exec "$ns1" timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null; then
echo "FAIL: iperf3 returned an error" 1>&2
ret=$?
ip netns exec $nsr nft list ruleset
ret=1
ip netns exec "$nsr" nft list ruleset
else
echo "PASS: synproxy connection successful"
fi
tools/testing/selftests/net/netfilter/nft_zones_many.sh
+44 -47
View File
@@ -3,11 +3,7 @@
# Test insertion speed for packets with identical addresses/ports
# that are all placed in distinct conntrack zones.
sfx=$(mktemp -u "XXXXXXXX")
ns="ns-$sfx"
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
source lib.sh
zones=2000
have_ct_tool=0
@@ -15,35 +11,25 @@ ret=0
cleanup()
{
ip netns del $ns
}
checktool (){
if ! $1 > /dev/null 2>&1; then
echo "SKIP: Could not $2"
exit $ksft_skip
fi
cleanup_all_ns
}
checktool "nft --version" "run test without nft tool"
checktool "ip -Version" "run test without ip tool"
checktool "socat -V" "run test without socat tool"
checktool "ip netns add $ns" "create net namespace"
setup_ns ns1
trap cleanup EXIT
conntrack -V > /dev/null 2>&1
if [ $? -eq 0 ];then
if conntrack -V > /dev/null 2>&1; then
have_ct_tool=1
fi
ip -net "$ns" link set lo up
test_zones() {
local max_zones=$1
ip netns exec $ns sysctl -q net.netfilter.nf_conntrack_udp_timeout=3600
ip netns exec $ns nft -f /dev/stdin<<EOF
ip netns exec "$ns1" sysctl -q net.netfilter.nf_conntrack_udp_timeout=3600
ip netns exec "$ns1" nft -f /dev/stdin<<EOF
flush ruleset
table inet raw {
map rndzone {
@@ -56,29 +42,36 @@ table inet raw {
}
}
EOF
if [ "$?" -ne 0 ];then
echo "SKIP: Cannot add nftables rules"
exit $ksft_skip
fi
(
echo "add element inet raw rndzone {"
for i in $(seq 1 $max_zones);do
for i in $(seq 1 "$max_zones");do
echo -n "$i : $i"
if [ $i -lt $max_zones ]; then
if [ "$i" -lt "$max_zones" ]; then
echo ","
else
echo "}"
fi
done
) | ip netns exec $ns nft -f /dev/stdin
) | ip netns exec "$ns1" nft -f /dev/stdin
local i=0
local j=0
local outerstart=$(date +%s%3N)
local stop=$outerstart
local outerstart
local stop
outerstart=$(date +%s%3N)
stop=$outerstart
while [ $i -lt $max_zones ]; do
local start=$(date +%s%3N)
while [ "$i" -lt "$max_zones" ]; do
local start
start=$(date +%s%3N)
i=$((i + 1000))
j=$((j + 1))
# nft rule in output places each packet in a different zone.
dd if=/dev/zero of=/dev/stdout bs=8k count=1000 2>/dev/null | ip netns exec "$ns" socat STDIN UDP:127.0.0.1:12345,sourceport=12345
dd if=/dev/zero bs=8k count=1000 2>/dev/null | ip netns exec "$ns1" socat -u STDIN UDP:127.0.0.1:12345,sourceport=12345
if [ $? -ne 0 ] ;then
ret=1
break
@@ -89,14 +82,15 @@ EOF
echo "PASS: added 1000 entries in $duration ms (now $i total, loop $j)"
done
if [ $have_ct_tool -eq 1 ]; then
local count=$(ip netns exec "$ns" conntrack -C)
local duration=$((stop-outerstart))
if [ "$have_ct_tool" -eq 1 ]; then
local count duration
count=$(ip netns exec "$ns1" conntrack -C)
duration=$((stop-outerstart))
if [ $count -eq $max_zones ]; then
if [ "$count" -eq "$max_zones" ]; then
echo "PASS: inserted $count entries from packet path in $duration ms total"
else
ip netns exec $ns conntrack -S 1>&2
ip netns exec "$ns1" conntrack -S 1>&2
echo "FAIL: inserted $count entries from packet path in $duration ms total, expected $max_zones entries"
ret=1
fi
@@ -110,18 +104,19 @@ EOF
test_conntrack_tool() {
local max_zones=$1
ip netns exec $ns conntrack -F >/dev/null 2>/dev/null
ip netns exec "$ns1" conntrack -F >/dev/null 2>/dev/null
local outerstart=$(date +%s%3N)
local start=$(date +%s%3N)
local stop=$start
local i=0
while [ $i -lt $max_zones ]; do
local outerstart start stop i
outerstart=$(date +%s%3N)
start=$(date +%s%3N)
stop="$start"
i=0
while [ "$i" -lt "$max_zones" ]; do
i=$((i + 1))
ip netns exec "$ns" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
--timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i >/dev/null 2>&1
if [ $? -ne 0 ];then
ip netns exec "$ns" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
--timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i > /dev/null
echo "FAIL: conntrack -I returned an error"
ret=1
@@ -137,13 +132,15 @@ test_conntrack_tool() {
fi
done
local count=$(ip netns exec "$ns" conntrack -C)
local duration=$((stop-outerstart))
local count
local duration
count=$(ip netns exec "$ns1" conntrack -C)
duration=$((stop-outerstart))
if [ $count -eq $max_zones ]; then
if [ "$count" -eq "$max_zones" ]; then
echo "PASS: inserted $count entries via ctnetlink in $duration ms"
else
ip netns exec $ns conntrack -S 1>&2
ip netns exec "$ns1" conntrack -S 1>&2
echo "FAIL: inserted $count entries via ctnetlink in $duration ms, expected $max_zones entries ($duration ms)"
ret=1
fi
@@ -151,7 +148,7 @@ test_conntrack_tool() {
test_zones $zones
if [ $have_ct_tool -eq 1 ];then
if [ "$have_ct_tool" -eq 1 ];then
test_conntrack_tool $zones
else
echo "SKIP: Could not run ctnetlink insertion test without conntrack tool"
tools/testing/selftests/net/netfilter/settings
+1
View File
@@ -0,0 +1 @@
timeout=500
tools/testing/selftests/net/netfilter/xt_string.sh
+46 -41
View File
@@ -5,53 +5,57 @@
ksft_skip=4
rc=0
if ! iptables --version >/dev/null 2>&1; then
echo "SKIP: Test needs iptables"
exit $ksft_skip
fi
if ! ip -V >/dev/null 2>&1; then
echo "SKIP: Test needs iproute2"
exit $ksft_skip
fi
if ! nc -h >/dev/null 2>&1; then
echo "SKIP: Test needs netcat"
exit $ksft_skip
fi
source lib.sh
checktool "socat -h" "run test without socat"
checktool "iptables --version" "test needs iptables"
infile=$(mktemp)
cleanup()
{
ip netns del "$netns"
rm -f "$infile"
}
trap cleanup EXIT
setup_ns netns
ip -net "$netns" link add d0 type dummy
ip -net "$netns" link set d0 up
ip -net "$netns" addr add 10.1.2.1/24 dev d0
pattern="foo bar baz"
patlen=11
hdrlen=$((20 + 8)) # IPv4 + UDP
ns="ns-$(mktemp -u XXXXXXXX)"
trap 'ip netns del $ns' EXIT
ip netns add "$ns"
ip -net "$ns" link add d0 type dummy
ip -net "$ns" link set d0 up
ip -net "$ns" addr add 10.1.2.1/24 dev d0
#ip netns exec "$ns" tcpdump -npXi d0 &
#ip netns exec "$netns" tcpdump -npXi d0 &
#tcpdump_pid=$!
#trap 'kill $tcpdump_pid; ip netns del $ns' EXIT
#trap 'kill $tcpdump_pid; ip netns del $netns' EXIT
add_rule() { # (alg, from, to)
ip netns exec "$ns" \
ip netns exec "$netns" \
iptables -A OUTPUT -o d0 -m string \
--string "$pattern" --algo $1 --from $2 --to $3
--string "$pattern" --algo "$1" --from "$2" --to "$3"
}
showrules() { # ()
ip netns exec "$ns" iptables -v -S OUTPUT | grep '^-A'
ip netns exec "$netns" iptables -v -S OUTPUT | grep '^-A'
}
zerorules() {
ip netns exec "$ns" iptables -Z OUTPUT
ip netns exec "$netns" iptables -Z OUTPUT
}
countrule() { # (pattern)
showrules | grep -c -- "$*"
}
send() { # (offset)
( for ((i = 0; i < $1 - $hdrlen; i++)); do
printf " "
( for ((i = 0; i < $1 - hdrlen; i++)); do
echo -n " "
done
printf "$pattern"
) | ip netns exec "$ns" nc -w 1 -u 10.1.2.2 27374
echo -n "$pattern"
) > "$infile"
ip netns exec "$netns" socat -t 1 -u STDIN UDP-SENDTO:10.1.2.2:27374 < "$infile"
}
add_rule bm 1000 1500
@@ -61,8 +65,8 @@ add_rule kmp 1400 1600
zerorules
send 0
send $((1000 - $patlen))
if [ $(countrule -c 0 0) -ne 4 ]; then
send $((1000 - patlen))
if [ "$(countrule -c 0 0)" -ne 4 ]; then
echo "FAIL: rules match data before --from"
showrules
((rc--))
@@ -70,16 +74,16 @@ fi
zerorules
send 1000
send $((1400 - $patlen))
if [ $(countrule -c 2) -ne 2 ]; then
send $((1400 - patlen))
if [ "$(countrule -c 2)" -ne 2 ]; then
echo "FAIL: only two rules should match at low offset"
showrules
((rc--))
fi
zerorules
send $((1500 - $patlen))
if [ $(countrule -c 1) -ne 4 ]; then
send $((1500 - patlen))
if [ "$(countrule -c 1)" -ne 4 ]; then
echo "FAIL: all rules should match at end of packet"
showrules
((rc--))
@@ -87,7 +91,7 @@ fi
zerorules
send 1495
if [ $(countrule -c 1) -ne 1 ]; then
if [ "$(countrule -c 1)" -ne 1 ]; then
echo "FAIL: only kmp with proper --to should match pattern spanning fragments"
showrules
((rc--))
@@ -95,23 +99,23 @@ fi
zerorules
send 1500
if [ $(countrule -c 1) -ne 2 ]; then
if [ "$(countrule -c 1)" -ne 2 ]; then
echo "FAIL: two rules should match pattern at start of second fragment"
showrules
((rc--))
fi
zerorules
send $((1600 - $patlen))
if [ $(countrule -c 1) -ne 2 ]; then
send $((1600 - patlen))
if [ "$(countrule -c 1)" -ne 2 ]; then
echo "FAIL: two rules should match pattern at end of largest --to"
showrules
((rc--))
fi
zerorules
send $((1600 - $patlen + 1))
if [ $(countrule -c 1) -ne 0 ]; then
send $((1600 - patlen + 1))
if [ "$(countrule -c 1)" -ne 0 ]; then
echo "FAIL: no rules should match pattern extending largest --to"
showrules
((rc--))
@@ -119,10 +123,11 @@ fi
zerorules
send 1600
if [ $(countrule -c 1) -ne 0 ]; then
if [ "$(countrule -c 1)" -ne 0 ]; then
echo "FAIL: no rule should match pattern past largest --to"
showrules
((rc--))
fi
[ $rc -eq 0 ] && echo "PASS: string match tests"
exit $rc