
selftests: netfilter: test nat source port clash resolution interaction with tcp early demux

Test that the nat engine resolves the source port clash and that the tcp
packet is passed to the correct socket.

While at it, get rid of the iperf3 dependency, just use socat for
listener side too.

Signed-off-by: Florian Westphal <fw@strlen.de>

+37 -9
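--- a/tools/testing/selftests/netfilter/nf_nat_edemux.sh
+++ b/tools/testing/selftests/netfilter/nf_nat_edemux.sh
@@ -11,16 +11,18 @@
 sfx=$(mktemp -u "XXXXXXXX")
 ns1="ns1-$sfx"
 ns2="ns2-$sfx"
+socatpid=0
 
 cleanup()
 {
+[ $socatpid -gt 0 ] && kill $socatpid
 ip netns del $ns1
 ip netns del $ns2
 }
 
-iperf3 -v > /dev/null 2>&1
+socat -h > /dev/null 2>&1
 if [ $? -ne 0 ];then
-echo "SKIP: Could not run test without iperf3"
+echo "SKIP: Could not run test without socat"
 exit $ksft_skip
 fi
 
@@ -62,8 +60,8 @@
 ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2
 
 # Create a server in one namespace
-ip netns exec $ns1 iperf3 -s > /dev/null 2>&1 &
-iperfs=$!
+ip netns exec $ns1 socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 &
+socatpid=$!
 
 # Restrict source port to just one so we don't have to exhaust
 # all others.
@@ -85,17 +83,43 @@
 # ip daddr:dport will be rewritten to 192.168.1.1 5201
 # NAT must reallocate source port 10000 because
 # 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use
-echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443 >/dev/null
+echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null
 ret=$?
-
-kill $iperfs
 
 # Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201).
 if [ $ret -eq 0 ]; then
 echo "PASS: socat can connect via NAT'd address"
 else
 echo "FAIL: socat cannot connect via NAT'd address"
-exit 1
 fi
 
-exit 0
+# check sport clashres.
+ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201
+ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201
+
+sleep 5 | ip netns exec $ns2 socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null &
+cpid1=$!
+sleep 1
+
+# if connect succeeds, client closes instantly due to EOF on stdin.
+# if connect hangs, it will time out after 5s.
+echo | ip netns exec $ns2 socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null &
+cpid2=$!
+
+time_then=$(date +%s)
+wait $cpid2
+rv=$?
+time_now=$(date +%s)
+
+# Check how much time has elapsed, expectation is for
+# 'cpid2' to connect and then exit (and no connect delay).
+delta=$((time_now - time_then))
+
+if [ $delta -lt 2 -a $rv -eq 0 ]; then
+echo "PASS: could connect to service via redirected ports"
+else
+echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)"
+ret=1
+fi
+
+exit $ret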
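Review bot: The first redirected connection (`cpid1`, new lines 100-101) is started to occupy source port 10000 but is never waited for or checked, so if it fails to establish there is no clash for `cpid2` to hit and the clash-resolution check passes vacuously; after the `cpid2` verdict add `wait $cpid1 || { echo "FAIL: first redirected connection (port 5202) did not succeed"; ret=1; }`. The two `iptables ... -j REDIRECT` insertions on new lines 97-98 are likewise unchecked, so a failed rule insertion surfaces only as the misleading "cannot connect" failure — appending `|| exit 1` (or a SKIP path, matching how the script's earlier NAT rule is handled outside this hunk) would make the cause explicit. On new line 118, `[ ... -a ... ]` is the deprecated form; `if [ "$delta" -lt 2 ] && [ "$rv" -eq 0 ]; then` is the portable equivalent. Note also that `date +%s` has one-second resolution, so the `-lt 2` threshold can be flaky on slow CI; if the script is bash, `$SECONDS` or `date +%s%N` would tighten the measurement.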