
Merge branch 'selftests-move-netfilter-tests-to-net'

Florian Westphal says:

====================
selftests: move netfilter tests to net

First patch in this series moves selftests/netfilter/
to selftests/net/netfilter/.

Passing this via net-next rather than nf-next for this reason.

Main motivation is that a lot of these scripts only work on my old
development VM; I hope that placing this in net/ will get these
tests run at more regular intervals (and make the tests more robust).

Changes are:

- make use of existing 'setup_ns' and 'busywait' helpers
- fix shellcheck warnings
- add more SKIP checks to avoid failures
- get rid of netcat in favor of socat, too many test
failures due to 'wrong' netcat flavor
- do not assume rp_filter sysctl is off

I have more patches that fix up the remaining test scripts,
but the series was too large to send them at once (34 patches).

After all scripts are fixed up, tests pass on both my Debian
and Fedora test machines.

MAINTAINERS is updated to reflect that future updates should be handled
via netfilter-devel@.
====================

Link: https://lore.kernel.org/r/20240411233624.8129-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+1490 -1931
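--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -15264,6 +15264,7 @@
 F: net/*/netfilter/
 F: net/bridge/br_netfilter*.c
 F: net/netfilter/
+F: tools/testing/selftests/net/netfilter/
 
 NETROM NETWORK LAYER
 M: Ralf Baechle <ralf@linux-mips.org>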
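--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/Makefile
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: GPL-2.0
+
+top_srcdir = ../../../../..
+
+HOSTPKG_CONFIG := pkg-config
+MNL_CFLAGS := $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
+MNL_LDLIBS := $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
+
+TEST_PROGS := br_netfilter.sh bridge_brouter.sh
+TEST_PROGS += conntrack_icmp_related.sh
+TEST_PROGS += conntrack_ipip_mtu.sh
+TEST_PROGS += conntrack_tcp_unreplied.sh
+TEST_PROGS += conntrack_sctp_collision.sh
+TEST_PROGS += conntrack_vrf.sh
+TEST_PROGS += ipvs.sh
+TEST_PROGS += nf_nat_edemux.sh
+TEST_PROGS += nft_audit.sh
+TEST_PROGS += nft_concat_range.sh
+TEST_PROGS += nft_conntrack_helper.sh
+TEST_PROGS += nft_fib.sh
+TEST_PROGS += nft_flowtable.sh
+TEST_PROGS += nft_meta.sh
+TEST_PROGS += nft_nat.sh
+TEST_PROGS += nft_nat_zones.sh
+TEST_PROGS += nft_queue.sh
+TEST_PROGS += nft_synproxy.sh
+TEST_PROGS += nft_zones_many.sh
+TEST_PROGS += rpath.sh
+TEST_PROGS += xt_string.sh
+
+TEST_CUSTOM_PROGS += conntrack_dump_flush
+
+TEST_GEN_FILES = audit_logread
+TEST_GEN_FILES += conntrack_dump_flush
+TEST_GEN_FILES += connect_close nf_queue
+TEST_GEN_FILES += sctp_collision
+
+include ../../lib.mk
+
+$(OUTPUT)/nf_queue: CFLAGS += $(MNL_CFLAGS)
+$(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS)
+
+$(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS)
+$(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS)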
+163
tools/testing/selftests/net/netfilter/br_netfilter.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # Test for legacy br_netfilter module combined with connection tracking, 5 + # a combination that doesn't really work. 6 + # Multicast/broadcast packets race for hash table insertion. 7 + 8 + # eth0 br0 eth0 9 + # setup is: ns1 <->,ns0 <-> ns3 10 + # ns2 <-' `'-> ns4 11 + 12 + source lib.sh 13 + 14 + checktool "nft --version" "run test without nft tool" 15 + 16 + cleanup() { 17 + cleanup_all_ns 18 + } 19 + 20 + trap cleanup EXIT 21 + 22 + setup_ns ns0 ns1 ns2 ns3 ns4 23 + 24 + ret=0 25 + 26 + do_ping() 27 + { 28 + fromns="$1" 29 + dstip="$2" 30 + 31 + if ! ip netns exec "$fromns" ping -c 1 -q "$dstip" > /dev/null; then 32 + echo "ERROR: ping from $fromns to $dstip" 33 + ip netns exec "$ns0" nft list ruleset 34 + ret=1 35 + fi 36 + } 37 + 38 + bcast_ping() 39 + { 40 + fromns="$1" 41 + dstip="$2" 42 + 43 + for i in $(seq 1 500); do 44 + if ! ip netns exec "$fromns" ping -q -f -b -c 1 -q "$dstip" > /dev/null 2>&1; then 45 + echo "ERROR: ping -b from $fromns to $dstip" 46 + ip netns exec "$ns0" nft list ruleset 47 + ret=1 48 + break 49 + fi 50 + done 51 + } 52 + 53 + ip netns exec "$ns0" sysctl -q net.ipv4.conf.all.rp_filter=0 54 + ip netns exec "$ns0" sysctl -q net.ipv4.conf.default.rp_filter=0 55 + 56 + if ! ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns1"; then 57 + echo "SKIP: Can't create veth device" 58 + exit $ksft_skip 59 + fi 60 + 61 + ip link add veth2 netns "$ns0" type veth peer name eth0 netns "$ns2" 62 + ip link add veth3 netns "$ns0" type veth peer name eth0 netns "$ns3" 63 + ip link add veth4 netns "$ns0" type veth peer name eth0 netns "$ns4" 64 + 65 + for i in $(seq 1 4); do 66 + ip -net "$ns0" link set "veth$i" up 67 + done 68 + 69 + if ! 
ip -net "$ns0" link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1; then 70 + echo "SKIP: Can't create bridge br0" 71 + exit $ksft_skip 72 + fi 73 + 74 + # make veth0,1,2 part of bridge. 75 + for i in $(seq 1 3); do 76 + ip -net "$ns0" link set "veth$i" master br0 77 + done 78 + 79 + # add a macvlan on top of the bridge. 80 + MACVLAN_ADDR=ba:f3:13:37:42:23 81 + ip -net "$ns0" link add link br0 name macvlan0 type macvlan mode private 82 + ip -net "$ns0" link set macvlan0 address ${MACVLAN_ADDR} 83 + ip -net "$ns0" link set macvlan0 up 84 + ip -net "$ns0" addr add 10.23.0.1/24 dev macvlan0 85 + 86 + # add a macvlan on top of veth4. 87 + MACVLAN_ADDR=ba:f3:13:37:42:24 88 + ip -net "$ns0" link add link veth4 name macvlan4 type macvlan mode passthru 89 + ip -net "$ns0" link set macvlan4 address ${MACVLAN_ADDR} 90 + ip -net "$ns0" link set macvlan4 up 91 + 92 + # make the macvlan part of the bridge. 93 + # veth4 is not a bridge port, only the macvlan on top of it. 94 + ip -net "$ns0" link set macvlan4 master br0 95 + 96 + ip -net "$ns0" link set br0 up 97 + ip -net "$ns0" addr add 10.0.0.1/24 dev br0 98 + 99 + modprobe -q br_netfilter 100 + if ! ip netns exec "$ns0" sysctl -q net.bridge.bridge-nf-call-iptables=1; then 101 + echo "SKIP: bridge netfilter not available" 102 + ret=$ksft_skip 103 + fi 104 + 105 + # for testing, so namespaces will reply to ping -b probes. 106 + ip netns exec "$ns0" sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0 107 + 108 + # enable conntrack in ns0 and drop broadcast packets in forward to 109 + # avoid them from getting confirmed in the postrouting hook before 110 + # the cloned skb is passed up the stack. 
111 + ip netns exec "$ns0" nft -f - <<EOF 112 + table ip filter { 113 + chain input { 114 + type filter hook input priority 1; policy accept 115 + iifname br0 counter 116 + ct state new accept 117 + } 118 + } 119 + 120 + table bridge filter { 121 + chain forward { 122 + type filter hook forward priority 0; policy accept 123 + meta pkttype broadcast ip protocol icmp counter drop 124 + } 125 + } 126 + EOF 127 + 128 + # place 1, 2 & 3 in same subnet, connected via ns0:br0. 129 + # ns4 is placed in same subnet as well, but its not 130 + # part of the bridge: the corresponding veth4 is not 131 + # part of the bridge, only its macvlan interface. 132 + for i in $(seq 1 4); do 133 + eval ip -net \$ns"$i" link set eth0 up 134 + done 135 + for i in $(seq 1 2); do 136 + eval ip -net \$ns"$i" addr add "10.0.0.1$i/24" dev eth0 137 + done 138 + 139 + ip -net "$ns3" addr add 10.23.0.13/24 dev eth0 140 + ip -net "$ns4" addr add 10.23.0.14/24 dev eth0 141 + 142 + # test basic connectivity 143 + do_ping "$ns1" 10.0.0.12 144 + do_ping "$ns3" 10.23.0.1 145 + do_ping "$ns4" 10.23.0.1 146 + 147 + bcast_ping "$ns1" 10.0.0.255 148 + 149 + # This should deliver broadcast to macvlan0, which is on top of ns0:br0. 150 + bcast_ping "$ns3" 10.23.0.255 151 + 152 + # same, this time via veth4:macvlan4. 153 + bcast_ping "$ns4" 10.23.0.255 154 + 155 + read t < /proc/sys/kernel/tainted 156 + if [ "$t" -eq 0 ];then 157 + echo PASS: kernel not tainted 158 + else 159 + echo ERROR: kernel is tainted 160 + ret=1 161 + fi 162 + 163 + exit $ret
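Review bot: The two `for i in $(seq 1 4)` / `$(seq 1 2)` loops that bring up eth0 and assign addresses still go through `eval` to dereference `$ns1`..`$ns4`, which re-parses the whole command line; bash indirection does the same job without that, `nsvar="ns$i"` followed by `ip -net "${!nsvar}" link set eth0 up` (and the same two-line form for the `addr add` loop). `do_ping` and `bcast_ping` assign `fromns`/`dstip` without `local`, so they leak into script scope. Separately, when `net.bridge.bridge-nf-call-iptables=1` cannot be set the script records `ret=$ksft_skip` but keeps running all the pings, and any later ping failure overwrites that with `ret=1`; an immediate `exit $ksft_skip` there looks like the intent, worth confirming.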
+122
tools/testing/selftests/net/netfilter/bridge_brouter.sh
··· 1 + #!/bin/bash 2 + # 3 + # This test is for bridge 'brouting', i.e. make some packets being routed 4 + # rather than getting bridged even though they arrive on interface that is 5 + # part of a bridge. 6 + 7 + # eth0 br0 eth0 8 + # setup is: ns1 <-> nsbr <-> ns2 9 + 10 + source lib.sh 11 + 12 + if ! ebtables -V > /dev/null 2>&1;then 13 + echo "SKIP: Could not run test without ebtables" 14 + exit $ksft_skip 15 + fi 16 + 17 + cleanup() { 18 + cleanup_all_ns 19 + } 20 + 21 + trap cleanup EXIT 22 + 23 + setup_ns nsbr ns1 ns2 24 + 25 + ip netns exec "$nsbr" sysctl -q net.ipv4.conf.default.rp_filter=0 26 + ip netns exec "$nsbr" sysctl -q net.ipv4.conf.all.rp_filter=0 27 + if ! ip link add veth0 netns "$nsbr" type veth peer name eth0 netns "$ns1"; then 28 + echo "SKIP: Can't create veth device" 29 + exit $ksft_skip 30 + fi 31 + ip link add veth1 netns "$nsbr" type veth peer name eth0 netns "$ns2" 32 + 33 + if ! ip -net "$nsbr" link add br0 type bridge; then 34 + echo "SKIP: Can't create bridge br0" 35 + exit $ksft_skip 36 + fi 37 + 38 + ip -net "$nsbr" link set veth0 up 39 + ip -net "$nsbr" link set veth1 up 40 + 41 + ip -net "$nsbr" link set veth0 master br0 42 + ip -net "$nsbr" link set veth1 master br0 43 + ip -net "$nsbr" link set br0 up 44 + ip -net "$nsbr" addr add 10.0.0.1/24 dev br0 45 + 46 + # place both in same subnet, ${ns1} and ${ns2} connected via ${nsbr}:br0 47 + ip -net "$ns1" link set eth0 up 48 + ip -net "$ns2" link set eth0 up 49 + ip -net "$ns1" addr add 10.0.0.11/24 dev eth0 50 + ip -net "$ns2" addr add 10.0.0.12/24 dev eth0 51 + 52 + test_ebtables_broute() 53 + { 54 + # redirect is needed so the dstmac is rewritten to the bridge itself, 55 + # ip stack won't process OTHERHOST (foreign unicast mac) packets. 56 + if ! 
ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP; then 57 + echo "SKIP: Could not add ebtables broute redirect rule" 58 + return $ksft_skip 59 + fi 60 + 61 + ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=0 62 + 63 + # ping net${ns1}, expected to not work (ip forwarding is off) 64 + if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then 65 + echo "ERROR: ping works, should have failed" 1>&2 66 + return 1 67 + fi 68 + 69 + # enable forwarding on both interfaces. 70 + # neither needs an ip address, but at least the bridge needs 71 + # an ip address in same network segment as ${ns1} and ${ns2} (${nsbr} 72 + # needs to be able to determine route for to-be-forwarded packet). 73 + ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth0.forwarding=1 74 + ip netns exec "$nsbr" sysctl -q net.ipv4.conf.veth1.forwarding=1 75 + 76 + if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then 77 + echo "ERROR: ping did not work, but it should (broute+forward)" 1>&2 78 + return 1 79 + fi 80 + 81 + echo "PASS: ${ns1}/${ns2} connectivity with active broute rule" 82 + ip netns exec "$nsbr" ebtables -t broute -F 83 + 84 + # ping net${ns1}, expected to work (frames are bridged) 85 + if ! ip netns exec "$ns1" ping -q -c 1 10.0.0.12 > /dev/null; then 86 + echo "ERROR: ping did not work, but it should (bridged)" 1>&2 87 + return 1 88 + fi 89 + 90 + ip netns exec "$nsbr" ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP 91 + 92 + # ping net${ns1}, expected to not work (DROP in bridge forward) 93 + if ip netns exec "$ns1" ping -q -c 1 10.0.0.12 -W 0.5 > /dev/null 2>&1; then 94 + echo "ERROR: ping works, should have failed (icmp forward drop)" 1>&2 95 + return 1 96 + fi 97 + 98 + # re-activate brouter 99 + ip netns exec "$nsbr" ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP 100 + 101 + if ! 
ip netns exec "$ns2" ping -q -c 1 10.0.0.11 > /dev/null; then 102 + echo "ERROR: ping did not work, but it should (broute+forward 2)" 1>&2 103 + return 1 104 + fi 105 + 106 + echo "PASS: ${ns1}/${ns2} connectivity with active broute rule and bridge forward drop" 107 + return 0 108 + } 109 + 110 + # test basic connectivity 111 + if ! ip netns exec "$ns1" ping -c 1 -q 10.0.0.12 > /dev/null; then 112 + echo "ERROR: Could not reach ${ns2} from ${ns1}" 1>&2 113 + exit 1 114 + fi 115 + 116 + if ! ip netns exec "$ns2" ping -c 1 -q 10.0.0.11 > /dev/null; then 117 + echo "ERROR: Could not reach ${ns1} from ${ns2}" 1>&2 118 + exit 1 119 + fi 120 + 121 + test_ebtables_broute 122 + exit $?
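Review bot: The `ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP` call in test_ebtables_broute is unchecked, unlike the broute rule just above it which returns `$ksft_skip` when it cannot be added; if the filter table is unavailable the following ping succeeds and the test reports `ERROR: ping works, should have failed (icmp forward drop)` instead of skipping. Wrapping that call in the same `if ! ...; then echo "SKIP: ..."; return $ksft_skip; fi` pattern keeps the two rule insertions consistent. The `ebtables -V` probe at the top could also use the new `checktool` helper from lib.sh as the other scripts in this series do, e.g. `checktool "ebtables -V" "run test without ebtables"`.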
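--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/config
@@ -0,0 +1,37 @@
+CONFIG_AUDIT=y
+CONFIG_BRIDGE_EBT_BROUTE=m
+CONFIG_BRIDGE_EBT_REDIRECT=m
+CONFIG_BRIDGE_NETFILTER=m
+CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP6_NF_MATCH_RPFILTER=m
+CONFIG_IP_SCTP=m
+CONFIG_IP_VS=m
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_NET_CLS_U32=m
+CONFIG_NET_SCH_NETEM=m
+CONFIG_NET_SCH_HTB=m
+CONFIG_NET_IPIP=m
+CONFIG_NET_VRF=y
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_NETFILTER_SYNPROXY=m
+CONFIG_NETFILTER_XT_NAT=m
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_CONNTRACK_EVENTS=m
+CONFIG_NF_CONNTRACK_ZONES=y
+CONFIG_NF_CT_NETLINK=m
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_CT=m
+CONFIG_NFT_FIB=m
+CONFIG_NFT_FIB_INET=m
+CONFIG_NFT_FIB_IPV4=m
+CONFIG_NFT_FIB_IPV6=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_SYNPROXY=m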
+87
tools/testing/selftests/net/netfilter/conntrack_sctp_collision.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # Testing For SCTP COLLISION SCENARIO as Below: 5 + # 6 + # 14:35:47.655279 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [INIT] [init tag: 2017837359] 7 + # 14:35:48.353250 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [INIT] [init tag: 1187206187] 8 + # 14:35:48.353275 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [INIT ACK] [init tag: 2017837359] 9 + # 14:35:48.353283 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [COOKIE ECHO] 10 + # 14:35:48.353977 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [COOKIE ACK] 11 + # 14:35:48.855335 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [INIT ACK] [init tag: 164579970] 12 + # 13 + # TOPO: SERVER_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) CLIENT_NS 14 + 15 + source lib.sh 16 + 17 + CLIENT_IP="198.51.200.1" 18 + CLIENT_PORT=1234 19 + 20 + SERVER_IP="198.51.100.1" 21 + SERVER_PORT=1234 22 + 23 + CLIENT_GW="198.51.200.2" 24 + SERVER_GW="198.51.100.2" 25 + 26 + # setup the topo 27 + setup() { 28 + setup_ns CLIENT_NS SERVER_NS ROUTER_NS 29 + ip -n "$SERVER_NS" link add link0 type veth peer name link1 netns "$ROUTER_NS" 30 + ip -n "$CLIENT_NS" link add link3 type veth peer name link2 netns "$ROUTER_NS" 31 + 32 + ip -n "$SERVER_NS" link set link0 up 33 + ip -n "$SERVER_NS" addr add $SERVER_IP/24 dev link0 34 + ip -n "$SERVER_NS" route add $CLIENT_IP dev link0 via $SERVER_GW 35 + 36 + ip -n "$ROUTER_NS" link set link1 up 37 + ip -n "$ROUTER_NS" link set link2 up 38 + ip -n "$ROUTER_NS" addr add $SERVER_GW/24 dev link1 39 + ip -n "$ROUTER_NS" addr add $CLIENT_GW/24 dev link2 40 + ip net exec "$ROUTER_NS" sysctl -wq net.ipv4.ip_forward=1 41 + 42 + ip -n "$CLIENT_NS" link set link3 up 43 + ip -n "$CLIENT_NS" addr add $CLIENT_IP/24 dev link3 44 + ip -n "$CLIENT_NS" route add $SERVER_IP dev link3 via $CLIENT_GW 45 + 46 + # simulate the delay on OVS upcall by setting up a delay for INIT_ACK with 47 + # tc on $SERVER_NS side 48 + tc -n "$SERVER_NS" qdisc add dev link0 
root handle 1: htb r2q 64 49 + tc -n "$SERVER_NS" class add dev link0 parent 1: classid 1:1 htb rate 100mbit 50 + tc -n "$SERVER_NS" filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \ 51 + 0xff match u8 2 0xff at 32 flowid 1:1 52 + if ! tc -n "$SERVER_NS" qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms; then 53 + echo "SKIP: Cannot add netem qdisc" 54 + exit $ksft_skip 55 + fi 56 + 57 + # simulate the ctstate check on OVS nf_conntrack 58 + ip net exec "$ROUTER_NS" iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP 59 + ip net exec "$ROUTER_NS" iptables -A INPUT -p sctp -j DROP 60 + 61 + # use a smaller number for assoc's max_retrans to reproduce the issue 62 + modprobe -q sctp 63 + ip net exec "$CLIENT_NS" sysctl -wq net.sctp.association_max_retrans=3 64 + } 65 + 66 + cleanup() { 67 + ip net exec "$CLIENT_NS" pkill sctp_collision >/dev/null 2>&1 68 + ip net exec "$SERVER_NS" pkill sctp_collision >/dev/null 2>&1 69 + cleanup_all_ns 70 + } 71 + 72 + do_test() { 73 + ip net exec "$SERVER_NS" ./sctp_collision server \ 74 + $SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT & 75 + ip net exec "$CLIENT_NS" ./sctp_collision client \ 76 + $CLIENT_IP $CLIENT_PORT $SERVER_IP $SERVER_PORT 77 + } 78 + 79 + # NOTE: one way to work around the issue is set a smaller hb_interval 80 + # ip net exec $CLIENT_NS sysctl -wq net.sctp.hb_interval=3500 81 + 82 + # run the test case 83 + trap cleanup EXIT 84 + setup && \ 85 + echo "Test for SCTP Collision in nf_conntrack:" && \ 86 + do_test && echo "PASS!" 87 + exit $?
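Review bot: setup() inserts `iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP` and `iptables -A INPUT -p sctp -j DROP` in `$ROUTER_NS` without any availability check, so a host without iptables fails those calls and the test reports a failure rather than a skip; nf_nat_edemux.sh in the same series guards this with `checktool "iptables --version" "run test without iptables"` right after `source lib.sh`, and the same line fits here. Only the netem qdisc add is checked; the preceding htb qdisc/class/filter adds on link0 are not. The `$SERVER_IP`, `$CLIENT_IP` and `$*_GW` expansions in setup() and do_test() are unquoted; they hold fixed dotted-quad constants so it is harmless, but quoting them keeps the shellcheck clean-up this series is doing consistent.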
+153
tools/testing/selftests/net/netfilter/conntrack_tcp_unreplied.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # Check that UNREPLIED tcp conntrack will eventually timeout. 5 + # 6 + 7 + source lib.sh 8 + 9 + if ! nft --version > /dev/null 2>&1;then 10 + echo "SKIP: Could not run test without nft tool" 11 + exit $ksft_skip 12 + fi 13 + 14 + if ! conntrack --version > /dev/null 2>&1;then 15 + echo "SKIP: Could not run test without conntrack tool" 16 + exit $ksft_skip 17 + fi 18 + 19 + ret=0 20 + 21 + cleanup() { 22 + ip netns pids "$ns1" | xargs kill 2>/dev/null 23 + ip netns pids "$ns2" | xargs kill 2>/dev/null 24 + 25 + cleanup_all_ns 26 + } 27 + 28 + ipv4() { 29 + echo -n 192.168."$1".2 30 + } 31 + 32 + check_counter() 33 + { 34 + ns=$1 35 + name=$2 36 + expect=$3 37 + local lret=0 38 + 39 + if ! ip netns exec "$ns2" nft list counter inet filter "$name" | grep -q "$expect"; then 40 + echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2 41 + ip netns exec "$ns2" nft list counter inet filter "$name" 1>&2 42 + lret=1 43 + fi 44 + 45 + return $lret 46 + } 47 + 48 + trap cleanup EXIT 49 + 50 + # Create test namespaces 51 + setup_ns ns1 ns2 52 + 53 + # Connect the namespace to the host using a veth pair 54 + ip -net "$ns1" link add name veth1 type veth peer name veth2 55 + ip -net "$ns1" link set netns "$ns2" dev veth2 56 + 57 + ip -net "$ns1" link set up dev lo 58 + ip -net "$ns2" link set up dev lo 59 + ip -net "$ns1" link set up dev veth1 60 + ip -net "$ns2" link set up dev veth2 61 + 62 + ip -net "$ns2" addr add 10.11.11.2/24 dev veth2 63 + ip -net "$ns2" route add default via 10.11.11.1 64 + 65 + ip netns exec "$ns2" sysctl -q net.ipv4.conf.veth2.forwarding=1 66 + 67 + # add a rule inside NS so we enable conntrack 68 + ip netns exec "$ns1" nft -f - <<EOF 69 + table inet filter { 70 + chain input { 71 + type filter hook input priority 0; policy accept; 72 + ct state established accept 73 + } 74 + } 75 + EOF 76 + 77 + ip -net "$ns1" addr add 10.11.11.1/24 dev veth1 78 + ip -net 
"$ns1" route add 10.99.99.99 via 10.11.11.2 79 + 80 + # Check connectivity works 81 + ip netns exec "$ns1" ping -q -c 2 10.11.11.2 >/dev/null || exit 1 82 + 83 + ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT & 84 + 85 + ip netns exec "$ns2" nft -f - <<EOF 86 + table inet filter { 87 + counter connreq { } 88 + counter redir { } 89 + chain input { 90 + type filter hook input priority 0; policy accept; 91 + ct state new tcp flags syn ip daddr 10.99.99.99 tcp dport 80 counter name "connreq" accept 92 + ct state new ct status dnat tcp dport 8080 counter name "redir" accept 93 + } 94 + } 95 + EOF 96 + if [ $? -ne 0 ]; then 97 + echo "ERROR: Could not load nft rules" 98 + exit 1 99 + fi 100 + 101 + ip netns exec "$ns2" sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 102 + 103 + echo "INFO: connect $ns1 -> $ns2 to the virtual ip" 104 + ip netns exec "$ns1" bash -c 'for i in $(seq 1 $BUSYWAIT_TIMEOUT) ; do 105 + socat -u STDIN TCP:10.99.99.99:80 < /dev/null 106 + sleep 0.1 107 + done' & 108 + 109 + ip netns exec "$ns2" nft -f - <<EOF 110 + table inet nat { 111 + chain prerouting { 112 + type nat hook prerouting priority 0; policy accept; 113 + ip daddr 10.99.99.99 tcp dport 80 redirect to :8080 114 + } 115 + } 116 + EOF 117 + if [ $? -ne 0 ]; then 118 + echo "ERROR: Could not load nat redirect" 119 + exit 1 120 + fi 121 + 122 + count=$(ip netns exec "$ns2" conntrack -L -p tcp --dport 80 2>/dev/null | wc -l) 123 + if [ "$count" -eq 0 ]; then 124 + echo "ERROR: $ns2 did not pick up tcp connection from peer" 125 + exit 1 126 + fi 127 + 128 + wait_for_redirect() 129 + { 130 + count=$(ip netns exec "$ns2" conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l) 131 + if [ "$count" -gt 0 ]; then 132 + return 0 133 + fi 134 + 135 + return 1 136 + } 137 + echo "INFO: NAT redirect added in ns $ns2, waiting for $BUSYWAIT_TIMEOUT ms for nat to take effect" 138 + 139 + busywait $BUSYWAIT_TIMEOUT wait_for_redirect 140 + ret=$? 
141 + 142 + expect="packets 1 bytes 60" 143 + if ! check_counter "$ns2" "redir" "$expect"; then 144 + ret=1 145 + fi 146 + 147 + if [ $ret -eq 0 ];then 148 + echo "PASS: redirection counter has expected values" 149 + else 150 + echo "ERROR: no tcp connection was redirected" 151 + fi 152 + 153 + exit $ret
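Review bot: check_counter() takes the namespace as `$1` (`ns=$1`) but then queries and reports `$ns2` in both the `nft list counter` call and the error message, so the parameter is ignored; the function should use `"$ns"` in both places, and its `ns`, `name` and `expect` assignments should be `local` like `lret` already is. The `ipv4()` helper defined near the top does not appear to be called anywhere in the file and looks like dead code carried over by the move. The `nft --version` / `conntrack --version` probes could also use lib.sh's `checktool` for consistency with the other scripts in this series.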
+211
tools/testing/selftests/net/netfilter/ipvs.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # End-to-end ipvs test suite 5 + # Topology: 6 + #--------------------------------------------------------------+ 7 + # | | 8 + # ns0 | ns1 | 9 + # ----------- | ----------- ----------- | 10 + # | veth01 | --------- | veth10 | | veth12 | | 11 + # ----------- peer ----------- ----------- | 12 + # | | | | 13 + # ----------- | | | 14 + # | br0 | |----------------- peer |--------------| 15 + # ----------- | | | 16 + # | | | | 17 + # ---------- peer ---------- ----------- | 18 + # | veth02 | --------- | veth20 | | veth21 | | 19 + # ---------- | ---------- ----------- | 20 + # | ns2 | 21 + # | | 22 + #--------------------------------------------------------------+ 23 + # 24 + # We assume that all network driver are loaded 25 + # 26 + 27 + source lib.sh 28 + 29 + ret=0 30 + GREEN='\033[0;92m' 31 + RED='\033[0;31m' 32 + NC='\033[0m' # No Color 33 + 34 + readonly port=8080 35 + 36 + readonly vip_v4=207.175.44.110 37 + readonly cip_v4=10.0.0.2 38 + readonly gip_v4=10.0.0.1 39 + readonly dip_v4=172.16.0.1 40 + readonly rip_v4=172.16.0.2 41 + readonly sip_v4=10.0.0.3 42 + 43 + readonly infile="$(mktemp)" 44 + readonly outfile="$(mktemp)" 45 + readonly datalen=32 46 + 47 + sysipvsnet="/proc/sys/net/ipv4/vs/" 48 + if [ ! -d $sysipvsnet ]; then 49 + if ! 
modprobe -q ip_vs; then 50 + echo "skip: could not run test without ipvs module" 51 + exit $ksft_skip 52 + fi 53 + fi 54 + 55 + checktool "ipvsadm -v" "run test without ipvsadm" 56 + checktool "socat -h" "run test without socat" 57 + 58 + setup() { 59 + setup_ns ns0 ns1 ns2 60 + 61 + ip link add veth01 netns "${ns0}" type veth peer name veth10 netns "${ns1}" 62 + ip link add veth02 netns "${ns0}" type veth peer name veth20 netns "${ns2}" 63 + ip link add veth12 netns "${ns1}" type veth peer name veth21 netns "${ns2}" 64 + 65 + ip netns exec "${ns0}" ip link set veth01 up 66 + ip netns exec "${ns0}" ip link set veth02 up 67 + ip netns exec "${ns0}" ip link add br0 type bridge 68 + ip netns exec "${ns0}" ip link set veth01 master br0 69 + ip netns exec "${ns0}" ip link set veth02 master br0 70 + ip netns exec "${ns0}" ip link set br0 up 71 + ip netns exec "${ns0}" ip addr add "${cip_v4}/24" dev br0 72 + 73 + ip netns exec "${ns1}" ip link set veth10 up 74 + ip netns exec "${ns1}" ip addr add "${gip_v4}/24" dev veth10 75 + ip netns exec "${ns1}" ip link set veth12 up 76 + ip netns exec "${ns1}" ip addr add "${dip_v4}/24" dev veth12 77 + 78 + ip netns exec "${ns2}" ip link set veth21 up 79 + ip netns exec "${ns2}" ip addr add "${rip_v4}/24" dev veth21 80 + ip netns exec "${ns2}" ip link set veth20 up 81 + ip netns exec "${ns2}" ip addr add "${sip_v4}/24" dev veth20 82 + 83 + sleep 1 84 + 85 + dd if=/dev/urandom of="${infile}" bs="${datalen}" count=1 status=none 86 + } 87 + 88 + cleanup() { 89 + cleanup_all_ns 90 + 91 + if [ -f "${outfile}" ]; then 92 + rm "${outfile}" 93 + fi 94 + if [ -f "${infile}" ]; then 95 + rm "${infile}" 96 + fi 97 + } 98 + 99 + server_listen() { 100 + ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" & 101 + server_pid=$! 
102 + sleep 0.2 103 + } 104 + 105 + client_connect() { 106 + ip netns exec "${ns0}" timeout 2 socat -u -4 STDIN TCP:"${vip_v4}":"${port}" < "${infile}" 107 + } 108 + 109 + verify_data() { 110 + wait "${server_pid}" 111 + cmp "$infile" "$outfile" 2>/dev/null 112 + } 113 + 114 + test_service() { 115 + server_listen 116 + client_connect 117 + verify_data 118 + } 119 + 120 + 121 + test_dr() { 122 + ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0 123 + 124 + ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1 125 + ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr 126 + ip netns exec "${ns1}" ipvsadm -a -t "${vip_v4}:${port}" -r "${rip_v4}:${port}" 127 + ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1 128 + 129 + # avoid incorrect arp response 130 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1 131 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2 132 + # avoid reverse route lookup 133 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0 134 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0 135 + ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1 136 + 137 + test_service 138 + } 139 + 140 + test_nat() { 141 + ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0 142 + 143 + ip netns exec "${ns1}" sysctl -qw net.ipv4.ip_forward=1 144 + ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr 145 + ip netns exec "${ns1}" ipvsadm -a -m -t "${vip_v4}:${port}" -r "${rip_v4}:${port}" 146 + ip netns exec "${ns1}" ip addr add "${vip_v4}/32" dev lo:1 147 + 148 + ip netns exec "${ns2}" ip link del veth20 149 + ip netns exec "${ns2}" ip route add default via "${dip_v4}" dev veth21 150 + 151 + test_service 152 + } 153 + 154 + test_tun() { 155 + ip netns exec "${ns0}" ip route add "${vip_v4}" via "${gip_v4}" dev br0 156 + 157 + ip netns exec "${ns1}" modprobe -q ipip 158 + ip netns exec "${ns1}" ip link set tunl0 up 159 + ip netns 
exec "${ns1}" sysctl -qw net.ipv4.ip_forward=0 160 + ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.all.send_redirects=0 161 + ip netns exec "${ns1}" sysctl -qw net.ipv4.conf.default.send_redirects=0 162 + ip netns exec "${ns1}" ipvsadm -A -t "${vip_v4}:${port}" -s rr 163 + ip netns exec "${ns1}" ipvsadm -a -i -t "${vip_v4}:${port}" -r ${rip_v4}:${port} 164 + ip netns exec "${ns1}" ip addr add ${vip_v4}/32 dev lo:1 165 + 166 + ip netns exec "${ns2}" modprobe -q ipip 167 + ip netns exec "${ns2}" ip link set tunl0 up 168 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_ignore=1 169 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.arp_announce=2 170 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0 171 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.tunl0.rp_filter=0 172 + ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.veth21.rp_filter=0 173 + ip netns exec "${ns2}" ip addr add "${vip_v4}/32" dev lo:1 174 + 175 + test_service 176 + } 177 + 178 + run_tests() { 179 + local errors= 180 + 181 + echo "Testing DR mode..." 182 + cleanup 183 + setup 184 + test_dr 185 + errors=$(( $errors + $? )) 186 + 187 + echo "Testing NAT mode..." 188 + cleanup 189 + setup 190 + test_nat 191 + errors=$(( $errors + $? )) 192 + 193 + echo "Testing Tunnel mode..." 194 + cleanup 195 + setup 196 + test_tun 197 + errors=$(( $errors + $? )) 198 + 199 + return $errors 200 + } 201 + 202 + trap cleanup EXIT 203 + 204 + run_tests 205 + 206 + if [ $? -ne 0 ]; then 207 + echo -e "$(basename $0): ${RED}FAIL${NC}" 208 + exit 1 209 + fi 210 + echo -e "$(basename $0): ${GREEN}PASS${NC}" 211 + exit 0
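Review bot: test_service() can hang rather than fail: server_listen() starts `socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT` with no timeout and verify_data() then does `wait "${server_pid}"`, so if client_connect() gives up after its `timeout 2` (a broken DR/NAT/TUN path, which is what this test exists to catch) the listener never sees a connection and the suite blocks indefinitely; running the listener under `timeout`, or with socat's `-T` inactivity timeout, bounds that wait. server_listen() also hard-codes `8080` where the rest of the file uses `"${port}"`, and it waits for readiness with `sleep 0.2` where nft_conntrack_helper.sh in this series uses `busywait "$BUSYWAIT_TIMEOUT" listener_ready ...`, which the cover letter names as a goal of the move. run_tests() initialises `local errors=` (empty); `local errors=0` is what the `$(( $errors + $? ))` lines below assume.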
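--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/lib.sh
@@ -0,0 +1,10 @@
+net_netfilter_dir=$(dirname "$(readlink -e "${BASH_SOURCE[0]}")")
+
+source "$net_netfilter_dir/../lib.sh"
+
+checktool (){
+if ! $1 > /dev/null 2>&1; then
+echo "SKIP: Could not $2"
+exit $ksft_skip
+fi
+}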
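Review bot: checktool() relies on `$1` being left unquoted so that a string such as `"nft --version"` is word-split into a command and its arguments; that is deliberate but undocumented, and it is exactly what shellcheck's SC2086 flags in a series whose cover letter says it fixes shellcheck warnings. A header comment stating the contract would help the callers in the other new scripts, e.g. `# checktool "<cmd args>" "<msg>": run the command silently; on failure print "SKIP: Could not <msg>" and exit with ksft_skip`, plus `# shellcheck disable=SC2086 -- $1 is intentionally word-split into command and arguments` on the line above the `if`. The file also lacks the `# SPDX-License-Identifier: GPL-2.0` line most of the other new files carry.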
+97
tools/testing/selftests/net/netfilter/nf_nat_edemux.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # Test NAT source port clash resolution 5 + # 6 + 7 + source lib.sh 8 + ret=0 9 + socatpid=0 10 + 11 + cleanup() 12 + { 13 + [ "$socatpid" -gt 0 ] && kill "$socatpid" 14 + 15 + cleanup_all_ns 16 + } 17 + 18 + checktool "socat -h" "run test without socat" 19 + checktool "iptables --version" "run test without iptables" 20 + 21 + trap cleanup EXIT 22 + 23 + setup_ns ns1 ns2 24 + 25 + # Connect the namespaces using a veth pair 26 + ip link add name veth2 type veth peer name veth1 27 + ip link set netns "$ns1" dev veth1 28 + ip link set netns "$ns2" dev veth2 29 + 30 + ip netns exec "$ns1" ip link set up dev lo 31 + ip netns exec "$ns1" ip link set up dev veth1 32 + ip netns exec "$ns1" ip addr add 192.168.1.1/24 dev veth1 33 + 34 + ip netns exec "$ns2" ip link set up dev lo 35 + ip netns exec "$ns2" ip link set up dev veth2 36 + ip netns exec "$ns2" ip addr add 192.168.1.2/24 dev veth2 37 + 38 + # Create a server in one namespace 39 + ip netns exec "$ns1" socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 & 40 + socatpid=$! 41 + 42 + # Restrict source port to just one so we don't have to exhaust 43 + # all others. 44 + ip netns exec "$ns2" sysctl -q net.ipv4.ip_local_port_range="10000 10000" 45 + 46 + # add a virtual IP using DNAT 47 + ip netns exec "$ns2" iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201 48 + 49 + # ... 
and route it to the other namespace 50 + ip netns exec "$ns2" ip route add 10.96.0.1 via 192.168.1.1 51 + 52 + # add a persistent connection from the other namespace 53 + ip netns exec "$ns2" socat -t 10 - TCP:192.168.1.1:5201 > /dev/null & 54 + 55 + sleep 1 56 + 57 + # ip daddr:dport will be rewritten to 192.168.1.1 5201 58 + # NAT must reallocate source port 10000 because 59 + # 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use 60 + echo test | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null 61 + ret=$? 62 + 63 + # Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201). 64 + if [ $ret -eq 0 ]; then 65 + echo "PASS: socat can connect via NAT'd address" 66 + else 67 + echo "FAIL: socat cannot connect via NAT'd address" 68 + fi 69 + 70 + # check sport clashres. 71 + ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201 72 + ip netns exec "$ns1" iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201 73 + 74 + sleep 5 | ip netns exec "$ns2" socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null & 75 + 76 + # if connect succeeds, client closes instantly due to EOF on stdin. 77 + # if connect hangs, it will time out after 5s. 78 + echo | ip netns exec "$ns2" socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null & 79 + cpid2=$! 80 + 81 + time_then=$(date +%s) 82 + wait $cpid2 83 + rv=$? 84 + time_now=$(date +%s) 85 + 86 + # Check how much time has elapsed, expectation is for 87 + # 'cpid2' to connect and then exit (and no connect delay). 88 + delta=$((time_now - time_then)) 89 + 90 + if [ $delta -lt 2 ] && [ $rv -eq 0 ]; then 91 + echo "PASS: could connect to service via redirected ports" 92 + else 93 + echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)" 94 + ret=1 95 + fi 96 + 97 + exit $ret
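Review bot: The listener readiness wait is a fixed `sleep 1` after starting the `socat -u TCP-LISTEN:5201,fork` server, which is the kind of timing assumption the cover letter says this series replaces with `busywait`; on a slow or loaded box the persistent `socat -t 10 - TCP:192.168.1.1:5201` connection can race the listener and the port-clash setup the test depends on silently degrades. A readiness probe in the style of nft_conntrack_helper.sh, `listener_ready() { ss -N "$1" -lnt -o "sport = :$2" | grep -q "$2"; }` followed by `busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns1" 5201`, replaces the sleep. cleanup() only tracks `$socatpid`; the persistent-connection socat and the `sleep 5 | socat` client are left to namespace teardown, which is probably fine but deserves a one-line comment.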
+171
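--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
@@ -0,0 +1,171 @@
+#!/bin/bash
+#
+# This tests connection tracking helper assignment:
+# 1. can attach ftp helper to a connection from nft ruleset.
+# 2. auto-assign still works.
+#
+# Kselftest framework requirement - SKIP code is 4.
+
+source lib.sh
+
+ret=0
+
+testipv6=1
+
+checktool "socat -h" "run test without socat"
+checktool "conntrack --version" "run test without conntrack"
+checktool "nft --version" "run test without nft"
+
+cleanup()
+{
+ip netns pids "$ns1" | xargs kill 2>/dev/null
+
+ip netns del "$ns1"
+ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+setup_ns ns1 ns2
+
+if ! ip link add veth0 netns "$ns1" type veth peer name veth0 netns "$ns2" > /dev/null 2>&1;then
+echo "SKIP: No virtual ethernet pair device support in kernel"
+exit $ksft_skip
+fi
+
+ip -net "$ns1" link set veth0 up
+ip -net "$ns2" link set veth0 up
+
+ip -net "$ns1" addr add 10.0.1.1/24 dev veth0
+ip -net "$ns1" addr add dead:1::1/64 dev veth0 nodad
+
+ip -net "$ns2" addr add 10.0.1.2/24 dev veth0
+ip -net "$ns2" addr add dead:1::2/64 dev veth0 nodad
+
+load_ruleset_family() {
+local family=$1
+local ns=$2
+
+ip netns exec "$ns" nft -f - <<EOF
+table $family raw {
+ct helper ftp {
+type "ftp" protocol tcp
+}
+chain pre {
+type filter hook prerouting priority 0; policy accept;
+tcp dport 2121 ct helper set "ftp"
+}
+chain output {
+type filter hook output priority 0; policy accept;
+tcp dport 2121 ct helper set "ftp"
+}
+}
+EOF
+return $?
+}
+
+check_for_helper()
+{
+local netns=$1
+local message=$2
+local port=$3
+
+if echo "$message" |grep -q 'ipv6';then
+local family="ipv6"
+else
+local family="ipv4"
+fi
+
+if ! ip netns exec "$netns" conntrack -L -f $family -p tcp --dport "$port" 2> /dev/null |grep -q 'helper=ftp';then
+if [ "$autoassign" -eq 0 ] ;then
+echo "FAIL: ${netns} did not show attached helper $message" 1>&2
+ret=1
+else
+echo "PASS: ${netns} did not show attached helper $message" 1>&2
+fi
+else
+if [ "$autoassign" -eq 0 ] ;then
+echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
+else
+echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2
+ret=1
+fi
+fi
+
+return 0
+}
+
+listener_ready()
+{
+ns="$1"
+port="$2"
+proto="$3"
+ss -N "$ns" -lnt -o "sport = :$port" | grep -q "$port"
+}
+
+test_helper()
+{
+local port=$1
+local autoassign=$2
+
+if [ "$autoassign" -eq 0 ] ;then
+msg="set via ruleset"
+else
+msg="auto-assign"
+fi
+
+ip netns exec "$ns2" socat -t 3 -u -4 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
+busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns2" "$port" "-4"
+
+ip netns exec "$ns1" socat -u -4 STDIN TCP:10.0.1.2:"$port" < /dev/null > /dev/null
+
+check_for_helper "$ns1" "ip $msg" "$port" "$autoassign"
+check_for_helper "$ns2" "ip $msg" "$port" "$autoassign"
+
+if [ $testipv6 -eq 0 ] ;then
+return 0
+fi
+
+ip netns exec "$ns1" conntrack -F 2> /dev/null
+ip netns exec "$ns2" conntrack -F 2> /dev/null
+
+ip netns exec "$ns2" socat -t 3 -u -6 TCP-LISTEN:"$port",reuseaddr STDOUT > /dev/null &
+busywait $BUSYWAIT_TIMEOUT listener_ready "$ns2" "$port" "-6"
+
+ip netns exec "$ns1" socat -t 3 -u -6 STDIN TCP:"[dead:1::2]":"$port" < /dev/null > /dev/null
+
+check_for_helper "$ns1" "ipv6 $msg" "$port"
+check_for_helper "$ns2" "ipv6 $msg" "$port"
+}
+
+if ! load_ruleset_family ip "$ns1"; then
+echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
+exit 1
+fi
+
+if ! load_ruleset_family ip6 "$ns1"; then
+echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
+testipv6=0
+fi
+
+if ! load_ruleset_family inet "${ns2}"; then
+echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2
+if ! load_ruleset_family ip "${ns2}"; then
+echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
+exit 1
+fi
+
+if [ "$testipv6" -eq 1 ] ;then
+if ! load_ruleset_family ip6 "$ns2"; then
+echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
+exit 1
+fi
+fi
+fi
+
+test_helper 2121 0
+ip netns exec "$ns1" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
+ip netns exec "$ns2" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
+test_helper 21 1
+
+exit $ret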
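Review bot: The SKIP message on line 152 names `${ns1}` although the ruleset that just failed to load was for `${ns2}`; it should read `echo "SKIP: ${ns2} cannot load inet ruleset" 1>&2`. `check_for_helper` reads `$autoassign` without declaring it as a parameter, so it only works because `test_helper` declares `local autoassign` and bash scoping makes that visible to the callee; the ipv4 calls pass it as a fourth argument while the ipv6 calls on lines 137-138 do not, so either pass it on all four calls and bind it with `local autoassign=$4`, or drop the extra argument everywhere and add a comment that the variable is inherited from the caller. `listener_ready` assigns `ns`, `port` and `proto` as globals (`proto` is never used), where `local ns=$1 port=$2` would avoid clobbering the script-level namespace names. `cleanup` only kills the processes of `$ns1`, but the background socat listeners are started in `$ns2`, so a run where the connect never happens can leave a listener in that namespace when `ip netns del "$ns2"` is reached.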
+2 -2
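--- a/tools/testing/selftests/netfilter/.gitignore
+++ b/tools/testing/selftests/net/netfilter/.gitignore
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0-only
-nf-queue
-connect_close
 audit_logread
+connect_close
 conntrack_dump_flush
 sctp_collision
+nf_queue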
-21
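--- a/tools/testing/selftests/netfilter/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-# Makefile for netfilter selftests
-
-TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
-conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
-nft_concat_range.sh nft_conntrack_helper.sh \
-nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
-ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
-conntrack_vrf.sh nft_synproxy.sh rpath.sh nft_audit.sh \
-conntrack_sctp_collision.sh xt_string.sh \
-bridge_netfilter.sh
-
-HOSTPKG_CONFIG := pkg-config
-
-CFLAGS += $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
-LDLIBS += $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
-
-TEST_GEN_FILES = nf-queue connect_close audit_logread sctp_collision \
-conntrack_dump_flush
-
-include ../lib.mk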
tools/testing/selftests/netfilter/audit_logread.c tools/testing/selftests/net/netfilter/audit_logread.c
-146
tools/testing/selftests/netfilter/bridge_brouter.sh
··· 1 - #!/bin/bash 2 - # 3 - # This test is for bridge 'brouting', i.e. make some packets being routed 4 - # rather than getting bridged even though they arrive on interface that is 5 - # part of a bridge. 6 - 7 - # eth0 br0 eth0 8 - # setup is: ns1 <-> ns0 <-> ns2 9 - 10 - # Kselftest framework requirement - SKIP code is 4. 11 - ksft_skip=4 12 - ret=0 13 - 14 - ebtables -V > /dev/null 2>&1 15 - if [ $? -ne 0 ];then 16 - echo "SKIP: Could not run test without ebtables" 17 - exit $ksft_skip 18 - fi 19 - 20 - ip -Version > /dev/null 2>&1 21 - if [ $? -ne 0 ];then 22 - echo "SKIP: Could not run test without ip tool" 23 - exit $ksft_skip 24 - fi 25 - 26 - ip netns add ns0 27 - ip netns add ns1 28 - ip netns add ns2 29 - 30 - ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 31 - if [ $? -ne 0 ]; then 32 - echo "SKIP: Can't create veth device" 33 - exit $ksft_skip 34 - fi 35 - ip link add veth1 netns ns0 type veth peer name eth0 netns ns2 36 - 37 - ip -net ns0 link set lo up 38 - ip -net ns0 link set veth0 up 39 - ip -net ns0 link set veth1 up 40 - 41 - ip -net ns0 link add br0 type bridge 42 - if [ $? -ne 0 ]; then 43 - echo "SKIP: Can't create bridge br0" 44 - exit $ksft_skip 45 - fi 46 - 47 - ip -net ns0 link set veth0 master br0 48 - ip -net ns0 link set veth1 master br0 49 - ip -net ns0 link set br0 up 50 - ip -net ns0 addr add 10.0.0.1/24 dev br0 51 - 52 - # place both in same subnet, ns1 and ns2 connected via ns0:br0 53 - for i in 1 2; do 54 - ip -net ns$i link set lo up 55 - ip -net ns$i link set eth0 up 56 - ip -net ns$i addr add 10.0.0.1$i/24 dev eth0 57 - done 58 - 59 - test_ebtables_broute() 60 - { 61 - local cipt 62 - 63 - # redirect is needed so the dstmac is rewritten to the bridge itself, 64 - # ip stack won't process OTHERHOST (foreign unicast mac) packets. 65 - ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP 66 - if [ $? 
-ne 0 ]; then 67 - echo "SKIP: Could not add ebtables broute redirect rule" 68 - return $ksft_skip 69 - fi 70 - 71 - # ping netns1, expected to not work (ip forwarding is off) 72 - ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1 73 - if [ $? -eq 0 ]; then 74 - echo "ERROR: ping works, should have failed" 1>&2 75 - return 1 76 - fi 77 - 78 - # enable forwarding on both interfaces. 79 - # neither needs an ip address, but at least the bridge needs 80 - # an ip address in same network segment as ns1 and ns2 (ns0 81 - # needs to be able to determine route for to-be-forwarded packet). 82 - ip netns exec ns0 sysctl -q net.ipv4.conf.veth0.forwarding=1 83 - ip netns exec ns0 sysctl -q net.ipv4.conf.veth1.forwarding=1 84 - 85 - sleep 1 86 - 87 - ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 88 - if [ $? -ne 0 ]; then 89 - echo "ERROR: ping did not work, but it should (broute+forward)" 1>&2 90 - return 1 91 - fi 92 - 93 - echo "PASS: ns1/ns2 connectivity with active broute rule" 94 - ip netns exec ns0 ebtables -t broute -F 95 - 96 - # ping netns1, expected to work (frames are bridged) 97 - ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 98 - if [ $? -ne 0 ]; then 99 - echo "ERROR: ping did not work, but it should (bridged)" 1>&2 100 - return 1 101 - fi 102 - 103 - ip netns exec ns0 ebtables -t filter -A FORWARD -p ipv4 --ip-protocol icmp -j DROP 104 - 105 - # ping netns1, expected to not work (DROP in bridge forward) 106 - ip netns exec ns1 ping -q -c 1 10.0.0.12 > /dev/null 2>&1 107 - if [ $? -eq 0 ]; then 108 - echo "ERROR: ping works, should have failed (icmp forward drop)" 1>&2 109 - return 1 110 - fi 111 - 112 - # re-activate brouter 113 - ip netns exec ns0 ebtables -t broute -A BROUTING -p ipv4 --ip-protocol icmp -j redirect --redirect-target=DROP 114 - 115 - ip netns exec ns2 ping -q -c 1 10.0.0.11 > /dev/null 116 - if [ $? 
-ne 0 ]; then 117 - echo "ERROR: ping did not work, but it should (broute+forward 2)" 1>&2 118 - return 1 119 - fi 120 - 121 - echo "PASS: ns1/ns2 connectivity with active broute rule and bridge forward drop" 122 - return 0 123 - } 124 - 125 - # test basic connectivity 126 - ip netns exec ns1 ping -c 1 -q 10.0.0.12 > /dev/null 127 - if [ $? -ne 0 ]; then 128 - echo "ERROR: Could not reach ns2 from ns1" 1>&2 129 - ret=1 130 - fi 131 - 132 - ip netns exec ns2 ping -c 1 -q 10.0.0.11 > /dev/null 133 - if [ $? -ne 0 ]; then 134 - echo "ERROR: Could not reach ns1 from ns2" 1>&2 135 - ret=1 136 - fi 137 - 138 - if [ $ret -eq 0 ];then 139 - echo "PASS: netns connectivity: ns1 and ns2 can reach each other" 140 - fi 141 - 142 - test_ebtables_broute 143 - ret=$? 144 - for i in 0 1 2; do ip netns del ns$i;done 145 - 146 - exit $ret
-188
tools/testing/selftests/netfilter/bridge_netfilter.sh
··· 1 - #!/bin/bash 2 - # SPDX-License-Identifier: GPL-2.0 3 - # 4 - # Test bridge netfilter + conntrack, a combination that doesn't really work, 5 - # with multicast/broadcast packets racing for hash table insertion. 6 - 7 - # eth0 br0 eth0 8 - # setup is: ns1 <->,ns0 <-> ns3 9 - # ns2 <-' `'-> ns4 10 - 11 - # Kselftest framework requirement - SKIP code is 4. 12 - ksft_skip=4 13 - ret=0 14 - 15 - sfx=$(mktemp -u "XXXXXXXX") 16 - ns0="ns0-$sfx" 17 - ns1="ns1-$sfx" 18 - ns2="ns2-$sfx" 19 - ns3="ns3-$sfx" 20 - ns4="ns4-$sfx" 21 - 22 - ebtables -V > /dev/null 2>&1 23 - if [ $? -ne 0 ];then 24 - echo "SKIP: Could not run test without ebtables" 25 - exit $ksft_skip 26 - fi 27 - 28 - ip -Version > /dev/null 2>&1 29 - if [ $? -ne 0 ];then 30 - echo "SKIP: Could not run test without ip tool" 31 - exit $ksft_skip 32 - fi 33 - 34 - for i in $(seq 0 4); do 35 - eval ip netns add \$ns$i 36 - done 37 - 38 - cleanup() { 39 - for i in $(seq 0 4); do eval ip netns del \$ns$i;done 40 - } 41 - 42 - trap cleanup EXIT 43 - 44 - do_ping() 45 - { 46 - fromns="$1" 47 - dstip="$2" 48 - 49 - ip netns exec $fromns ping -c 1 -q $dstip > /dev/null 50 - if [ $? -ne 0 ]; then 51 - echo "ERROR: ping from $fromns to $dstip" 52 - ip netns exec ${ns0} nft list ruleset 53 - ret=1 54 - fi 55 - } 56 - 57 - bcast_ping() 58 - { 59 - fromns="$1" 60 - dstip="$2" 61 - 62 - for i in $(seq 1 1000); do 63 - ip netns exec $fromns ping -q -f -b -c 1 -q $dstip > /dev/null 2>&1 64 - if [ $? -ne 0 ]; then 65 - echo "ERROR: ping -b from $fromns to $dstip" 66 - ip netns exec ${ns0} nft list ruleset 67 - fi 68 - done 69 - } 70 - 71 - ip link add veth1 netns ${ns0} type veth peer name eth0 netns ${ns1} 72 - if [ $? 
-ne 0 ]; then 73 - echo "SKIP: Can't create veth device" 74 - exit $ksft_skip 75 - fi 76 - 77 - ip link add veth2 netns ${ns0} type veth peer name eth0 netns $ns2 78 - ip link add veth3 netns ${ns0} type veth peer name eth0 netns $ns3 79 - ip link add veth4 netns ${ns0} type veth peer name eth0 netns $ns4 80 - 81 - ip -net ${ns0} link set lo up 82 - 83 - for i in $(seq 1 4); do 84 - ip -net ${ns0} link set veth$i up 85 - done 86 - 87 - ip -net ${ns0} link add br0 type bridge stp_state 0 forward_delay 0 nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 1 88 - if [ $? -ne 0 ]; then 89 - echo "SKIP: Can't create bridge br0" 90 - exit $ksft_skip 91 - fi 92 - 93 - # make veth0,1,2 part of bridge. 94 - for i in $(seq 1 3); do 95 - ip -net ${ns0} link set veth$i master br0 96 - done 97 - 98 - # add a macvlan on top of the bridge. 99 - MACVLAN_ADDR=ba:f3:13:37:42:23 100 - ip -net ${ns0} link add link br0 name macvlan0 type macvlan mode private 101 - ip -net ${ns0} link set macvlan0 address ${MACVLAN_ADDR} 102 - ip -net ${ns0} link set macvlan0 up 103 - ip -net ${ns0} addr add 10.23.0.1/24 dev macvlan0 104 - 105 - # add a macvlan on top of veth4. 106 - MACVLAN_ADDR=ba:f3:13:37:42:24 107 - ip -net ${ns0} link add link veth4 name macvlan4 type macvlan mode vepa 108 - ip -net ${ns0} link set macvlan4 address ${MACVLAN_ADDR} 109 - ip -net ${ns0} link set macvlan4 up 110 - 111 - # make the macvlan part of the bridge. 112 - # veth4 is not a bridge port, only the macvlan on top of it. 113 - ip -net ${ns0} link set macvlan4 master br0 114 - 115 - ip -net ${ns0} link set br0 up 116 - ip -net ${ns0} addr add 10.0.0.1/24 dev br0 117 - ip netns exec ${ns0} sysctl -q net.bridge.bridge-nf-call-iptables=1 118 - ret=$? 119 - if [ $ret -ne 0 ] ; then 120 - echo "SKIP: bridge netfilter not available" 121 - ret=$ksft_skip 122 - fi 123 - 124 - # for testing, so namespaces will reply to ping -b probes. 
125 - ip netns exec ${ns0} sysctl -q net.ipv4.icmp_echo_ignore_broadcasts=0 126 - 127 - # enable conntrack in ns0 and drop broadcast packets in forward to 128 - # avoid them from getting confirmed in the postrouting hook before 129 - # the cloned skb is passed up the stack. 130 - ip netns exec ${ns0} nft -f - <<EOF 131 - table ip filter { 132 - chain input { 133 - type filter hook input priority 1; policy accept 134 - iifname br0 counter 135 - ct state new accept 136 - } 137 - } 138 - 139 - table bridge filter { 140 - chain forward { 141 - type filter hook forward priority 0; policy accept 142 - meta pkttype broadcast ip protocol icmp counter drop 143 - } 144 - } 145 - EOF 146 - 147 - # place 1, 2 & 3 in same subnet, connected via ns0:br0. 148 - # ns4 is placed in same subnet as well, but its not 149 - # part of the bridge: the corresponding veth4 is not 150 - # part of the bridge, only its macvlan interface. 151 - for i in $(seq 1 4); do 152 - eval ip -net \$ns$i link set lo up 153 - eval ip -net \$ns$i link set eth0 up 154 - done 155 - for i in $(seq 1 2); do 156 - eval ip -net \$ns$i addr add 10.0.0.1$i/24 dev eth0 157 - done 158 - 159 - ip -net ${ns3} addr add 10.23.0.13/24 dev eth0 160 - ip -net ${ns4} addr add 10.23.0.14/24 dev eth0 161 - 162 - # test basic connectivity 163 - do_ping ${ns1} 10.0.0.12 164 - do_ping ${ns3} 10.23.0.1 165 - do_ping ${ns4} 10.23.0.1 166 - 167 - if [ $ret -eq 0 ];then 168 - echo "PASS: netns connectivity: ns1 can reach ns2, ns3 and ns4 can reach ns0" 169 - fi 170 - 171 - bcast_ping ${ns1} 10.0.0.255 172 - 173 - # This should deliver broadcast to macvlan0, which is on top of ns0:br0. 174 - bcast_ping ${ns3} 10.23.0.255 175 - 176 - # same, this time via veth4:macvlan4. 177 - bcast_ping ${ns4} 10.23.0.255 178 - 179 - read t < /proc/sys/kernel/tainted 180 - 181 - if [ $t -eq 0 ];then 182 - echo PASS: kernel not tainted 183 - else 184 - echo ERROR: kernel is tainted 185 - ret=1 186 - fi 187 - 188 - exit $ret
-9
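--- a/tools/testing/selftests/netfilter/config
+++ /dev/null
@@ -1,9 +0,0 @@
-CONFIG_NET_NS=y
-CONFIG_NF_TABLES_INET=y
-CONFIG_NFT_QUEUE=m
-CONFIG_NFT_NAT=m
-CONFIG_NFT_REDIR=m
-CONFIG_NFT_MASQ=m
-CONFIG_NFT_FLOW_OFFLOAD=m
-CONFIG_NF_CT_NETLINK=m
-CONFIG_AUDIT=y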
tools/testing/selftests/netfilter/connect_close.c tools/testing/selftests/net/netfilter/connect_close.c
+1 -1
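--- a/tools/testing/selftests/netfilter/conntrack_dump_flush.c
+++ b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c
@@ -10,7 +10,7 @@
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <linux/netfilter/nf_conntrack_tcp.h>
-#include "../kselftest_harness.h"
+#include "../../kselftest_harness.h"
 
 #define TEST_ZONE_ID 123
 #define NF_CT_DEFAULT_ZONE_ID 0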
+71 -108
tools/testing/selftests/netfilter/conntrack_icmp_related.sh tools/testing/selftests/net/netfilter/conntrack_icmp_related.sh
··· 14 14 # check the icmp errors are propagated to the correct host as per 15 15 # nat of "established" icmp-echo "connection". 16 16 17 - # Kselftest framework requirement - SKIP code is 4. 18 - ksft_skip=4 19 - ret=0 17 + source lib.sh 20 18 21 - nft --version > /dev/null 2>&1 22 - if [ $? -ne 0 ];then 19 + if ! nft --version > /dev/null 2>&1;then 23 20 echo "SKIP: Could not run test without nft tool" 24 21 exit $ksft_skip 25 22 fi 26 23 27 - ip -Version > /dev/null 2>&1 28 - if [ $? -ne 0 ];then 29 - echo "SKIP: Could not run test without ip tool" 30 - exit $ksft_skip 31 - fi 32 - 33 24 cleanup() { 34 - for i in 1 2;do ip netns del nsclient$i;done 35 - for i in 1 2;do ip netns del nsrouter$i;done 25 + cleanup_all_ns 36 26 } 37 27 38 28 trap cleanup EXIT 39 29 40 - ipv4() { 41 - echo -n 192.168.$1.2 42 - } 30 + setup_ns nsclient1 nsclient2 nsrouter1 nsrouter2 43 31 44 - ipv6 () { 45 - echo -n dead:$1::2 32 + ret=0 33 + 34 + add_addr() 35 + { 36 + ns=$1 37 + dev=$2 38 + i=$3 39 + 40 + ip -net "$ns" link set "$dev" up 41 + ip -net "$ns" addr add "192.168.$i.2/24" dev "$dev" 42 + ip -net "$ns" addr add "dead:$i::2/64" dev "$dev" nodad 46 43 } 47 44 48 45 check_counter() ··· 49 52 expect=$3 50 53 local lret=0 51 54 52 - cnt=$(ip netns exec $ns nft list counter inet filter "$name" | grep -q "$expect") 53 - if [ $? -ne 0 ]; then 55 + if ! ip netns exec "$ns" nft list counter inet filter "$name" | grep -q "$expect"; then 54 56 echo "ERROR: counter $name in $ns has unexpected value (expected $expect)" 1>&2 55 - ip netns exec $ns nft list counter inet filter "$name" 1>&2 57 + ip netns exec "$ns" nft list counter inet filter "$name" 1>&2 56 58 lret=1 57 59 fi 58 60 ··· 61 65 check_unknown() 62 66 { 63 67 expect="packets 0 bytes 0" 64 - for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do 65 - check_counter $n "unknown" "$expect" 66 - if [ $? -ne 0 ] ;then 68 + for n in ${nsclient1} ${nsclient2} ${nsrouter1} ${nsrouter2}; do 69 + if ! 
check_counter "$n" "unknown" "$expect"; then 67 70 return 1 68 71 fi 69 72 done ··· 70 75 return 0 71 76 } 72 77 73 - for n in nsclient1 nsclient2 nsrouter1 nsrouter2; do 74 - ip netns add $n 75 - ip -net $n link set lo up 76 - done 77 - 78 78 DEV=veth0 79 - ip link add $DEV netns nsclient1 type veth peer name eth1 netns nsrouter1 80 - DEV=veth0 81 - ip link add $DEV netns nsclient2 type veth peer name eth1 netns nsrouter2 79 + ip link add "$DEV" netns "$nsclient1" type veth peer name eth1 netns "$nsrouter1" 80 + ip link add "$DEV" netns "$nsclient2" type veth peer name eth1 netns "$nsrouter2" 81 + ip link add "$DEV" netns "$nsrouter1" type veth peer name eth2 netns "$nsrouter2" 82 82 83 - DEV=veth0 84 - ip link add $DEV netns nsrouter1 type veth peer name eth2 netns nsrouter2 83 + add_addr "$nsclient1" $DEV 1 84 + add_addr "$nsclient2" $DEV 2 85 85 86 - DEV=veth0 87 - for i in 1 2; do 88 - ip -net nsclient$i link set $DEV up 89 - ip -net nsclient$i addr add $(ipv4 $i)/24 dev $DEV 90 - ip -net nsclient$i addr add $(ipv6 $i)/64 dev $DEV 91 - done 86 + ip -net "$nsrouter1" link set eth1 up 87 + ip -net "$nsrouter1" link set $DEV up 92 88 93 - ip -net nsrouter1 link set eth1 up 94 - ip -net nsrouter1 link set veth0 up 89 + ip -net "$nsrouter2" link set eth1 mtu 1280 up 90 + ip -net "$nsrouter2" link set eth2 up 95 91 96 - ip -net nsrouter2 link set eth1 up 97 - ip -net nsrouter2 link set eth2 up 92 + ip -net "$nsclient1" route add default via 192.168.1.1 93 + ip -net "$nsclient1" -6 route add default via dead:1::1 98 94 99 - ip -net nsclient1 route add default via 192.168.1.1 100 - ip -net nsclient1 -6 route add default via dead:1::1 95 + ip -net "$nsclient2" route add default via 192.168.2.1 96 + ip -net "$nsclient2" route add default via dead:2::1 97 + ip -net "$nsclient2" link set veth0 mtu 1280 101 98 102 - ip -net nsclient2 route add default via 192.168.2.1 103 - ip -net nsclient2 route add default via dead:2::1 99 + ip -net "$nsrouter1" addr add 192.168.1.1/24 
dev eth1 100 + ip -net "$nsrouter1" addr add 192.168.3.1/24 dev veth0 101 + ip -net "$nsrouter1" addr add dead:1::1/64 dev eth1 nodad 102 + ip -net "$nsrouter1" addr add dead:3::1/64 dev veth0 nodad 103 + ip -net "$nsrouter1" route add default via 192.168.3.10 104 + ip -net "$nsrouter1" -6 route add default via dead:3::10 104 105 105 - i=3 106 - ip -net nsrouter1 addr add 192.168.1.1/24 dev eth1 107 - ip -net nsrouter1 addr add 192.168.3.1/24 dev veth0 108 - ip -net nsrouter1 addr add dead:1::1/64 dev eth1 109 - ip -net nsrouter1 addr add dead:3::1/64 dev veth0 110 - ip -net nsrouter1 route add default via 192.168.3.10 111 - ip -net nsrouter1 -6 route add default via dead:3::10 106 + ip -net "$nsrouter2" addr add 192.168.2.1/24 dev eth1 107 + ip -net "$nsrouter2" addr add 192.168.3.10/24 dev eth2 108 + ip -net "$nsrouter2" addr add dead:2::1/64 dev eth1 nodad 109 + ip -net "$nsrouter2" addr add dead:3::10/64 dev eth2 nodad 110 + ip -net "$nsrouter2" route add default via 192.168.3.1 111 + ip -net "$nsrouter2" route add default via dead:3::1 112 112 113 - ip -net nsrouter2 addr add 192.168.2.1/24 dev eth1 114 - ip -net nsrouter2 addr add 192.168.3.10/24 dev eth2 115 - ip -net nsrouter2 addr add dead:2::1/64 dev eth1 116 - ip -net nsrouter2 addr add dead:3::10/64 dev eth2 117 - ip -net nsrouter2 route add default via 192.168.3.1 118 - ip -net nsrouter2 route add default via dead:3::1 119 - 120 - sleep 2 121 113 for i in 4 6; do 122 - ip netns exec nsrouter1 sysctl -q net.ipv$i.conf.all.forwarding=1 123 - ip netns exec nsrouter2 sysctl -q net.ipv$i.conf.all.forwarding=1 114 + ip netns exec "$nsrouter1" sysctl -q net.ipv$i.conf.all.forwarding=1 115 + ip netns exec "$nsrouter2" sysctl -q net.ipv$i.conf.all.forwarding=1 124 116 done 125 117 126 - for netns in nsrouter1 nsrouter2; do 127 - ip netns exec $netns nft -f - <<EOF 118 + for netns in "$nsrouter1" "$nsrouter2"; do 119 + ip netns exec "$netns" nft -f - <<EOF 128 120 table inet filter { 129 121 counter unknown { } 
130 122 counter related { } ··· 126 144 EOF 127 145 done 128 146 129 - ip netns exec nsclient1 nft -f - <<EOF 147 + ip netns exec "$nsclient1" nft -f - <<EOF 130 148 table inet filter { 131 149 counter unknown { } 132 150 counter related { } ··· 146 164 } 147 165 EOF 148 166 149 - ip netns exec nsclient2 nft -f - <<EOF 167 + ip netns exec "$nsclient2" nft -f - <<EOF 150 168 table inet filter { 151 169 counter unknown { } 152 170 counter new { } ··· 171 189 } 172 190 EOF 173 191 174 - 175 192 # make sure NAT core rewrites adress of icmp error if nat is used according to 176 193 # conntrack nat information (icmp error will be directed at nsrouter1 address, 177 194 # but it needs to be routed to nsclient1 address). 178 - ip netns exec nsrouter1 nft -f - <<EOF 195 + ip netns exec "$nsrouter1" nft -f - <<EOF 179 196 table ip nat { 180 197 chain postrouting { 181 198 type nat hook postrouting priority 0; policy accept; ··· 189 208 } 190 209 EOF 191 210 192 - ip netns exec nsrouter2 ip link set eth1 mtu 1280 193 - ip netns exec nsclient2 ip link set veth0 mtu 1280 194 - sleep 1 195 - 196 - ip netns exec nsclient1 ping -c 1 -s 1000 -q -M do 192.168.2.2 >/dev/null 197 - if [ $? -ne 0 ]; then 211 + if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q -M "do" 192.168.2.2 >/dev/null; then 198 212 echo "ERROR: netns ip routing/connectivity broken" 1>&2 199 - cleanup 200 213 exit 1 201 214 fi 202 - ip netns exec nsclient1 ping6 -q -c 1 -s 1000 dead:2::2 >/dev/null 203 - if [ $? -ne 0 ]; then 215 + if ! ip netns exec "$nsclient1" ping -c 1 -s 1000 -q dead:2::2 >/dev/null; then 204 216 echo "ERROR: netns ipv6 routing/connectivity broken" 1>&2 205 - cleanup 206 217 exit 1 207 218 fi 208 219 209 - check_unknown 210 - if [ $? -ne 0 ]; then 220 + if ! check_unknown; then 211 221 ret=1 212 222 fi 213 223 214 224 expect="packets 0 bytes 0" 215 - for netns in nsrouter1 nsrouter2 nsclient1;do 216 - check_counter "$netns" "related" "$expect" 217 - if [ $? 
-ne 0 ]; then 225 + for netns in "$nsrouter1" "$nsrouter2" "$nsclient1";do 226 + if ! check_counter "$netns" "related" "$expect"; then 218 227 ret=1 219 228 fi 220 229 done 221 230 222 231 expect="packets 2 bytes 2076" 223 - check_counter nsclient2 "new" "$expect" 224 - if [ $? -ne 0 ]; then 232 + if ! check_counter "$nsclient2" "new" "$expect"; then 225 233 ret=1 226 234 fi 227 235 228 - ip netns exec nsclient1 ping -q -c 1 -s 1300 -M do 192.168.2.2 > /dev/null 229 - if [ $? -eq 0 ]; then 236 + if ip netns exec "$nsclient1" ping -W 0.5 -q -c 1 -s 1300 -M "do" 192.168.2.2 > /dev/null; then 230 237 echo "ERROR: ping should have failed with PMTU too big error" 1>&2 231 238 ret=1 232 239 fi ··· 222 253 # nsrouter2 should have generated the icmp error, so 223 254 # related counter should be 0 (its in forward). 224 255 expect="packets 0 bytes 0" 225 - check_counter "nsrouter2" "related" "$expect" 226 - if [ $? -ne 0 ]; then 256 + if ! check_counter "$nsrouter2" "related" "$expect"; then 227 257 ret=1 228 258 fi 229 259 230 260 # but nsrouter1 should have seen it, same for nsclient1. 231 261 expect="packets 1 bytes 576" 232 - for netns in nsrouter1 nsclient1;do 233 - check_counter "$netns" "related" "$expect" 234 - if [ $? -ne 0 ]; then 262 + for netns in ${nsrouter1} ${nsclient1};do 263 + if ! check_counter "$netns" "related" "$expect"; then 235 264 ret=1 236 265 fi 237 266 done 238 267 239 - ip netns exec nsclient1 ping6 -c 1 -s 1300 dead:2::2 > /dev/null 240 - if [ $? -eq 0 ]; then 268 + if ip netns exec "${nsclient1}" ping6 -W 0.5 -c 1 -s 1300 dead:2::2 > /dev/null; then 241 269 echo "ERROR: ping6 should have failed with PMTU too big error" 1>&2 242 270 ret=1 243 271 fi 244 272 245 273 expect="packets 2 bytes 1856" 246 - for netns in nsrouter1 nsclient1;do 247 - check_counter "$netns" "related" "$expect" 248 - if [ $? -ne 0 ]; then 274 + for netns in "${nsrouter1}" "${nsclient1}";do 275 + if ! 
check_counter "$netns" "related" "$expect"; then 249 276 ret=1 250 277 fi 251 278 done ··· 253 288 fi 254 289 255 290 # add 'bad' route, expect icmp REDIRECT to be generated 256 - ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1 257 - ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1 291 + ip netns exec "${nsclient1}" ip route add 192.168.1.42 via 192.168.1.1 292 + ip netns exec "${nsclient1}" ip route add dead:1::42 via dead:1::1 258 293 259 - ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null 294 + ip netns exec "$nsclient1" ping -W 1 -q -i 0.5 -c 2 192.168.1.42 > /dev/null 260 295 261 296 expect="packets 1 bytes 112" 262 - check_counter nsclient1 "redir4" "$expect" 263 - if [ $? -ne 0 ];then 297 + if ! check_counter "$nsclient1" "redir4" "$expect"; then 264 298 ret=1 265 299 fi 266 300 267 - ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null 301 + ip netns exec "$nsclient1" ping -W 1 -c 1 dead:1::42 > /dev/null 268 302 expect="packets 1 bytes 192" 269 - check_counter nsclient1 "redir6" "$expect" 270 - if [ $? -ne 0 ];then 303 + if ! check_counter "$nsclient1" "redir6" "$expect"; then 271 304 ret=1 272 305 fi 273 306
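Review bot: The new `add_addr` helper (lines 34-43) assigns `ns`, `dev` and `i` without `local`, so every call overwrites script-level variables of the same name; `local ns=$1 dev=$2 i=$3` keeps it self-contained and matches the `local lret` already used in `check_counter`. The ipv6 default routes for `$nsclient2` (line 96) and `$nsrouter2` (line 111) are added without `-6`, unlike the `$nsclient1`/`$nsrouter1` lines right above them; this presumably relies on iproute2 inferring the family from the gateway address, and making the four lines uniform removes the doubt. `$DEV` is quoted on lines 79-81 but left unquoted on lines 83-84 and 87, which is harmless for the fixed value `veth0` but inconsistent with the quoting this rewrite otherwise adds.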
-89
tools/testing/selftests/netfilter/conntrack_sctp_collision.sh
··· 1 - #!/bin/bash 2 - # SPDX-License-Identifier: GPL-2.0 3 - # 4 - # Testing For SCTP COLLISION SCENARIO as Below: 5 - # 6 - # 14:35:47.655279 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [INIT] [init tag: 2017837359] 7 - # 14:35:48.353250 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [INIT] [init tag: 1187206187] 8 - # 14:35:48.353275 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [INIT ACK] [init tag: 2017837359] 9 - # 14:35:48.353283 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [COOKIE ECHO] 10 - # 14:35:48.353977 IP CLIENT_IP.PORT > SERVER_IP.PORT: sctp (1) [COOKIE ACK] 11 - # 14:35:48.855335 IP SERVER_IP.PORT > CLIENT_IP.PORT: sctp (1) [INIT ACK] [init tag: 164579970] 12 - # 13 - # TOPO: SERVER_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) CLIENT_NS 14 - 15 - CLIENT_NS=$(mktemp -u client-XXXXXXXX) 16 - CLIENT_IP="198.51.200.1" 17 - CLIENT_PORT=1234 18 - 19 - SERVER_NS=$(mktemp -u server-XXXXXXXX) 20 - SERVER_IP="198.51.100.1" 21 - SERVER_PORT=1234 22 - 23 - ROUTER_NS=$(mktemp -u router-XXXXXXXX) 24 - CLIENT_GW="198.51.200.2" 25 - SERVER_GW="198.51.100.2" 26 - 27 - # setup the topo 28 - setup() { 29 - ip net add $CLIENT_NS 30 - ip net add $SERVER_NS 31 - ip net add $ROUTER_NS 32 - ip -n $SERVER_NS link add link0 type veth peer name link1 netns $ROUTER_NS 33 - ip -n $CLIENT_NS link add link3 type veth peer name link2 netns $ROUTER_NS 34 - 35 - ip -n $SERVER_NS link set link0 up 36 - ip -n $SERVER_NS addr add $SERVER_IP/24 dev link0 37 - ip -n $SERVER_NS route add $CLIENT_IP dev link0 via $SERVER_GW 38 - 39 - ip -n $ROUTER_NS link set link1 up 40 - ip -n $ROUTER_NS link set link2 up 41 - ip -n $ROUTER_NS addr add $SERVER_GW/24 dev link1 42 - ip -n $ROUTER_NS addr add $CLIENT_GW/24 dev link2 43 - ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1 44 - 45 - ip -n $CLIENT_NS link set link3 up 46 - ip -n $CLIENT_NS addr add $CLIENT_IP/24 dev link3 47 - ip -n $CLIENT_NS route add $SERVER_IP dev link3 via $CLIENT_GW 48 - 49 - # simulate the delay on OVS 
upcall by setting up a delay for INIT_ACK with 50 - # tc on $SERVER_NS side 51 - tc -n $SERVER_NS qdisc add dev link0 root handle 1: htb 52 - tc -n $SERVER_NS class add dev link0 parent 1: classid 1:1 htb rate 100mbit 53 - tc -n $SERVER_NS filter add dev link0 parent 1: protocol ip u32 match ip protocol 132 \ 54 - 0xff match u8 2 0xff at 32 flowid 1:1 55 - tc -n $SERVER_NS qdisc add dev link0 parent 1:1 handle 10: netem delay 1200ms 56 - 57 - # simulate the ctstate check on OVS nf_conntrack 58 - ip net exec $ROUTER_NS iptables -A FORWARD -m state --state INVALID,UNTRACKED -j DROP 59 - ip net exec $ROUTER_NS iptables -A INPUT -p sctp -j DROP 60 - 61 - # use a smaller number for assoc's max_retrans to reproduce the issue 62 - modprobe sctp 63 - ip net exec $CLIENT_NS sysctl -wq net.sctp.association_max_retrans=3 64 - } 65 - 66 - cleanup() { 67 - ip net exec $CLIENT_NS pkill sctp_collision 2>&1 >/dev/null 68 - ip net exec $SERVER_NS pkill sctp_collision 2>&1 >/dev/null 69 - ip net del "$CLIENT_NS" 70 - ip net del "$SERVER_NS" 71 - ip net del "$ROUTER_NS" 72 - } 73 - 74 - do_test() { 75 - ip net exec $SERVER_NS ./sctp_collision server \ 76 - $SERVER_IP $SERVER_PORT $CLIENT_IP $CLIENT_PORT & 77 - ip net exec $CLIENT_NS ./sctp_collision client \ 78 - $CLIENT_IP $CLIENT_PORT $SERVER_IP $SERVER_PORT 79 - } 80 - 81 - # NOTE: one way to work around the issue is set a smaller hb_interval 82 - # ip net exec $CLIENT_NS sysctl -wq net.sctp.hb_interval=3500 83 - 84 - # run the test case 85 - trap cleanup EXIT 86 - setup && \ 87 - echo "Test for SCTP Collision in nf_conntrack:" && \ 88 - do_test && echo "PASS!" 89 - exit $?
-167
tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh
··· 1 - #!/bin/bash 2 - # SPDX-License-Identifier: GPL-2.0 3 - # 4 - # Check that UNREPLIED tcp conntrack will eventually timeout. 5 - # 6 - 7 - # Kselftest framework requirement - SKIP code is 4. 8 - ksft_skip=4 9 - ret=0 10 - 11 - waittime=20 12 - sfx=$(mktemp -u "XXXXXXXX") 13 - ns1="ns1-$sfx" 14 - ns2="ns2-$sfx" 15 - 16 - nft --version > /dev/null 2>&1 17 - if [ $? -ne 0 ];then 18 - echo "SKIP: Could not run test without nft tool" 19 - exit $ksft_skip 20 - fi 21 - 22 - ip -Version > /dev/null 2>&1 23 - if [ $? -ne 0 ];then 24 - echo "SKIP: Could not run test without ip tool" 25 - exit $ksft_skip 26 - fi 27 - 28 - cleanup() { 29 - ip netns pids $ns1 | xargs kill 2>/dev/null 30 - ip netns pids $ns2 | xargs kill 2>/dev/null 31 - 32 - ip netns del $ns1 33 - ip netns del $ns2 34 - } 35 - 36 - ipv4() { 37 - echo -n 192.168.$1.2 38 - } 39 - 40 - check_counter() 41 - { 42 - ns=$1 43 - name=$2 44 - expect=$3 45 - local lret=0 46 - 47 - cnt=$(ip netns exec $ns2 nft list counter inet filter "$name" | grep -q "$expect") 48 - if [ $? 
-ne 0 ]; then 49 - echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2 50 - ip netns exec $ns2 nft list counter inet filter "$name" 1>&2 51 - lret=1 52 - fi 53 - 54 - return $lret 55 - } 56 - 57 - # Create test namespaces 58 - ip netns add $ns1 || exit 1 59 - 60 - trap cleanup EXIT 61 - 62 - ip netns add $ns2 || exit 1 63 - 64 - # Connect the namespace to the host using a veth pair 65 - ip -net $ns1 link add name veth1 type veth peer name veth2 66 - ip -net $ns1 link set netns $ns2 dev veth2 67 - 68 - ip -net $ns1 link set up dev lo 69 - ip -net $ns2 link set up dev lo 70 - ip -net $ns1 link set up dev veth1 71 - ip -net $ns2 link set up dev veth2 72 - 73 - ip -net $ns2 addr add 10.11.11.2/24 dev veth2 74 - ip -net $ns2 route add default via 10.11.11.1 75 - 76 - ip netns exec $ns2 sysctl -q net.ipv4.conf.veth2.forwarding=1 77 - 78 - # add a rule inside NS so we enable conntrack 79 - ip netns exec $ns1 iptables -A INPUT -m state --state established,related -j ACCEPT 80 - 81 - ip -net $ns1 addr add 10.11.11.1/24 dev veth1 82 - ip -net $ns1 route add 10.99.99.99 via 10.11.11.2 83 - 84 - # Check connectivity works 85 - ip netns exec $ns1 ping -q -c 2 10.11.11.2 >/dev/null || exit 1 86 - 87 - ip netns exec $ns2 nc -l -p 8080 < /dev/null & 88 - 89 - # however, conntrack entries are there 90 - 91 - ip netns exec $ns2 nft -f - <<EOF 92 - table inet filter { 93 - counter connreq { } 94 - counter redir { } 95 - chain input { 96 - type filter hook input priority 0; policy accept; 97 - ct state new tcp flags syn ip daddr 10.99.99.99 tcp dport 80 counter name "connreq" accept 98 - ct state new ct status dnat tcp dport 8080 counter name "redir" accept 99 - } 100 - } 101 - EOF 102 - if [ $? 
-ne 0 ]; then 103 - echo "ERROR: Could not load nft rules" 104 - exit 1 105 - fi 106 - 107 - ip netns exec $ns2 sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10 108 - 109 - echo "INFO: connect $ns1 -> $ns2 to the virtual ip" 110 - ip netns exec $ns1 bash -c 'while true ; do 111 - nc -p 60000 10.99.99.99 80 112 - sleep 1 113 - done' & 114 - 115 - sleep 1 116 - 117 - ip netns exec $ns2 nft -f - <<EOF 118 - table inet nat { 119 - chain prerouting { 120 - type nat hook prerouting priority 0; policy accept; 121 - ip daddr 10.99.99.99 tcp dport 80 redirect to :8080 122 - } 123 - } 124 - EOF 125 - if [ $? -ne 0 ]; then 126 - echo "ERROR: Could not load nat redirect" 127 - exit 1 128 - fi 129 - 130 - count=$(ip netns exec $ns2 conntrack -L -p tcp --dport 80 2>/dev/null | wc -l) 131 - if [ $count -eq 0 ]; then 132 - echo "ERROR: $ns2 did not pick up tcp connection from peer" 133 - exit 1 134 - fi 135 - 136 - echo "INFO: NAT redirect added in ns $ns2, waiting for $waittime seconds for nat to take effect" 137 - for i in $(seq 1 $waittime); do 138 - echo -n "." 139 - 140 - sleep 1 141 - 142 - count=$(ip netns exec $ns2 conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l) 143 - if [ $count -gt 0 ]; then 144 - echo 145 - echo "PASS: redirection took effect after $i seconds" 146 - break 147 - fi 148 - 149 - m=$((i%20)) 150 - if [ $m -eq 0 ]; then 151 - echo " waited for $i seconds" 152 - fi 153 - done 154 - 155 - expect="packets 1 bytes 60" 156 - check_counter "$ns2" "redir" "$expect" 157 - if [ $? -ne 0 ]; then 158 - ret=1 159 - fi 160 - 161 - if [ $ret -eq 0 ];then 162 - echo "PASS: redirection counter has expected values" 163 - else 164 - echo "ERROR: no tcp connection was redirected" 165 - fi 166 - 167 - exit $ret
+39 -62
tools/testing/selftests/netfilter/conntrack_vrf.sh tools/testing/selftests/net/netfilter/conntrack_vrf.sh
··· 1 - #!/bin/sh 1 + #!/bin/bash 2 2 3 3 # This script demonstrates interaction of conntrack and vrf. 4 4 # The vrf driver calls the netfilter hooks again, with oif/iif ··· 28 28 # that was supposed to be fixed by the commit mentioned above to make sure 29 29 # that any fix to test case 1 won't break masquerade again. 30 30 31 - ksft_skip=4 31 + source lib.sh 32 32 33 33 IP0=172.30.30.1 34 34 IP1=172.30.30.2 35 35 PFXL=30 36 36 ret=0 37 37 38 - sfx=$(mktemp -u "XXXXXXXX") 39 - ns0="ns0-$sfx" 40 - ns1="ns1-$sfx" 41 - 42 38 cleanup() 43 39 { 44 40 ip netns pids $ns0 | xargs kill 2>/dev/null 45 41 ip netns pids $ns1 | xargs kill 2>/dev/null 46 42 47 - ip netns del $ns0 $ns1 43 + cleanup_all_ns 48 44 } 49 45 50 - nft --version > /dev/null 2>&1 51 - if [ $? -ne 0 ];then 46 + if ! nft --version > /dev/null 2>&1;then 52 47 echo "SKIP: Could not run test without nft tool" 53 48 exit $ksft_skip 54 49 fi 55 50 56 - ip -Version > /dev/null 2>&1 57 - if [ $? -ne 0 ];then 58 - echo "SKIP: Could not run test without ip tool" 51 + if ! conntrack --version > /dev/null 2>&1;then 52 + echo "SKIP: Could not run test without conntrack tool" 59 53 exit $ksft_skip 60 54 fi 61 - 62 - ip netns add "$ns0" 63 - if [ $? -ne 0 ];then 64 - echo "SKIP: Could not create net namespace $ns0" 65 - exit $ksft_skip 66 - fi 67 - ip netns add "$ns1" 68 55 69 56 trap cleanup EXIT 70 57 71 - ip netns exec $ns0 sysctl -q -w net.ipv4.conf.default.rp_filter=0 72 - ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0 73 - ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0 58 + setup_ns ns0 ns1 74 59 75 - ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1 76 - if [ $? -ne 0 ];then 60 + ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.default.rp_filter=0 61 + ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0 62 + ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0 63 + 64 + if ! 
ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1; then 77 65 echo "SKIP: Could not add veth device" 78 66 exit $ksft_skip 79 67 fi 80 68 81 - ip -net $ns0 li add tvrf type vrf table 9876 82 - if [ $? -ne 0 ];then 69 + if ! ip -net "$ns0" li add tvrf type vrf table 9876; then 83 70 echo "SKIP: Could not add vrf device" 84 71 exit $ksft_skip 85 72 fi 86 73 87 - ip -net $ns0 li set lo up 74 + ip -net "$ns0" li set veth0 master tvrf 75 + ip -net "$ns0" li set tvrf up 76 + ip -net "$ns0" li set veth0 up 77 + ip -net "$ns1" li set veth0 up 88 78 89 - ip -net $ns0 li set veth0 master tvrf 90 - ip -net $ns0 li set tvrf up 91 - ip -net $ns0 li set veth0 up 92 - ip -net $ns1 li set veth0 up 79 + ip -net "$ns0" addr add $IP0/$PFXL dev veth0 80 + ip -net "$ns1" addr add $IP1/$PFXL dev veth0 93 81 94 - ip -net $ns0 addr add $IP0/$PFXL dev veth0 95 - ip -net $ns1 addr add $IP1/$PFXL dev veth0 96 - 97 - ip netns exec $ns1 iperf3 -s > /dev/null 2>&1& 98 - if [ $? -ne 0 ];then 99 - echo "SKIP: Could not start iperf3" 100 - exit $ksft_skip 101 - fi 82 + ip netns exec "$ns1" iperf3 -s > /dev/null 2>&1 & 102 83 103 84 # test vrf ingress handling. 104 85 # The incoming connection should be placed in conntrack zone 1, 105 86 # as decided by the first iteration of the ruleset. 
106 87 test_ct_zone_in() 107 88 { 108 - ip netns exec $ns0 nft -f - <<EOF 89 + ip netns exec "$ns0" nft -f - <<EOF 109 90 table testct { 110 91 chain rawpre { 111 92 type filter hook prerouting priority raw; ··· 107 126 } 108 127 } 109 128 EOF 110 - ip netns exec $ns1 ping -W 1 -c 1 -I veth0 $IP0 > /dev/null 129 + ip netns exec "$ns1" ping -W 1 -c 1 -I veth0 "$IP0" > /dev/null 111 130 112 131 # should be in zone 1, not zone 2 113 - count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l) 114 - if [ $count -eq 1 ]; then 132 + count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l) 133 + if [ "$count" -eq 1 ]; then 115 134 echo "PASS: entry found in conntrack zone 1" 116 135 else 117 136 echo "FAIL: entry not found in conntrack zone 1" 118 - count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l) 119 - if [ $count -eq 1 ]; then 137 + count=$(ip netns exec "$ns0" conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l) 138 + if [ "$count" -eq 1 ]; then 120 139 echo "FAIL: entry found in zone 2 instead" 121 140 else 122 141 echo "FAIL: entry not in zone 1 or 2, dumping table" 123 - ip netns exec $ns0 conntrack -L 124 - ip netns exec $ns0 nft list ruleset 142 + ip netns exec "$ns0" conntrack -L 143 + ip netns exec "$ns0" nft list ruleset 125 144 fi 126 145 fi 127 146 } ··· 134 153 local qdisc=$1 135 154 136 155 if [ "$qdisc" != "default" ]; then 137 - tc -net $ns0 qdisc add dev tvrf root $qdisc 156 + tc -net "$ns0" qdisc add dev tvrf root "$qdisc" 138 157 fi 139 158 140 - ip netns exec $ns0 conntrack -F 2>/dev/null 159 + ip netns exec "$ns0" conntrack -F 2>/dev/null 141 160 142 - ip netns exec $ns0 nft -f - <<EOF 161 + ip netns exec "$ns0" nft -f - <<EOF 143 162 flush ruleset 144 163 table ip nat { 145 164 chain rawout { ··· 160 179 } 161 180 } 162 181 EOF 163 - ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null 164 - if [ $? 
-ne 0 ]; then 182 + if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null; then 165 183 echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device" 166 184 ret=1 167 185 return 168 186 fi 169 187 170 188 # must also check that nat table was evaluated on second (lower device) iteration. 171 - ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' && 172 - ip netns exec $ns0 nft list table ip nat |grep -q 'untracked counter packets [1-9]' 173 - if [ $? -eq 0 ]; then 189 + ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2' && 190 + if ip netns exec "$ns0" nft list table ip nat |grep -q 'untracked counter packets [1-9]'; then 174 191 echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)" 175 192 else 176 193 echo "FAIL: vrf rules have unexpected counter value" ··· 176 197 fi 177 198 178 199 if [ "$qdisc" != "default" ]; then 179 - tc -net $ns0 qdisc del dev tvrf root 200 + tc -net "$ns0" qdisc del dev tvrf root 180 201 fi 181 202 } 182 203 ··· 185 206 # oifname is the lower device (veth0 in this case). 186 207 test_masquerade_veth() 187 208 { 188 - ip netns exec $ns0 conntrack -F 2>/dev/null 189 - ip netns exec $ns0 nft -f - <<EOF 209 + ip netns exec "$ns0" conntrack -F 2>/dev/null 210 + ip netns exec "$ns0" nft -f - <<EOF 190 211 flush ruleset 191 212 table ip nat { 192 213 chain postrouting { ··· 195 216 } 196 217 } 197 218 EOF 198 - ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null 199 - if [ $? -ne 0 ]; then 219 + if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null; then 200 220 echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device" 201 221 ret=1 202 222 return 203 223 fi 204 224 205 225 # must also check that nat table was evaluated on second (lower device) iteration. 206 - ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' 207 - if [ $? 
-eq 0 ]; then 226 + if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2'; then 208 227 echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device" 209 228 else 210 229 echo "FAIL: vrf masq rule has unexpected counter value"
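Review bot: In test_masquerade_vrf the rewritten counter check (new lines 189–190) chains the first grep onto the `if` with `&&`, so when 'counter packets 2' is absent the whole if/else compound is skipped and the test prints neither PASS nor FAIL and leaves ret untouched, whereas the original reported FAIL for that case. Put both greps inside the condition: `if ip netns exec "$ns0" nft list table ip nat | grep -q 'counter packets 2' &&` / `   ip netns exec "$ns0" nft list table ip nat | grep -q 'untracked counter packets [1-9]'; then`. Separately, iperf3 is now started in the background with no availability check at all (the removed `$?` test after `&` never worked either), so a host without iperf3 produces a FAIL in both masquerade tests instead of the SKIP the nft and conntrack checks above give; an `iperf3 -v >/dev/null 2>&1 || { echo "SKIP: Could not run test without iperf3"; exit $ksft_skip; }` before the trap would match them. test_masquerade_vrf's signature is outside this hunk.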
+14 -30
tools/testing/selftests/netfilter/ipip-conntrack-mtu.sh tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh
··· 1 1 #!/bin/bash 2 2 # SPDX-License-Identifier: GPL-2.0 3 3 4 - # Kselftest framework requirement - SKIP code is 4. 5 - ksft_skip=4 4 + source lib.sh 6 5 7 6 # Conntrack needs to reassemble fragments in order to have complete 8 7 # packets for rule matching. Reassembly can lead to packet loss. ··· 22 23 # between Client A and Client B over WAN. Wanrouter has MTU 1400 set 23 24 # on its interfaces. 24 25 25 - rnd=$(mktemp -u XXXXXXXX) 26 26 rx=$(mktemp) 27 27 28 - r_a="ns-ra-$rnd" 29 - r_b="ns-rb-$rnd" 30 - r_w="ns-rw-$rnd" 31 - c_a="ns-ca-$rnd" 32 - c_b="ns-cb-$rnd" 33 - 34 - checktool (){ 35 - if ! $1 > /dev/null 2>&1; then 36 - echo "SKIP: Could not $2" 37 - exit $ksft_skip 38 - fi 39 - } 40 - 41 28 checktool "iptables --version" "run test without iptables" 42 - checktool "ip -Version" "run test without ip tool" 43 - checktool "which socat" "run test without socat" 44 - checktool "ip netns add ${r_a}" "create net namespace" 29 + checktool "socat -h" "run test without socat" 45 30 46 - for n in ${r_b} ${r_w} ${c_a} ${c_b};do 47 - ip netns add ${n} 48 - done 31 + setup_ns r_a r_b r_w c_a c_b 49 32 50 33 cleanup() { 51 - for n in ${r_a} ${r_b} ${r_w} ${c_a} ${c_b};do 52 - ip netns del ${n} 53 - done 34 + cleanup_all_ns 54 35 rm -f ${rx} 55 36 } 56 37 57 38 trap cleanup EXIT 39 + 40 + listener_ready() 41 + { 42 + ns="$1" 43 + port="$2" 44 + ss -N "$ns" -lnu -o "sport = :$port" | grep -q "$port" 45 + } 58 46 59 47 test_path() { 60 48 msg="$1" 61 49 62 50 ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null & 63 51 64 - sleep 1 52 + busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000 53 + 65 54 for i in 1 2 3; do 66 55 head -c1400 /dev/zero | tr "\000" "a" | \ 67 56 ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000 ··· 116 129 117 130 ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip 118 131 119 - for dev in lo veth0 veth1 ipip0; do 132 + for dev in veth0 veth1 
ipip0; do 120 133 ip -net ${r_b} link set $dev up 121 134 done 122 135 ··· 129 142 130 143 # Client A 131 144 ip -net ${c_a} addr add 192.168.10.2/24 dev veth0 132 - ip -net ${c_a} link set dev lo up 133 145 ip -net ${c_a} link set dev veth0 up 134 146 ip -net ${c_a} route add default via 192.168.10.1 135 147 136 148 # Client A 137 149 ip -net ${c_b} addr add 192.168.20.2/24 dev veth0 138 150 ip -net ${c_b} link set dev veth0 up 139 - ip -net ${c_b} link set dev lo up 140 151 ip -net ${c_b} route add default via 192.168.20.1 141 152 142 153 # Wan 143 154 ip -net ${r_w} addr add 10.2.2.254/24 dev veth0 144 155 ip -net ${r_w} addr add 10.4.4.254/24 dev veth1 145 156 146 - ip -net ${r_w} link set dev lo up 147 157 ip -net ${r_w} link set dev veth0 up mtu 1400 148 158 ip -net ${r_w} link set dev veth1 up mtu 1400 149 159
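Review bot: The new listener_ready helper assigns `ns` and `port` without `local`, so every busywait poll overwrites any script-level variables of those names; use `local ns="$1"` and `local port="$2"`. The return value of `busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000` in test_path is also discarded, so if the socat listener never binds the test still sends its three datagrams and the problem only surfaces later as a data mismatch; `busywait "$BUSYWAIT_TIMEOUT" listener_ready "$c_b" 5000 || echo "WARN: udp listener in $c_b not ready" >&2` would make the failure mode visible. test_path's body continues past this hunk.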
-228
tools/testing/selftests/netfilter/ipvs.sh
··· 1 - #!/bin/sh 2 - # SPDX-License-Identifier: GPL-2.0 3 - # 4 - # End-to-end ipvs test suite 5 - # Topology: 6 - #--------------------------------------------------------------+ 7 - # | | 8 - # ns0 | ns1 | 9 - # ----------- | ----------- ----------- | 10 - # | veth01 | --------- | veth10 | | veth12 | | 11 - # ----------- peer ----------- ----------- | 12 - # | | | | 13 - # ----------- | | | 14 - # | br0 | |----------------- peer |--------------| 15 - # ----------- | | | 16 - # | | | | 17 - # ---------- peer ---------- ----------- | 18 - # | veth02 | --------- | veth20 | | veth21 | | 19 - # ---------- | ---------- ----------- | 20 - # | ns2 | 21 - # | | 22 - #--------------------------------------------------------------+ 23 - # 24 - # We assume that all network driver are loaded 25 - # 26 - 27 - # Kselftest framework requirement - SKIP code is 4. 28 - ksft_skip=4 29 - ret=0 30 - GREEN='\033[0;92m' 31 - RED='\033[0;31m' 32 - NC='\033[0m' # No Color 33 - 34 - readonly port=8080 35 - 36 - readonly vip_v4=207.175.44.110 37 - readonly cip_v4=10.0.0.2 38 - readonly gip_v4=10.0.0.1 39 - readonly dip_v4=172.16.0.1 40 - readonly rip_v4=172.16.0.2 41 - readonly sip_v4=10.0.0.3 42 - 43 - readonly infile="$(mktemp)" 44 - readonly outfile="$(mktemp)" 45 - readonly datalen=32 46 - 47 - sysipvsnet="/proc/sys/net/ipv4/vs/" 48 - if [ ! -d $sysipvsnet ]; then 49 - modprobe -q ip_vs 50 - if [ $? -ne 0 ]; then 51 - echo "skip: could not run test without ipvs module" 52 - exit $ksft_skip 53 - fi 54 - fi 55 - 56 - ip -Version > /dev/null 2>&1 57 - if [ $? -ne 0 ]; then 58 - echo "SKIP: Could not run test without ip tool" 59 - exit $ksft_skip 60 - fi 61 - 62 - ipvsadm -v > /dev/null 2>&1 63 - if [ $? 
-ne 0 ]; then 64 - echo "SKIP: Could not run test without ipvsadm" 65 - exit $ksft_skip 66 - fi 67 - 68 - setup() { 69 - ip netns add ns0 70 - ip netns add ns1 71 - ip netns add ns2 72 - 73 - ip link add veth01 netns ns0 type veth peer name veth10 netns ns1 74 - ip link add veth02 netns ns0 type veth peer name veth20 netns ns2 75 - ip link add veth12 netns ns1 type veth peer name veth21 netns ns2 76 - 77 - ip netns exec ns0 ip link set veth01 up 78 - ip netns exec ns0 ip link set veth02 up 79 - ip netns exec ns0 ip link add br0 type bridge 80 - ip netns exec ns0 ip link set veth01 master br0 81 - ip netns exec ns0 ip link set veth02 master br0 82 - ip netns exec ns0 ip link set br0 up 83 - ip netns exec ns0 ip addr add ${cip_v4}/24 dev br0 84 - 85 - ip netns exec ns1 ip link set lo up 86 - ip netns exec ns1 ip link set veth10 up 87 - ip netns exec ns1 ip addr add ${gip_v4}/24 dev veth10 88 - ip netns exec ns1 ip link set veth12 up 89 - ip netns exec ns1 ip addr add ${dip_v4}/24 dev veth12 90 - 91 - ip netns exec ns2 ip link set lo up 92 - ip netns exec ns2 ip link set veth21 up 93 - ip netns exec ns2 ip addr add ${rip_v4}/24 dev veth21 94 - ip netns exec ns2 ip link set veth20 up 95 - ip netns exec ns2 ip addr add ${sip_v4}/24 dev veth20 96 - 97 - sleep 1 98 - 99 - dd if=/dev/urandom of="${infile}" bs="${datalen}" count=1 status=none 100 - } 101 - 102 - cleanup() { 103 - for i in 0 1 2 104 - do 105 - ip netns del ns$i > /dev/null 2>&1 106 - done 107 - 108 - if [ -f "${outfile}" ]; then 109 - rm "${outfile}" 110 - fi 111 - if [ -f "${infile}" ]; then 112 - rm "${infile}" 113 - fi 114 - } 115 - 116 - server_listen() { 117 - ip netns exec ns2 nc -l -p 8080 > "${outfile}" & 118 - server_pid=$! 
119 - sleep 0.2 120 - } 121 - 122 - client_connect() { 123 - ip netns exec ns0 timeout 2 nc -w 1 ${vip_v4} ${port} < "${infile}" 124 - } 125 - 126 - verify_data() { 127 - wait "${server_pid}" 128 - cmp "$infile" "$outfile" 2>/dev/null 129 - } 130 - 131 - test_service() { 132 - server_listen 133 - client_connect 134 - verify_data 135 - } 136 - 137 - 138 - test_dr() { 139 - ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 140 - 141 - ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1 142 - ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr 143 - ip netns exec ns1 ipvsadm -a -t ${vip_v4}:${port} -r ${rip_v4}:${port} 144 - ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 145 - 146 - # avoid incorrect arp response 147 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1 148 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2 149 - # avoid reverse route lookup 150 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0 151 - ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0 152 - ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1 153 - 154 - test_service 155 - } 156 - 157 - test_nat() { 158 - ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 159 - 160 - ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=1 161 - ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr 162 - ip netns exec ns1 ipvsadm -a -m -t ${vip_v4}:${port} -r ${rip_v4}:${port} 163 - ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 164 - 165 - ip netns exec ns2 ip link del veth20 166 - ip netns exec ns2 ip route add default via ${dip_v4} dev veth21 167 - 168 - test_service 169 - } 170 - 171 - test_tun() { 172 - ip netns exec ns0 ip route add ${vip_v4} via ${gip_v4} dev br0 173 - 174 - ip netns exec ns1 modprobe ipip 175 - ip netns exec ns1 ip link set tunl0 up 176 - ip netns exec ns1 sysctl -qw net.ipv4.ip_forward=0 177 - ip netns exec ns1 sysctl -qw net.ipv4.conf.all.send_redirects=0 178 - ip netns exec ns1 sysctl -qw 
net.ipv4.conf.default.send_redirects=0 179 - ip netns exec ns1 ipvsadm -A -t ${vip_v4}:${port} -s rr 180 - ip netns exec ns1 ipvsadm -a -i -t ${vip_v4}:${port} -r ${rip_v4}:${port} 181 - ip netns exec ns1 ip addr add ${vip_v4}/32 dev lo:1 182 - 183 - ip netns exec ns2 modprobe ipip 184 - ip netns exec ns2 ip link set tunl0 up 185 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_ignore=1 186 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.arp_announce=2 187 - ip netns exec ns2 sysctl -qw net.ipv4.conf.all.rp_filter=0 188 - ip netns exec ns2 sysctl -qw net.ipv4.conf.tunl0.rp_filter=0 189 - ip netns exec ns2 sysctl -qw net.ipv4.conf.veth21.rp_filter=0 190 - ip netns exec ns2 ip addr add ${vip_v4}/32 dev lo:1 191 - 192 - test_service 193 - } 194 - 195 - run_tests() { 196 - local errors= 197 - 198 - echo "Testing DR mode..." 199 - cleanup 200 - setup 201 - test_dr 202 - errors=$(( $errors + $? )) 203 - 204 - echo "Testing NAT mode..." 205 - cleanup 206 - setup 207 - test_nat 208 - errors=$(( $errors + $? )) 209 - 210 - echo "Testing Tunnel mode..." 211 - cleanup 212 - setup 213 - test_tun 214 - errors=$(( $errors + $? )) 215 - 216 - return $errors 217 - } 218 - 219 - trap cleanup EXIT 220 - 221 - run_tests 222 - 223 - if [ $? -ne 0 ]; then 224 - echo -e "$(basename $0): ${RED}FAIL${NC}" 225 - exit 1 226 - fi 227 - echo -e "$(basename $0): ${GREEN}PASS${NC}" 228 - exit 0
tools/testing/selftests/netfilter/nf-queue.c tools/testing/selftests/net/netfilter/nf_queue.c
-127
tools/testing/selftests/netfilter/nf_nat_edemux.sh
··· 1 - #!/bin/bash 2 - # SPDX-License-Identifier: GPL-2.0 3 - # 4 - # Test NAT source port clash resolution 5 - # 6 - 7 - # Kselftest framework requirement - SKIP code is 4. 8 - ksft_skip=4 9 - ret=0 10 - 11 - sfx=$(mktemp -u "XXXXXXXX") 12 - ns1="ns1-$sfx" 13 - ns2="ns2-$sfx" 14 - socatpid=0 15 - 16 - cleanup() 17 - { 18 - [ $socatpid -gt 0 ] && kill $socatpid 19 - ip netns del $ns1 20 - ip netns del $ns2 21 - } 22 - 23 - socat -h > /dev/null 2>&1 24 - if [ $? -ne 0 ];then 25 - echo "SKIP: Could not run test without socat" 26 - exit $ksft_skip 27 - fi 28 - 29 - iptables --version > /dev/null 2>&1 30 - if [ $? -ne 0 ];then 31 - echo "SKIP: Could not run test without iptables" 32 - exit $ksft_skip 33 - fi 34 - 35 - ip -Version > /dev/null 2>&1 36 - if [ $? -ne 0 ];then 37 - echo "SKIP: Could not run test without ip tool" 38 - exit $ksft_skip 39 - fi 40 - 41 - ip netns add "$ns1" 42 - if [ $? -ne 0 ];then 43 - echo "SKIP: Could not create net namespace $ns1" 44 - exit $ksft_skip 45 - fi 46 - 47 - trap cleanup EXIT 48 - 49 - ip netns add $ns2 50 - 51 - # Connect the namespaces using a veth pair 52 - ip link add name veth2 type veth peer name veth1 53 - ip link set netns $ns1 dev veth1 54 - ip link set netns $ns2 dev veth2 55 - 56 - ip netns exec $ns1 ip link set up dev lo 57 - ip netns exec $ns1 ip link set up dev veth1 58 - ip netns exec $ns1 ip addr add 192.168.1.1/24 dev veth1 59 - 60 - ip netns exec $ns2 ip link set up dev lo 61 - ip netns exec $ns2 ip link set up dev veth2 62 - ip netns exec $ns2 ip addr add 192.168.1.2/24 dev veth2 63 - 64 - # Create a server in one namespace 65 - ip netns exec $ns1 socat -u TCP-LISTEN:5201,fork OPEN:/dev/null,wronly=1 & 66 - socatpid=$! 67 - 68 - # Restrict source port to just one so we don't have to exhaust 69 - # all others. 
70 - ip netns exec $ns2 sysctl -q net.ipv4.ip_local_port_range="10000 10000" 71 - 72 - # add a virtual IP using DNAT 73 - ip netns exec $ns2 iptables -t nat -A OUTPUT -d 10.96.0.1/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:5201 74 - 75 - # ... and route it to the other namespace 76 - ip netns exec $ns2 ip route add 10.96.0.1 via 192.168.1.1 77 - 78 - sleep 1 79 - 80 - # add a persistent connection from the other namespace 81 - ip netns exec $ns2 socat -t 10 - TCP:192.168.1.1:5201 > /dev/null & 82 - 83 - sleep 1 84 - 85 - # ip daddr:dport will be rewritten to 192.168.1.1 5201 86 - # NAT must reallocate source port 10000 because 87 - # 192.168.1.2:10000 -> 192.168.1.1:5201 is already in use 88 - echo test | ip netns exec $ns2 socat -t 3 -u STDIN TCP:10.96.0.1:443,connect-timeout=3 >/dev/null 89 - ret=$? 90 - 91 - # Check socat can connect to 10.96.0.1:443 (aka 192.168.1.1:5201). 92 - if [ $ret -eq 0 ]; then 93 - echo "PASS: socat can connect via NAT'd address" 94 - else 95 - echo "FAIL: socat cannot connect via NAT'd address" 96 - fi 97 - 98 - # check sport clashres. 99 - ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5202 -j REDIRECT --to-ports 5201 100 - ip netns exec $ns1 iptables -t nat -A PREROUTING -p tcp --dport 5203 -j REDIRECT --to-ports 5201 101 - 102 - sleep 5 | ip netns exec $ns2 socat -t 5 -u STDIN TCP:192.168.1.1:5202,connect-timeout=5 >/dev/null & 103 - cpid1=$! 104 - sleep 1 105 - 106 - # if connect succeeds, client closes instantly due to EOF on stdin. 107 - # if connect hangs, it will time out after 5s. 108 - echo | ip netns exec $ns2 socat -t 3 -u STDIN TCP:192.168.1.1:5203,connect-timeout=5 >/dev/null & 109 - cpid2=$! 110 - 111 - time_then=$(date +%s) 112 - wait $cpid2 113 - rv=$? 114 - time_now=$(date +%s) 115 - 116 - # Check how much time has elapsed, expectation is for 117 - # 'cpid2' to connect and then exit (and no connect delay). 
118 - delta=$((time_now - time_then)) 119 - 120 - if [ $delta -lt 2 -a $rv -eq 0 ]; then 121 - echo "PASS: could connect to service via redirected ports" 122 - else 123 - echo "FAIL: socat cannot connect to service via redirect ($delta seconds elapsed, returned $rv)" 124 - ret=1 125 - fi 126 - 127 - exit $ret
tools/testing/selftests/netfilter/nft_audit.sh tools/testing/selftests/net/netfilter/nft_audit.sh
tools/testing/selftests/netfilter/nft_concat_range.sh tools/testing/selftests/net/netfilter/nft_concat_range.sh
-197
tools/testing/selftests/netfilter/nft_conntrack_helper.sh
··· 1 - #!/bin/bash 2 - # 3 - # This tests connection tracking helper assignment: 4 - # 1. can attach ftp helper to a connection from nft ruleset. 5 - # 2. auto-assign still works. 6 - # 7 - # Kselftest framework requirement - SKIP code is 4. 8 - ksft_skip=4 9 - ret=0 10 - 11 - sfx=$(mktemp -u "XXXXXXXX") 12 - ns1="ns1-$sfx" 13 - ns2="ns2-$sfx" 14 - testipv6=1 15 - 16 - cleanup() 17 - { 18 - ip netns del ${ns1} 19 - ip netns del ${ns2} 20 - } 21 - 22 - nft --version > /dev/null 2>&1 23 - if [ $? -ne 0 ];then 24 - echo "SKIP: Could not run test without nft tool" 25 - exit $ksft_skip 26 - fi 27 - 28 - ip -Version > /dev/null 2>&1 29 - if [ $? -ne 0 ];then 30 - echo "SKIP: Could not run test without ip tool" 31 - exit $ksft_skip 32 - fi 33 - 34 - conntrack -V > /dev/null 2>&1 35 - if [ $? -ne 0 ];then 36 - echo "SKIP: Could not run test without conntrack tool" 37 - exit $ksft_skip 38 - fi 39 - 40 - which nc >/dev/null 2>&1 41 - if [ $? -ne 0 ];then 42 - echo "SKIP: Could not run test without netcat tool" 43 - exit $ksft_skip 44 - fi 45 - 46 - trap cleanup EXIT 47 - 48 - ip netns add ${ns1} 49 - ip netns add ${ns2} 50 - 51 - ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1 52 - if [ $? 
-ne 0 ];then 53 - echo "SKIP: No virtual ethernet pair device support in kernel" 54 - exit $ksft_skip 55 - fi 56 - 57 - ip -net ${ns1} link set lo up 58 - ip -net ${ns1} link set veth0 up 59 - 60 - ip -net ${ns2} link set lo up 61 - ip -net ${ns2} link set veth0 up 62 - 63 - ip -net ${ns1} addr add 10.0.1.1/24 dev veth0 64 - ip -net ${ns1} addr add dead:1::1/64 dev veth0 65 - 66 - ip -net ${ns2} addr add 10.0.1.2/24 dev veth0 67 - ip -net ${ns2} addr add dead:1::2/64 dev veth0 68 - 69 - load_ruleset_family() { 70 - local family=$1 71 - local ns=$2 72 - 73 - ip netns exec ${ns} nft -f - <<EOF 74 - table $family raw { 75 - ct helper ftp { 76 - type "ftp" protocol tcp 77 - } 78 - chain pre { 79 - type filter hook prerouting priority 0; policy accept; 80 - tcp dport 2121 ct helper set "ftp" 81 - } 82 - chain output { 83 - type filter hook output priority 0; policy accept; 84 - tcp dport 2121 ct helper set "ftp" 85 - } 86 - } 87 - EOF 88 - return $? 89 - } 90 - 91 - check_for_helper() 92 - { 93 - local netns=$1 94 - local message=$2 95 - local port=$3 96 - 97 - if echo $message |grep -q 'ipv6';then 98 - local family="ipv6" 99 - else 100 - local family="ipv4" 101 - fi 102 - 103 - ip netns exec ${netns} conntrack -L -f $family -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp' 104 - if [ $? 
-ne 0 ] ; then 105 - if [ $autoassign -eq 0 ] ;then 106 - echo "FAIL: ${netns} did not show attached helper $message" 1>&2 107 - ret=1 108 - else 109 - echo "PASS: ${netns} did not show attached helper $message" 1>&2 110 - fi 111 - else 112 - if [ $autoassign -eq 0 ] ;then 113 - echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2 114 - else 115 - echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2 116 - ret=1 117 - fi 118 - fi 119 - 120 - return 0 121 - } 122 - 123 - test_helper() 124 - { 125 - local port=$1 126 - local autoassign=$2 127 - 128 - if [ $autoassign -eq 0 ] ;then 129 - msg="set via ruleset" 130 - else 131 - msg="auto-assign" 132 - fi 133 - 134 - sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null & 135 - 136 - sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null & 137 - sleep 1 138 - 139 - check_for_helper "$ns1" "ip $msg" $port $autoassign 140 - check_for_helper "$ns2" "ip $msg" $port $autoassign 141 - 142 - wait 143 - 144 - if [ $testipv6 -eq 0 ] ;then 145 - return 0 146 - fi 147 - 148 - ip netns exec ${ns1} conntrack -F 2> /dev/null 149 - ip netns exec ${ns2} conntrack -F 2> /dev/null 150 - 151 - sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null & 152 - 153 - sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null & 154 - sleep 1 155 - 156 - check_for_helper "$ns1" "ipv6 $msg" $port 157 - check_for_helper "$ns2" "ipv6 $msg" $port 158 - 159 - wait 160 - } 161 - 162 - load_ruleset_family ip ${ns1} 163 - if [ $? -ne 0 ];then 164 - echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2 165 - exit 1 166 - fi 167 - 168 - load_ruleset_family ip6 ${ns1} 169 - if [ $? -ne 0 ];then 170 - echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2 171 - testipv6=0 172 - fi 173 - 174 - load_ruleset_family inet ${ns2} 175 - if [ $? -ne 0 ];then 176 - echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2 177 - load_ruleset_family ip ${ns2} 178 - if [ $? 
-ne 0 ];then 179 - echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2 180 - exit 1 181 - fi 182 - 183 - if [ $testipv6 -eq 1 ] ;then 184 - load_ruleset_family ip6 ${ns2} 185 - if [ $? -ne 0 ];then 186 - echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2 187 - exit 1 188 - fi 189 - fi 190 - fi 191 - 192 - test_helper 2121 0 193 - ip netns exec ${ns1} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' 194 - ip netns exec ${ns2} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' 195 - test_helper 21 1 196 - 197 - exit $ret
+19 -52
tools/testing/selftests/netfilter/nft_fib.sh tools/testing/selftests/net/netfilter/nft_fib.sh
··· 3 3 # This tests the fib expression. 4 4 # 5 5 # Kselftest framework requirement - SKIP code is 4. 6 - ksft_skip=4 6 + 7 + source lib.sh 8 + 7 9 ret=0 8 10 9 - sfx=$(mktemp -u "XXXXXXXX") 10 - ns1="ns1-$sfx" 11 - ns2="ns2-$sfx" 12 - nsrouter="nsrouter-$sfx" 13 11 timeout=4 14 12 15 13 log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) 16 14 17 15 cleanup() 18 16 { 19 - ip netns del ${ns1} 20 - ip netns del ${ns2} 21 - ip netns del ${nsrouter} 17 + cleanup_all_ns 22 18 23 19 [ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns 24 20 } 25 21 26 - nft --version > /dev/null 2>&1 27 - if [ $? -ne 0 ];then 28 - echo "SKIP: Could not run test without nft tool" 29 - exit $ksft_skip 30 - fi 22 + checktool "nft --version" "run test without nft" 31 23 32 - ip -Version > /dev/null 2>&1 33 - if [ $? -ne 0 ];then 34 - echo "SKIP: Could not run test without ip tool" 35 - exit $ksft_skip 36 - fi 37 - 38 - ip netns add ${nsrouter} 39 - if [ $? -ne 0 ];then 40 - echo "SKIP: Could not create net namespace" 41 - exit $ksft_skip 42 - fi 24 + setup_ns nsrouter ns1 ns2 43 25 44 26 trap cleanup EXIT 45 27 ··· 32 50 fi 33 51 34 52 sysctl -q net.netfilter.nf_log_all_netns=1 35 - ip netns add ${ns1} 36 - ip netns add ${ns2} 37 53 38 54 load_ruleset() { 39 55 local netns=$1 ··· 75 95 } 76 96 77 97 check_drops() { 78 - dmesg | grep -q ' nft_rpfilter: ' 79 - if [ $? -eq 0 ]; then 98 + if dmesg | grep -q ' nft_rpfilter: ';then 80 99 dmesg | grep ' nft_rpfilter: ' 81 100 echo "FAIL: rpfilter did drop packets" 82 101 return 1 ··· 109 130 load_ruleset ${ns1} 110 131 load_ruleset ${ns2} 111 132 112 - ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1 113 - if [ $? -ne 0 ];then 133 + if ! 
ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then 114 134 echo "SKIP: No virtual ethernet pair device support in kernel" 115 135 exit $ksft_skip 116 136 fi 117 137 ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2} 118 138 119 - ip -net ${nsrouter} link set lo up 120 139 ip -net ${nsrouter} link set veth0 up 121 140 ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0 122 - ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 141 + ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad 123 142 124 143 ip -net ${nsrouter} link set veth1 up 125 144 ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1 126 - ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 145 + ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad 127 146 128 - ip -net ${ns1} link set lo up 129 147 ip -net ${ns1} link set eth0 up 130 - 131 - ip -net ${ns2} link set lo up 132 148 ip -net ${ns2} link set eth0 up 133 149 134 150 ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 135 - ip -net ${ns1} addr add dead:1::99/64 dev eth0 151 + ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad 136 152 ip -net ${ns1} route add default via 10.0.1.1 137 153 ip -net ${ns1} route add default via dead:1::1 138 154 139 155 ip -net ${ns2} addr add 10.0.2.99/24 dev eth0 140 - ip -net ${ns2} addr add dead:2::99/64 dev eth0 156 + ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad 141 157 ip -net ${ns2} route add default via 10.0.2.1 142 158 ip -net ${ns2} route add default via dead:2::1 143 159 ··· 140 166 local daddr4=$1 141 167 local daddr6=$2 142 168 143 - ip netns exec ${ns1} ping -c 1 -q $daddr4 > /dev/null 144 - ret=$? 145 - if [ $ret -ne 0 ];then 169 + if ! ip netns exec "$ns1" ping -c 1 -q "$daddr4" > /dev/null; then 146 170 check_drops 147 171 echo "FAIL: ${ns1} cannot reach $daddr4, ret $ret" 1>&2 148 172 return 1 149 173 fi 150 174 151 - ip netns exec ${ns1} ping -c 3 -q $daddr6 > /dev/null 152 - ret=$? 
153 - if [ $ret -ne 0 ];then 175 + if ! ip netns exec "$ns1" ping -c 1 -q "$daddr6" > /dev/null; then 154 176 check_drops 155 177 echo "FAIL: ${ns1} cannot reach $daddr6, ret $ret" 1>&2 156 178 return 1 ··· 160 190 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 161 191 ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null 162 192 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null 163 - 164 - sleep 3 165 193 166 194 test_ping 10.0.2.1 dead:2::1 || exit 1 167 195 check_drops || exit 1 ··· 178 210 ip -net ${ns1} addr del dead:1::99/64 dev eth0 179 211 180 212 ip -net ${ns1} addr add 10.0.2.99/24 dev eth0 181 - ip -net ${ns1} addr add dead:2::99/64 dev eth0 213 + ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad 182 214 183 215 ip -net ${ns1} route add default via 10.0.2.1 184 216 ip -net ${ns1} -6 route add default via dead:2::1 185 217 186 - ip -net ${nsrouter} addr add dead:2::1/64 dev veth0 218 + ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad 187 219 188 220 # switch to ruleset that doesn't log, this time 189 221 # its expected that this does drop the packets. 
··· 195 227 check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1 196 228 check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1 197 229 198 - ip netns exec ${ns1} ping -c 1 -W 1 -q 1.1.1.1 > /dev/null 230 + ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null 199 231 check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1 200 232 201 - sleep 2 202 - ip netns exec ${ns1} ping -c 3 -q 1c3::c01d > /dev/null 233 + ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null 203 234 check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1 204 235 205 236 # delete all rules ··· 207 240 ip netns exec ${nsrouter} nft flush ruleset 208 241 209 242 ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 210 - ip -net ${ns1} addr add dead:1::99/64 dev eth0 243 + ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad 211 244 212 245 ip -net ${ns1} addr del 10.0.2.99/24 dev eth0 213 246 ip -net ${ns1} addr del dead:2::99/64 dev eth0
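Review bot: The FAIL messages in test_ping (new lines 171 and 177) still print `ret $ret`, but the rewrite to the `if ! ip netns exec "$ns1" ping ...` form dropped the `ret=$?` assignment that used to precede them, so the value shown is now the script-level `ret=0` from line 9 rather than ping's exit status. Either keep the status explicitly (`ip netns exec "$ns1" ping -c 1 -q "$daddr4" > /dev/null; ret=$?` followed by `if [ $ret -ne 0 ]; then`) or drop the misleading suffix: `echo "FAIL: ${ns1} cannot reach $daddr4" 1>&2` and the matching ipv6 line. test_ping's signature line sits just outside this hunk. Separately, `exit $ksft_skip` on new line 135 now depends on lib.sh exporting ksft_skip since the local `ksft_skip=4` was removed; presumably it does, but worth confirming.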
+35 -71
tools/testing/selftests/netfilter/nft_flowtable.sh tools/testing/selftests/net/netfilter/nft_flowtable.sh
··· 14 14 # nft_flowtable.sh -o8000 -l1500 -r2000 15 15 # 16 16 17 - sfx=$(mktemp -u "XXXXXXXX") 18 - ns1="ns1-$sfx" 19 - ns2="ns2-$sfx" 20 - nsr1="nsr1-$sfx" 21 - nsr2="nsr2-$sfx" 17 + source lib.sh 22 18 23 - # Kselftest framework requirement - SKIP code is 4. 24 - ksft_skip=4 25 19 ret=0 26 20 27 21 nsin="" ··· 24 30 25 31 log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) 26 32 27 - checktool (){ 28 - if ! $1 > /dev/null 2>&1; then 29 - echo "SKIP: Could not $2" 30 - exit $ksft_skip 31 - fi 32 - } 33 - 34 33 checktool "nft --version" "run test without nft tool" 35 - checktool "ip -Version" "run test without ip tool" 36 - checktool "which nc" "run test without nc (netcat)" 37 - checktool "ip netns add $nsr1" "create net namespace $nsr1" 34 + checktool "socat -h" "run test without socat" 38 35 39 - ip netns add $ns1 40 - ip netns add $ns2 41 - ip netns add $nsr2 36 + setup_ns ns1 ns2 nsr1 nsr2 42 37 43 38 cleanup() { 44 - ip netns del $ns1 45 - ip netns del $ns2 46 - ip netns del $nsr1 47 - ip netns del $nsr2 39 + ip netns pids "$ns1" | xargs kill 2>/dev/null 40 + ip netns pids "$ns2" | xargs kill 2>/dev/null 41 + 42 + cleanup_all_ns 48 43 49 44 rm -f "$nsin" "$ns1out" "$ns2out" 50 45 ··· 49 66 50 67 ip link add veth1 netns $nsr2 type veth peer name eth0 netns $ns2 51 68 52 - for dev in lo veth0 veth1; do 53 - ip -net $nsr1 link set $dev up 54 - ip -net $nsr2 link set $dev up 69 + for dev in veth0 veth1; do 70 + ip -net "$nsr1" link set "$dev" up 71 + ip -net "$nsr2" link set "$dev" up 55 72 done 56 73 57 - ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 58 - ip -net $nsr1 addr add dead:1::1/64 dev veth0 74 + ip -net "$nsr1" addr add 10.0.1.1/24 dev veth0 75 + ip -net "$nsr1" addr add dead:1::1/64 dev veth0 nodad 59 76 60 - ip -net $nsr2 addr add 10.0.2.1/24 dev veth1 61 - ip -net $nsr2 addr add dead:2::1/64 dev veth1 77 + ip -net "$nsr2" addr add 10.0.2.1/24 dev veth1 78 + ip -net "$nsr2" addr add dead:2::1/64 dev veth1 nodad 62 79 63 80 # set different MTUs so 
we need to push packets coming from ns1 (large MTU) 64 81 # to ns2 (smaller MTU) to stack either to perform fragmentation (ip_no_pmtu_disc=1), ··· 104 121 105 122 # transfer-net between nsr1 and nsr2. 106 123 # these addresses are not used for connections. 107 - ip -net $nsr1 addr add 192.168.10.1/24 dev veth1 108 - ip -net $nsr1 addr add fee1:2::1/64 dev veth1 124 + ip -net "$nsr1" addr add 192.168.10.1/24 dev veth1 125 + ip -net "$nsr1" addr add fee1:2::1/64 dev veth1 nodad 109 126 110 - ip -net $nsr2 addr add 192.168.10.2/24 dev veth0 111 - ip -net $nsr2 addr add fee1:2::2/64 dev veth0 127 + ip -net "$nsr2" addr add 192.168.10.2/24 dev veth0 128 + ip -net "$nsr2" addr add fee1:2::2/64 dev veth0 nodad 112 129 113 130 for i in 0 1; do 114 131 ip netns exec $nsr1 sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null ··· 131 148 ip -net $ns2 addr add 10.0.2.99/24 dev eth0 132 149 ip -net $ns1 route add default via 10.0.1.1 133 150 ip -net $ns2 route add default via 10.0.2.1 134 - ip -net $ns1 addr add dead:1::99/64 dev eth0 135 - ip -net $ns2 addr add dead:2::99/64 dev eth0 151 + ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad 152 + ip -net $ns2 addr add dead:2::99/64 dev eth0 nodad 136 153 ip -net $ns1 route add default via dead:1::1 137 154 ip -net $ns2 route add default via dead:2::1 138 155 ··· 200 217 if ! 
ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then 201 218 echo "ERROR: $ns2 cannot reach $ns1" 1>&2 202 219 exit 1 203 - fi 204 - 205 - if [ $ret -eq 0 ];then 206 - echo "PASS: netns routing/connectivity: $ns1 can reach $ns2" 207 220 fi 208 221 209 222 nsin=$(mktemp) ··· 324 345 return 0 325 346 } 326 347 348 + listener_ready() 349 + { 350 + ss -N "$nsb" -lnt -o "sport = :12345" | grep -q 12345 351 + } 352 + 327 353 test_tcp_forwarding_ip() 328 354 { 329 355 local nsa=$1 ··· 337 353 local dstport=$4 338 354 local lret=0 339 355 340 - ip netns exec $nsb nc -w 5 -l -p 12345 < "$nsin" > "$ns2out" & 356 + timeout 10 ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$nsin" > "$ns2out" & 341 357 lpid=$! 342 358 343 - sleep 1 344 - ip netns exec $nsa nc -w 4 "$dstip" "$dstport" < "$nsin" > "$ns1out" & 345 - cpid=$! 359 + busywait 1000 listener_ready 346 360 347 - sleep 1 348 - 349 - prev="$(ls -l $ns1out $ns2out)" 350 - sleep 1 351 - 352 - while [[ "$prev" != "$(ls -l $ns1out $ns2out)" ]]; do 353 - sleep 1; 354 - prev="$(ls -l $ns1out $ns2out)" 355 - done 356 - 357 - if test -d /proc/"$lpid"/; then 358 - kill $lpid 359 - fi 360 - 361 - if test -d /proc/"$cpid"/; then 362 - kill $cpid 363 - fi 361 + timeout 10 ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$nsin" > "$ns1out" 364 362 365 363 wait $lpid 366 - wait $cpid 367 364 368 365 if ! 
check_transfer "$nsin" "$ns2out" "ns1 -> ns2"; then 369 366 lret=1 ··· 515 550 ip -net $nsr1 link set up dev veth0 516 551 ip -net $nsr1 link set veth0 master br0 517 552 ip -net $nsr1 addr add 10.0.1.1/24 dev br0 518 - ip -net $nsr1 addr add dead:1::1/64 dev br0 553 + ip -net $nsr1 addr add dead:1::1/64 dev br0 nodad 519 554 ip -net $nsr1 link set up dev br0 520 555 521 556 ip netns exec $nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null ··· 558 593 ip -net $ns1 link set eth0.10 up 559 594 ip -net $ns1 addr add 10.0.1.99/24 dev eth0.10 560 595 ip -net $ns1 route add default via 10.0.1.1 561 - ip -net $ns1 addr add dead:1::99/64 dev eth0.10 596 + ip -net $ns1 addr add dead:1::99/64 dev eth0.10 nodad 562 597 563 598 if ! test_tcp_forwarding_nat $ns1 $ns2 1 "bridge and VLAN"; then 564 599 echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2 ··· 581 616 ip -net $ns1 link set eth0 up 582 617 ip -net $ns1 addr add 10.0.1.99/24 dev eth0 583 618 ip -net $ns1 route add default via 10.0.1.1 584 - ip -net $ns1 addr add dead:1::99/64 dev eth0 619 + ip -net $ns1 addr add dead:1::99/64 dev eth0 nodad 585 620 ip -net $ns1 route add default via dead:1::1 586 621 ip -net $nsr1 addr add 10.0.1.1/24 dev veth0 587 - ip -net $nsr1 addr add dead:1::1/64 dev veth0 622 + ip -net $nsr1 addr add dead:1::1/64 dev veth0 nodad 588 623 ip -net $nsr1 link set up dev veth0 589 624 590 625 KEY_SHA="0x"$(ps -af | sha1sum | cut -d " " -f 1) ··· 612 647 ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow 613 648 # to fwd decrypted packets after esp processing: 614 649 ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow 615 - 616 650 } 617 651 618 652 do_esp $nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 ··· 625 661 ip -net $ns2 route add default via 10.0.2.1 626 662 ip -net $ns2 route add default via dead:2::1 
627 663 628 - if test_tcp_forwarding $ns1 $ns2; then 664 + if test_tcp_forwarding "$ns1" "$ns2"; then 629 665 check_counters "ipsec tunnel mode for ns1/ns2" 630 666 else 631 667 echo "FAIL: ipsec tunnel mode for ns1/ns2" 632 - ip netns exec $nsr1 nft list ruleset 1>&2 633 - ip netns exec $nsr1 cat /proc/net/xfrm_stat 1>&2 668 + ip netns exec "$nsr1" nft list ruleset 1>&2 669 + ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2 634 670 fi 635 671 636 672 exit $ret
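Review bot: `listener_ready()` (new lines 348-351) reads `$nsb`, which is only a `local` of its caller test_tcp_forwarding_ip; this works through bash's dynamic scoping when busywait invokes it from inside that function, but it silently probes the wrong namespace if the helper is ever called from anywhere else. The nft_nat.sh version in this same series takes the namespace and port as arguments; doing the same here — `listener_ready() { ss -N "$1" -lnt -o "sport = :12345" | grep -q 12345; }` and `busywait 1000 listener_ready "$nsb"` — keeps the two scripts consistent and removes the hidden dependency. The return value of `busywait` on new line 359 is also ignored, so a listener that never comes up is only reported indirectly by check_transfer; if busywait returns non-zero on timeout as the net lib helper does, `busywait 1000 listener_ready "$nsb" || echo "WARN: socat listener in $nsb not ready" 1>&2` would name the actual cause in the log.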
tools/testing/selftests/netfilter/nft_meta.sh tools/testing/selftests/net/netfilter/nft_meta.sh
+204 -272
tools/testing/selftests/netfilter/nft_nat.sh tools/testing/selftests/net/netfilter/nft_nat.sh
··· 3 3 # This test is for basic NAT functionality: snat, dnat, redirect, masquerade. 4 4 # 5 5 6 - # Kselftest framework requirement - SKIP code is 4. 7 - ksft_skip=4 6 + source lib.sh 7 + 8 8 ret=0 9 9 test_inet_nat=true 10 10 11 - sfx=$(mktemp -u "XXXXXXXX") 12 - ns0="ns0-$sfx" 13 - ns1="ns1-$sfx" 14 - ns2="ns2-$sfx" 11 + checktool "nft --version" "run test without nft tool" 12 + checktool "socat -h" "run test without socat" 15 13 16 14 cleanup() 17 15 { 18 - for i in 0 1 2; do ip netns del ns$i-"$sfx";done 16 + ip netns pids "$ns0" | xargs kill 2>/dev/null 17 + ip netns pids "$ns1" | xargs kill 2>/dev/null 18 + ip netns pids "$ns2" | xargs kill 2>/dev/null 19 + 20 + rm -f "$INFILE" "$OUTFILE" 21 + 22 + cleanup_all_ns 19 23 } 20 - 21 - nft --version > /dev/null 2>&1 22 - if [ $? -ne 0 ];then 23 - echo "SKIP: Could not run test without nft tool" 24 - exit $ksft_skip 25 - fi 26 - 27 - ip -Version > /dev/null 2>&1 28 - if [ $? -ne 0 ];then 29 - echo "SKIP: Could not run test without ip tool" 30 - exit $ksft_skip 31 - fi 32 - 33 - ip netns add "$ns0" 34 - if [ $? -ne 0 ];then 35 - echo "SKIP: Could not create net namespace $ns0" 36 - exit $ksft_skip 37 - fi 38 24 39 25 trap cleanup EXIT 40 26 41 - ip netns add "$ns1" 42 - if [ $? -ne 0 ];then 43 - echo "SKIP: Could not create net namespace $ns1" 44 - exit $ksft_skip 45 - fi 27 + INFILE=$(mktemp) 28 + OUTFILE=$(mktemp) 46 29 47 - ip netns add "$ns2" 48 - if [ $? -ne 0 ];then 49 - echo "SKIP: Could not create net namespace $ns2" 50 - exit $ksft_skip 51 - fi 30 + setup_ns ns0 ns1 ns2 52 31 53 - ip link add veth0 netns "$ns0" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1 54 - if [ $? -ne 0 ];then 32 + if ! 
ip link add veth0 netns "$ns0" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1;then 55 33 echo "SKIP: No virtual ethernet pair device support in kernel" 56 34 exit $ksft_skip 57 35 fi 58 36 ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns2" 59 37 60 - ip -net "$ns0" link set lo up 61 38 ip -net "$ns0" link set veth0 up 62 39 ip -net "$ns0" addr add 10.0.1.1/24 dev veth0 63 - ip -net "$ns0" addr add dead:1::1/64 dev veth0 40 + ip -net "$ns0" addr add dead:1::1/64 dev veth0 nodad 64 41 65 42 ip -net "$ns0" link set veth1 up 66 43 ip -net "$ns0" addr add 10.0.2.1/24 dev veth1 67 - ip -net "$ns0" addr add dead:2::1/64 dev veth1 44 + ip -net "$ns0" addr add dead:2::1/64 dev veth1 nodad 68 45 69 - for i in 1 2; do 70 - ip -net ns$i-$sfx link set lo up 71 - ip -net ns$i-$sfx link set eth0 up 72 - ip -net ns$i-$sfx addr add 10.0.$i.99/24 dev eth0 73 - ip -net ns$i-$sfx route add default via 10.0.$i.1 74 - ip -net ns$i-$sfx addr add dead:$i::99/64 dev eth0 75 - ip -net ns$i-$sfx route add default via dead:$i::1 76 - done 46 + do_config() 47 + { 48 + ns="$1" 49 + subnet="$2" 50 + 51 + ip -net "$ns" link set eth0 up 52 + ip -net "$ns" addr add "10.0.$subnet.99/24" dev eth0 53 + ip -net "$ns" route add default via "10.0.$subnet.1" 54 + ip -net "$ns" addr add "dead:$subnet::99/64" dev eth0 nodad 55 + ip -net "$ns" route add default via "dead:$subnet::1" 56 + } 57 + 58 + do_config "$ns1" 1 59 + do_config "$ns2" 2 77 60 78 61 bad_counter() 79 62 { ··· 66 83 local tag=$4 67 84 68 85 echo "ERROR: $counter counter in $ns has unexpected value (expected $expect) at $tag" 1>&2 69 - ip netns exec $ns nft list counter inet filter $counter 1>&2 86 + ip netns exec "$ns" nft list counter inet filter "$counter" 1>&2 70 87 } 71 88 72 89 check_counters() ··· 74 91 ns=$1 75 92 local lret=0 76 93 77 - cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84") 78 - if [ $? 
-ne 0 ]; then 79 - bad_counter $ns ns0in "packets 1 bytes 84" "check_counters 1" 94 + if ! ip netns exec "$ns" nft list counter inet filter ns0in | grep -q "packets 1 bytes 84";then 95 + bad_counter "$ns" ns0in "packets 1 bytes 84" "check_counters 1" 80 96 lret=1 81 97 fi 82 - cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84") 83 - if [ $? -ne 0 ]; then 84 - bad_counter $ns ns0out "packets 1 bytes 84" "check_counters 2" 98 + 99 + if ! ip netns exec "$ns" nft list counter inet filter ns0out | grep -q "packets 1 bytes 84";then 100 + bad_counter "$ns" ns0out "packets 1 bytes 84" "check_counters 2" 85 101 lret=1 86 102 fi 87 103 88 104 expect="packets 1 bytes 104" 89 - cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect") 90 - if [ $? -ne 0 ]; then 91 - bad_counter $ns ns0in6 "$expect" "check_counters 3" 105 + if ! ip netns exec "$ns" nft list counter inet filter ns0in6 | grep -q "$expect";then 106 + bad_counter "$ns" ns0in6 "$expect" "check_counters 3" 92 107 lret=1 93 108 fi 94 - cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect") 95 - if [ $? -ne 0 ]; then 96 - bad_counter $ns ns0out6 "$expect" "check_counters 4" 109 + if ! ip netns exec "$ns" nft list counter inet filter ns0out6 | grep -q "$expect";then 110 + bad_counter "$ns" ns0out6 "$expect" "check_counters 4" 97 111 lret=1 98 112 fi 99 113 ··· 102 122 local ns=$1 103 123 local lret=0 104 124 105 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in | grep -q "packets 0 bytes 0") 106 - if [ $? -ne 0 ]; then 125 + if ! ip netns exec "$ns0" nft list counter inet filter ns0in | grep -q "packets 0 bytes 0";then 107 126 bad_counter "$ns0" ns0in "packets 0 bytes 0" "check_ns0_counters 1" 108 127 lret=1 109 128 fi 110 129 111 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0") 112 - if [ $? -ne 0 ]; then 130 + if ! 
ip netns exec "$ns0" nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0";then 113 131 bad_counter "$ns0" ns0in6 "packets 0 bytes 0" 114 132 lret=1 115 133 fi 116 134 117 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out | grep -q "packets 0 bytes 0") 118 - if [ $? -ne 0 ]; then 135 + if ! ip netns exec "$ns0" nft list counter inet filter ns0out | grep -q "packets 0 bytes 0";then 119 136 bad_counter "$ns0" ns0out "packets 0 bytes 0" "check_ns0_counters 2" 120 137 lret=1 121 138 fi 122 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0") 123 - if [ $? -ne 0 ]; then 139 + if ! ip netns exec "$ns0" nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0";then 124 140 bad_counter "$ns0" ns0out6 "packets 0 bytes 0" "check_ns0_counters3 " 125 141 lret=1 126 142 fi 127 143 128 144 for dir in "in" "out" ; do 129 145 expect="packets 1 bytes 84" 130 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir} | grep -q "$expect") 131 - if [ $? -ne 0 ]; then 132 - bad_counter "$ns0" $ns$dir "$expect" "check_ns0_counters 4" 146 + if ! ip netns exec "$ns0" nft list counter inet filter "${ns}${dir}" | grep -q "$expect";then 147 + bad_counter "$ns0" "$ns${dir}" "$expect" "check_ns0_counters 4" 133 148 lret=1 134 149 fi 135 150 136 151 expect="packets 1 bytes 104" 137 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir}6 | grep -q "$expect") 138 - if [ $? -ne 0 ]; then 139 - bad_counter "$ns0" $ns$dir6 "$expect" "check_ns0_counters 5" 152 + if ! 
ip netns exec "$ns0" nft list counter inet filter "${ns}${dir}6" | grep -q "$expect";then 153 + bad_counter "$ns0" "$ns${dir}6" "$expect" "check_ns0_counters 5" 140 154 lret=1 141 155 fi 142 156 done ··· 140 166 141 167 reset_counters() 142 168 { 143 - for i in 0 1 2;do 144 - ip netns exec ns$i-$sfx nft reset counters inet > /dev/null 169 + for i in "$ns0" "$ns1" "$ns2" ;do 170 + ip netns exec "$i" nft reset counters inet > /dev/null 145 171 done 146 172 } 147 173 ··· 151 177 local lret=0 152 178 local IPF="" 153 179 154 - if [ $family = "inet" ];then 180 + if [ "$family" = "inet" ];then 155 181 IPF="ip6" 156 182 fi 157 183 ··· 169 195 fi 170 196 171 197 # ping netns1, expect rewrite to netns2 172 - ip netns exec "$ns0" ping -q -c 1 dead:1::99 > /dev/null 173 - if [ $? -ne 0 ]; then 198 + if ! ip netns exec "$ns0" ping -q -c 1 dead:1::99 > /dev/null;then 174 199 lret=1 175 200 echo "ERROR: ping6 failed" 176 201 return $lret ··· 177 204 178 205 expect="packets 0 bytes 0" 179 206 for dir in "in6" "out6" ; do 180 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 181 - if [ $? -ne 0 ]; then 207 + if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 182 208 bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat6 1" 183 209 lret=1 184 210 fi ··· 185 213 186 214 expect="packets 1 bytes 104" 187 215 for dir in "in6" "out6" ; do 188 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 189 - if [ $? -ne 0 ]; then 216 + if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 190 217 bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat6 2" 191 218 lret=1 192 219 fi ··· 194 223 # expect 0 count in ns1 195 224 expect="packets 0 bytes 0" 196 225 for dir in "in6" "out6" ; do 197 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 198 - if [ $? -ne 0 ]; then 226 + if ! 
ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 199 227 bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat6 3" 200 228 lret=1 201 229 fi ··· 203 233 # expect 1 packet in ns2 204 234 expect="packets 1 bytes 104" 205 235 for dir in "in6" "out6" ; do 206 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 207 - if [ $? -ne 0 ]; then 236 + if ! ip netns exec "$ns2" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 208 237 bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat6 4" 209 238 lret=1 210 239 fi ··· 221 252 local lret=0 222 253 local IPF="" 223 254 224 - if [ $family = "inet" ];then 255 + if [ "$family" = "inet" ];then 225 256 IPF="ip" 226 257 fi 227 258 ··· 234 265 } 235 266 EOF 236 267 if [ $? -ne 0 ]; then 237 - if [ $family = "inet" ];then 268 + if [ "$family" = "inet" ];then 238 269 echo "SKIP: inet nat tests" 239 270 test_inet_nat=false 240 271 return $ksft_skip ··· 244 275 fi 245 276 246 277 # ping netns1, expect rewrite to netns2 247 - ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null 248 - if [ $? -ne 0 ]; then 278 + if ! ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null;then 249 279 lret=1 250 280 echo "ERROR: ping failed" 251 281 return $lret ··· 252 284 253 285 expect="packets 0 bytes 0" 254 286 for dir in "in" "out" ; do 255 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 256 - if [ $? -ne 0 ]; then 257 - bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat 1" 287 + if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 288 + bad_counter "$ns0" "ns1$dir" "$expect" "test_local_dnat 1" 258 289 lret=1 259 290 fi 260 291 done 261 292 262 293 expect="packets 1 bytes 84" 263 294 for dir in "in" "out" ; do 264 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 265 - if [ $? 
-ne 0 ]; then 266 - bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 2" 295 + if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 296 + bad_counter "$ns0" "ns2$dir" "$expect" "test_local_dnat 2" 267 297 lret=1 268 298 fi 269 299 done ··· 269 303 # expect 0 count in ns1 270 304 expect="packets 0 bytes 0" 271 305 for dir in "in" "out" ; do 272 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 273 - if [ $? -ne 0 ]; then 274 - bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat 3" 306 + if ! ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect";then 307 + bad_counter "$ns1" "ns0$dir" "$expect" "test_local_dnat 3" 275 308 lret=1 276 309 fi 277 310 done ··· 278 313 # expect 1 packet in ns2 279 314 expect="packets 1 bytes 84" 280 315 for dir in "in" "out" ; do 281 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 282 - if [ $? -ne 0 ]; then 283 - bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 4" 316 + if ! ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect";then 317 + bad_counter "$ns2" "ns0$dir" "$expect" "test_local_dnat 4" 284 318 lret=1 285 319 fi 286 320 done 287 321 288 322 test $lret -eq 0 && echo "PASS: ping to $ns1 was $family NATted to $ns2" 289 323 290 - ip netns exec "$ns0" nft flush chain $family nat output 324 + ip netns exec "$ns0" nft flush chain "$family" nat output 291 325 292 326 reset_counters 293 - ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null 294 - if [ $? -ne 0 ]; then 327 + if ! ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null;then 295 328 lret=1 296 329 echo "ERROR: ping failed" 297 330 return $lret ··· 297 334 298 335 expect="packets 1 bytes 84" 299 336 for dir in "in" "out" ; do 300 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 301 - if [ $? -ne 0 ]; then 337 + if ! 
ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 302 338 bad_counter "$ns1" ns1$dir "$expect" "test_local_dnat 5" 303 339 lret=1 304 340 fi 305 341 done 306 342 expect="packets 0 bytes 0" 307 343 for dir in "in" "out" ; do 308 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 309 - if [ $? -ne 0 ]; then 344 + if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 310 345 bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 6" 311 346 lret=1 312 347 fi ··· 313 352 # expect 1 count in ns1 314 353 expect="packets 1 bytes 84" 315 354 for dir in "in" "out" ; do 316 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 317 - if [ $? -ne 0 ]; then 355 + if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 318 356 bad_counter "$ns0" ns0$dir "$expect" "test_local_dnat 7" 319 357 lret=1 320 358 fi ··· 322 362 # expect 0 packet in ns2 323 363 expect="packets 0 bytes 0" 324 364 for dir in "in" "out" ; do 325 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 326 - if [ $? -ne 0 ]; then 365 + if ! ip netns exec "$ns2" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 327 366 bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 8" 328 367 lret=1 329 368 fi ··· 333 374 return $lret 334 375 } 335 376 377 + listener_ready() 378 + { 379 + local ns="$1" 380 + local port="$2" 381 + local proto="$3" 382 + ss -N "$ns" -ln "$proto" -o "sport = :$port" | grep -q "$port" 383 + } 384 + 336 385 test_local_dnat_portonly() 337 386 { 338 387 local family=$1 339 388 local daddr=$2 340 389 local lret=0 341 - local sr_s 342 - local sr_r 343 390 344 391 ip netns exec "$ns0" nft -f /dev/stdin <<EOF 345 392 table $family nat { ··· 357 392 } 358 393 EOF 359 394 if [ $? 
-ne 0 ]; then 360 - if [ $family = "inet" ];then 395 + if [ "$family" = "inet" ];then 361 396 echo "SKIP: inet port test" 362 397 test_inet_nat=false 363 398 return ··· 366 401 return 367 402 fi 368 403 369 - echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 & 370 - sc_s=$! 404 + echo "SERVER-$family" | ip netns exec "$ns1" timeout 3 socat -u STDIN TCP-LISTEN:2000 & 371 405 372 - sleep 1 406 + busywait $BUSYWAIT_TIMEOUT listener_ready "$ns1" 2000 "-t" 373 407 374 - result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT) 408 + result=$(ip netns exec "$ns0" timeout 1 socat -u TCP:"$daddr":2000 STDOUT) 375 409 376 410 if [ "$result" = "SERVER-inet" ];then 377 411 echo "PASS: inet port rewrite without l3 address" 378 412 else 379 - echo "ERROR: inet port rewrite" 413 + echo "ERROR: inet port rewrite without l3 address, got $result" 380 414 ret=1 381 415 fi 382 416 } ··· 388 424 389 425 ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 390 426 391 - ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 392 - if [ $? -ne 0 ] ; then 427 + if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then 393 428 echo "ERROR: cannot ping $ns1 from $ns2 via ipv6" 394 429 return 1 395 - lret=1 396 430 fi 397 431 398 432 expect="packets 1 bytes 104" 399 433 for dir in "in6" "out6" ; do 400 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 401 - if [ $? -ne 0 ]; then 402 - bad_counter "$ns1" ns2$dir "$expect" "test_masquerade6 1" 434 + if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 435 + bad_counter "$ns1" "ns2$dir" "$expect" "test_masquerade6 1" 403 436 lret=1 404 437 fi 405 438 406 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 407 - if [ $? -ne 0 ]; then 408 - bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 2" 439 + if ! 
ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 440 + bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade6 2" 409 441 lret=1 410 442 fi 411 443 done ··· 422 462 return $ksft_skip 423 463 fi 424 464 425 - ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 426 - if [ $? -ne 0 ] ; then 465 + if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then 427 466 echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" 428 467 lret=1 429 468 fi ··· 430 471 # ns1 should have seen packets from ns0, due to masquerade 431 472 expect="packets 1 bytes 104" 432 473 for dir in "in6" "out6" ; do 433 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 434 - if [ $? -ne 0 ]; then 474 + if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 435 475 bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 3" 436 476 lret=1 437 477 fi 438 478 439 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 440 - if [ $? -ne 0 ]; then 479 + if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 441 480 bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 4" 442 481 lret=1 443 482 fi ··· 444 487 # ns1 should not have seen packets from ns2, due to masquerade 445 488 expect="packets 0 bytes 0" 446 489 for dir in "in6" "out6" ; do 447 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 448 - if [ $? -ne 0 ]; then 490 + if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 449 491 bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 5" 450 492 lret=1 451 493 fi 452 494 453 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 454 - if [ $? -ne 0 ]; then 455 - bad_counter "$ns0" ns1$dir "$expect" "test_masquerade6 6" 495 + if ! 
ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 496 + bad_counter "$ns0" "ns1$dir" "$expect" "test_masquerade6 6" 456 497 lret=1 457 498 fi 458 499 done 459 500 460 - ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 461 - if [ $? -ne 0 ] ; then 501 + if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then 462 502 echo "ERROR: cannot ping $ns1 from $ns2 with active ipv6 masquerade $natflags (attempt 2)" 463 503 lret=1 464 504 fi 465 505 466 - ip netns exec "$ns0" nft flush chain $family nat postrouting 467 - if [ $? -ne 0 ]; then 506 + if ! ip netns exec "$ns0" nft flush chain "$family" nat postrouting;then 468 507 echo "ERROR: Could not flush $family nat postrouting" 1>&2 469 508 lret=1 470 509 fi ··· 479 526 ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 480 527 ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 481 528 482 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 483 - if [ $? -ne 0 ] ; then 484 - echo "ERROR: cannot ping $ns1 from "$ns2" $natflags" 529 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 530 + echo "ERROR: cannot ping $ns1 from $ns2 $natflags" 485 531 lret=1 486 532 fi 487 533 488 534 expect="packets 1 bytes 84" 489 535 for dir in "in" "out" ; do 490 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 491 - if [ $? -ne 0 ]; then 492 - bad_counter "$ns1" ns2$dir "$expect" "test_masquerade 1" 536 + if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 537 + bad_counter "$ns1" "ns2$dir" "$expect" "test_masquerade 1" 493 538 lret=1 494 539 fi 495 540 496 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 497 - if [ $? -ne 0 ]; then 498 - bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 2" 541 + if ! 
ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 542 + bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade 2" 499 543 lret=1 500 544 fi 501 545 done ··· 513 563 return $ksft_skip 514 564 fi 515 565 516 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 517 - if [ $? -ne 0 ] ; then 566 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 518 567 echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" 519 568 lret=1 520 569 fi ··· 521 572 # ns1 should have seen packets from ns0, due to masquerade 522 573 expect="packets 1 bytes 84" 523 574 for dir in "in" "out" ; do 524 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 525 - if [ $? -ne 0 ]; then 526 - bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 3" 575 + if ! ip netns exec "$ns1" nft list counter inet filter "ns0${dir}" | grep -q "$expect";then 576 + bad_counter "$ns1" "ns0$dir" "$expect" "test_masquerade 3" 527 577 lret=1 528 578 fi 529 579 530 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 531 - if [ $? -ne 0 ]; then 532 - bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 4" 580 + if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 581 + bad_counter "$ns2" "ns1$dir" "$expect" "test_masquerade 4" 533 582 lret=1 534 583 fi 535 584 done ··· 535 588 # ns1 should not have seen packets from ns2, due to masquerade 536 589 expect="packets 0 bytes 0" 537 590 for dir in "in" "out" ; do 538 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 539 - if [ $? -ne 0 ]; then 540 - bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 5" 591 + if ! 
ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 592 + bad_counter "$ns1" "ns0$dir" "$expect" "test_masquerade 5" 541 593 lret=1 542 594 fi 543 595 544 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 545 - if [ $? -ne 0 ]; then 546 - bad_counter "$ns0" ns1$dir "$expect" "test_masquerade 6" 596 + if ! ip netns exec "$ns0" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 597 + bad_counter "$ns0" "ns1$dir" "$expect" "test_masquerade 6" 547 598 lret=1 548 599 fi 549 600 done 550 601 551 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 552 - if [ $? -ne 0 ] ; then 602 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 553 603 echo "ERROR: cannot ping $ns1 from $ns2 with active ip masquerade $natflags (attempt 2)" 554 604 lret=1 555 605 fi 556 606 557 - ip netns exec "$ns0" nft flush chain $family nat postrouting 558 - if [ $? -ne 0 ]; then 607 + if ! ip netns exec "$ns0" nft flush chain "$family" nat postrouting; then 559 608 echo "ERROR: Could not flush $family nat postrouting" 1>&2 560 609 lret=1 561 610 fi ··· 568 625 569 626 ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 570 627 571 - ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 572 - if [ $? -ne 0 ] ; then 628 + if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then 573 629 echo "ERROR: cannnot ping $ns1 from $ns2 via ipv6" 574 630 lret=1 575 631 fi 576 632 577 633 expect="packets 1 bytes 104" 578 634 for dir in "in6" "out6" ; do 579 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 580 - if [ $? -ne 0 ]; then 635 + if ! 
ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 581 636 bad_counter "$ns1" ns2$dir "$expect" "test_redirect6 1" 582 637 lret=1 583 638 fi 584 639 585 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 586 - if [ $? -ne 0 ]; then 640 + if ! ip netns exec "$ns2" nft list counter inet filter "ns1${dir}" | grep -q "$expect";then 587 641 bad_counter "$ns2" ns1$dir "$expect" "test_redirect6 2" 588 642 lret=1 589 643 fi ··· 602 662 return $ksft_skip 603 663 fi 604 664 605 - ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 606 - if [ $? -ne 0 ] ; then 665 + if ! ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null;then 607 666 echo "ERROR: cannot ping $ns1 from $ns2 via ipv6 with active $family redirect" 608 667 lret=1 609 668 fi ··· 610 671 # ns1 should have seen no packets from ns2, due to redirection 611 672 expect="packets 0 bytes 0" 612 673 for dir in "in6" "out6" ; do 613 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 614 - if [ $? -ne 0 ]; then 674 + if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 615 675 bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 3" 616 676 lret=1 617 677 fi ··· 619 681 # ns0 should have seen packets from ns2, due to masquerade 620 682 expect="packets 1 bytes 104" 621 683 for dir in "in6" "out6" ; do 622 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 623 - if [ $? -ne 0 ]; then 684 + if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 624 685 bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 4" 625 686 lret=1 626 687 fi 627 688 done 628 689 629 - ip netns exec "$ns0" nft delete table $family nat 630 - if [ $? -ne 0 ]; then 690 + if ! 
ip netns exec "$ns0" nft delete table "$family" nat;then 631 691 echo "ERROR: Could not delete $family nat table" 1>&2 632 692 lret=1 633 693 fi ··· 643 707 ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 644 708 ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 645 709 646 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 647 - if [ $? -ne 0 ] ; then 710 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 648 711 echo "ERROR: cannot ping $ns1 from $ns2" 649 712 lret=1 650 713 fi 651 714 652 715 expect="packets 1 bytes 84" 653 716 for dir in "in" "out" ; do 654 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 655 - if [ $? -ne 0 ]; then 656 - bad_counter "$ns1" $ns2$dir "$expect" "test_redirect 1" 717 + if ! ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 718 + bad_counter "$ns1" "$ns2$dir" "$expect" "test_redirect 1" 657 719 lret=1 658 720 fi 659 721 660 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 661 - if [ $? -ne 0 ]; then 722 + if ! ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect";then 662 723 bad_counter "$ns2" ns1$dir "$expect" "test_redirect 2" 663 724 lret=1 664 725 fi ··· 677 744 return $ksft_skip 678 745 fi 679 746 680 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 681 - if [ $? -ne 0 ] ; then 747 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 682 748 echo "ERROR: cannot ping $ns1 from $ns2 with active $family ip redirect" 683 749 lret=1 684 750 fi ··· 686 754 expect="packets 0 bytes 0" 687 755 for dir in "in" "out" ; do 688 756 689 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 690 - if [ $? -ne 0 ]; then 757 + if ! 
ip netns exec "$ns1" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 691 758 bad_counter "$ns1" ns0$dir "$expect" "test_redirect 3" 692 759 lret=1 693 760 fi ··· 695 764 # ns0 should have seen packets from ns2, due to masquerade 696 765 expect="packets 1 bytes 84" 697 766 for dir in "in" "out" ; do 698 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 699 - if [ $? -ne 0 ]; then 767 + if ! ip netns exec "$ns0" nft list counter inet filter "ns2${dir}" | grep -q "$expect";then 700 768 bad_counter "$ns0" ns0$dir "$expect" "test_redirect 4" 701 769 lret=1 702 770 fi 703 771 done 704 772 705 - ip netns exec "$ns0" nft delete table $family nat 706 - if [ $? -ne 0 ]; then 773 + if ! ip netns exec "$ns0" nft delete table "$family" nat;then 707 774 echo "ERROR: Could not delete $family nat table" 1>&2 708 775 lret=1 709 776 fi ··· 732 803 # make shadow entry, from client (ns2), going to (ns1), port 41404, sport 1405. 733 804 echo "fake-entry" | ip netns exec "$ns2" timeout 1 socat -u STDIN UDP:"$daddrc":41404,sourceport=1405 734 805 735 - echo ROUTER | ip netns exec "$ns0" timeout 5 socat -u STDIN UDP4-LISTEN:1405 & 736 - sc_r=$! 806 + echo ROUTER | ip netns exec "$ns0" timeout 3 socat -T 3 -u STDIN UDP4-LISTEN:1405 2>/dev/null & 807 + local sc_r=$! 808 + echo CLIENT | ip netns exec "$ns2" timeout 3 socat -T 3 -u STDIN UDP4-LISTEN:1405,reuseport 2>/dev/null & 809 + local sc_c=$! 737 810 738 - echo CLIENT | ip netns exec "$ns2" timeout 5 socat -u STDIN UDP4-LISTEN:1405,reuseport & 739 - sc_c=$! 740 - 741 - sleep 0.3 811 + busywait $BUSYWAIT_TIMEOUT listener_ready "$ns0" 1405 "-u" 812 + busywait $BUSYWAIT_TIMEOUT listener_ready "$ns2" 1405 "-u" 742 813 743 814 # ns1 tries to connect to ns0:1405. With default settings this should connect 744 815 # to client, it matches the conntrack entry created above. 
··· 775 846 EOF 776 847 test_port_shadow "port-filter" "ROUTER" 777 848 778 - ip netns exec "$ns0" nft delete table $family filter 849 + ip netns exec "$ns0" nft delete table "$family" filter 779 850 } 780 851 781 852 # This prevents port shadow of router service via notrack. ··· 797 868 EOF 798 869 test_port_shadow "port-notrack" "ROUTER" 799 870 800 - ip netns exec "$ns0" nft delete table $family raw 871 + ip netns exec "$ns0" nft delete table "$family" raw 801 872 } 802 873 803 874 # This prevents port shadow of router service via sport remap. ··· 815 886 EOF 816 887 test_port_shadow "pat" "ROUTER" 817 888 818 - ip netns exec "$ns0" nft delete table $family pat 889 + ip netns exec "$ns0" nft delete table "$family" pat 819 890 } 820 891 821 892 test_port_shadowing() 822 893 { 823 894 local family="ip" 824 895 825 - conntrack -h >/dev/null 2>&1 826 - if [ $? -ne 0 ];then 896 + if ! conntrack -h >/dev/null 2>&1;then 827 897 echo "SKIP: Could not run nat port shadowing test without conntrack tool" 828 898 return 829 899 fi 830 900 831 - socat -h > /dev/null 2>&1 832 - if [ $? -ne 0 ];then 901 + if ! socat -h > /dev/null 2>&1;then 833 902 echo "SKIP: Could not run nat port shadowing test without socat tool" 834 903 return 835 904 fi ··· 873 946 ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 874 947 ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 875 948 876 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 877 - if [ $? -ne 0 ] ; then 949 + if ! ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null;then 878 950 echo "ERROR: cannot ping $ns1 from $ns2 before loading stateless rules" 879 951 return 1 880 952 fi ··· 907 981 908 982 reset_counters 909 983 910 - ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 911 - if [ $? -ne 0 ] ; then 984 + if ! 
ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null; then 912 985 echo "ERROR: cannot ping $ns1 from $ns2 with stateless rules" 913 986 lret=1 914 987 fi 915 988 916 989 # ns1 should have seen packets from .2.2, due to stateless rewrite. 917 990 expect="packets 1 bytes 84" 918 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect") 919 - if [ $? -ne 0 ]; then 991 + if ! ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect";then 920 992 bad_counter "$ns1" ns0insl "$expect" "test_stateless 1" 921 993 lret=1 922 994 fi 923 995 924 996 for dir in "in" "out" ; do 925 - cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 926 - if [ $? -ne 0 ]; then 997 + if ! ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect";then 927 998 bad_counter "$ns2" ns1$dir "$expect" "test_stateless 2" 928 999 lret=1 929 1000 fi ··· 929 1006 # ns1 should not have seen packets from ns2, due to masquerade 930 1007 expect="packets 0 bytes 0" 931 1008 for dir in "in" "out" ; do 932 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 933 - if [ $? -ne 0 ]; then 1009 + if ! ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect";then 934 1010 bad_counter "$ns1" ns0$dir "$expect" "test_stateless 3" 935 1011 lret=1 936 1012 fi 937 1013 938 - cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 939 - if [ $? -ne 0 ]; then 1014 + if ! ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect";then 940 1015 bad_counter "$ns0" ns1$dir "$expect" "test_stateless 4" 941 1016 lret=1 942 1017 fi ··· 942 1021 943 1022 reset_counters 944 1023 945 - socat -h > /dev/null 2>&1 946 - if [ $? -ne 0 ];then 1024 + if ! 
socat -h > /dev/null 2>&1;then 947 1025 echo "SKIP: Could not run stateless nat frag test without socat tool" 948 1026 if [ $lret -eq 0 ]; then 949 1027 return $ksft_skip ··· 952 1032 return $lret 953 1033 fi 954 1034 955 - local tmpfile=$(mktemp) 956 - dd if=/dev/urandom of=$tmpfile bs=4096 count=1 2>/dev/null 1035 + dd if=/dev/urandom of="$INFILE" bs=4096 count=1 2>/dev/null 957 1036 958 - local outfile=$(mktemp) 959 - ip netns exec "$ns1" timeout 3 socat -u UDP4-RECV:4233 OPEN:$outfile < /dev/null & 960 - sc_r=$! 1037 + ip netns exec "$ns1" timeout 3 socat -u UDP4-RECV:4233 OPEN:"$OUTFILE" < /dev/null 2>/dev/null & 961 1038 962 - sleep 1 1039 + busywait $BUSYWAIT_TIMEOUT listener_ready "$ns1" 4233 "-u" 1040 + 963 1041 # re-do with large ping -> ip fragmentation 964 - ip netns exec "$ns2" timeout 3 socat - UDP4-SENDTO:"10.0.1.99:4233" < "$tmpfile" > /dev/null 965 - if [ $? -ne 0 ] ; then 1042 + if ! ip netns exec "$ns2" timeout 3 socat -u STDIN UDP4-SENDTO:"10.0.1.99:4233" < "$INFILE" > /dev/null;then 966 1043 echo "ERROR: failed to test udp $ns1 to $ns2 with stateless ip nat" 1>&2 967 1044 lret=1 968 1045 fi 969 1046 970 1047 wait 971 1048 972 - cmp "$tmpfile" "$outfile" 973 - if [ $? -ne 0 ]; then 974 - ls -l "$tmpfile" "$outfile" 1049 + if ! cmp "$INFILE" "$OUTFILE";then 1050 + ls -l "$INFILE" "$OUTFILE" 975 1051 echo "ERROR: in and output file mismatch when checking udp with stateless nat" 1>&2 976 1052 lret=1 977 1053 fi 978 1054 979 - rm -f "$tmpfile" "$outfile" 1055 + :> "$OUTFILE" 980 1056 981 1057 # ns1 should have seen packets from 2.2, due to stateless rewrite. 982 1058 expect="packets 3 bytes 4164" 983 - cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect") 984 - if [ $? -ne 0 ]; then 1059 + if ! 
ip netns exec "$ns1" nft list counter inet filter ns0insl | grep -q "$expect";then 985 1060 bad_counter "$ns1" ns0insl "$expect" "test_stateless 5" 986 1061 lret=1 987 1062 fi 988 1063 989 - ip netns exec "$ns0" nft delete table ip stateless 990 - if [ $? -ne 0 ]; then 1064 + if ! ip netns exec "$ns0" nft delete table ip stateless; then 991 1065 echo "ERROR: Could not delete table ip stateless" 1>&2 992 1066 lret=1 993 1067 fi ··· 992 1078 } 993 1079 994 1080 # ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 995 - for i in 0 1 2; do 996 - ip netns exec ns$i-$sfx nft -f /dev/stdin <<EOF 1081 + for i in "$ns0" "$ns1" "$ns2" ;do 1082 + ip netns exec "$i" nft -f /dev/stdin <<EOF 997 1083 table inet filter { 998 1084 counter ns0in {} 999 1085 counter ns1in {} ··· 1059 1145 1060 1146 # special case for stateless nat check, counter needs to 1061 1147 # be done before (input) ip defragmentation 1062 - ip netns exec ns1-$sfx nft -f /dev/stdin <<EOF 1148 + ip netns exec "$ns1" nft -f /dev/stdin <<EOF 1063 1149 table inet filter { 1064 1150 counter ns0insl {} 1065 1151 ··· 1070 1156 } 1071 1157 EOF 1072 1158 1073 - sleep 3 1074 - # test basic connectivity 1075 - for i in 1 2; do 1076 - ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 > /dev/null 1077 - if [ $? -ne 0 ];then 1078 - echo "ERROR: Could not reach other namespace(s)" 1>&2 1079 - ret=1 1080 - fi 1159 + ping_basic() 1160 + { 1161 + i="$1" 1162 + if ! ip netns exec "$ns0" ping -c 1 -q 10.0."$i".99 > /dev/null;then 1163 + echo "ERROR: Could not reach other namespace(s)" 1>&2 1164 + ret=1 1165 + fi 1081 1166 1082 - ip netns exec "$ns0" ping -c 1 -q dead:$i::99 > /dev/null 1083 - if [ $? -ne 0 ];then 1084 - echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2 1085 - ret=1 1086 - fi 1087 - check_counters ns$i-$sfx 1088 - if [ $? -ne 0 ]; then 1089 - ret=1 1090 - fi 1167 + if ! 
ip netns exec "$ns0" ping -c 1 -q dead:"$i"::99 > /dev/null;then 1168 + echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2 1169 + ret=1 1170 + fi 1171 + } 1091 1172 1092 - check_ns0_counters ns$i 1093 - if [ $? -ne 0 ]; then 1094 - ret=1 1095 - fi 1096 - reset_counters 1097 - done 1173 + test_basic_conn() 1174 + { 1175 + local nsexec 1176 + name="$1" 1177 + 1178 + nsexec=$(eval echo \$"$1") 1179 + 1180 + ping_basic 1 1181 + ping_basic 2 1182 + 1183 + if ! check_counters "$nsexec";then 1184 + return 1 1185 + fi 1186 + 1187 + if ! check_ns0_counters "$name";then 1188 + return 1 1189 + fi 1190 + 1191 + reset_counters 1192 + return 0 1193 + } 1194 + 1195 + if ! test_basic_conn "ns1" ; then 1196 + echo "ERROR: basic test for ns1 failed" 1>&2 1197 + exit 1 1198 + fi 1199 + if ! test_basic_conn "ns2"; then 1200 + echo "ERROR: basic test for ns1 failed" 1>&2 1201 + fi 1098 1202 1099 1203 if [ $ret -eq 0 ];then 1100 1204 echo "PASS: netns routing/connectivity: $ns0 can reach $ns1 and $ns2"
tools/testing/selftests/netfilter/nft_nat_zones.sh tools/testing/selftests/net/netfilter/nft_nat_zones.sh
+9 -9
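--- a/tools/testing/selftests/netfilter/nft_queue.sh
+++ b/tools/testing/selftests/net/netfilter/nft_queue.sh
@@ -222,9 +222,9 @@
 local expected=$1
 local last=""
 
-# spawn nf-queue listeners
-ip netns exec ${nsrouter} ./nf-queue -c -q 0 -t $timeout > "$TMPFILE0" &
-ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE1" &
+# spawn nf_queue listeners
+ip netns exec ${nsrouter} ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" &
+ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" &
 sleep 1
 test_ping
 ret=$?
@@ -259,7 +259,7 @@
 
 test_tcp_forward()
 {
-ip netns exec ${nsrouter} ./nf-queue -q 2 -t $timeout &
+ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout &
 local nfqpid=$!
 
 tmpfile=$(mktemp) || exit 1
@@ -285,7 +285,7 @@
 ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
 local rpid=$!
 
-ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout &
+ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
 local nfqpid=$!
 
 sleep 1
@@ -303,7 +303,7 @@
 
 ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout &
 
-ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout &
+ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout &
 local nfqpid=$!
 
 sleep 1
@@ -334,11 +334,11 @@
 ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
 local rpid=$!
 
-ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE2" &
+ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" &
 
 # nfqueue 1 will be called via output hook. But this time,
 # re-queue the packet to nfqueue program on queue 2.
-ip netns exec ${nsrouter} ./nf-queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
+ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
 
 sleep 1
 ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
@@ -380,7 +380,7 @@
 }
 }
 EOF
-ip netns exec ${ns1} ./nf-queue -q 1 -t $timeout &
+ip netns exec ${ns1} ./nf_queue -q 1 -t $timeout &
 local nfqpid=$!
 
 sleep 1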
tools/testing/selftests/netfilter/nft_synproxy.sh tools/testing/selftests/net/netfilter/nft_synproxy.sh
-151
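--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
+++ /dev/null
@@ -1,151 +0,0 @@
-#!/bin/bash
-#
-# This test is for stress-testing the nf_tables config plane path vs.
-# packet path processing: Make sure we never release rules that are
-# still visible to other cpus.
-#
-# set -e
-
-# Kselftest framework requirement - SKIP code is 4.
-ksft_skip=4
-
-testns=testns-$(mktemp -u "XXXXXXXX")
-tmp=""
-
-tables="foo bar baz quux"
-global_ret=0
-eret=0
-lret=0
-
-cleanup() {
-ip netns pids "$testns" | xargs kill 2>/dev/null
-ip netns del "$testns"
-
-rm -f "$tmp"
-}
-
-check_result()
-{
-local r=$1
-local OK="PASS"
-
-if [ $r -ne 0 ] ;then
-OK="FAIL"
-global_ret=$r
-fi
-
-echo "$OK: nft $2 test returned $r"
-
-eret=0
-}
-
-nft --version > /dev/null 2>&1
-if [ $? -ne 0 ];then
-echo "SKIP: Could not run test without nft tool"
-exit $ksft_skip
-fi
-
-ip -Version > /dev/null 2>&1
-if [ $? -ne 0 ];then
-echo "SKIP: Could not run test without ip tool"
-exit $ksft_skip
-fi
-
-trap cleanup EXIT
-tmp=$(mktemp)
-
-for table in $tables; do
-echo add table inet "$table" >> "$tmp"
-echo flush table inet "$table" >> "$tmp"
-
-echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
-echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
-for c in $(seq 1 400); do
-chain=$(printf "chain%03u" "$c")
-echo "add chain inet $table $chain" >> "$tmp"
-done
-
-for c in $(seq 1 400); do
-chain=$(printf "chain%03u" "$c")
-for BASE in INPUT OUTPUT; do
-echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
-done
-echo "add rule inet $table $chain counter return" >> "$tmp"
-done
-done
-
-ip netns add "$testns"
-ip -netns "$testns" link set lo up
-
-lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
-cpunum=$((cpunum-1))
-for i in $(seq 0 $cpunum);do
-mask=$(printf 0x%x $((1<<$i)))
-ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
-ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
-done)
-
-sleep 1
-
-ip netns exec "$testns" nft -f "$tmp"
-for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
-
-for table in $tables;do
-randsleep=$((RANDOM%2))
-sleep $randsleep
-ip netns exec "$testns" nft delete table inet $table
-lret=$?
-if [ $lret -ne 0 ]; then
-eret=$lret
-fi
-done
-
-check_result $eret "add/delete"
-
-for i in $(seq 1 10) ; do
-(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
-
-lret=$?
-if [ $lret -ne 0 ]; then
-eret=$lret
-fi
-done
-
-check_result $eret "reload"
-
-for i in $(seq 1 10) ; do
-(echo "flush ruleset"; cat "$tmp"
-echo "insert rule inet foo INPUT meta nftrace set 1"
-echo "insert rule inet foo OUTPUT meta nftrace set 1"
-) | ip netns exec "$testns" nft -f /dev/stdin
-lret=$?
-if [ $lret -ne 0 ]; then
-eret=$lret
-fi
-
-(echo "flush ruleset"; cat "$tmp"
-) | ip netns exec "$testns" nft -f /dev/stdin
-
-lret=$?
-if [ $lret -ne 0 ]; then
-eret=$lret
-fi
-done
-
-check_result $eret "add/delete with nftrace enabled"
-
-echo "insert rule inet foo INPUT meta nftrace set 1" >> $tmp
-echo "insert rule inet foo OUTPUT meta nftrace set 1" >> $tmp
-
-for i in $(seq 1 10) ; do
-(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
-
-lret=$?
-if [ $lret -ne 0 ]; then
-eret=1
-fi
-done
-
-check_result $lret "add/delete with nftrace enabled"
-
-exit $global_ret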
tools/testing/selftests/netfilter/nft_zones_many.sh tools/testing/selftests/net/netfilter/nft_zones_many.sh
tools/testing/selftests/netfilter/rpath.sh tools/testing/selftests/net/netfilter/rpath.sh
tools/testing/selftests/netfilter/sctp_collision.c tools/testing/selftests/net/netfilter/sctp_collision.c
-1
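--- a/tools/testing/selftests/netfilter/settings
+++ /dev/null
@@ -1 +0,0 @@
-timeout=120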
tools/testing/selftests/netfilter/xt_string.sh tools/testing/selftests/net/netfilter/xt_string.sh