
selftests: netfilter: flowtable bridge and vlan support

This patch adds two new tests to cover bridge and vlan support:

- Add a bridge device to the Router1 (nsr1) container and attach the
veth0 device to the bridge. Set the IP address to the bridge device
to exercise the bridge forwarding path.

- Add vlan encapsulation between the bridge device in the Router1 and
one of the sender containers (ns1).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Pablo Neira Ayuso and committed by
David S. Miller
79d4071e a11e7973

+82
+82
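--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
+++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
@@ -371,6 +371,88 @@
 ip netns exec nsr1 nft list ruleset
 fi
 
+# Another test:
+# Add bridge interface br0 to Router1, with NAT enabled.
+ip -net nsr1 link add name br0 type bridge
+ip -net nsr1 addr flush dev veth0
+ip -net nsr1 link set up dev veth0
+ip -net nsr1 link set veth0 master br0
+ip -net nsr1 addr add 10.0.1.1/24 dev br0
+ip -net nsr1 addr add dead:1::1/64 dev br0
+ip -net nsr1 link set up dev br0
+
+ip netns exec nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null
+
+# br0 with NAT enabled.
+ip netns exec nsr1 nft -f - <<EOF
+flush table ip nat
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority 0; policy accept;
+meta iif "br0" ip daddr 10.6.6.6 tcp dport 1666 counter dnat ip to 10.0.2.99:12345
+}
+
+chain postrouting {
+type nat hook postrouting priority 0; policy accept;
+meta oifname "veth1" counter masquerade
+}
+}
+EOF
+
+if test_tcp_forwarding_nat ns1 ns2; then
+echo "PASS: flow offloaded for ns1/ns2 with bridge NAT"
+else
+echo "FAIL: flow offload for ns1/ns2 with bridge NAT" 1>&2
+ip netns exec nsr1 nft list ruleset
+ret=1
+fi
+
+# Another test:
+# Add bridge interface br0 to Router1, with NAT and VLAN.
+ip -net nsr1 link set veth0 nomaster
+ip -net nsr1 link set down dev veth0
+ip -net nsr1 link add link veth0 name veth0.10 type vlan id 10
+ip -net nsr1 link set up dev veth0
+ip -net nsr1 link set up dev veth0.10
+ip -net nsr1 link set veth0.10 master br0
+
+ip -net ns1 addr flush dev eth0
+ip -net ns1 link add link eth0 name eth0.10 type vlan id 10
+ip -net ns1 link set eth0 up
+ip -net ns1 link set eth0.10 up
+ip -net ns1 addr add 10.0.1.99/24 dev eth0.10
+ip -net ns1 route add default via 10.0.1.1
+ip -net ns1 addr add dead:1::99/64 dev eth0.10
+
+if test_tcp_forwarding_nat ns1 ns2; then
+echo "PASS: flow offloaded for ns1/ns2 with bridge NAT and VLAN"
+else
+echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2
+ip netns exec nsr1 nft list ruleset
+ret=1
+fi
+
+# restore test topology (remove bridge and VLAN)
+ip -net nsr1 link set veth0 nomaster
+ip -net nsr1 link set veth0 down
+ip -net nsr1 link set veth0.10 down
+ip -net nsr1 link delete veth0.10 type vlan
+ip -net nsr1 link delete br0 type bridge
+ip -net ns1 addr flush dev eth0.10
+ip -net ns1 link set eth0.10 down
+ip -net ns1 link set eth0 down
+ip -net ns1 link delete eth0.10 type vlan
+
+# restore address in ns1 and nsr1
+ip -net ns1 link set eth0 up
+ip -net ns1 addr add 10.0.1.99/24 dev eth0
+ip -net ns1 route add default via 10.0.1.1
+ip -net ns1 addr add dead:1::99/64 dev eth0
+ip -net ns1 route add default via dead:1::1
+ip -net nsr1 addr add 10.0.1.1/24 dev veth0
+ip -net nsr1 addr add dead:1::1/64 dev veth0
+ip -net nsr1 link set up dev veth0
+
 KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1)
 KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1)
 SPI1=$RANDOM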
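Review bot: None of the setup commands for the two new cases check their exit status, so if `ip -net nsr1 link add name br0 type bridge` or the `type vlan id 10` additions fail (for example on a kernel built without bridge or 802.1Q support), the script still runs `test_tcp_forwarding_nat` and prints "FAIL: flow offload ..." for what is really a missing prerequisite. A guard such as `ip -net nsr1 link add name br0 type bridge || { echo "SKIP: cannot create br0 in nsr1"; have_bridge=0; }`, with the two test blocks conditioned on it, would keep an environment problem from being read as a flowtable regression. The VLAN setup also gives ns1 an IPv4 default route on eth0.10 but no IPv6 one, while the restore step adds `ip -net ns1 route add default via dead:1::1`; either add the matching route or note in a comment that only the IPv4 NAT path is exercised here. `test_tcp_forwarding_nat` is defined outside this hunk, so whether the "flow offloaded" wording in the PASS messages is backed by an offload counter check cannot be confirmed from the visible lines.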