tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Wait for rcu grace period after releasing netns in ctnetlink,
from Florian Westphal.

2) Incorrect command type in flowtable offload ndo invocation,
from wenxu.

3) Incorrect callback type in flowtable offload flow tuple
updates, also from wenxu.

4) Fix compile warning on flowtable offload infrastructure due to
possible reference to uninitialized variable, from Nathan Chancellor.

5) Do not inline nf_ct_resolve_clash(), this is called from slow
path / stress situations. From Florian Westphal.

6) Missing IPv6 flow selector description in flowtable offload.

7) Missing check for NETDEV_UNREGISTER in nf_tables offload
infrastructure, from wenxu.

8) Update NAT selftest to use randomized netns names, from
Florian Westphal.

9) Restore nfqueue bridge support, from Marco Oliverio.

10) Compilation warning in SCTP_CHUNKMAP_*() on xt_sctp header.
From Phil Sutter.

11) Fix bogus lookup/get match for non-anonymous rbtree sets.

12) Missing netlink validation for NFT_SET_ELEM_INTERVAL_END
elements.

13) Missing netlink validation for NFT_DATA_VALUE after
nft_data_init().

14) If rule specifies no actions, offload infrastructure returns
EOPNOTSUPP.

15) Module refcount leak in object updates.

16) Missing sanitization for ARP traffic from br_netfilter, from
Eric Dumazet.

17) Compilation breakage on big-endian due to incorrect memcpy()
size in the flowtable offload infrastructure.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 7da538c1 f8fc57e8

+288 -213
+3 -3
include/uapi/linux/netfilter/xt_sctp.h
··· 41 41 #define SCTP_CHUNKMAP_SET(chunkmap, type) \ 42 42 do { \ 43 43 (chunkmap)[type / bytes(__u32)] |= \ 44 - 1 << (type % bytes(__u32)); \ 44 + 1u << (type % bytes(__u32)); \ 45 45 } while (0) 46 46 47 47 #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ 48 48 do { \ 49 49 (chunkmap)[type / bytes(__u32)] &= \ 50 - ~(1 << (type % bytes(__u32))); \ 50 + ~(1u << (type % bytes(__u32))); \ 51 51 } while (0) 52 52 53 53 #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ 54 54 ({ \ 55 55 ((chunkmap)[type / bytes (__u32)] & \ 56 - (1 << (type % bytes (__u32)))) ? 1: 0; \ 56 + (1u << (type % bytes (__u32)))) ? 1: 0; \ 57 57 }) 58 58 59 59 #define SCTP_CHUNKMAP_RESET(chunkmap) \
+3
net/bridge/br_netfilter_hooks.c
··· 662 662 nf_bridge_pull_encap_header(skb); 663 663 } 664 664 665 + if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) 666 + return NF_DROP; 667 + 665 668 if (arp_hdr(skb)->ar_pln != 4) { 666 669 if (is_vlan_arp(skb, state->net)) 667 670 nf_bridge_push_encap_header(skb);
+4 -3
net/netfilter/nf_conntrack_core.c
··· 895 895 } 896 896 897 897 /* Resolve race on insertion if this protocol allows this. */ 898 - static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, 899 - enum ip_conntrack_info ctinfo, 900 - struct nf_conntrack_tuple_hash *h) 898 + static __cold noinline int 899 + nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, 900 + enum ip_conntrack_info ctinfo, 901 + struct nf_conntrack_tuple_hash *h) 901 902 { 902 903 /* This is the conntrack entry already in hashes that won race. */ 903 904 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+3
net/netfilter/nf_conntrack_netlink.c
··· 3626 3626 3627 3627 list_for_each_entry(net, net_exit_list, exit_list) 3628 3628 ctnetlink_net_exit(net); 3629 + 3630 + /* wait for other cpus until they are done with ctnl_notifiers */ 3631 + synchronize_rcu(); 3629 3632 } 3630 3633 3631 3634 static struct pernet_operations ctnetlink_net_ops = {
+45 -38
net/netfilter/nf_flow_table_offload.c
··· 28 28 struct flow_dissector_key_basic basic; 29 29 union { 30 30 struct flow_dissector_key_ipv4_addrs ipv4; 31 + struct flow_dissector_key_ipv6_addrs ipv6; 31 32 }; 32 33 struct flow_dissector_key_tcp tcp; 33 34 struct flow_dissector_key_ports tp; ··· 58 57 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control); 59 58 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic); 60 59 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4); 60 + NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6); 61 61 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp); 62 62 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp); 63 63 ··· 71 69 key->ipv4.dst = tuple->dst_v4.s_addr; 72 70 mask->ipv4.dst = 0xffffffff; 73 71 break; 72 + case AF_INET6: 73 + key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; 74 + key->basic.n_proto = htons(ETH_P_IPV6); 75 + key->ipv6.src = tuple->src_v6; 76 + memset(&mask->ipv6.src, 0xff, sizeof(mask->ipv6.src)); 77 + key->ipv6.dst = tuple->dst_v6; 78 + memset(&mask->ipv6.dst, 0xff, sizeof(mask->ipv6.dst)); 79 + break; 74 80 default: 75 81 return -EOPNOTSUPP; 76 82 } 83 + match->dissector.used_keys |= BIT(key->control.addr_type); 77 84 mask->basic.n_proto = 0xffff; 78 85 79 86 switch (tuple->l4proto) { ··· 107 96 108 97 match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) | 109 98 BIT(FLOW_DISSECTOR_KEY_BASIC) | 110 - BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) | 111 99 BIT(FLOW_DISSECTOR_KEY_PORTS); 112 100 return 0; 113 101 } 114 102 115 103 static void flow_offload_mangle(struct flow_action_entry *entry, 116 - enum flow_action_mangle_base htype, 117 - u32 offset, u8 *value, u8 *mask) 104 + enum flow_action_mangle_base htype, u32 offset, 105 + const __be32 *value, const __be32 *mask) 118 106 { 119 107 entry->id = FLOW_ACTION_MANGLE; 120 108 entry->mangle.htype = htype; ··· 150 140 memcpy(&val16, dev->dev_addr, 2); 151 141 val = val16 << 16; 152 142 flow_offload_mangle(entry0, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 4, 153 - (u8 *)&val, (u8 *)&mask); 143 + &val, &mask); 154 144 155 145 mask = ~0xffffffff; 156 146 memcpy(&val, dev->dev_addr + 2, 4); 157 147 flow_offload_mangle(entry1, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 8, 158 - (u8 *)&val, (u8 *)&mask); 148 + &val, &mask); 159 149 dev_put(dev); 160 150 161 151 return 0; ··· 180 170 mask = ~0xffffffff; 181 171 memcpy(&val, n->ha, 4); 182 172 flow_offload_mangle(entry0, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 0, 183 - (u8 *)&val, (u8 *)&mask); 173 + &val, &mask); 184 174 185 175 mask = ~0x0000ffff; 186 176 memcpy(&val16, n->ha + 4, 2); 187 177 val = val16; 188 178 flow_offload_mangle(entry1, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 4, 189 - (u8 *)&val, (u8 *)&mask); 179 + &val, &mask); 190 180 neigh_release(n); 191 181 192 182 return 0; ··· 216 206 } 217 207 218 208 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset, 219 - (u8 *)&addr, (u8 *)&mask); 209 + &addr, &mask); 220 210 } 221 211 222 212 static void flow_offload_ipv4_dnat(struct net *net, ··· 243 233 } 244 234 245 235 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset, 246 - (u8 *)&addr, (u8 *)&mask); 236 + &addr, &mask); 247 237 } 248 238 249 239 static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule, 250 240 unsigned int offset, 251 - u8 *addr, u8 *mask) 241 + const __be32 *addr, const __be32 *mask) 252 242 { 253 243 struct flow_action_entry *entry; 254 244 int i; ··· 256 246 for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32)) { 257 247 entry = flow_action_entry_next(flow_rule); 258 248 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6, 259 - offset + i, 260 - &addr[i], mask); 249 + offset + i, &addr[i], mask); 261 250 } 262 251 } 263 252 ··· 266 257 struct nf_flow_rule *flow_rule) 267 258 { 268 259 u32 mask = ~htonl(0xffffffff); 269 - const u8 *addr; 260 + const __be32 *addr; 270 261 u32 offset; 271 262 272 263 switch (dir) { 273 264 case FLOW_OFFLOAD_DIR_ORIGINAL: 274 - addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v6.s6_addr; 265 + addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v6.s6_addr32; 275 266 offset = offsetof(struct ipv6hdr, saddr); 276 267 break; 277 268 case FLOW_OFFLOAD_DIR_REPLY: 278 - addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v6.s6_addr; 269 + addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v6.s6_addr32; 279 270 offset = offsetof(struct ipv6hdr, daddr); 280 271 break; 281 272 default: 282 273 return; 283 274 } 284 275 285 - flow_offload_ipv6_mangle(flow_rule, offset, (u8 *)addr, (u8 *)&mask); 276 + flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask); 286 277 } 287 278 288 279 static void flow_offload_ipv6_dnat(struct net *net, ··· 291 282 struct nf_flow_rule *flow_rule) 292 283 { 293 284 u32 mask = ~htonl(0xffffffff); 294 - const u8 *addr; 285 + const __be32 *addr; 295 286 u32 offset; 296 287 297 288 switch (dir) { 298 289 case FLOW_OFFLOAD_DIR_ORIGINAL: 299 - addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v6.s6_addr; 290 + addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v6.s6_addr32; 300 291 offset = offsetof(struct ipv6hdr, daddr); 301 292 break; 302 293 case FLOW_OFFLOAD_DIR_REPLY: 303 - addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v6.s6_addr; 294 + addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v6.s6_addr32; 304 295 offset = offsetof(struct ipv6hdr, saddr); 305 296 break; 306 297 default: 307 298 return; 308 299 } 309 300 310 - flow_offload_ipv6_mangle(flow_rule, offset, (u8 *)addr, (u8 *)&mask); 301 + flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask); 311 302 } 312 303 313 304 static int flow_offload_l4proto(const struct flow_offload *flow) ··· 335 326 struct nf_flow_rule *flow_rule) 336 327 { 337 328 struct flow_action_entry *entry = flow_action_entry_next(flow_rule); 338 - u32 mask = ~htonl(0xffff0000); 339 - __be16 port; 329 + u32 mask = ~htonl(0xffff0000), port; 340 330 u32 offset; 341 331 342 332 switch (dir) { 343 333 case FLOW_OFFLOAD_DIR_ORIGINAL: 344 - port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port; 334 + port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port); 345 335 offset = 0; /* offsetof(struct tcphdr, source); */ 346 336 break; 347 337 case FLOW_OFFLOAD_DIR_REPLY: 348 - port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port; 338 + port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port); 349 339 offset = 0; /* offsetof(struct tcphdr, dest); */ 350 340 break; 351 341 default: 352 - break; 342 + return; 353 343 } 354 - 344 + port = htonl(port << 16); 355 345 flow_offload_mangle(entry, flow_offload_l4proto(flow), offset, 356 - (u8 *)&port, (u8 *)&mask); 346 + &port, &mask); 357 347 } 358 348 359 349 static void flow_offload_port_dnat(struct net *net, ··· 361 353 struct nf_flow_rule *flow_rule) 362 354 { 363 355 struct flow_action_entry *entry = flow_action_entry_next(flow_rule); 364 - u32 mask = ~htonl(0xffff); 365 - __be16 port; 356 + u32 mask = ~htonl(0xffff), port; 366 357 u32 offset; 367 358 368 359 switch (dir) { 369 360 case FLOW_OFFLOAD_DIR_ORIGINAL: 370 - port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port; 361 + port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port); 371 362 offset = 0; /* offsetof(struct tcphdr, source); */ 372 363 break; 373 364 case FLOW_OFFLOAD_DIR_REPLY: 374 - port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port; 365 + port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port); 375 366 offset = 0; /* offsetof(struct tcphdr, dest); */ 376 367 break; 377 368 default: 378 - break; 369 + return; 379 370 } 380 - 371 + port = htonl(port); 381 372 flow_offload_mangle(entry, flow_offload_l4proto(flow), offset, 382 - (u8 *)&port, (u8 *)&mask); 373 + &port, &mask); 383 374 } 384 375 385 376 static void flow_offload_ipv4_checksum(struct net *net, ··· 581 574 cls_flow.rule = flow_rule->rule; 582 575 583 576 list_for_each_entry(block_cb, &flowtable->flow_block.cb_list, list) { 584 - err = block_cb->cb(TC_SETUP_FT, &cls_flow, 577 + err = block_cb->cb(TC_SETUP_CLSFLOWER, &cls_flow, 585 578 block_cb->cb_priv); 586 579 if (err < 0) 587 580 continue; ··· 606 599 &offload->flow->tuplehash[dir].tuple, &extack); 607 600 608 601 list_for_each_entry(block_cb, &flowtable->flow_block.cb_list, list) 609 - block_cb->cb(TC_SETUP_FT, &cls_flow, block_cb->cb_priv); 602 + block_cb->cb(TC_SETUP_CLSFLOWER, &cls_flow, block_cb->cb_priv); 610 603 611 604 offload->flow->flags |= FLOW_OFFLOAD_HW_DEAD; 612 605 } ··· 663 656 &offload->flow->tuplehash[dir].tuple, &extack); 664 657 665 658 list_for_each_entry(block_cb, &flowtable->flow_block.cb_list, list) 666 - block_cb->cb(TC_SETUP_FT, &cls_flow, block_cb->cb_priv); 659 + block_cb->cb(TC_SETUP_CLSFLOWER, &cls_flow, block_cb->cb_priv); 667 660 memcpy(stats, &cls_flow.stats, sizeof(*stats)); 668 661 } 669 662 ··· 829 822 bo.extack = &extack; 830 823 INIT_LIST_HEAD(&bo.cb_list); 831 824 832 - err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo); 825 + err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, &bo); 833 826 if (err < 0) 834 827 return err; 835 828
+1 -1
net/netfilter/nf_queue.c
··· 189 189 goto err; 190 190 } 191 191 192 - if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) { 192 + if (skb_dst(skb) && !skb_dst_force(skb)) { 193 193 status = -ENETDOWN; 194 194 goto err; 195 195 }
+13 -5
net/netfilter/nf_tables_api.c
··· 4519 4519 return err; 4520 4520 4521 4521 err = -EINVAL; 4522 - if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) 4522 + if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 4523 + nft_data_release(&elem.key.val, desc.type); 4523 4524 return err; 4525 + } 4524 4526 4525 4527 priv = set->ops->get(ctx->net, set, &elem, flags); 4526 4528 if (IS_ERR(priv)) ··· 4758 4756 if (nla[NFTA_SET_ELEM_DATA] == NULL && 4759 4757 !(flags & NFT_SET_ELEM_INTERVAL_END)) 4760 4758 return -EINVAL; 4761 - if (nla[NFTA_SET_ELEM_DATA] != NULL && 4762 - flags & NFT_SET_ELEM_INTERVAL_END) 4763 - return -EINVAL; 4764 4759 } else { 4765 4760 if (nla[NFTA_SET_ELEM_DATA] != NULL) 4766 4761 return -EINVAL; 4767 4762 } 4763 + 4764 + if ((flags & NFT_SET_ELEM_INTERVAL_END) && 4765 + (nla[NFTA_SET_ELEM_DATA] || 4766 + nla[NFTA_SET_ELEM_OBJREF] || 4767 + nla[NFTA_SET_ELEM_TIMEOUT] || 4768 + nla[NFTA_SET_ELEM_EXPIRATION] || 4769 + nla[NFTA_SET_ELEM_USERDATA] || 4770 + nla[NFTA_SET_ELEM_EXPR])) 4771 + return -EINVAL; 4768 4772 4769 4773 timeout = 0; 4770 4774 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { ··· 5484 5476 if (nlh->nlmsg_flags & NLM_F_REPLACE) 5485 5477 return -EOPNOTSUPP; 5486 5478 5487 - type = nft_obj_type_get(net, objtype); 5479 + type = __nft_obj_type_get(objtype); 5488 5480 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5489 5481 5490 5482 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
+6
net/netfilter/nf_tables_offload.c
··· 44 44 expr = nft_expr_next(expr); 45 45 } 46 46 47 + if (num_actions == 0) 48 + return ERR_PTR(-EOPNOTSUPP); 49 + 47 50 flow = nft_flow_rule_alloc(num_actions); 48 51 if (!flow) 49 52 return ERR_PTR(-ENOMEM); ··· 579 576 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 580 577 struct net *net = dev_net(dev); 581 578 struct nft_chain *chain; 579 + 580 + if (event != NETDEV_UNREGISTER) 581 + return NOTIFY_DONE; 582 582 583 583 mutex_lock(&net->nft.commit_mutex); 584 584 chain = __nft_offload_get_chain(dev);
+2 -2
net/netfilter/nft_bitwise.c
··· 80 80 tb[NFTA_BITWISE_MASK]); 81 81 if (err < 0) 82 82 return err; 83 - if (d1.len != priv->len) { 83 + if (d1.type != NFT_DATA_VALUE || d1.len != priv->len) { 84 84 err = -EINVAL; 85 85 goto err1; 86 86 } ··· 89 89 tb[NFTA_BITWISE_XOR]); 90 90 if (err < 0) 91 91 goto err1; 92 - if (d2.len != priv->len) { 92 + if (d2.type != NFT_DATA_VALUE || d2.len != priv->len) { 93 93 err = -EINVAL; 94 94 goto err2; 95 95 }
+6
net/netfilter/nft_cmp.c
··· 81 81 if (err < 0) 82 82 return err; 83 83 84 + if (desc.type != NFT_DATA_VALUE) { 85 + err = -EINVAL; 86 + nft_data_release(&priv->data, desc.type); 87 + return err; 88 + } 89 + 84 90 priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]); 85 91 err = nft_validate_register_load(priv->sreg, desc.len); 86 92 if (err < 0)
+10
net/netfilter/nft_range.c
··· 66 66 if (err < 0) 67 67 return err; 68 68 69 + if (desc_from.type != NFT_DATA_VALUE) { 70 + err = -EINVAL; 71 + goto err1; 72 + } 73 + 69 74 err = nft_data_init(NULL, &priv->data_to, sizeof(priv->data_to), 70 75 &desc_to, tb[NFTA_RANGE_TO_DATA]); 71 76 if (err < 0) 72 77 goto err1; 78 + 79 + if (desc_to.type != NFT_DATA_VALUE) { 80 + err = -EINVAL; 81 + goto err2; 82 + } 73 83 74 84 if (desc_from.len != desc_to.len) { 75 85 err = -EINVAL;
+16 -5
net/netfilter/nft_set_rbtree.c
··· 74 74 parent = rcu_dereference_raw(parent->rb_left); 75 75 continue; 76 76 } 77 - if (nft_rbtree_interval_end(rbe)) 78 - goto out; 77 + if (nft_rbtree_interval_end(rbe)) { 78 + if (nft_set_is_anonymous(set)) 79 + return false; 80 + parent = rcu_dereference_raw(parent->rb_left); 81 + interval = NULL; 82 + continue; 83 + } 79 84 80 85 *ext = &rbe->ext; 81 86 return true; ··· 93 88 *ext = &interval->ext; 94 89 return true; 95 90 } 96 - out: 91 + 97 92 return false; 98 93 } 99 94 ··· 144 139 if (flags & NFT_SET_ELEM_INTERVAL_END) 145 140 interval = rbe; 146 141 } else { 147 - if (!nft_set_elem_active(&rbe->ext, genmask)) 142 + if (!nft_set_elem_active(&rbe->ext, genmask)) { 148 143 parent = rcu_dereference_raw(parent->rb_left); 144 + continue; 145 + } 149 146 150 147 if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) || 151 148 (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) == ··· 155 148 *elem = rbe; 156 149 return true; 157 150 } 158 - return false; 151 + 152 + if (nft_rbtree_interval_end(rbe)) 153 + interval = NULL; 154 + 155 + parent = rcu_dereference_raw(parent->rb_left); 159 156 } 160 157 } 161 158
+176 -156
tools/testing/selftests/netfilter/nft_nat.sh
··· 8 8 ret=0 9 9 test_inet_nat=true 10 10 11 + sfx=$(mktemp -u "XXXXXXXX") 12 + ns0="ns0-$sfx" 13 + ns1="ns1-$sfx" 14 + ns2="ns2-$sfx" 15 + 11 16 cleanup() 12 17 { 13 - for i in 0 1 2; do ip netns del ns$i;done 18 + for i in 0 1 2; do ip netns del ns$i-"$sfx";done 14 19 } 15 20 16 21 nft --version > /dev/null 2>&1 ··· 30 25 exit $ksft_skip 31 26 fi 32 27 33 - ip netns add ns0 28 + ip netns add "$ns0" 34 29 if [ $? -ne 0 ];then 35 - echo "SKIP: Could not create net namespace" 30 + echo "SKIP: Could not create net namespace $ns0" 36 31 exit $ksft_skip 37 32 fi 38 33 39 34 trap cleanup EXIT 40 35 41 - ip netns add ns1 42 - ip netns add ns2 36 + ip netns add "$ns1" 37 + if [ $? -ne 0 ];then 38 + echo "SKIP: Could not create net namespace $ns1" 39 + exit $ksft_skip 40 + fi 43 41 44 - ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 > /dev/null 2>&1 42 + ip netns add "$ns2" 43 + if [ $? -ne 0 ];then 44 + echo "SKIP: Could not create net namespace $ns2" 45 + exit $ksft_skip 46 + fi 47 + 48 + ip link add veth0 netns "$ns0" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1 45 49 if [ $? -ne 0 ];then 46 50 echo "SKIP: No virtual ethernet pair device support in kernel" 47 51 exit $ksft_skip 48 52 fi 49 - ip link add veth1 netns ns0 type veth peer name eth0 netns ns2 53 + ip link add veth1 netns "$ns0" type veth peer name eth0 netns "$ns2" 50 54 51 - ip -net ns0 link set lo up 52 - ip -net ns0 link set veth0 up 53 - ip -net ns0 addr add 10.0.1.1/24 dev veth0 54 - ip -net ns0 addr add dead:1::1/64 dev veth0 55 + ip -net "$ns0" link set lo up 56 + ip -net "$ns0" link set veth0 up 57 + ip -net "$ns0" addr add 10.0.1.1/24 dev veth0 58 + ip -net "$ns0" addr add dead:1::1/64 dev veth0 55 59 56 - ip -net ns0 link set veth1 up 57 - ip -net ns0 addr add 10.0.2.1/24 dev veth1 58 - ip -net ns0 addr add dead:2::1/64 dev veth1 60 + ip -net "$ns0" link set veth1 up 61 + ip -net "$ns0" addr add 10.0.2.1/24 dev veth1 62 + ip -net "$ns0" addr add dead:2::1/64 dev veth1 59 63 60 64 for i in 1 2; do 61 - ip -net ns$i link set lo up 62 - ip -net ns$i link set eth0 up 63 - ip -net ns$i addr add 10.0.$i.99/24 dev eth0 64 - ip -net ns$i route add default via 10.0.$i.1 65 - ip -net ns$i addr add dead:$i::99/64 dev eth0 66 - ip -net ns$i route add default via dead:$i::1 65 + ip -net ns$i-$sfx link set lo up 66 + ip -net ns$i-$sfx link set eth0 up 67 + ip -net ns$i-$sfx addr add 10.0.$i.99/24 dev eth0 68 + ip -net ns$i-$sfx route add default via 10.0.$i.1 69 + ip -net ns$i-$sfx addr add dead:$i::99/64 dev eth0 70 + ip -net ns$i-$sfx route add default via dead:$i::1 67 71 done 68 72 69 73 bad_counter() ··· 80 66 local ns=$1 81 67 local counter=$2 82 68 local expect=$3 69 + local tag=$4 83 70 84 - echo "ERROR: $counter counter in $ns has unexpected value (expected $expect)" 1>&2 71 + echo "ERROR: $counter counter in $ns has unexpected value (expected $expect) at $tag" 1>&2 85 72 ip netns exec $ns nft list counter inet filter $counter 1>&2 86 73 } 87 74 ··· 93 78 94 79 cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84") 95 80 if [ $? -ne 0 ]; then 96 - bad_counter $ns ns0in "packets 1 bytes 84" 81 + bad_counter $ns ns0in "packets 1 bytes 84" "check_counters 1" 97 82 lret=1 98 83 fi 99 84 cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84") 100 85 if [ $? -ne 0 ]; then 101 - bad_counter $ns ns0out "packets 1 bytes 84" 86 + bad_counter $ns ns0out "packets 1 bytes 84" "check_counters 2" 102 87 lret=1 103 88 fi 104 89 105 90 expect="packets 1 bytes 104" 106 91 cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect") 107 92 if [ $? -ne 0 ]; then 108 - bad_counter $ns ns0in6 "$expect" 93 + bad_counter $ns ns0in6 "$expect" "check_counters 3" 109 94 lret=1 110 95 fi 111 96 cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect") 112 97 if [ $? -ne 0 ]; then 113 - bad_counter $ns ns0out6 "$expect" 98 + bad_counter $ns ns0out6 "$expect" "check_counters 4" 114 99 lret=1 115 100 fi 116 101 ··· 122 107 local ns=$1 123 108 local lret=0 124 109 125 - cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q "packets 0 bytes 0") 110 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in | grep -q "packets 0 bytes 0") 126 111 if [ $? -ne 0 ]; then 127 - bad_counter ns0 ns0in "packets 0 bytes 0" 112 + bad_counter "$ns0" ns0in "packets 0 bytes 0" "check_ns0_counters 1" 128 113 lret=1 129 114 fi 130 115 131 - cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0") 116 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0") 132 117 if [ $? -ne 0 ]; then 133 - bad_counter ns0 ns0in6 "packets 0 bytes 0" 118 + bad_counter "$ns0" ns0in6 "packets 0 bytes 0" 134 119 lret=1 135 120 fi 136 121 137 - cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q "packets 0 bytes 0") 122 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out | grep -q "packets 0 bytes 0") 138 123 if [ $? -ne 0 ]; then 139 - bad_counter ns0 ns0out "packets 0 bytes 0" 124 + bad_counter "$ns0" ns0out "packets 0 bytes 0" "check_ns0_counters 2" 140 125 lret=1 141 126 fi 142 - cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0") 127 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0") 143 128 if [ $? -ne 0 ]; then 144 - bad_counter ns0 ns0out6 "packets 0 bytes 0" 129 + bad_counter "$ns0" ns0out6 "packets 0 bytes 0" "check_ns0_counters3 " 145 130 lret=1 146 131 fi 147 132 148 133 for dir in "in" "out" ; do 149 134 expect="packets 1 bytes 84" 150 - cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir} | grep -q "$expect") 135 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir} | grep -q "$expect") 151 136 if [ $? -ne 0 ]; then 152 - bad_counter ns0 $ns$dir "$expect" 137 + bad_counter "$ns0" $ns$dir "$expect" "check_ns0_counters 4" 153 138 lret=1 154 139 fi 155 140 156 141 expect="packets 1 bytes 104" 157 - cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir}6 | grep -q "$expect") 142 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ${ns}${dir}6 | grep -q "$expect") 158 143 if [ $? -ne 0 ]; then 159 - bad_counter ns0 $ns$dir6 "$expect" 144 + bad_counter "$ns0" $ns$dir6 "$expect" "check_ns0_counters 5" 160 145 lret=1 161 146 fi 162 147 done ··· 167 152 reset_counters() 168 153 { 169 154 for i in 0 1 2;do 170 - ip netns exec ns$i nft reset counters inet > /dev/null 155 + ip netns exec ns$i-$sfx nft reset counters inet > /dev/null 171 156 done 172 157 } 173 158 ··· 181 166 IPF="ip6" 182 167 fi 183 168 184 - ip netns exec ns0 nft -f - <<EOF 169 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 185 170 table $family nat { 186 171 chain output { 187 172 type nat hook output priority 0; policy accept; ··· 195 180 fi 196 181 197 182 # ping netns1, expect rewrite to netns2 198 - ip netns exec ns0 ping -q -c 1 dead:1::99 > /dev/null 183 + ip netns exec "$ns0" ping -q -c 1 dead:1::99 > /dev/null 199 184 if [ $? -ne 0 ]; then 200 185 lret=1 201 186 echo "ERROR: ping6 failed" ··· 204 189 205 190 expect="packets 0 bytes 0" 206 191 for dir in "in6" "out6" ; do 207 - cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") 192 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 208 193 if [ $? -ne 0 ]; then 209 - bad_counter ns0 ns1$dir "$expect" 194 + bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat6 1" 210 195 lret=1 211 196 fi 212 197 done 213 198 214 199 expect="packets 1 bytes 104" 215 200 for dir in "in6" "out6" ; do 216 - cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") 201 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 217 202 if [ $? -ne 0 ]; then 218 - bad_counter ns0 ns2$dir "$expect" 203 + bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat6 2" 219 204 lret=1 220 205 fi 221 206 done ··· 223 208 # expect 0 count in ns1 224 209 expect="packets 0 bytes 0" 225 210 for dir in "in6" "out6" ; do 226 - cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") 211 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 227 212 if [ $? -ne 0 ]; then 228 - bad_counter ns1 ns0$dir "$expect" 213 + bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat6 3" 229 214 lret=1 230 215 fi 231 216 done ··· 233 218 # expect 1 packet in ns2 234 219 expect="packets 1 bytes 104" 235 220 for dir in "in6" "out6" ; do 236 - cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") 221 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 237 222 if [ $? -ne 0 ]; then 238 - bad_counter ns2 ns0$dir "$expect" 223 + bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat6 4" 239 224 lret=1 240 225 fi 241 226 done 242 227 243 - test $lret -eq 0 && echo "PASS: ipv6 ping to ns1 was $family NATted to ns2" 244 - ip netns exec ns0 nft flush chain ip6 nat output 228 + test $lret -eq 0 && echo "PASS: ipv6 ping to $ns1 was $family NATted to $ns2" 229 + ip netns exec "$ns0" nft flush chain ip6 nat output 245 230 246 231 return $lret 247 232 } ··· 256 241 IPF="ip" 257 242 fi 258 243 259 - ip netns exec ns0 nft -f - <<EOF 2>/dev/null 244 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 2>/dev/null 260 245 table $family nat { 261 246 chain output { 262 247 type nat hook output priority 0; policy accept; ··· 275 260 fi 276 261 277 262 # ping netns1, expect rewrite to netns2 278 - ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null 263 + ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null 279 264 if [ $? -ne 0 ]; then 280 265 lret=1 281 266 echo "ERROR: ping failed" ··· 284 269 285 270 expect="packets 0 bytes 0" 286 271 for dir in "in" "out" ; do 287 - cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") 272 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 288 273 if [ $? -ne 0 ]; then 289 - bad_counter ns0 ns1$dir "$expect" 274 + bad_counter "$ns0" ns1$dir "$expect" "test_local_dnat 1" 290 275 lret=1 291 276 fi 292 277 done 293 278 294 279 expect="packets 1 bytes 84" 295 280 for dir in "in" "out" ; do 296 - cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") 281 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 297 282 if [ $? -ne 0 ]; then 298 - bad_counter ns0 ns2$dir "$expect" 283 + bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 2" 299 284 lret=1 300 285 fi 301 286 done ··· 303 288 # expect 0 count in ns1 304 289 expect="packets 0 bytes 0" 305 290 for dir in "in" "out" ; do 306 - cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") 291 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 307 292 if [ $? -ne 0 ]; then 308 - bad_counter ns1 ns0$dir "$expect" 293 + bad_counter "$ns1" ns0$dir "$expect" "test_local_dnat 3" 309 294 lret=1 310 295 fi 311 296 done ··· 313 298 # expect 1 packet in ns2 314 299 expect="packets 1 bytes 84" 315 300 for dir in "in" "out" ; do 316 - cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") 301 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 317 302 if [ $? -ne 0 ]; then 318 - bad_counter ns2 ns0$dir "$expect" 303 + bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 4" 319 304 lret=1 320 305 fi 321 306 done 322 307 323 - test $lret -eq 0 && echo "PASS: ping to ns1 was $family NATted to ns2" 308 + test $lret -eq 0 && echo "PASS: ping to $ns1 was $family NATted to $ns2" 324 309 325 - ip netns exec ns0 nft flush chain $family nat output 310 + ip netns exec "$ns0" nft flush chain $family nat output 326 311 327 312 reset_counters 328 - ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null 313 + ip netns exec "$ns0" ping -q -c 1 10.0.1.99 > /dev/null 329 314 if [ $? -ne 0 ]; then 330 315 lret=1 331 316 echo "ERROR: ping failed" ··· 334 319 335 320 expect="packets 1 bytes 84" 336 321 for dir in "in" "out" ; do 337 - cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") 322 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 338 323 if [ $? -ne 0 ]; then 339 - bad_counter ns1 ns1$dir "$expect" 324 + bad_counter "$ns1" ns1$dir "$expect" "test_local_dnat 5" 340 325 lret=1 341 326 fi 342 327 done 343 328 expect="packets 0 bytes 0" 344 329 for dir in "in" "out" ; do 345 - cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") 330 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 346 331 if [ $? -ne 0 ]; then 347 - bad_counter ns0 ns2$dir "$expect" 332 + bad_counter "$ns0" ns2$dir "$expect" "test_local_dnat 6" 348 333 lret=1 349 334 fi 350 335 done ··· 352 337 # expect 1 count in ns1 353 338 expect="packets 1 bytes 84" 354 339 for dir in "in" "out" ; do 355 - cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") 340 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 356 341 if [ $? -ne 0 ]; then 357 - bad_counter ns0 ns0$dir "$expect" 342 + bad_counter "$ns0" ns0$dir "$expect" "test_local_dnat 7" 358 343 lret=1 359 344 fi 360 345 done ··· 362 347 # expect 0 packet in ns2 363 348 expect="packets 0 bytes 0" 364 349 for dir in "in" "out" ; do 365 - cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") 350 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns0${dir} | grep -q "$expect") 366 351 if [ $? -ne 0 ]; then 367 - bad_counter ns2 ns2$dir "$expect" 352 + bad_counter "$ns2" ns0$dir "$expect" "test_local_dnat 8" 368 353 lret=1 369 354 fi 370 355 done 371 356 372 - test $lret -eq 0 && echo "PASS: ping to ns1 OK after $family nat output chain flush" 357 + test $lret -eq 0 && echo "PASS: ping to $ns1 OK after $family nat output chain flush" 373 358 374 359 return $lret 375 360 } ··· 381 366 local natflags=$2 382 367 local lret=0 383 368 384 - ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 369 + ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 385 370 386 - ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 371 + ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 387 372 if [ $? -ne 0 ] ; then 388 - echo "ERROR: cannot ping ns1 from ns2 via ipv6" 373 + echo "ERROR: cannot ping $ns1 from $ns2 via ipv6" 389 374 return 1 390 375 lret=1 391 376 fi 392 377 393 378 expect="packets 1 bytes 104" 394 379 for dir in "in6" "out6" ; do 395 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 380 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 396 381 if [ $? -ne 0 ]; then 397 - bad_counter ns1 ns2$dir "$expect" 382 + bad_counter "$ns1" ns2$dir "$expect" "test_masquerade6 1" 398 383 lret=1 399 384 fi 400 385 401 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 386 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 402 387 if [ $? -ne 0 ]; then 403 - bad_counter ns2 ns1$dir "$expect" 388 + bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 2" 404 389 lret=1 405 390 fi 406 391 done ··· 408 393 reset_counters 409 394 410 395 # add masquerading rule 411 - ip netns exec ns0 nft -f - <<EOF 396 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 412 397 table $family nat { 413 398 chain postrouting { 414 399 type nat hook postrouting priority 0; policy accept; ··· 421 406 return $ksft_skip 422 407 fi 423 408 424 - ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 409 + ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 425 410 if [ $? -ne 0 ] ; then 426 - echo "ERROR: cannot ping ns1 from ns2 with active $family masquerade $natflags" 411 + echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" 427 412 lret=1 428 413 fi 429 414 430 415 # ns1 should have seen packets from ns0, due to masquerade 431 416 expect="packets 1 bytes 104" 432 417 for dir in "in6" "out6" ; do 433 - cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") 418 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 434 419 if [ $? -ne 0 ]; then 435 - bad_counter ns1 ns0$dir "$expect" 420 + bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 3" 436 421 lret=1 437 422 fi 438 423 439 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 424 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 440 425 if [ $? -ne 0 ]; then 441 - bad_counter ns2 ns1$dir "$expect" 426 + bad_counter "$ns2" ns1$dir "$expect" "test_masquerade6 4" 442 427 lret=1 443 428 fi 444 429 done ··· 446 431 # ns1 should not have seen packets from ns2, due to masquerade 447 432 expect="packets 0 bytes 0" 448 433 for dir in "in6" "out6" ; do 449 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 434 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 450 435 if [ $? -ne 0 ]; then 451 - bad_counter ns1 ns0$dir "$expect" 436 + bad_counter "$ns1" ns0$dir "$expect" "test_masquerade6 5" 452 437 lret=1 453 438 fi 454 439 455 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 440 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 456 441 if [ $? -ne 0 ]; then 457 - bad_counter ns2 ns1$dir "$expect" 442 + bad_counter "$ns0" ns1$dir "$expect" "test_masquerade6 6" 458 443 lret=1 459 444 fi 460 445 done 461 446 462 - ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 447 + ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 463 448 if [ $? -ne 0 ] ; then 464 - echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerade $natflags (attempt 2)" 449 + echo "ERROR: cannot ping $ns1 from $ns2 with active ipv6 masquerade $natflags (attempt 2)" 465 450 lret=1 466 451 fi 467 452 468 - ip netns exec ns0 nft flush chain $family nat postrouting 453 + ip netns exec "$ns0" nft flush chain $family nat postrouting 469 454 if [ $? -ne 0 ]; then 470 455 echo "ERROR: Could not flush $family nat postrouting" 1>&2 471 456 lret=1 472 457 fi 473 458 474 - test $lret -eq 0 && echo "PASS: $family IPv6 masquerade $natflags for ns2" 459 + test $lret -eq 0 && echo "PASS: $family IPv6 masquerade $natflags for $ns2" 475 460 476 461 return $lret 477 462 } ··· 482 467 local natflags=$2 483 468 local lret=0 484 469 485 - ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 486 - ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 470 + ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 471 + ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 487 472 488 - ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 473 + ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 489 474 if [ $? -ne 0 ] ; then 490 - echo "ERROR: cannot ping ns1 from ns2 $natflags" 475 + echo "ERROR: cannot ping $ns1 from "$ns2" $natflags" 491 476 lret=1 492 477 fi 493 478 494 479 expect="packets 1 bytes 84" 495 480 for dir in "in" "out" ; do 496 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 481 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 497 482 if [ $? -ne 0 ]; then 498 - bad_counter ns1 ns2$dir "$expect" 483 + bad_counter "$ns1" ns2$dir "$expect" "test_masquerade 1" 499 484 lret=1 500 485 fi 501 486 502 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 487 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 503 488 if [ $? -ne 0 ]; then 504 - bad_counter ns2 ns1$dir "$expect" 489 + bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 2" 505 490 lret=1 506 491 fi 507 492 done ··· 509 494 reset_counters 510 495 511 496 # add masquerading rule 512 - ip netns exec ns0 nft -f - <<EOF 497 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 513 498 table $family nat { 514 499 chain postrouting { 515 500 type nat hook postrouting priority 0; policy accept; ··· 522 507 return $ksft_skip 523 508 fi 524 509 525 - ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 510 + ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 526 511 if [ $? -ne 0 ] ; then 527 - echo "ERROR: cannot ping ns1 from ns2 with active $family masquerade $natflags" 512 + echo "ERROR: cannot ping $ns1 from $ns2 with active $family masquerade $natflags" 528 513 lret=1 529 514 fi 530 515 531 516 # ns1 should have seen packets from ns0, due to masquerade 532 517 expect="packets 1 bytes 84" 533 518 for dir in "in" "out" ; do 534 - cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") 519 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns0${dir} | grep -q "$expect") 535 520 if [ $? -ne 0 ]; then 536 - bad_counter ns1 ns0$dir "$expect" 521 + bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 3" 537 522 lret=1 538 523 fi 539 524 540 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 525 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 541 526 if [ $? -ne 0 ]; then 542 - bad_counter ns2 ns1$dir "$expect" 527 + bad_counter "$ns2" ns1$dir "$expect" "test_masquerade 4" 543 528 lret=1 544 529 fi 545 530 done ··· 547 532 # ns1 should not have seen packets from ns2, due to masquerade 548 533 expect="packets 0 bytes 0" 549 534 for dir in "in" "out" ; do 550 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 535 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 551 536 if [ $? -ne 0 ]; then 552 - bad_counter ns1 ns0$dir "$expect" 537 + bad_counter "$ns1" ns0$dir "$expect" "test_masquerade 5" 553 538 lret=1 554 539 fi 555 540 556 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 541 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns1${dir} | grep -q "$expect") 557 542 if [ $? -ne 0 ]; then 558 - bad_counter ns2 ns1$dir "$expect" 543 + bad_counter "$ns0" ns1$dir "$expect" "test_masquerade 6" 559 544 lret=1 560 545 fi 561 546 done 562 547 563 - ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 548 + ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 564 549 if [ $? -ne 0 ] ; then 565 - echo "ERROR: cannot ping ns1 from ns2 with active ip masquerade $natflags (attempt 2)" 550 + echo "ERROR: cannot ping $ns1 from $ns2 with active ip masquerade $natflags (attempt 2)" 566 551 lret=1 567 552 fi 568 553 569 - ip netns exec ns0 nft flush chain $family nat postrouting 554 + ip netns exec "$ns0" nft flush chain $family nat postrouting 570 555 if [ $? -ne 0 ]; then 571 556 echo "ERROR: Could not flush $family nat postrouting" 1>&2 572 557 lret=1 573 558 fi 574 559 575 - test $lret -eq 0 && echo "PASS: $family IP masquerade $natflags for ns2" 560 + test $lret -eq 0 && echo "PASS: $family IP masquerade $natflags for $ns2" 576 561 577 562 return $lret 578 563 } ··· 582 567 local family=$1 583 568 local lret=0 584 569 585 - ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 570 + ip netns exec "$ns0" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null 586 571 587 - ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 572 + ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 588 573 if [ $? -ne 0 ] ; then 589 - echo "ERROR: cannnot ping ns1 from ns2 via ipv6" 574 + echo "ERROR: cannnot ping $ns1 from $ns2 via ipv6" 590 575 lret=1 591 576 fi 592 577 593 578 expect="packets 1 bytes 104" 594 579 for dir in "in6" "out6" ; do 595 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 580 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 596 581 if [ $? -ne 0 ]; then 597 - bad_counter ns1 ns2$dir "$expect" 582 + bad_counter "$ns1" ns2$dir "$expect" "test_redirect6 1" 598 583 lret=1 599 584 fi 600 585 601 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 586 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 602 587 if [ $? -ne 0 ]; then 603 - bad_counter ns2 ns1$dir "$expect" 588 + bad_counter "$ns2" ns1$dir "$expect" "test_redirect6 2" 604 589 lret=1 605 590 fi 606 591 done ··· 608 593 reset_counters 609 594 610 595 # add redirect rule 611 - ip netns exec ns0 nft -f - <<EOF 596 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 612 597 table $family nat { 613 598 chain prerouting { 614 599 type nat hook prerouting priority 0; policy accept; ··· 621 606 return $ksft_skip 622 607 fi 623 608 624 - ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 609 + ip netns exec "$ns2" ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 625 610 if [ $? -ne 0 ] ; then 626 - echo "ERROR: cannot ping ns1 from ns2 via ipv6 with active $family redirect" 611 + echo "ERROR: cannot ping $ns1 from $ns2 via ipv6 with active $family redirect" 627 612 lret=1 628 613 fi 629 614 630 615 # ns1 should have seen no packets from ns2, due to redirection 631 616 expect="packets 0 bytes 0" 632 617 for dir in "in6" "out6" ; do 633 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 618 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 634 619 if [ $? -ne 0 ]; then 635 - bad_counter ns1 ns0$dir "$expect" 620 + bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 3" 636 621 lret=1 637 622 fi 638 623 done ··· 640 625 # ns0 should have seen packets from ns2, due to masquerade 641 626 expect="packets 1 bytes 104" 642 627 for dir in "in6" "out6" ; do 643 - cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") 628 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 644 629 if [ $? -ne 0 ]; then 645 - bad_counter ns1 ns0$dir "$expect" 630 + bad_counter "$ns1" ns0$dir "$expect" "test_redirect6 4" 646 631 lret=1 647 632 fi 648 633 done 649 634 650 - ip netns exec ns0 nft delete table $family nat 635 + ip netns exec "$ns0" nft delete table $family nat 651 636 if [ $? -ne 0 ]; then 652 637 echo "ERROR: Could not delete $family nat table" 1>&2 653 638 lret=1 654 639 fi 655 640 656 - test $lret -eq 0 && echo "PASS: $family IPv6 redirection for ns2" 641 + test $lret -eq 0 && echo "PASS: $family IPv6 redirection for $ns2" 657 642 658 643 return $lret 659 644 } ··· 663 648 local family=$1 664 649 local lret=0 665 650 666 - ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 667 - ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 651 + ip netns exec "$ns0" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null 652 + ip netns exec "$ns0" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null 668 653 669 - ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 654 + ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 670 655 if [ $? -ne 0 ] ; then 671 - echo "ERROR: cannot ping ns1 from ns2" 656 + echo "ERROR: cannot ping $ns1 from $ns2" 672 657 lret=1 673 658 fi 674 659 675 660 expect="packets 1 bytes 84" 676 661 for dir in "in" "out" ; do 677 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 662 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 678 663 if [ $? -ne 0 ]; then 679 - bad_counter ns1 ns2$dir "$expect" 664 + bad_counter "$ns1" $ns2$dir "$expect" "test_redirect 1" 680 665 lret=1 681 666 fi 682 667 683 - cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") 668 + cnt=$(ip netns exec "$ns2" nft list counter inet filter ns1${dir} | grep -q "$expect") 684 669 if [ $? -ne 0 ]; then 685 - bad_counter ns2 ns1$dir "$expect" 670 + bad_counter "$ns2" ns1$dir "$expect" "test_redirect 2" 686 671 lret=1 687 672 fi 688 673 done ··· 690 675 reset_counters 691 676 692 677 # add redirect rule 693 - ip netns exec ns0 nft -f - <<EOF 678 + ip netns exec "$ns0" nft -f /dev/stdin <<EOF 694 679 table $family nat { 695 680 chain prerouting { 696 681 type nat hook prerouting priority 0; policy accept; ··· 703 688 return $ksft_skip 704 689 fi 705 690 706 - ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 691 + ip netns exec "$ns2" ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 707 692 if [ $? -ne 0 ] ; then 708 - echo "ERROR: cannot ping ns1 from ns2 with active $family ip redirect" 693 + echo "ERROR: cannot ping $ns1 from $ns2 with active $family ip redirect" 709 694 lret=1 710 695 fi 711 696 ··· 713 698 expect="packets 0 bytes 0" 714 699 for dir in "in" "out" ; do 715 700 716 - cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") 701 + cnt=$(ip netns exec "$ns1" nft list counter inet filter ns2${dir} | grep -q "$expect") 717 702 if [ $? -ne 0 ]; then 718 - bad_counter ns1 ns0$dir "$expect" 703 + bad_counter "$ns1" ns0$dir "$expect" "test_redirect 3" 719 704 lret=1 720 705 fi 721 706 done ··· 723 708 # ns0 should have seen packets from ns2, due to masquerade 724 709 expect="packets 1 bytes 84" 725 710 for dir in "in" "out" ; do 726 - cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") 711 + cnt=$(ip netns exec "$ns0" nft list counter inet filter ns2${dir} | grep -q "$expect") 727 712 if [ $? -ne 0 ]; then 728 - bad_counter ns1 ns0$dir "$expect" 713 + bad_counter "$ns0" ns0$dir "$expect" "test_redirect 4" 729 714 lret=1 730 715 fi 731 716 done 732 717 733 - ip netns exec ns0 nft delete table $family nat 718 + ip netns exec "$ns0" nft delete table $family nat 734 719 if [ $? -ne 0 ]; then 735 720 echo "ERROR: Could not delete $family nat table" 1>&2 736 721 lret=1 737 722 fi 738 723 739 - test $lret -eq 0 && echo "PASS: $family IP redirection for ns2" 724 + test $lret -eq 0 && echo "PASS: $family IP redirection for $ns2" 740 725 741 726 return $lret 742 727 } 743 728 744 729 745 - # ip netns exec ns0 ping -c 1 -q 10.0.$i.99 730 + # ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 746 731 for i in 0 1 2; do 747 - ip netns exec ns$i nft -f - <<EOF 732 + ip netns exec ns$i-$sfx nft -f /dev/stdin <<EOF 748 733 table inet filter { 749 734 counter ns0in {} 750 735 counter ns1in {} ··· 811 796 sleep 3 812 797 # test basic connectivity 813 798 for i in 1 2; do 814 - ip netns exec ns0 ping -c 1 -q 10.0.$i.99 > /dev/null 799 + ip netns exec "$ns0" ping -c 1 -q 10.0.$i.99 > /dev/null 815 800 if [ $? -ne 0 ];then 816 801 echo "ERROR: Could not reach other namespace(s)" 1>&2 817 802 ret=1 818 803 fi 819 804 820 - ip netns exec ns0 ping -c 1 -q dead:$i::99 > /dev/null 805 + ip netns exec "$ns0" ping -c 1 -q dead:$i::99 > /dev/null 821 806 if [ $? -ne 0 ];then 822 807 echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2 823 808 ret=1 824 809 fi 825 - check_counters ns$i 810 + check_counters ns$i-$sfx 826 811 if [ $? -ne 0 ]; then 827 812 ret=1 828 813 fi ··· 835 820 done 836 821 837 822 if [ $ret -eq 0 ];then 838 - echo "PASS: netns routing/connectivity: ns0 can reach ns1 and ns2" 823 + echo "PASS: netns routing/connectivity: $ns0 can reach $ns1 and $ns2" 839 824 fi 840 825 841 826 reset_counters ··· 860 845 reset_counters 861 846 $test_inet_nat && test_redirect inet 862 847 $test_inet_nat && test_redirect6 inet 848 + 849 + if [ $ret -ne 0 ];then 850 + echo -n "FAIL: " 851 + nft --version 852 + fi 863 853 864 854 exit $ret