selftests: netfilter: nft_fib.sh: add 'type' mode tests

fib can either look up the interface id/name of the output interface that
would be used for the given address, or it can check the type of the
address according to the fib, e.g. local, unicast, multicast and so on.

This can be used to e.g. make a locally configured address only reachable
through its interface.

Example: given eth0:10.1.1.1 and eth1:10.1.2.1 then 'fib daddr type' for
10.1.1.1 arriving on eth1 will be 'local', but 'fib daddr . iif type' is
expected to return 'unicast', whereas 'fib daddr' and 'fib daddr . iif'
are expected to indicate 'local' if such a packet arrives on eth0.

So far nft_fib.sh only covered oif/oifname, not type.

Repeat tests both with default and a policy (ip rule) based setup.

Also try to run all remaining tests even if a subtest has failed.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
839340f7 c38eb297

+174 -10
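--- a/tools/testing/selftests/net/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/net/netfilter/nft_fib.sh
@@ -3,6 +3,10 @@
 # This tests the fib expression.
 #
 # Kselftest framework requirement - SKIP code is 4.
+#
+#  10.0.1.99     10.0.1.1           10.0.2.1         10.0.2.99
+# dead:1::99    dead:1::1          dead:2::1        dead:2::99
+# ns1 <-------> [ veth0 ] nsrouter [veth1] <-------> ns2
 
 source lib.sh
 
@@ -76,6 +72,89 @@
 EOF
 }
 
+load_type_ruleset() {
+	local netns=$1
+
+	for family in ip ip6;do
+	ip netns exec "$netns" nft -f /dev/stdin <<EOF
+table $family filter {
+	chain type_match_in {
+		fib daddr type local counter comment "daddr configured on other iface"
+		fib daddr . iif type local counter comment "daddr configured on iif"
+		fib daddr type unicast counter comment "daddr not local"
+		fib daddr . iif type unicast counter comment "daddr not configured on iif"
+	}
+
+	chain type_match_out {
+		fib daddr type unicast counter
+		fib daddr . oif type unicast counter
+		fib daddr type local counter
+		fib daddr . oif type local counter
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority 0;
+		icmp type echo-request counter jump type_match_in
+		icmpv6 type echo-request counter jump type_match_in
+	}
+
+	chain input {
+		type filter hook input priority 0;
+		icmp type echo-request counter jump type_match_in
+		icmpv6 type echo-request counter jump type_match_in
+	}
+
+	chain forward {
+		type filter hook forward priority 0;
+		icmp type echo-request counter jump type_match_in
+		icmpv6 type echo-request counter jump type_match_in
+	}
+
+	chain output {
+		type filter hook output priority 0;
+		icmp type echo-request counter jump type_match_out
+		icmpv6 type echo-request counter jump type_match_out
+	}
+
+	chain postrouting {
+		type filter hook postrouting priority 0;
+		icmp type echo-request counter jump type_match_out
+		icmpv6 type echo-request counter jump type_match_out
+	}
+}
+EOF
+	done
+}
+
+reload_type_ruleset() {
+	ip netns exec "$1" nft flush table ip filter
+	ip netns exec "$1" nft flush table ip6 filter
+	load_type_ruleset "$1"
+}
+
+check_fib_type_counter_family() {
+	local family="$1"
+	local want="$2"
+	local ns="$3"
+	local chain="$4"
+	local what="$5"
+	local errmsg="$6"
+
+	if ! ip netns exec "$ns" nft list chain "$family" filter "$chain" | grep "$what" | grep -q "packets $want";then
+		echo "Netns $ns $family fib type counter doesn't match expected packet count of $want for $what $errmsg" 1>&2
+		ip netns exec "$ns" nft list chain "$family" filter "$chain"
+		ret=1
+		return 1
+	fi
+
+	return 0
+}
+
+check_fib_type_counter() {
+	check_fib_type_counter_family "ip" "$@" || return 1
+	check_fib_type_counter_family "ip6" "$@" || return 1
+}
+
 load_ruleset_count() {
 	local netns=$1
 
@@ -177,6 +90,7 @@
 	if dmesg | grep -q ' nft_rpfilter: ';then
 		dmesg | grep ' nft_rpfilter: '
 		echo "FAIL: rpfilter did drop packets"
+		ret=1
 		return 1
 	fi
 
@@ -252,17 +164,70 @@
 	return 0
 }
 
+test_fib_type() {
+	local notice="$1"
+	local errmsg="addr-on-if"
+	local lret=0
+
+	if ! load_type_ruleset "$nsrouter";then
+		echo "SKIP: Could not load fib type ruleset"
+		[ $ret -eq 0 ] && ret=$ksft_skip
+		return
+	fi
+
+	# makes router receive packet for addresses configured on incoming
+	# interface.
+	test_ping 10.0.1.1 dead:1::1 || return 1
+
+	# expectation: triggers all 'local' in prerouting/input.
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr type local" "$errmsg" || lret=1
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr . iif type local" "$errmsg" || lret=1
+
+	reload_type_ruleset "$nsrouter"
+	# makes router receive packet for address configured on a different (but local)
+	# interface.
+	test_ping 10.0.2.1 dead:2::1 || return 1
+
+	# expectation: triggers 'unicast' in prerouting/input for daddr . iif and local for 'daddr'.
+	errmsg="addr-on-host"
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr type local" "$errmsg" || lret=1
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr . iif type unicast" "$errmsg" || lret=1
+
+	reload_type_ruleset "$nsrouter"
+	test_ping 10.0.2.99 dead:2::99 || return 1
+	errmsg="addr-on-otherhost"
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr type unicast" "$errmsg" || lret=1
+	check_fib_type_counter 2 "$nsrouter" "type_match_in" "fib daddr . iif type unicast" "$errmsg" || lret=1
+
+	if [ $lret -eq 0 ];then
+		echo "PASS: fib expression address types match ($notice)"
+	else
+		echo "FAIL: fib expression address types match ($notice)"
+		ret=1
+	fi
+}
+
 ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
 ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
 ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
 
 test_ping 10.0.2.1 dead:2::1 || exit 1
-check_drops || exit 1
+check_drops
 
 test_ping 10.0.2.99 dead:2::99 || exit 1
-check_drops || exit 1
+check_drops
 
-echo "PASS: fib expression did not cause unwanted packet drops"
+[ $ret -eq 0 ] && echo "PASS: fib expression did not cause unwanted packet drops"
+
+load_input_ruleset "$ns1"
+
+test_ping 127.0.0.1 ::1
+check_drops
+
+test_ping 10.0.1.99 dead:1::99
+check_drops
+
+[ $ret -eq 0 ] && echo "PASS: fib expression did not discard loopback packets"
 
 load_input_ruleset "$ns1"
 
@@ -375,7 +234,7 @@
 # ... pbr ruleset for the router, check iif+oif.
 if ! load_pbr_ruleset "$nsrouter";then
 	echo "SKIP: Could not load fib forward ruleset"
-	exit $ksft_skip
+	[ "$ret" -eq 0 ] && ret=$ksft_skip
 fi
 
 ip -net "$nsrouter" rule add from all table 128
@@ -386,11 +245,34 @@
 # drop main ipv4 table
 ip -net "$nsrouter" -4 rule delete table main
 
-if ! test_ping 10.0.2.99 dead:2::99;then
-	ip -net "$nsrouter" nft list ruleset
-	echo "FAIL: fib mismatch in pbr setup"
-	exit 1
+if test_ping 10.0.2.99 dead:2::99;then
+	echo "PASS: fib expression forward check with policy based routing"
+else
+	echo "FAIL: fib expression forward check with policy based routing"
+	ret=1
 fi
 
-echo "PASS: fib expression forward check with policy based routing"
-exit 0
+test_fib_type "policy routing"
+ip netns exec "$nsrouter" nft delete table ip filter
+ip netns exec "$nsrouter" nft delete table ip6 filter
+
+# Un-do policy routing changes
+ip -net "$nsrouter" rule del from all table 128
+ip -net "$nsrouter" rule del from all iif veth0 table 129
+
+ip -net "$nsrouter" route del table 128 to 10.0.1.0/24 dev veth0
+ip -net "$nsrouter" route del table 129 to 10.0.2.0/24 dev veth1
+
+ip -net "$ns1" -4 route del default
+ip -net "$ns1" -6 route del default
+
+ip -net "$ns1" -4 route add default via 10.0.1.1
+ip -net "$ns1" -6 route add default via dead:1::1
+
+ip -net "$nsrouter" -4 rule add from all table main priority 32766
+
+test_fib_type "default table"
+ip netns exec "$nsrouter" nft delete table ip filter
+ip netns exec "$nsrouter" nft delete table ip6 filter
+
+exit $ret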
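Review bot: The counter check in check_fib_type_counter_family (new line 143) is looser than the exact-count assertion it is meant to be: `grep "$what"` treats the rule text as a regex, so the `.` in "fib daddr . iif" matches any character, and `grep -q "packets $want"` is unanchored, so an expected count of 2 is also satisfied by a counter of 20 or 25. Matching the rule text literally and the count as a whole word keeps the test honest, e.g. `if ! ip netns exec "$ns" nft list chain "$family" filter "$chain" | grep -F -- "$what" | grep -Eq "packets $want( |$)";then`. In test_fib_type (new lines 180, 189, 197) a failed test_ping returns 1 without touching the global ret, so unless test_ping sets ret itself (not visible in this hunk), a ping failure in the type test leaves the script exiting with a success status; `test_ping 10.0.1.1 dead:1::1 || { ret=1; return 1; }` would record it. The same grep concern applies to every check_fib_type_counter call in hunk @@ -252,17 +164,70 @@.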