
selftests: netfilter: move fib vrf test to nft_fib.sh

It was located in conntrack_vrf.sh because that already had the VRF bits.
Let's not add to this and move it to nft_fib.sh where this belongs.

No functional changes for the subtest intended.
The subtest is limited, it only covered 'fib oif'
(route output interface query) when the incoming interface is part
of a VRF.

Next we can extend it to cover 'fib type' for VRFs and also check fib
results when there is an unrelated VRF in same netns.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
98287045 839340f7

+90 -34
-34
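--- a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
@@ -32,7 +32,6 @@
 
 IP0=172.30.30.1
 IP1=172.30.30.2
-DUMMYNET=10.9.9
 PFXL=30
 ret=0
 
@@ -51,8 +52,6 @@
 
 setup_ns ns0 ns1
 
-ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.forwarding=1
-
 if ! ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1; then
 echo "SKIP: Could not add veth device"
 exit $ksft_skip
@@ -61,18 +64,13 @@
 exit $ksft_skip
 fi
 
-ip -net "$ns0" link add dummy0 type dummy
-
 ip -net "$ns0" li set veth0 master tvrf
-ip -net "$ns0" li set dummy0 master tvrf
 ip -net "$ns0" li set tvrf up
 ip -net "$ns0" li set veth0 up
-ip -net "$ns0" li set dummy0 up
 ip -net "$ns1" li set veth0 up
 
 ip -net "$ns0" addr add $IP0/$PFXL dev veth0
 ip -net "$ns1" addr add $IP1/$PFXL dev veth0
-ip -net "$ns0" addr add $DUMMYNET.1/$PFXL dev dummy0
 
 listener_ready()
 {
@@ -208,35 +216,9 @@
 fi
 }
 
-test_fib()
-{
-ip netns exec "$ns0" nft -f - <<EOF
-flush ruleset
-table ip t {
-counter fibcount { }
-
-chain prerouting {
-type filter hook prerouting priority 0;
-meta iifname veth0 ip daddr $DUMMYNET.2 fib daddr oif dummy0 counter name fibcount notrack
-}
-}
-EOF
-ip -net "$ns1" route add 10.9.9.0/24 via "$IP0" dev veth0
-ip netns exec "$ns1" ping -q -w 1 -c 1 "$DUMMYNET".2 > /dev/null
-
-if ip netns exec "$ns0" nft list counter t fibcount | grep -q "packets 1"; then
-echo "PASS: fib lookup returned exepected output interface"
-else
-echo "FAIL: fib lookup did not return exepected output interface"
-ret=1
-return
-fi
-}
-
 test_ct_zone_in
 test_masquerade_vrf "default"
 test_masquerade_vrf "pfifo"
 test_masquerade_veth
-test_fib
 
 exit $ret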
+90
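--- a/tools/testing/selftests/net/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/net/netfilter/nft_fib.sh
@@ -252,6 +252,23 @@
 return 0
 }
 
+test_ping_unreachable() {
+local daddr4=$1
+local daddr6=$2
+
+if ip netns exec "$ns1" ping -c 1 -w 1 -q "$daddr4" > /dev/null; then
+echo "FAIL: ${ns1} could reach $daddr4" 1>&2
+return 1
+fi
+
+if ip netns exec "$ns1" ping -c 1 -w 1 -q "$daddr6" > /dev/null; then
+echo "FAIL: ${ns1} could reach $daddr6" 1>&2
+return 1
+fi
+
+return 0
+}
+
 test_fib_type() {
 local notice="$1"
 local errmsg="addr-on-if"
@@ -310,6 +293,77 @@
 echo "FAIL: fib expression address types match ($notice)"
 ret=1
 fi
+}
+
+test_fib_vrf_dev_add_dummy()
+{
+if ! ip -net "$nsrouter" link add dummy0 type dummy ;then
+echo "SKIP: VRF tests: dummy device type not supported"
+return 1
+fi
+
+if ! ip -net "$nsrouter" link add tvrf type vrf table 9876;then
+echo "SKIP: VRF tests: vrf device type not supported"
+return 1
+fi
+
+ip -net "$nsrouter" link set veth0 master tvrf
+ip -net "$nsrouter" link set dummy0 master tvrf
+ip -net "$nsrouter" link set dummy0 up
+ip -net "$nsrouter" link set tvrf up
+}
+
+# Extends nsrouter config by adding dummy0+vrf.
+#
+# 10.0.1.99 10.0.1.1 10.0.2.1 10.0.2.99
+# dead:1::99 dead:1::1 dead:2::1 dead:2::99
+# ns1 <-------> [ veth0 ] nsrouter [veth1] <-------> ns2
+# [dummy0]
+# 10.9.9.1
+# dead:9::1
+# [tvrf]
+test_fib_vrf()
+{
+local dummynet="10.9.9"
+local dummynet6="dead:9"
+local cntname=""
+
+if ! test_fib_vrf_dev_add_dummy; then
+[ $ret -eq 0 ] && ret=$ksft_skip
+return
+fi
+
+ip -net "$nsrouter" addr add "$dummynet.1"/24 dev dummy0
+ip -net "$nsrouter" addr add "${dummynet6}::1"/64 dev dummy0 nodad
+
+
+ip netns exec "$nsrouter" nft -f - <<EOF
+flush ruleset
+table inet t {
+counter fibcount4 { }
+counter fibcount6 { }
+
+chain prerouting {
+type filter hook prerouting priority 0;
+meta iifname veth0 ip daddr ${dummynet}.2 fib daddr oif dummy0 counter name fibcount4
+meta iifname veth0 ip6 daddr ${dummynet6}::2 fib daddr oif dummy0 counter name fibcount6
+}
+}
+EOF
+# no echo reply for these addresses: The dummy interface is part of tvrf,
+test_ping_unreachable "$dummynet.2" "${dummynet6}::2" &
+
+wait
+
+for cntname in fibcount4 fibcount6;do
+if ip netns exec "$nsrouter" nft list counter inet t "$cntname" | grep -q "packets 1"; then
+echo "PASS: vrf fib lookup did return expected output interface for $cntname"
+else
+ip netns exec "$nsrouter" nft list counter inet t "$cntname"
+echo "FAIL: vrf fib lookup did not return expected output interface for $cntname"
+ret=1
+fi
+done
 }
 
 ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
@@ -503,5 +415,7 @@
 test_fib_type "default table"
 ip netns exec "$nsrouter" nft delete table ip filter
 ip netns exec "$nsrouter" nft delete table ip6 filter
+
+test_fib_vrf
 
 exit $ret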
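Review bot: The exit status of `test_ping_unreachable` is discarded in test_fib_vrf: the call is backgrounded with `&` and reaped by a bare `wait`, which always returns 0, so the FAIL it writes to stderr never reaches `ret` and the subtest still reports PASS as long as the two counters read "packets 1". Nothing runs concurrently with the pings before `wait`, so the backgrounding buys nothing; running it in the foreground and propagating the status, `test_ping_unreachable "$dummynet.2" "${dummynet6}::2" || ret=1`, and dropping the following `wait` would make the FAIL line count. If the reachability check is meant as a diagnostic only rather than a pass/fail criterion, the FAIL wording and the comment above it should say so instead. Separately, `test_fib_vrf_dev_add_dummy` leaves dummy0 behind when the vrf link add fails; harmless if the namespace is torn down afterwards, but worth a `ip -net "$nsrouter" link del dummy0` on that path for symmetry.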