diff options
| -rw-r--r-- | tests/conntrackd/scenarios.yaml | 101 | ||||
| -rw-r--r-- | tests/conntrackd/tests.yaml | 11 |
2 files changed, 112 insertions, 0 deletions
diff --git a/tests/conntrackd/scenarios.yaml b/tests/conntrackd/scenarios.yaml index a47e1a1..798d9eb 100644 --- a/tests/conntrackd/scenarios.yaml +++ b/tests/conntrackd/scenarios.yaml @@ -17,3 +17,104 @@ - $CONNTRACKD -C /tmp/conntrackd_test_simple_stats -k - rm -f /var/lock/conntrack.lock - rm -f /tmp/conntrackd_test_simple_stats + +- name: basic_2_peer_network_tcp_notrack + start: + - ip netns add ns1 + - ip netns add ns2 + - ip netns add nsr1 + - ip netns add nsr2 + - ip link add veth0 netns ns1 type veth peer name veth1 netns nsr1 + - ip link add veth0 netns nsr1 type veth peer name veth0 netns ns2 + - ip link add veth2 netns nsr1 type veth peer name veth0 netns nsr2 + - ip -net ns1 addr add 192.168.10.2/24 dev veth0 + - ip -net ns1 link set up dev veth0 + - ip -net ns1 ro add 10.0.1.0/24 via 192.168.10.1 dev veth0 + - ip -net nsr1 addr add 10.0.1.1/24 dev veth0 + - ip -net nsr1 addr add 192.168.10.1/24 dev veth1 + - ip -net nsr1 link set up dev veth0 + - ip -net nsr1 link set up dev veth1 + - ip -net nsr1 route add default via 192.168.10.2 + - ip netns exec nsr1 sysctl -q net.ipv4.ip_forward=1 + - ip -net nsr1 addr add 192.168.100.2/24 dev veth2 + - ip -net nsr1 link set up dev veth2 + - ip -net nsr2 addr add 192.168.100.3/24 dev veth0 + - ip -net nsr2 link set up dev veth0 + - ip -net ns2 addr add 10.0.1.2/24 dev veth0 + - ip -net ns2 link set up dev veth0 + - ip -net ns2 route add default via 10.0.1.1 + - | + cat << EOF > /tmp/ruleset.nft + table ip filter { + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + oif veth0 masquerade + } + } + EOF + - ip netns exec nsr1 nft -f /tmp/ruleset.nft + - | + cat << EOF > /tmp/nsr1.conf + Sync { + Mode NOTRACK { + DisableExternalCache on + DisableInternalCache on + } + TCP { + IPv4_address 192.168.100.2 + IPv4_Destination_Address 192.168.100.3 + Interface veth2 + Port 3780 + } + } + General { + LogFile on + LockFile /var/lock/conntrack-nsr1.lock + UNIX { Path /var/run/conntrackd-nsr1.ctl } + } + EOF + - | + cat << EOF > /tmp/nsr2.conf + Sync { + Mode NOTRACK { + DisableExternalCache on + DisableInternalCache on + } + TCP { + IPv4_address 192.168.100.3 + IPv4_Destination_Address 192.168.100.2 + Interface veth0 + Port 3780 + } + } + General { + LogFile on + LockFile /var/lock/conntrack-nsr2.lock + UNIX { Path /var/run/conntrackd-nsr2.ctl } + } + EOF + # finally run the daemons + - ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -d + - ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -d + # make sure they are alive and connected before considering the scenario started + - timeout 5 bash -c -- ' + while ! ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -s | grep -q "server=connected" + ; do sleep 0.5 ; done' + - timeout 5 bash -c -- ' + while ! ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -s | grep -q "client=connected" + ; do sleep 0.5 ; done' + - timeout 5 bash -c -- ' + while ! ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -s | grep -q "server=connected" + ; do sleep 0.5 ; done' + - timeout 5 bash -c -- ' + while ! ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -s | grep -q "client=connected" + ; do sleep 0.5 ; done' + stop: + - $CONNTRACKD -C /tmp/nsr1.conf -k 2>/dev/null + - $CONNTRACKD -C /tmp/nsr2.conf -k 2>/dev/null + - rm -f /tmp/ruleset.nft /tmp/nsr2.conf /tmp/nsr1.conf + - rm -f /var/lock/conntrack-nsr1.lock /var/lock/conntrack-nsr2.lock + - ip netns del ns1 || true + - ip netns del ns2 || true + - ip netns del nsr1 || true + - ip netns del nsr2 || true diff --git a/tests/conntrackd/tests.yaml b/tests/conntrackd/tests.yaml index 8324dbe..872269d 100644 --- a/tests/conntrackd/tests.yaml +++ b/tests/conntrackd/tests.yaml @@ -39,3 +39,14 @@ # check that we can obtain stats via unix socket: expect (no output) test: - $CONNTRACKD -C /tmp/conntrackd_test_simple_stats -s expect + +- name: tcp_notrack_replicate_icmp + scenario: basic_2_peer_network_tcp_notrack + # check that we can replicate a ICMP conntrack entry in a 2 conntrackd TCP/NOTRACK setup + test: + # PING should inject an ICMP conntrack entry in nsr1 + - ip netns exec ns1 ping -c1 10.0.1.2 >/dev/null + # verify conntrack entry is then replicated to nsr2, wait up to 5 seconds + - timeout 5 bash -c -- ' + while ! ip netns exec nsr2 $CONNTRACK -L -p icmp 2>/dev/null | grep -q icmp + ; do sleep 0.5 ; done' |