author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-14 10:38:08 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-19 17:03:22 +0200 |
commit | cce0d7b174ff5412e8fc1db9614081fe314a87cd (patch) | |
tree | f11864229227856797c07acc497df85355889c38 /tests | |
parent | b6b2b0cc5103612c59546cc1fea7e33814eae220 (diff) |
tests: shell: bogus EBUSY errors in transactions
Make sure reference tracking during transaction update is correct by
checking for bogus EBUSY errors, for example when deleting a map that
references chain X, followed by a delete chain X command.
This test is covering the following paths:
- prepare + abort (via -c/--check option)
- prepare + commit
- release (when netns is destroyed)
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/shell/testcases/transactions/0051map_0 | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/0051map_0
new file mode 100755
index 00000000..c4ea62cd
--- /dev/null
+++ b/tests/shell/testcases/transactions/0051map_0
@@ -0,0 +1,121 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1trans-$rnd"
+
+#
+# dependency tracking for implicit set
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ ip saddr vmap { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for map in implicit chain
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ chain y {
+ meta iifname \"eno1\" jump {
+ ip saddr vmap { 1.1.1.1 : jump w, 3.3.3.3 : goto m }
+ }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for explicit map
+#
+RULESET="table ip x {
+ chain w {}
+ chain m {}
+
+ map y {
+ type ipv4_addr : verdict
+ elements = { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="delete set ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } ip saddr vmap { 1.1.1.1 : jump z } counter flow add @nonexisting
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+ chain w {
+ jump z
+ }
+ chain z {
+ jump w
+ }
+
+ chain test {
+ ip protocol { tcp, udp } jump {
+ ip saddr vmap { 1.1.1.1 : jump z }
+ }
+ ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+ }
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0 |
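Review bot: Every nft invocation in this script ends in `|| exit 0`, so a failing command makes the test report success, including the `flush chain ip x y` / `delete chain ip x w` and `delete set ip x y` / `delete chain ip x w` batches where a bogus EBUSY is the regression being checked. Unless the harness judges the run by something other than the exit status, the first three sections should fail the test on error, e.g. `$NFT -f - <<< "$RULESET" >/dev/null || exit 1`. In the two error-path sections a failure is presumably the expected outcome (the ruleset references `@nonexisting`, and chains w and z jump to each other), but there the `|| exit 0` on the `-c` run ends the script, so the `$NFT -f` run that follows and the whole last section would never execute. Dropping `|| exit 0` on those four lines and finishing with an explicit `exit 0` would keep both the abort and the commit path covered. An early exit between `ip netns add $ns1` and `ip netns del $ns1` also leaves the namespace behind, which a `trap 'ip netns del $ns1 2>/dev/null' EXIT` near the top would clean up.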