diff options
Diffstat (limited to 'tests/shell/testcases/packetpath/flowtables')
| -rwxr-xr-x | tests/shell/testcases/packetpath/flowtables | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables new file mode 100755 index 00000000..ec7dfeb7 --- /dev/null +++ b/tests/shell/testcases/packetpath/flowtables @@ -0,0 +1,96 @@ +#! /bin/bash -x + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +rnd=$(mktemp -u XXXXXXXX) +R="flowtable-router-$rnd" +C="flowtable-client-$rnd" +S="flowtbale-server-$rnd" + +cleanup() +{ + for i in $R $C $S;do + kill $(ip netns pid $i) 2>/dev/null + ip netns del $i + done +} + +trap cleanup EXIT + +ip netns add $R +ip netns add $S +ip netns add $C + +ip link add s_r netns $S type veth peer name r_s netns $R +ip netns exec $S ip link set s_r up +ip netns exec $R ip link set r_s up +ip link add c_r netns $C type veth peer name r_c netns $R +ip netns exec $R ip link set r_c up +ip netns exec $C ip link set c_r up + +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r +ip netns exec $S ethtool -K s_r tso off +ip netns exec $C ethtool -K c_r tso off + +sleep 3 +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 + +ip netns exec $R nft -f - <<EOF +table ip6 filter { + flowtable f1 { + hook ingress priority -100 + devices = { r_c, r_s } + } + + chain forward { + type filter hook forward priority filter; policy accept; + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0 + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop + tcp flags fin,rst counter packets 0 bytes 0 accept + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept + ip6 nexthdr tcp counter packets 0 bytes 0 log drop + } +} +EOF + +if [ ! -r /proc/net/nf_conntrack ] +then + echo "E: nf_conntrack unreadable, skipping" >&2 + exit 77 +fi + +ip netns exec $R nft list ruleset +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || { + echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2 + exit 77 +} +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { + echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 + exit 77 + +} + +# A trick to control the timing to send a packet +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & +sleep 1 +ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & +sleep 1 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } +ip netns exec $R cat /proc/net/nf_conntrack +sleep 6 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } +ip netns exec $C sleep 3 +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd +ip netns exec $C sleep 3 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } + +exit 0 |