diff options
Diffstat (limited to 'tests/shell/testcases/packetpath')
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/flowtables.nodump | 0 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft | 168 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/tcp_reset.nft | 13 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump | 0 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump | 0 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/flowtables | 4 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/match_l4proto | 149 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/payload | 169 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/tcp_reset | 31 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/vlan_mangling | 77 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/vlan_qinq | 73 |
11 files changed, 633 insertions, 51 deletions
diff --git a/tests/shell/testcases/packetpath/dumps/flowtables.nodump b/tests/shell/testcases/packetpath/dumps/flowtables.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/flowtables.nodump diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft new file mode 100644 index 00000000..e1367cc1 --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft @@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "nftrace" + } + }, + "value": 1 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "::1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft new file mode 100644 index 00000000..fb3df1af --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft @@ -0,0 +1,13 @@ +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + meta nftrace set 1 + ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset + ip6 daddr ::1 tcp dport 5555 reject with tcp reset + tcp dport 5555 counter packets 0 bytes 0 + } + + chain output { + type filter hook output priority filter; policy accept; + } +} diff --git a/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump b/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_mangling.nodump diff --git a/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump b/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/vlan_qinq.nodump diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index ec7dfeb7..2c4a7e1f 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -1,7 +1,9 @@ -#! /bin/bash -x +#!/bin/bash # NFT_TEST_SKIP(NFT_TEST_SKIP_slow) +set -x + rnd=$(mktemp -u XXXXXXXX) R="flowtable-router-$rnd" C="flowtable-client-$rnd" diff --git a/tests/shell/testcases/packetpath/match_l4proto b/tests/shell/testcases/packetpath/match_l4proto new file mode 100755 index 00000000..31fbe6c2 --- /dev/null +++ b/tests/shell/testcases/packetpath/match_l4proto @@ -0,0 +1,149 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1payload-$rnd" +ns2="nft2payload-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +run_test() +{ + ns1_addr=$2 + ns2_addr=$3 + cidr=$4 + + # socat needs square brackets, ie. [abcd::2] + if [ $1 -eq 6 ]; then + nsx1_addr="["$ns1_addr"]" + nsx2_addr="["$ns2_addr"]" + else + nsx1_addr="$ns1_addr" + nsx2_addr="$ns2_addr" + fi + + ip netns add "$ns1" || exit 111 + ip netns add "$ns2" || exit 111 + + ip -net "$ns1" link set lo up + ip -net "$ns2" link set lo up + + ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + + ip -net "$ns1" link set veth0 up + ip -net "$ns2" link set veth0 up + ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0 + ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0 + + sleep 5 + +RULESET="table netdev payload_netdev { + counter ingress {} + counter ingress_2 {} + counter egress {} + counter egress_2 {} + + chain ingress { + type filter hook ingress device veth0 priority 0; + udp dport 7777 counter name ingress + meta l4proto udp counter name ingress_2 + } + + chain egress { + type filter hook egress device veth0 priority 0; + udp dport 7777 counter name egress + meta l4proto udp counter name egress_2 + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress_2 | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress_2| grep "packets 5" > /dev/null || exit 1 + + # + # ... next stage + # + ip netns exec "$ns1" $NFT flush ruleset + + # + # bridge + # + + ip -net "$ns1" addr del $ns1_addr/$cidr dev veth0 + + ip -net "$ns1" link add name br0 type bridge + ip -net "$ns1" link set veth0 master br0 + ip -net "$ns1" addr add $ns1_addr/$cidr dev br0 + ip -net "$ns1" link set up dev br0 + + sleep 5 + +RULESET="table bridge payload_bridge { + counter input {} + counter output {} + counter input_2 {} + counter output_2 {} + + chain in { + type filter hook input priority 0; + udp dport 7777 counter name input + meta l4proto udp counter name input_2 + } + + chain out { + type filter hook output priority 0; + udp dport 7777 counter name output + meta l4proto udp counter name output_2 + } +}" + + ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 + + ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + + ip netns exec "$ns1" $NFT list ruleset + + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input_2 | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep "packets 5" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output_2 | grep "packets 5" > /dev/null || exit 1 +} + +run_test "4" "10.141.10.2" "10.141.10.3" "24" +cleanup +run_test "6" "abcd::2" "abcd::3" "64" +# trap calls cleanup diff --git a/tests/shell/testcases/packetpath/payload b/tests/shell/testcases/packetpath/payload index 4c5c42da..83e0b7fc 100755 --- a/tests/shell/testcases/packetpath/payload +++ b/tests/shell/testcases/packetpath/payload @@ -19,6 +19,28 @@ run_test() ns1_addr=$2 ns2_addr=$3 cidr=$4 + mode=$5 + + case $mode in + "udp") + l4proto="udp" + udp_checksum="udp checksum != 0" + udp_zero_checksum="" + ;; + "udp-zero-checksum") + l4proto="udp" + udp_checksum="udp checksum 0" + udp_zero_checksum="udp checksum set 0" + ;; + "tcp") + l4proto="tcp" + udp_checksum="" + udp_zero_checksum="" + ;; + *) + echo "unexpected, incorrect mode" + exit 0 + esac # socat needs square brackets, ie. [abcd::2] if [ $1 -eq 6 ]; then @@ -42,6 +64,8 @@ run_test() ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0 ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0 + sleep 3 + RULESET="table netdev payload_netdev { counter ingress {} counter egress {} @@ -52,16 +76,18 @@ RULESET="table netdev payload_netdev { chain ingress { type filter hook ingress device veth0 priority 0; - tcp dport 7777 counter name ingress - tcp dport 7778 tcp dport set 7779 counter name mangle_ingress - tcp dport 7779 counter name mangle_ingress_match + $udp_zero_checksum + $l4proto dport 7777 counter name ingress + $l4proto dport 7778 $l4proto dport set 7779 $udp_checksum counter name mangle_ingress + $l4proto dport 7779 counter name mangle_ingress_match } chain egress { type filter hook egress device veth0 priority 0; - tcp dport 8887 counter name egress - tcp dport 8888 tcp dport set 8889 counter name mangle_egress - tcp dport 8889 counter name mangle_egress_match + $udp_zero_checksum + $l4proto dport 8887 counter name egress + $l4proto dport 8888 $l4proto dport set 8889 $udp_checksum counter name mangle_egress + $l4proto dport 8889 counter name mangle_egress_match } } @@ -75,48 +101,67 @@ table inet payload_inet { chain in { type filter hook input priority 0; - tcp dport 7770 counter name input - tcp dport 7771 tcp dport set 7772 counter name mangle_input - tcp dport 7772 counter name mangle_input_match + $udp_zero_checksum + $l4proto dport 7770 counter name input + $l4proto dport 7771 $l4proto dport set 7772 $udp_checksum counter name mangle_input + $l4proto dport 7772 counter name mangle_input_match } chain out { type filter hook output priority 0; - tcp dport 8880 counter name output - tcp dport 8881 tcp dport set 8882 counter name mangle_output - tcp dport 8882 counter name mangle_output_match + $udp_zero_checksum + $l4proto dport 8880 counter name output + $l4proto dport 8881 $l4proto dport set 8882 $udp_checksum counter name mangle_output + $l4proto dport 8882 counter name mangle_output_match } }" ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8887,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8888,connect-timeout=2 < /dev/null > /dev/null + case $l4proto in + "tcp") + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8887,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8888,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=4 < /dev/null > /dev/null + + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7777,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7778,connect-timeout=4 < /dev/null > /dev/null - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=4 < /dev/null > /dev/null + ;; + "udp") + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8887 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8888 > /dev/null" - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7777,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7778,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8880 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8881 > /dev/null" - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7778 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7770 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7771 > /dev/null" + ;; + esac ip netns exec "$ns1" $NFT list ruleset - ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress_match | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_ingress_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter netdev payload_netdev mangle_egress_match | grep -q "packets 0" && exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet input | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input_match | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet output | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_input_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter inet payload_inet mangle_output_match | grep -q "packets 0" && exit 1 # # ... next stage @@ -135,6 +180,8 @@ table inet payload_inet { ip -net "$ns1" addr add $ns1_addr/$cidr dev br0 ip -net "$ns1" link set up dev br0 + sleep 3 + RULESET="table bridge payload_bridge { counter input {} counter output {} @@ -145,38 +192,60 @@ RULESET="table bridge payload_bridge { chain in { type filter hook input priority 0; - tcp dport 7770 counter name input - tcp dport 7771 tcp dport set 7772 counter name mangle_input - tcp dport 7772 counter name mangle_input_match + $udp_zero_checksum + $l4proto dport 7770 counter name input + $l4proto dport 7771 $l4proto dport set 7772 $udp_checksum counter name mangle_input + $l4proto dport 7772 counter name mangle_input_match } chain out { type filter hook output priority 0; - tcp dport 8880 counter name output - tcp dport 8881 tcp dport set 8882 counter name mangle_output - tcp dport 8882 counter name mangle_output_match + $udp_zero_checksum + $l4proto dport 8880 counter name output + $l4proto dport 8881 $l4proto dport set 8882 $udp_checksum counter name mangle_output + $l4proto dport 8882 counter name mangle_output_match } }" ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1 - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=2 < /dev/null > /dev/null + case $l4proto in + "tcp") + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8880,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns1" socat -u STDIN TCP:$nsx2_addr:8881,connect-timeout=4 < /dev/null > /dev/null - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=2 < /dev/null > /dev/null - ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=2 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7770,connect-timeout=4 < /dev/null > /dev/null + ip netns exec "$ns2" socat -u STDIN TCP:$nsx1_addr:7771,connect-timeout=4 < /dev/null > /dev/null + ;; + "udp") + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8880 > /dev/null" + ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:8881 > /dev/null" + + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7770 > /dev/null" + ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7771 > /dev/null" + ;; + esac ip netns exec "$ns1" $NFT list ruleset - ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input_match | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output | grep -v "packets 0" > /dev/null || exit 1 - ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output_match | grep -v "packets 0" > /dev/null || exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_input_match | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output | grep -q "packets 0" && exit 1 + ip netns exec "$ns1" $NFT list counter bridge payload_bridge mangle_output_match | grep -q "packets 0" && exit 1 } -run_test "4" "10.141.10.2" "10.141.10.3" "24" +run_test "4" "10.141.10.2" "10.141.10.3" "24" "tcp" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" "tcp" +cleanup +run_test "4" "10.141.10.2" "10.141.10.3" "24" "udp" +cleanup +run_test 6 "abcd::2" "abcd::3" "64" "udp" +cleanup +run_test "4" "10.141.10.2" "10.141.10.3" "24" "udp-zero-checksum" cleanup -run_test 6 "abcd::2" "abcd::3" "64" +run_test 6 "abcd::2" "abcd::3" "64" "udp-zero-checksum" # trap calls cleanup +exit 0 diff --git a/tests/shell/testcases/packetpath/tcp_reset b/tests/shell/testcases/packetpath/tcp_reset new file mode 100755 index 00000000..3dfcdde4 --- /dev/null +++ b/tests/shell/testcases/packetpath/tcp_reset @@ -0,0 +1,31 @@ +#!/bin/bash + +# regression check for kernel commit +# netfilter: nf_reject: init skb->dev for reset packet + +socat -h > /dev/null || exit 77 + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + meta nftrace set 1 + ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset + ip6 daddr ::1 tcp dport 5555 reject with tcp reset + tcp dport 5555 counter + } + chain output { + type filter hook output priority filter; policy accept; + # empty chain, so nf_hook_slow is called from ip_local_out. + } +} +EOF +[ $? -ne 0 ] && exit 1 + +socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null > /dev/null +socat -u STDIN TCP:[::1]:5555,connect-timeout=2 < /dev/null > /dev/null + +$NFT list ruleset |grep -q 'counter packets 0 bytes 0' || exit 1 +exit 0 diff --git a/tests/shell/testcases/packetpath/vlan_mangling b/tests/shell/testcases/packetpath/vlan_mangling new file mode 100755 index 00000000..e3fd443e --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_mangling @@ -0,0 +1,77 @@ +#!/bin/bash + +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress) + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ifname-$rnd" +ns2="nft2ifname-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +set -e + +ip netns add "$ns1" +ip netns add "$ns2" +ip -net "$ns1" link set lo up +ip -net "$ns2" link set lo up + +ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + +ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03 + +ip -net "$ns1" link add vlan123 link veth0 type vlan id 123 +ip -net "$ns2" link add vlan321 link veth0 type vlan id 321 + + +for dev in veth0 ; do + ip -net "$ns1" link set $dev up + ip -net "$ns2" link set $dev up +done +ip -net "$ns1" link set vlan123 up +ip -net "$ns2" link set vlan321 up + +ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123 +ip -net "$ns2" addr add 10.1.1.2/24 dev vlan321 + +ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF" +table netdev t { + chain in_update_vlan { + vlan type arp vlan id set 321 counter + ip saddr 10.1.1.1 icmp type echo-request vlan id set 321 counter + } + + chain in { + type filter hook ingress device veth0 priority filter; + ether saddr da:d3:00:01:02:03 vlan id 123 jump in_update_vlan + } + + chain out_update_vlan { + vlan type arp vlan id set 123 counter + ip daddr 10.1.1.1 icmp type echo-reply vlan id set 123 counter + } + + chain out { + type filter hook egress device veth0 priority filter; + ether daddr da:d3:00:01:02:03 vlan id 321 jump out_update_vlan + } +} +EOF + +ip netns exec "$ns1" ping -c 1 10.1.1.2 + +set +e + +ip netns exec "$ns2" $NFT list ruleset +ip netns exec "$ns2" $NFT list table netdev t | grep 'counter packets' | grep 'counter packets 0 bytes 0' +if [ $? -eq 1 ] +then + exit 0 +fi + +exit 1 diff --git a/tests/shell/testcases/packetpath/vlan_qinq b/tests/shell/testcases/packetpath/vlan_qinq new file mode 100755 index 00000000..28655766 --- /dev/null +++ b/tests/shell/testcases/packetpath/vlan_qinq @@ -0,0 +1,73 @@ +#!/bin/bash + +rnd=$(mktemp -u XXXXXXXX) +ns1="nft1ifname-$rnd" +ns2="nft2ifname-$rnd" + +cleanup() +{ + ip netns del "$ns1" + ip netns del "$ns2" +} + +trap cleanup EXIT + +set -e + +ip netns add "$ns1" +ip netns add "$ns2" +ip -net "$ns1" link set lo up +ip -net "$ns2" link set lo up + +ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2 + +ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03 + +ip -net "$ns1" link add link veth0 name vlan10 type vlan proto 802.1ad id 10 +ip -net "$ns1" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100 + +ip -net "$ns2" link add link veth0 name vlan10 type vlan proto 802.1ad id 10 +ip -net "$ns2" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100 + +for dev in veth0 vlan10 vlan10.100; do + ip -net "$ns1" link set $dev up + ip -net "$ns2" link set $dev up +done + +ip -net "$ns1" addr add 10.1.1.1/24 dev vlan10.100 +ip -net "$ns2" addr add 10.1.1.2/24 dev vlan10.100 + +ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF" +table netdev t { + chain c1 { + type filter hook ingress device veth0 priority filter; + ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip counter + } + + chain c2 { + type filter hook ingress device vlan10 priority filter; + vlan id 100 ip daddr 10.1.1.2 counter + } + + chain c3 { + type filter hook ingress device vlan10.100 priority filter; + ip daddr 10.1.1.2 counter + } +} +EOF + +ip netns exec "$ns1" ping -c 1 10.1.1.2 +ip netns exec "$ns2" $NFT list ruleset + +set +e + +ip netns exec "$ns2" $NFT list chain netdev t c1 | grep 'counter packets 0 bytes 0' +[[ $? -eq 0 ]] && exit 1 + +ip netns exec "$ns2" $NFT list chain netdev t c2 | grep 'counter packets 0 bytes 0' +[[ $? -eq 0 ]] && exit 1 + +ip netns exec "$ns2" $NFT list chain netdev t c3 | grep 'counter packets 0 bytes 0' +[[ $? -eq 0 ]] && exit 1 + +exit 0 |