Diffstat (limited to 'tests/shell/testcases/packetpath')
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/policy.json-nft | 121 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/policy.nft | 11 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/policy | 42 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/vlan_mangling | 75 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/vlan_qinq | 73 |
5 files changed, 322 insertions, 0 deletions
diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft
new file mode 100644
index 00000000..26e8a052
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft
@@ -0,0 +1,121 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "underflow",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "drop"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "type"
+ }
+ },
+ "right": "echo-reply"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "127.0.0.1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "127.0.0.2"
+ }
+ },
+ {
+ "counter": {
+ "packets": 3,
+ "bytes": 252
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "goto": {
+ "target": "underflow"
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft
new file mode 100644
index 00000000..e625ea6c
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/policy.nft 
@@ -0,0 +1,11 @@
+table inet filter {
+ chain underflow {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ icmp type echo-reply accept
+ ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept
+ goto underflow
+ }
+}
diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy
new file mode 100755
index 00000000..0bb42a54
--- /dev/null
+++ b/tests/shell/testcases/packetpath/policy
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+ip link set lo up
+
+$NFT -f - <<EOF
+table inet filter {
+ chain underflow { }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ icmp type echo-reply accept
+ ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept
+ goto underflow
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should work, polict is accept.
+ping -q -c 1 127.0.0.1 >/dev/null || exit 1
+
+$NFT -f - <<EOF
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+$NFT list ruleset
+
+ping -W 1 -q -c 1 127.0.0.2
+
+ping -q -c 1 127.0.0.2 >/dev/null || exit 2
+
+# should fail, policy is set to drop
+ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/packetpath/vlan_mangling b/tests/shell/testcases/packetpath/vlan_mangling
new file mode 100755
index 00000000..b3f87c66
--- /dev/null
+++ b/tests/shell/testcases/packetpath/vlan_mangling 
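Review bot: `$NFT list ruleset` after the second ruleset load is printed but never inspected, so nothing in the script confirms that the `policy drop` actually took effect before the negative ping, and the final `ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1` passes for any unrelated ping failure, not only for a drop by the `input` chain policy. Replacing the listing with `$NFT list chain inet filter input | grep -q 'policy drop' || exit 1` asserts the drop from the ruleset itself rather than inferring it from a timed-out ping. The two `[ $? -ne 0 ] && exit 1` load checks read more simply as `$NFT -f - <<EOF || exit 1` on the heredoc command line, and the comment `# should work, polict is accept.` has a typo (`policy`). The unchecked `ping -W 1 -q -c 1 127.0.0.2` just before the checked one looks redundant, but it contributes to the `counter packets 3 bytes 252` recorded in dumps/policy.nft, so removing it would require regenerating the dump.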
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add vlan123 link veth0 type vlan id 123
+ip -net "$ns2" link add vlan321 link veth0 type vlan id 321
+
+
+for dev in veth0 ; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+ip -net "$ns1" link set vlan123 up
+ip -net "$ns2" link set vlan321 up
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan321
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain in_update_vlan {
+ vlan type arp vlan id set 321 counter
+ ip saddr 10.1.1.1 icmp type echo-request vlan id set 321 counter
+ }
+
+ chain in {
+ type filter hook ingress device veth0 priority filter;
+ ether saddr da:d3:00:01:02:03 vlan id 123 jump in_update_vlan
+ }
+
+ chain out_update_vlan {
+ vlan type arp vlan id set 123 counter
+ ip daddr 10.1.1.1 icmp type echo-reply vlan id set 123 counter
+ }
+
+ chain out {
+ type filter hook egress device veth0 priority filter;
+ ether daddr da:d3:00:01:02:03 vlan id 321 jump out_update_vlan
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+
+set +e
+
+ip netns exec "$ns2" $NFT list ruleset
+ip netns exec "$ns2" $NFT list table netdev t | grep 'counter packets' | grep 'counter packets 0 bytes 0'
+if [ $? -eq 1 ]
+then
+ exit 0
+fi
+
+exit 1
diff --git a/tests/shell/testcases/packetpath/vlan_qinq b/tests/shell/testcases/packetpath/vlan_qinq
new file mode 100755
index 00000000..28655766
--- /dev/null
+++ b/tests/shell/testcases/packetpath/vlan_qinq 
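Review bot: The final verdict is taken from `$?` of the last `grep` in `$NFT list table netdev t | grep 'counter packets' | grep 'counter packets 0 bytes 0'`, so if the listing command fails or prints no `counter packets` line at all, the second grep exits 1 and the `if [ $? -eq 1 ]` branch reports success without any counter having been examined. The same vacuous pass exists in the three `list chain ... | grep 'counter packets 0 bytes 0'; [[ $? -eq 0 ]] && exit 1` stanzas of vlan_qinq in the next hunk. Capture the listing with its own exit status, require the expected number of counter lines (the table loads four rules with `counter`), and only then reject zero counters; the rewritten tail is below. Quoting `$ns1`/`$ns2` in the `ip link add veth0 netns ...` line would also match every other use of those variables in the script.
```shell
# … unchanged: namespace setup, ruleset load, ping …
set +e

ip netns exec "$ns2" $NFT list ruleset
out=$(ip netns exec "$ns2" $NFT list table netdev t) || exit 1

# all four counter rules must have seen traffic; an empty or failed
# listing must not be mistaken for "no zero counters"
[ "$(grep -c 'counter packets' <<<"$out")" -eq 4 ] || exit 1
grep -q 'counter packets 0 bytes 0' <<<"$out" && exit 1

exit 0
```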
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns1" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+ip -net "$ns2" link add link veth0 name vlan10 type vlan proto 802.1ad id 10
+ip -net "$ns2" link add link vlan10 name vlan10.100 type vlan proto 802.1q id 100
+
+for dev in veth0 vlan10 vlan10.100; do
+ ip -net "$ns1" link set $dev up
+ ip -net "$ns2" link set $dev up
+done
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan10.100
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan10.100
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+ chain c1 {
+ type filter hook ingress device veth0 priority filter;
+ ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip counter
+ }
+
+ chain c2 {
+ type filter hook ingress device vlan10 priority filter;
+ vlan id 100 ip daddr 10.1.1.2 counter
+ }
+
+ chain c3 {
+ type filter hook ingress device vlan10.100 priority filter;
+ ip daddr 10.1.1.2 counter
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+ip netns exec "$ns2" $NFT list ruleset
+
+set +e
+
+ip netns exec "$ns2" $NFT list chain netdev t c1 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c2 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+ip netns exec "$ns2" $NFT list chain netdev t c3 | grep 'counter packets 0 bytes 0'
+[[ $? -eq 0 ]] && exit 1
+
+exit 0
|
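Review bot: The three check stanzas at the end differ only in the chain name (`c1`, `c2`, `c3`) and are otherwise copy-pasted, which invites the kind of drift where one chain's check is edited and the others are not; a `for chain in c1 c2 c3` loop states the intent once. While folding them, the check should stop relying on `$?` of `grep` alone, since a failed or empty `list chain` output also makes the grep exit 1 and the stanza pass (the same weakness raised for vlan_mangling). The loop below captures each listing with its own status, requires a `counter packets` line to be present, and only then rejects a zero counter. As in vlan_mangling, `ip link add veth0 netns $ns1 ... netns $ns2` is the only place the namespace names are left unquoted.
```shell
# … unchanged: namespace setup, ruleset load, ping, list ruleset …
set +e

for chain in c1 c2 c3; do
  out=$(ip netns exec "$ns2" $NFT list chain netdev t "$chain") || exit 1
  grep -q 'counter packets' <<<"$out" || exit 1
  grep -q 'counter packets 0 bytes 0' <<<"$out" && exit 1
done

exit 0
```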