Diffstat (limited to 'tests/shell')
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/tcp_options.nodump | 0 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/tcp_options | 55 |
2 files changed, 55 insertions, 0 deletions
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_options.nodump b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump
diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options
new file mode 100755
index 00000000..1c9ee532
--- /dev/null
+++ b/tests/shell/testcases/packetpath/tcp_options
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+have_socat="no"
+socat -h > /dev/null && have_socat="yes"
+
+ip link set lo up
+
+$NFT -f /dev/stdin <<EOF
+table inet t {
+ counter nomatchc {}
+ counter sackpermc {}
+ counter maxsegc {}
+ counter nopc {}
+
+ chain c {
+ type filter hook output priority 0;
+ tcp dport != 22345 accept
+ tcp flags syn / fin,syn,rst,ack tcp option 254 length ge 4 counter name nomatchc drop
+ tcp flags syn / fin,syn,rst,ack tcp option fastopen length ge 2 reset tcp option fastopen counter name nomatchc
+ tcp flags syn / fin,syn,rst,ack tcp option sack-perm missing counter name nomatchc
+ tcp flags syn / fin,syn,rst,ack tcp option sack-perm exists counter name sackpermc
+ tcp flags syn / fin,syn,rst,ack tcp option maxseg size gt 1400 counter name maxsegc
+ tcp flags syn / fin,syn,rst,ack tcp option nop missing counter name nomatchc
+ tcp flags syn / fin,syn,rst,ack tcp option nop exists counter name nopc
+ tcp flags syn / fin,syn,rst,ack drop
+ }
+}
+EOF
+
+if [ $? -ne 0 ]; then
+ exit 1
+fi
+
+if [ $have_socat != "yes" ]; then
+ echo "Ran partial test, socat not available (skipped)"
+ exit 77
+fi
+
+# This will fail (drop in output -> connect fails with eperm)
+socat -u STDIN TCP:127.0.0.1:22345,connect-timeout=1 < /dev/null > /dev/null
+
+# can't validate via dump file, syn rexmit can cause counters to be > 1 in rare cases.
+
+$NFT list counter inet t nomatchc
+
+# nomatchc must be 0.
+$NFT list counter inet t nomatchc | grep -q "packets 0" || exit 1
+
+# these counters must not be 0.
+for nz in sackpermc maxsegc nopc; do
+ $NFT list counter inet t $nz
+ $NFT list counter inet t $nz | grep -q "packets 0" && exit 1
+done
+
+exit 0 |
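Review bot: The non-zero check in the final `for nz in sackpermc maxsegc nopc` loop fails open: `grep -q "packets 0" && exit 1` only fails the test when the literal text is found, so if `$NFT list counter` errors out or prints nothing, grep finds no match and the loop falls through to `exit 0`. The `nomatchc` check above it is fail-closed (`|| exit 1`), so the two checks behave differently under the same failure. Asserting the positive condition makes both consistent, e.g. `$NFT list counter inet t $nz | grep -q "packets [1-9]" || exit 1`. A short comment above the ruleset noting which SYN options the test expects the local stack to emit (sack-perm, MSS above 1400 on lo, nop padding) would also help whoever has to debug a failure on a host with non-default TCP sysctls.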