author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-12-24 13:03:21 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-12-27 11:46:01 +0100 |
commit | 7f1fb5dad90f04caa94f4fcefd1340aeb2c2f0e3 (patch) | |
tree | 24ffd73b49c176c57e88c9bb311b84dd944b2610 /tests | |
parent | b031cd2102d9bc2b6ce20a880068022fac9e2d87 (diff) |
conntrackd: add ip netns test script
This patch adds a script that creates an ip netns testbed. The network
topology looks like this:
veth0---veth0
host nsr1 ns2
veth0----veth0
ns1 veth2
|
veth0
nsr2
* ns1 and ns2 are clients to generate traffic
* nsr1 and nsr2 run conntrackd to synchronize states
* nsr1 is the primary gateway
- veth2 is used to synchronize states
* nsr2 is the backup gateway
- veth0 is used to synchronize states
To set up the testbed:
% sudo ./conntrackd-netns-test.sh start
To test your testbed works, from ns2:
% sudo ip netns exec ns2 nc -l -p 8080
From ns1:
% sudo ip netns exec ns1 nc -vvv 10.0.1.2 8080
From nsr1:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr1.conf
cache internal:
current active connections: 1
[...]
cache external:
current active connections: 0
From nsr2:
% sudo ip netns exec nsr1 conntrackd -s -C conntrackd-nsr2.conf
cache internal:
current active connections: 0
[...]
cache external:
current active connections: 1
To stop it:
% sudo ./conntrackd-netns-test.sh stop
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/conntrackd/netns/conntrackd-netns-test.sh | 66 | ||||
-rw-r--r-- | tests/conntrackd/netns/conntrackd-nsr1.conf | 37 | ||||
-rw-r--r-- | tests/conntrackd/netns/conntrackd-nsr2.conf | 37 | ||||
-rw-r--r-- | tests/conntrackd/netns/ruleset-nsr1.nft | 6 |
4 files changed, 146 insertions, 0 deletions
diff --git a/tests/conntrackd/netns/conntrackd-netns-test.sh b/tests/conntrackd/netns/conntrackd-netns-test.sh
new file mode 100755
index 0000000..6f16587
--- /dev/null
+++ b/tests/conntrackd/netns/conntrackd-netns-test.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+if [ $UID -ne 0 ]
+then
+ echo "You must be root to run this test script"
+ exit 0
+fi
+
+start () {
+ ip netns add ns1
+ ip netns add ns2
+ ip netns add nsr1
+ ip netns add nsr2
+
+ ip link add veth0 netns ns1 type veth peer name veth1 netns nsr1
+ ip link add veth0 netns nsr1 type veth peer name veth0 netns ns2
+ ip link add veth2 netns nsr1 type veth peer name veth0 netns nsr2
+
+ ip -net ns1 addr add 192.168.10.2/24 dev veth0
+ ip -net ns1 link set up dev veth0
+ ip -net ns1 ro add 10.0.1.0/24 via 192.168.10.1 dev veth0
+
+ ip -net nsr1 addr add 10.0.1.1/24 dev veth0
+ ip -net nsr1 addr add 192.168.10.1/24 dev veth1
+ ip -net nsr1 link set up dev veth0
+ ip -net nsr1 link set up dev veth1
+ ip -net nsr1 route add default via 192.168.10.2
+ ip netns exec nsr1 sysctl net.ipv4.ip_forward=1
+
+ ip -net nsr1 addr add 192.168.100.2/24 dev veth2
+ ip -net nsr1 link set up dev veth2
+ ip -net nsr2 addr add 192.168.100.3/24 dev veth0
+ ip -net nsr2 link set up dev veth0
+
+ ip -net ns2 addr add 10.0.1.2/24 dev veth0
+ ip -net ns2 link set up dev veth0
+ ip -net ns2 route add default via 10.0.1.1
+
+ echo 1 > /proc/sys/net/netfilter/nf_log_all_netns
+
+ ip netns exec nsr1 nft -f ruleset-nsr1.nft
+ ip netns exec nsr1 conntrackd -C conntrackd-nsr1.conf -d
+ ip netns exec nsr2 conntrackd -C conntrackd-nsr2.conf -d
+}
+
+stop () {
+ ip netns del ns1
+ ip netns del ns2
+ ip netns del nsr1
+ ip netns del nsr2
+ killall -15 conntrackd
+}
+
+case $1 in
+start)
+ start
+ ;;
+stop)
+ stop
+ ;;
+*)
+ echo "$0 [start|stop]"
+ ;;
+esac
+
+exit 0
diff --git a/tests/conntrackd/netns/conntrackd-nsr1.conf b/tests/conntrackd/netns/conntrackd-nsr1.conf
new file mode 100644
index 0000000..c79eff5
--- /dev/null
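Review bot: `killall -15 conntrackd` in stop() terminates every conntrackd process on the host, not just the two daemons this script started, so running `stop` on a box that already has a production conntrackd takes that one down as well. Each daemon has its own UNIX control socket in its config, so the targeted form is `ip netns exec nsr1 conntrackd -C conntrackd-nsr1.conf -k` and `ip netns exec nsr2 conntrackd -C conntrackd-nsr2.conf -k`, issued before the `ip netns del` lines rather than after them. The root check should also fail loudly instead of `exit 0`: `echo "You must be root to run this test script" >&2; exit 1`, otherwise a non-root CI run reports success while having set up nothing. Finally, `echo 1 > /proc/sys/net/netfilter/nf_log_all_netns` flips a host-wide sysctl that stop() never restores; presumably the previous value should be saved in start() and written back in stop().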
+++ b/tests/conntrackd/netns/conntrackd-nsr1.conf
@@ -0,0 +1,37 @@
+Sync {
+ Mode FTFW {
+ }
+ Multicast {
+ IPv4_address 225.0.0.50
+ Group 3780
+ IPv4_interface 192.168.100.2
+ Interface veth2
+ SndSocketBuffer 1249280
+ RcvSocketBuffer 1249280
+ Checksum on
+ }
+}
+General {
+ HashSize 32768
+ HashLimit 131072
+ LogFile on
+ LockFile /var/lock/conntrack-nsr1.lock
+ UNIX {
+ Path /var/run/conntrackd-nsr1.ctl
+ }
+ NetlinkBufferSize 2097152
+ NetlinkBufferSizeMaxGrowth 8388608
+ Filter From Userspace {
+ Protocol Accept {
+ TCP
+ SCTP
+ DCCP
+ }
+ Address Ignore {
+ IPv4_address 127.0.0.1
+ IPv4_address 192.168.10.1
+ IPv4_address 10.0.10.1
+ IPv4_address 192.168.100.2
+ }
+ }
+}
diff --git a/tests/conntrackd/netns/conntrackd-nsr2.conf b/tests/conntrackd/netns/conntrackd-nsr2.conf
new file mode 100644
index 0000000..65fa0d6
--- /dev/null
+++ b/tests/conntrackd/netns/conntrackd-nsr2.conf
@@ -0,0 +1,37 @@
+Sync {
+ Mode FTFW {
+ }
+ Multicast {
+ IPv4_address 225.0.0.50
+ Group 3780
+ IPv4_interface 192.168.100.3
+ Interface veth0
+ SndSocketBuffer 1249280
+ RcvSocketBuffer 1249280
+ Checksum on
+ }
+}
+General {
+ HashSize 32768
+ HashLimit 131072
+ LogFile on
+ LockFile /var/lock/conntrack-nsr2.lock
+ UNIX {
+ Path /var/run/conntrackd-nsr2.ctl
+ }
+ NetlinkBufferSize 2097152
+ NetlinkBufferSizeMaxGrowth 8388608
+ Filter From Userspace {
+ Protocol Accept {
+ TCP
+ SCTP
+ DCCP
+ }
+ Address Ignore {
+ IPv4_address 127.0.0.1
+ IPv4_address 192.168.10.1
+ IPv4_address 10.0.10.1
+ IPv4_address 192.168.100.2
+ }
+ }
+}
diff --git a/tests/conntrackd/netns/ruleset-nsr1.nft b/tests/conntrackd/netns/ruleset-nsr1.nft
new file mode 100644
index 0000000..bd6f1b4
--- /dev/null
+++ b/tests/conntrackd/netns/ruleset-nsr1.nft
@@ -0,0 +1,6 @@
+table ip filter {
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ oif veth0 masquerade
+ }
+}
|
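Review bot: The `Address Ignore` block in conntrackd-nsr1.conf lists `IPv4_address 10.0.10.1`, but no interface in the testbed carries that address; the script assigns nsr1 `10.0.1.1/24` on veth0, so this looks like a typo and `IPv4_address 10.0.1.1` is presumably what was meant. The same entry is copied verbatim into conntrackd-nsr2.conf, whose ignore list also names `192.168.10.1` and the primary's sync address `192.168.100.2` while omitting nsr2's own `192.168.100.3`; the list reads as a copy of nsr1's rather than one written for nsr2. If the intent is for each node to ignore flows involving its own local addresses (which is what the rest of the list suggests), nsr2's block should be adjusted to match the addresses the script actually assigns to it.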