authorYi Chen <yiche@redhat.com>2025-04-16 23:53:20 +0800
committerFlorian Westphal <fw@strlen.de>2025-04-22 15:19:57 +0200
commit1e1dbd90a07d43ef27be04ed6d903f6abbbc57f5 (patch)
tree837f21fd555c449220d4713398c7868143c62301
parent4431c70ca96c68a29fe141f2e7b60ba1287e5cc1 (diff)
tests: shell: Update packetpath/flowtablesHEADmaster
1. The socat receiver should not use the pipefile as its output, because the sender reads its data from that file; this could create an infinite data loop. 2. Sending a packet right after establishing the connection helped uncover a new bug (see kernel commit d2d31ea8cd80, "netfilter: conntrack: fix erronous removal of offload bit"). 3. Optimize test log output. Signed-off-by: Yi Chen <yiche@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
-rwxr-xr-xtests/shell/testcases/packetpath/flowtables77
1 files changed, 50 insertions, 27 deletions
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
index d4e0a5bd..b68c5dd4 100755
--- a/tests/shell/testcases/packetpath/flowtables
+++ b/tests/shell/testcases/packetpath/flowtables
@@ -3,8 +3,6 @@
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat)
# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
-set -x
-
rnd=$(mktemp -u XXXXXXXX)
R="flowtable-router-$rnd"
C="flowtable-client-$rnd"
@@ -17,9 +15,33 @@ cleanup()
ip netns del $i
done
}
-
trap cleanup EXIT
+assert_pass()
+{
+ local ret=$?
+ if [ $ret != 0 ]
+ then
+ echo "FAIL: ${@}"
+ ip netns exec $R cat /proc/net/nf_conntrack
+ exit 1
+ else
+ echo "PASS: ${@}"
+ fi
+}
+assert_fail()
+{
+ local ret=$?
+ if [ $ret == 0 ]
+ then
+ echo "FAIL: ${@}"
+ ip netns exec $R cat /proc/net/nf_conntrack
+ exit 1
+ else
+ echo "PASS: ${@}"
+ fi
+}
+
ip netns add $R
ip netns add $S
ip netns add $C
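Review bot: `assert_pass` and `assert_fail` take the status under test from `$?`, so they are only correct when called as the very next command, and nothing in the hunk documents that. A comment above them such as `# Must directly follow the command under test: the verdict is taken from its exit status in $?` would stop a later edit from slipping a log line in between. The two bodies differ only in the comparison. `[ $ret == 0 ]` relies on a bash extension to `[` (`-eq` is the numeric test), and `"FAIL: ${@}"` splices an array into a string where `$*` is meant. The verdict line is also printed on stdout; `echo "FAIL: $*" >&2` would put it on stderr, where the removed `E:` messages went.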
@@ -35,14 +57,15 @@ ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
-ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
+ip netns exec $R sysctl -wq net.ipv6.conf.all.forwarding=1
ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
ip netns exec $S ethtool -K s_r tso off
ip netns exec $C ethtool -K c_r tso off
-
sleep 3
-ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1
+
+ip netns exec $C ping -q -6 2001:db8:ffff:22::1 -c1
+assert_pass "topo initialization"
ip netns exec $R nft -f - <<EOF
table ip6 filter {
@@ -61,6 +84,7 @@ table ip6 filter {
}
}
EOF
+assert_pass "apply nft ruleset"
if [ ! -r /proc/net/nf_conntrack ]
then
@@ -68,32 +92,31 @@ then
exit 77
fi
-ip netns exec $R nft list ruleset
-ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
- echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
- exit 77
-}
-ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
- echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
- exit 77
+ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5
+assert_pass "set net.netfilter.nf_flowtable_tcp_timeout=5"
-}
+ip netns exec $R sysctl -wq net.netfilter.nf_conntrack_tcp_timeout_established=86400
+assert_pass "set net.netfilter.nf_conntrack_tcp_timeout_established=86400"
# A trick to control the timing to send a packet
-ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof &
+ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/socat-$rnd,ignoreeof &
sleep 1
ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' &
sleep 1
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
-ip netns exec $R cat /proc/net/nf_conntrack
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet"
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "check [OFFLOAD] tag"
sleep 6
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
-ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
-ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
-ip netns exec $C sleep 3
-ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
-ip netns exec $C sleep 3
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
-
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_fail "CT OFFLOAD timeout, back to the classical path"
+ip netns exec $R grep -q '863[89][0-9]' /proc/net/nf_conntrack; assert_pass "check timeout adopt nf_conntrack_tcp_timeout_established"
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet"
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "packet detected, back to the OFFLOAD path"
+
+i=3; while ((i--))
+do
+ sleep 3
+ ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd; assert_pass "send a packet"
+ sleep 3
+ ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack
+ assert_pass "Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD"
+done
exit 0
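Review bot: The two sysctl writes used to end the test with `exit 77` (skip) when the knob could not be set; the new `assert_pass` calls turn that into `exit 1`. A kernel without `net.netfilter.nf_flowtable_tcp_timeout` would presumably now be reported as a failure rather than a skip, and since the commit message only mentions log output this looks unintended. Keeping the skip is one line per knob, e.g. `ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 || { echo "E: cannot set nf_flowtable_tcp_timeout, skipping" >&2; exit 77; }`. Separately, the receiver now writes to `/tmp/socat-$rnd`, a name taken from `mktemp -u` that is not reserved on disk, in a world-writable directory, while the test presumably runs with privileges. Placing both files under a `mktemp -d` directory would avoid writing through a pre-existing link, and because the `cleanup()` body lies outside this hunk it is worth confirming that it removes the new file too.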