author | Yi Chen <yiche@redhat.com> | 2025-04-16 23:53:20 +0800 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2025-04-22 15:19:57 +0200 |
commit | 1e1dbd90a07d43ef27be04ed6d903f6abbbc57f5 (patch) | |
tree | 837f21fd555c449220d4713398c7868143c62301 | |
parent | 4431c70ca96c68a29fe141f2e7b60ba1287e5cc1 (diff) |
1. The socat receiver should not write its output to the pipefile that the
sender reads from; this could create an infinite data loop.
2. Sending a packet right after establishing the connection helped uncover
a new bug (see kernel commit
d2d31ea8cd80, "netfilter: conntrack: fix erronous removal of offload bit").
3. Optimize test log output
Signed-off-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
-rwxr-xr-x | tests/shell/testcases/packetpath/flowtables | 77 |
1 files changed, 50 insertions, 27 deletions
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index d4e0a5bd..b68c5dd4 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -3,8 +3,6 @@ # NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) # NFT_TEST_SKIP(NFT_TEST_SKIP_slow) -set -x - rnd=$(mktemp -u XXXXXXXX) R="flowtable-router-$rnd" C="flowtable-client-$rnd" @@ -17,9 +15,33 @@ cleanup() ip netns del $i done } - trap cleanup EXIT +assert_pass() +{ + local ret=$? + if [ $ret != 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} +assert_fail() +{ + local ret=$? + if [ $ret == 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} + ip netns add $R ip netns add $S ip netns add $C @@ -35,14 +57,15 @@ ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c -ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 +ip netns exec $R sysctl -wq net.ipv6.conf.all.forwarding=1 ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r ip netns exec $S ethtool -K s_r tso off ip netns exec $C ethtool -K c_r tso off - sleep 3 -ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 + +ip netns exec $C ping -q -6 2001:db8:ffff:22::1 -c1 +assert_pass "topo initialization" ip netns exec $R nft -f - <<EOF table ip6 filter { @@ -61,6 +84,7 @@ table ip6 filter { } } EOF +assert_pass "apply nft ruleset" if [ ! -r /proc/net/nf_conntrack ] then 
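Review bot: `assert_pass` and `assert_fail` read `$?` on entry, so they are only correct when called directly after the command under test, and nothing in the added code documents that. A comment above `assert_pass()` such as `# Must be called immediately after the command being checked; reads its exit status from $?` would keep a later edit from slipping a command in between. In the messages, `"FAIL: ${@}"` expands an array inside a string (ShellCheck SC2145); `"FAIL: $*"` is the intended form, and the same applies to the `PASS` lines. The failure path also runs `cat /proc/net/nf_conntrack` unconditionally, while the script's `-r` check for that file comes only further down, after the first two `assert_pass` calls.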
@@ -68,32 +92,31 @@ then exit 77 fi -ip netns exec $R nft list ruleset -ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || { - echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2 - exit 77 -} -ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { - echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 - exit 77 +ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 +assert_pass "set net.netfilter.nf_flowtable_tcp_timeout=5" -} +ip netns exec $R sysctl -wq net.netfilter.nf_conntrack_tcp_timeout_established=86400 +assert_pass "set net.netfilter.nf_conntrack_tcp_timeout_established=86400" # A trick to control the timing to send a packet -ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/socat-$rnd,ignoreeof & sleep 1 ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & sleep 1 -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } -ip netns exec $R cat /proc/net/nf_conntrack +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "check [OFFLOAD] tag" sleep 6 -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } -ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } -ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } -ip netns exec $C sleep 3 -ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd -ip netns exec $C sleep 3 -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic 
seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } - +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_fail "CT OFFLOAD timeout, back to the classical path" +ip netns exec $R grep -q '863[89][0-9]' /proc/net/nf_conntrack; assert_pass "check timeout adopt nf_conntrack_tcp_timeout_established" +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "packet detected, back to the OFFLOAD path" + +i=3; while ((i--)) +do + sleep 3 + ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd; assert_pass "send a packet" + sleep 3 + ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack + assert_pass "Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD" +done exit 0 |
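Review bot: The two `sysctl -wq` calls are now followed by `assert_pass`, which exits 1, where the removed code printed "skipping" and exited 77. On a kernel that lacks `nf_flowtable_tcp_timeout`, the test would presumably now be reported as a failure instead of a skip. If the skip is still wanted, keep it for these two settings, e.g. `ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 || { echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2; exit 77; }`. Separately, the receiver now writes to `/tmp/socat-$rnd`, a path in a shared directory whose name comes from `mktemp -u` (which only generates a name and creates nothing), and no visible hunk removes the file; `cleanup`'s body is only partly shown. Creating a private directory with `mktemp -d` for both socat files and deleting it in `cleanup` would avoid the leftover file and the non-atomic create in `/tmp`.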