author | Florian Westphal <fw@strlen.de> | 2024-06-04 14:01:49 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-06-25 17:20:12 +0200 |
commit | 2274d8a32f40aa55b118a9de2d642342837867b7 (patch) | |
tree | c960a1cfe28caea4ec35fb990aeb2cccebb42533 /tests | |
parent | aa791a12cb2b23fb49c233e40b6e12e0e3ce6b9b (diff) |
tests: shell: add test case for reset tcp warning
A 'reject with tcp reset' rule combined with 'meta nftrace set 1' triggers a (harmless) splat from the flow dissector when the generated reset packet traverses the output hook:
WARNING: CPU: 2 PID: 145809 at net/core/flow_dissector.c:1104 __skb_flow_dissect+0x19d4/0x5cc0
__skb_get_hash+0xa8/0x220
nft_trace_init+0x2ff/0x3b0
nft_do_chain+0xb04/0x1370
nft_do_chain_inet+0xc5/0x2e0
nf_hook_slow+0xa0/0x1d0
ip_local_out+0x14/0x90
nf_send_reset+0x94e/0xbd0
nft_reject_inet_eval+0x45e/0x690
nft_do_chain+0x220/0x1370
nf_hook_slow+0xa0/0x1d0
ip_local_deliver+0x23f/0x2d0
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft | 168 | ||||
-rw-r--r-- | tests/shell/testcases/packetpath/dumps/tcp_reset.nft | 13 | ||||
-rwxr-xr-x | tests/shell/testcases/packetpath/tcp_reset | 31 |
3 files changed, 212 insertions, 0 deletions
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft
new file mode 100644
index 00000000..e1367cc1
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft
@@ -0,0 +1,168 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "output", + "handle": 0, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "mangle": { + "key": { + "meta": { + "key": "nftrace" + } + }, + "value": 1 + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "::1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "reject": { + "type": "tcp reset" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 5555 + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } + } + ] +} 
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft
new file mode 100644
index 00000000..fb3df1af
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft
@@ -0,0 +1,13 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta nftrace set 1
+ ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset
+ ip6 daddr ::1 tcp dport 5555 reject with tcp reset
+ tcp dport 5555 counter packets 0 bytes 0
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/packetpath/tcp_reset b/tests/shell/testcases/packetpath/tcp_reset
new file mode 100755
index 00000000..3dfcdde4
--- /dev/null
+++ b/tests/shell/testcases/packetpath/tcp_reset
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# regression check for kernel commit
+# netfilter: nf_reject: init skb->dev for reset packet
+
+socat -h > /dev/null || exit 77
+
+ip link set lo up
+
+$NFT -f - <<EOF
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta nftrace set 1
+ ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset
+ ip6 daddr ::1 tcp dport 5555 reject with tcp reset
+ tcp dport 5555 counter
+ }
+ chain output {
+ type filter hook output priority filter; policy accept;
+ # empty chain, so nf_hook_slow is called from ip_local_out.
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null > /dev/null
+socat -u STDIN TCP:[::1]:5555,connect-timeout=2 < /dev/null > /dev/null
+
+$NFT list ruleset |grep -q 'counter packets 0 bytes 0' || exit 1
+exit 0 |
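Review bot: The exit status of both socat calls in tcp_reset is discarded, so the script cannot tell a prompt ECONNREFUSED caused by the generated RST from a silent 2 s connect-timeout, and the final counter check passes either way because both reject rules sit ahead of the counter rule and both targets are loopback addresses; capturing socat's stderr and requiring the refusal, `socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null 2>&1 | grep -q 'Connection refused' || exit 1` (and the same for `[::1]`), would pin down that a reset actually reached the socket. The WARNING described in the commit message is only visible in the kernel log, so as written the script succeeds whether or not the splat fires; presumably the harness scans dmesg for new warnings, but that dependency deserves a line in the header comment, e.g. `# the flow-dissector WARN this guards against surfaces only in dmesg; the script itself cannot observe it`. Separately, `ip link set lo up` is unchecked, and a failure there would make both connects time out and, with the current checks, still report success.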