Diffstat (limited to 'tests')
-rw-r--r--tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft168
-rw-r--r--tests/shell/testcases/packetpath/dumps/tcp_reset.nft13
-rwxr-xr-xtests/shell/testcases/packetpath/tcp_reset31
3 files changed, 212 insertions, 0 deletions
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft
new file mode 100644
index 00000000..e1367cc1
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.json-nft
@@ -0,0 +1,168 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "input",
+ "handle": 0,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "output",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "nftrace"
+ }
+ },
+ "value": 1
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "127.0.0.1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 5555
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "::1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 5555
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "input",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "dport"
+ }
+ },
+ "right": 5555
+ }
+ },
+ {
+ "counter": {
+ "packets": 0,
+ "bytes": 0
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/packetpath/dumps/tcp_reset.nft b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft
new file mode 100644
index 00000000..fb3df1af
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/tcp_reset.nft
@@ -0,0 +1,13 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta nftrace set 1
+ ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset
+ ip6 daddr ::1 tcp dport 5555 reject with tcp reset
+ tcp dport 5555 counter packets 0 bytes 0
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/packetpath/tcp_reset b/tests/shell/testcases/packetpath/tcp_reset
new file mode 100755
index 00000000..3dfcdde4
--- /dev/null
+++ b/tests/shell/testcases/packetpath/tcp_reset
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# regression check for kernel commit
+# netfilter: nf_reject: init skb->dev for reset packet
+
+socat -h > /dev/null || exit 77
+
+ip link set lo up
+
+$NFT -f - <<EOF
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ meta nftrace set 1
+ ip daddr 127.0.0.1 tcp dport 5555 reject with tcp reset
+ ip6 daddr ::1 tcp dport 5555 reject with tcp reset
+ tcp dport 5555 counter
+ }
+ chain output {
+ type filter hook output priority filter; policy accept;
+ # empty chain, so nf_hook_slow is called from ip_local_out.
+ }
+}
+EOF
+[ $? -ne 0 ] && exit 1
+
+socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null > /dev/null
+socat -u STDIN TCP:[::1]:5555,connect-timeout=2 < /dev/null > /dev/null
+
+$NFT list ruleset |grep -q 'counter packets 0 bytes 0' || exit 1
+exit 0
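Review bot: The final `grep -q 'counter packets 0 bytes 0'` check also passes when neither socat connection ever reached the input chain, so the test can pass without exercising either reject rule. That would happen if `ip link set lo up` failed (its status is unchecked) or if `::1` is unavailable in the test namespace, and both socat exit statuses are discarded. If the harness relies only on the kernel not warning or crashing, say so in the header comment, for example `# pass criterion: no kernel splat; the counter check only proves no packet leaked past the reject rules`. Otherwise, assert that the reset was actually seen, for instance `socat -u STDIN TCP:127.0.0.1:5555,connect-timeout=2 < /dev/null 2>&1 | grep -q 'Connection refused' || exit 1`, and do the same for the `[::1]` connection. The exact error text should be confirmed against the socat version and locale in use.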