From e1c35e6976c0f7b78b8797316a16fd6b310b4521 Mon Sep 17 00:00:00 2001
From: Arturo Borrero
Date: Wed, 6 Apr 2016 13:00:10 +0200
Subject: tests/shell: add some tests for network namespaces
A basic tests to check we can perform operations in different network namespaces.
Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
 tests/shell/testcases/netns/0001nft-f_0 | 115 +++++++++++++++++++++
 tests/shell/testcases/netns/0002loosecommands_0 | 62 ++++++++++++
 tests/shell/testcases/netns/0003many_0 | 129 ++++++++++++++++++++++++
 3 files changed, 306 insertions(+)
 create mode 100755 tests/shell/testcases/netns/0001nft-f_0
 create mode 100755 tests/shell/testcases/netns/0002loosecommands_0
 create mode 100755 tests/shell/testcases/netns/0003many_0
(limited to 'tests/shell')
diff --git a/tests/shell/testcases/netns/0001nft-f_0 b/tests/shell/testcases/netns/0001nft-f_0
new file mode 100755
index 00000000..721444a6
--- /dev/null
+++ b/tests/shell/testcases/netns/0001nft-f_0
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+MKTEMP=$(which mktemp)
+if [ -x $MKTEMP ] ; then
+ tmpfile=$(${MKTEMP})
+else
+ tmpfile=$(/tmp/${RANDOM})
+fi
+
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+# netns
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+echo "$RULESET" > $tmpfile
+$IP netns exec $NETNS_NAME $NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+fi
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/netns/0002loosecommands_0 b/tests/shell/testcases/netns/0002loosecommands_0
new file mode 100755
index 00000000..1600d946
--- /dev/null
+++ b/tests/shell/testcases/netns/0002loosecommands_0
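Review bot: The mktemp fallback `tmpfile=$(/tmp/${RANDOM})` in 0001nft-f_0 does not create a file at all — it tries to execute a path under /tmp as a command — and the unquoted `[ -x $MKTEMP ]` is true even when `which` prints nothing, so `tmpfile` can end up empty and the later `echo "$RULESET" > $tmpfile` fails with an ambiguous redirect; the same block is repeated in 0003many_0. The setup-failure branch then does `exit 0`, reporting a test that never ran as a pass. I would drop the fallback and fail loudly instead: `tmpfile=$(mktemp) || { echo "E: cannot create tmp file" >&2; exit 1; }` followed by `trap 'rm -f -- "$tmpfile"' EXIT`, so a predictable /tmp name is never used and the cleanup never expands an empty variable into `rm -rf`. The scripts also rely on `$NFT` being provided by the test runner; a header comment such as `# requires: $NFT exported by the test runner; ip netns needs sufficient privileges` would document that for anyone running a testcase by hand.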
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+function netns_exec()
+{
+ # $1: netns_name $2: command
+ $IP netns exec $1 $2
+ if [ $? -ne 0 ] ; then
+ echo "E: failed to execute command in netns $1: $2" >&2
+ $IP netns del $1
+ exit 1
+ fi
+}
+
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+netns_exec $NETNS_NAME "$NFT add table ip t"
+netns_exec $NETNS_NAME "$NFT add chain ip t c"
+netns_exec $NETNS_NAME "$NFT add chain ip t other"
+netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
+netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
+netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
+netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
diff --git a/tests/shell/testcases/netns/0003many_0 b/tests/shell/testcases/netns/0003many_0
new file mode 100755
index 00000000..b6706ffa
--- /dev/null
+++ b/tests/shell/testcases/netns/0003many_0
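Review bot: `netns_exec` passes the whole nft command as one unquoted `$2` and relies on word-splitting to rebuild argv, which also subjects every word to pathname expansion — none of the nine commands here contains a glob character, so it works today, but a future rule containing `*` would be expanded against the current directory before nft sees it. Forwarding the arguments instead avoids that: `netns_exec() { local ns=$1; shift; $IP netns exec "$ns" "$@"; ... }` with callers written as `netns_exec $NETNS_NAME $NFT add table ip t` (the error message would then print `$*`). The header comment `# test a kernel netns loading a simple ruleset` is copied from 0001nft-f_0 and does not describe this file; `# test a kernel netns receiving a ruleset as individual nft commands` would. Unlike the two sibling scripts this one has no final `exit 0`; it still returns 0 because the last command is the `if` that fell through, but an explicit `exit 0` makes the intent visible.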
@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# test using many netns
+
+# arbitry value of 'many'
+HOWMANY=20
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+MKTEMP=$(which mktemp)
+if [ -x $MKTEMP ] ; then
+ tmpfile=$(${MKTEMP})
+else
+ tmpfile=$(/tmp/${RANDOM})
+fi
+
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+echo "$RULESET" > $tmpfile
+
+function test_netns()
+{
+ local NETNS_NAME=$1
+ $IP netns add $NETNS_NAME
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+ fi
+
+ $IP netns exec $NETNS_NAME $NFT -f $tmpfile
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+ if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ echo "E: ruleset in netns $NETNS_NAME differs from the loaded" >&2
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+ fi
+
+ $IP netns del $NETNS_NAME
+}
+
+for i in $(seq 1 $HOWMANY) ; do
+ NETNS_NAME="$netns${i}_$(basename "$0")"
+ test_netns $NETNS_NAME
+done
+
+exit 0
--
cgit v1.2.3
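Review bot: In `test_netns` the ruleset-mismatch branch does `exit 1` without `$IP netns del $NETNS_NAME`, so a failed comparison leaves a namespace with a loaded ruleset behind and the next run stops at `ip netns add` with the misleading "unable to create netns"; the load-failure branch just above it does delete. Move the deletion ahead of the comparison, as 0001nft-f_0 and 0002loosecommands_0 do: put `$IP netns del $NETNS_NAME` directly after the `KERNEL_RULESET=...` line and drop the trailing one. In the loop, `NETNS_NAME="$netns${i}_$(basename "$0")"` expands `$netns`, which is never assigned anywhere in the file, so the names come out as `1_0003many_0`; the intended literal is presumably `NETNS_NAME="netns${i}_$(basename "$0")"`. `KERNEL_RULESET` inside the function is also not declared `local`, unlike `NETNS_NAME` next to it, and `$(seq 1 $HOWMANY)` can be `for ((i = 1; i <= HOWMANY; i++))` in a bash script.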