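#!/bin/bash
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat)
#
# Connection rate-limit test. A server namespace ($S) and a client namespace
# ($C) are joined by a veth pair; the client opens TCP connections to port 80
# on the server side and the test asserts that new connections are accepted up
# to the configured burst and rejected once the limit is exceeded, first for a
# burst of 5 and then for a "limit rate over 1/second burst 1" rule keyed on
# "tcp dport . ip saddr" in set filter/http1.
#
# Provided by the sourced test library: NFT, assert_pass, assert_fail,
# wait_local_port_listen.
#
# $NFT is intentionally left unquoted throughout: the harness may set it to a
# command with arguments, so word splitting is required (SC2086 applies only to
# those expansions; every other expansion is quoted).
# shellcheck disable=SC2086

. "$NFT_TEST_LIBRARY_FILE"

# Kill anything still running inside the two namespaces, then delete them.
# Registered on EXIT before $C/$S are assigned, so empty names are skipped
# rather than passed to ip(8).
cleanup() {
  local ns
  local -a pids
  for ns in "$C" "$S"; do
    [[ -n "$ns" ]] || continue
    mapfile -t pids < <(ip netns pid "$ns" 2>/dev/null)
    if (( ${#pids[@]} > 0 )); then
      kill "${pids[@]}" 2>/dev/null
    fi
    ip netns del "$ns"
  done
}
trap cleanup EXIT

# Random suffix so concurrent runs do not collide on namespace names.
rnd=$(mktemp -u XXXXXXXX)
C="ratelimit-client-$rnd"
S="ratelimit-server-$rnd"

ip_sc=10.167.1.1   # address of s_c, the server end of the veth pair
ip_cs=10.167.1.2   # first address of c_s, the client end
ip1_cs=10.167.1.3  # second address of c_s (configured, not referenced below)

ip netns add "$S"
ip netns add "$C"
ip link add s_c netns "$S" type veth peer name c_s netns "$C"
ip -net "$S" link set s_c up
ip -net "$C" link set c_s up
ip -net "$S" link set lo up
ip -net "$C" link set lo up
ip -net "$S" addr add "${ip_sc}/24" dev s_c
ip -net "$C" addr add "${ip_cs}/24" dev c_s
ip -net "$C" addr add "${ip1_cs}/24" dev c_s
ip netns exec "$C" ping "$ip_sc" -c1
assert_pass "topo initialization"

# NOTE(review): in this copy nft is fed an empty ruleset (< /dev/null), yet the
# steps below flush chain filter/in_tcp and set filter/http1 and wait for a
# listener on port 80 -- the ruleset heredoc and the server-side listener look
# missing here; confirm against the upstream file before relying on this test.
ip netns exec "$S" $NFT -f - < /dev/null &
wait_local_port_listen "$S" 80 tcp

# Burst phase: the first five new connections must be accepted.
for _ in {1..5}; do
  ip netns exec "$C" socat -u - "TCP:${ip_sc}:80,connect-timeout=1" <<< 'AAA'
  assert_pass "tcp connection burst 5 accept"
done
# The sixth connection exceeds the burst and must be rejected.
ip netns exec "$C" socat -u - "TCP:${ip_sc}:80,reuseport,connect-timeout=1" <<< 'AAA'
assert_fail "tcp connection burst 5 up to limit reject"

# Rate phase: replace the chain contents and reset the set, then install a
# 1/second, burst-1 limit on the same (dport, saddr) key.
# NOTE(review): the assertions from here on pass an extra "result" argument
# while the ones above do not; verify which form the library expects.
ip netns exec "$S" $NFT flush chain filter in_tcp
assert_pass result "flush chain"
ip netns exec "$S" $NFT flush set filter http1
assert_pass result "flush set"
ip netns exec "$S" $NFT add rule filter in_tcp iifname s_c tcp dport 80 ct state new add @http1 { tcp dport . ip saddr limit rate over 1/second burst 1 packets} counter reject
assert_pass result "add rule limit rate over 1/second burst 1"
ip netns exec "$S" $NFT add rule filter in_tcp iifname s_c tcp dport 80 counter accept

# Let the limiter refill before the first probe; one connection is then
# allowed, the immediate second one is over the rate, and after another
# second a third is allowed again.
sleep 1
ip netns exec "$C" socat -u - "TCP:${ip_sc}:80,reuseport,connect-timeout=1" <<< 'AAA'
assert_pass result "tcp connection limit rate 1/sec burst 1 accept"
ip netns exec "$C" socat -u - "TCP:${ip_sc}:80,reuseport,connect-timeout=1" <<< 'AAA'
assert_fail result "tcp connection limit rate 1/sec burst 1 reject"
sleep 1
ip netns exec "$C" socat -u - "TCP:${ip_sc}:80,reuseport,connect-timeout=1" <<< 'AAA'
assert_pass result "tcp connection limit rate 1/sec burst 1 accept"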