summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases/packetpath/match_l4proto
blob: e61524e9cbdb80de8ba675fafbed3f77ac49c023 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

#!/bin/bash

# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_egress)
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat)

rnd=$(mktemp -u XXXXXXXX)
ns1="nft1payload-$rnd"
ns2="nft2payload-$rnd"

cleanup()
{
	ip netns del "$ns1"
	ip netns del "$ns2"
}

trap cleanup EXIT

run_test()
{
	ns1_addr=$2
	ns2_addr=$3
	cidr=$4

	# socat needs square brackets, ie. [abcd::2]
	if [ $1 -eq 6 ]; then
		nsx1_addr="["$ns1_addr"]"
		nsx2_addr="["$ns2_addr"]"
	else
		nsx1_addr="$ns1_addr"
		nsx2_addr="$ns2_addr"
	fi

	ip netns add "$ns1" || exit 111
	ip netns add "$ns2" || exit 111

	ip -net "$ns1" link set lo up
	ip -net "$ns2" link set lo up

	ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2

	ip -net "$ns1" link set veth0 up
	ip -net "$ns2" link set veth0 up
	ip -net "$ns1" addr add $ns1_addr/$cidr dev veth0
	ip -net "$ns2" addr add $ns2_addr/$cidr dev veth0

	sleep 5

RULESET="table netdev payload_netdev {
       counter ingress {}
       counter ingress_2 {}
       counter egress {}
       counter egress_2 {}

       chain ingress {
               type filter hook ingress device veth0 priority 0;
               udp dport 7777 counter name ingress
               meta l4proto udp counter name ingress_2
       }

       chain egress {
               type filter hook egress device veth0 priority 0;
               udp dport 7777 counter name egress
               meta l4proto udp counter name egress_2
       }
}"

	ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1

	ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"

	ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"

	ip netns exec "$ns1" $NFT list ruleset

	ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter netdev payload_netdev ingress_2 | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter netdev payload_netdev egress_2| grep "packets 5" > /dev/null || exit 1

	#
	# ... next stage
	#
	ip netns exec "$ns1" $NFT flush ruleset

	#
	# bridge
	#

	ip -net "$ns1" addr del $ns1_addr/$cidr dev veth0

	ip -net "$ns1" link add name br0 type bridge
	ip -net "$ns1" link set veth0 master br0
	ip -net "$ns1" addr add $ns1_addr/$cidr dev br0
	ip -net "$ns1" link set up dev br0

	sleep 5

RULESET="table bridge payload_bridge {
       counter input {}
       counter output {}
       counter input_2 {}
       counter output_2 {}

       chain in {
               type filter hook input priority 0;
               udp dport 7777 counter name input
               meta l4proto udp counter name input_2
       }

       chain out {
               type filter hook output priority 0;
               udp dport 7777 counter name output
               meta l4proto udp counter name output_2
        }
}"

	ip netns exec "$ns1" $NFT -f - <<< "$RULESET" || exit 1

	ip netns exec "$ns1" bash -c "echo 'A' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"
	ip netns exec "$ns1" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx2_addr:7777 > /dev/null"

	ip netns exec "$ns2" bash -c "echo 'A' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"
	ip netns exec "$ns2" bash -c "echo 'AAAAA' | socat -u STDIN UDP:$nsx1_addr:7777 > /dev/null"

	ip netns exec "$ns1" $NFT list ruleset

	ip netns exec "$ns1" $NFT list counter bridge payload_bridge input | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter bridge payload_bridge input_2 | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter bridge payload_bridge output | grep "packets 5" > /dev/null || exit 1
	ip netns exec "$ns1" $NFT list counter bridge payload_bridge output_2 | grep "packets 5" > /dev/null || exit 1
}

run_test "4" "10.141.10.2" "10.141.10.3" "24"
cleanup
run_test "6" "abcd::2" "abcd::3" "64"
# trap calls cleanup
generated by cgit v1.2.3 (git 2.25.0) at 2025-06-30 05:28:24 +0000