
Commit c0bd216

LorenzoBianconiummakynes
authored andcommitted
selftests: netfilter: nft_flowtable.sh: Add the capability to send IPv6 TCP traffic
Introduce the capability to send TCP traffic over IPv6 to nft_flowtable netfilter selftest. Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent c4cbe4a commit c0bd216

1 file changed

Lines changed: 43 additions & 14 deletions


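--- a/tools/testing/selftests/net/netfilter/nft_flowtable.sh
+++ b/tools/testing/selftests/net/netfilter/nft_flowtable.sh
@@ -127,6 +127,8 @@ ip -net "$nsr1" addr add fee1:2::1/64 dev veth1 nodad
 ip -net "$nsr2" addr add 192.168.10.2/24 dev veth0
 ip -net "$nsr2" addr add fee1:2::2/64 dev veth0 nodad
 
+ip netns exec "$nsr1" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
+ip netns exec "$nsr2" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
 for i in 0 1; do
 ip netns exec "$nsr1" sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
 ip netns exec "$nsr2" sysctl net.ipv4.conf.veth$i.forwarding=1 > /dev/null
@@ -153,7 +155,9 @@ ip -net "$ns1" route add default via dead:1::1
 ip -net "$ns2" route add default via dead:2::1
 
 ip -net "$nsr1" route add default via 192.168.10.2
+ip -6 -net "$nsr1" route add default via fee1:2::2
 ip -net "$nsr2" route add default via 192.168.10.1
+ip -6 -net "$nsr2" route add default via fee1:2::1
 
 ip netns exec "$nsr1" nft -f - <<EOF
 table inet filter {
@@ -352,8 +356,9 @@ test_tcp_forwarding_ip()
 local nsa=$1
 local nsb=$2
 local pmtu=$3
-local dstip=$4
-local dstport=$5
+local proto=$4
+local dstip=$5
+local dstport=$6
 local lret=0
 local socatc
 local socatl
@@ -363,12 +368,14 @@ test_tcp_forwarding_ip()
 infile="$nsin_small"
 fi
 
-timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -4 TCP-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" &
+timeout "$SOCAT_TIMEOUT" ip netns exec "$nsb" socat -${proto} \
+TCP"${proto}"-LISTEN:12345,reuseaddr STDIO < "$infile" > "$ns2out" &
 lpid=$!
 
 busywait 1000 listener_ready
 
-timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -4 TCP:"$dstip":"$dstport" STDIO < "$infile" > "$ns1out"
+timeout "$SOCAT_TIMEOUT" ip netns exec "$nsa" socat -${proto} \
+TCP"${proto}":"$dstip":"$dstport" STDIO < "$infile" > "$ns1out"
 socatc=$?
 
 wait $lpid
@@ -394,15 +401,21 @@ test_tcp_forwarding_ip()
 test_tcp_forwarding()
 {
 local pmtu="$3"
+local proto="$4"
+local dstip="$5"
+local dstport="$6"
 
-test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
+test_tcp_forwarding_ip "$1" "$2" "$pmtu" "$proto" "$dstip" "$dstport"
 
 return $?
 }
 
 test_tcp_forwarding_set_dscp()
 {
 local pmtu="$3"
+local proto="$4"
+local dstip="$5"
+local dstport="$6"
 
 ip netns exec "$nsr1" nft -f - <<EOF
 table netdev dscpmangle {
@@ -413,7 +426,7 @@ table netdev dscpmangle {
 }
 EOF
 if [ $? -eq 0 ]; then
-test_tcp_forwarding_ip "$1" "$2" "$3" 10.0.2.99 12345
+test_tcp_forwarding_ip "$1" "$2" "$pmtu" "$proto" "$dstip" "$dstport"
 check_dscp "dscp_ingress" "$pmtu"
 
 ip netns exec "$nsr1" nft delete table netdev dscpmangle
@@ -430,7 +443,7 @@ table netdev dscpmangle {
 }
 EOF
 if [ $? -eq 0 ]; then
-test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
+test_tcp_forwarding_ip "$1" "$2" "$pmtu" "$proto" "$dstip" "$dstport"
 check_dscp "dscp_egress" "$pmtu"
 
 ip netns exec "$nsr1" nft delete table netdev dscpmangle
@@ -441,7 +454,7 @@ fi
 # partial. If flowtable really works, then both dscp-is-0 and dscp-is-cs3
 # counters should have seen packets (before and after ft offload kicks in).
 ip netns exec "$nsr1" nft -a insert rule inet filter forward ip dscp set cs3
-test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.0.2.99 12345
+test_tcp_forwarding_ip "$1" "$2" "$pmtu" "$proto" "$dstip" "$dstport"
 check_dscp "dscp_fwd" "$pmtu"
 }
 
@@ -455,7 +468,7 @@ test_tcp_forwarding_nat()
 
 [ "$pmtu" -eq 0 ] && what="$what (pmtu disabled)"
 
-test_tcp_forwarding_ip "$nsa" "$nsb" "$pmtu" 10.0.2.99 12345
+test_tcp_forwarding_ip "$nsa" "$nsb" "$pmtu" 4 10.0.2.99 12345
 lret=$?
 
 if [ "$lret" -eq 0 ] ; then
@@ -465,7 +478,7 @@ test_tcp_forwarding_nat()
 echo "PASS: flow offload for ns1/ns2 with masquerade $what"
 fi
 
-test_tcp_forwarding_ip "$1" "$2" "$pmtu" 10.6.6.6 1666
+test_tcp_forwarding_ip "$1" "$2" "$pmtu" 4 10.6.6.6 1666
 lret=$?
 if [ "$pmtu" -eq 1 ] ;then
 check_counters "flow offload for ns1/ns2 with dnat $what"
@@ -487,14 +500,22 @@ make_file "$nsin_small" "$filesize_small"
 # Due to MTU mismatch in both directions, all packets (except small packets like pure
 # acks) have to be handled by normal forwarding path. Therefore, packet counters
 # are not checked.
-if test_tcp_forwarding "$ns1" "$ns2" 0; then
+if test_tcp_forwarding "$ns1" "$ns2" 0 4 10.0.2.99 12345; then
 echo "PASS: flow offloaded for ns1/ns2"
 else
 echo "FAIL: flow offload for ns1/ns2:" 1>&2
 ip netns exec "$nsr1" nft list ruleset
 ret=1
 fi
 
+if test_tcp_forwarding "$ns1" "$ns2" 0 6 "[dead:2::99]" 12345; then
+echo "PASS: IPv6 flow offloaded for ns1/ns2"
+else
+echo "FAIL: IPv6 flow offload for ns1/ns2:" 1>&2
+ip netns exec "$nsr1" nft list ruleset
+ret=1
+fi
+
 # delete default route, i.e. ns2 won't be able to reach ns1 and
 # will depend on ns1 being masqueraded in nsr1.
 # expect ns1 has nsr1 address.
@@ -520,7 +541,7 @@ table ip nat {
 EOF
 
 check_dscp "dscp_none" "0"
-if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 ""; then
+if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 0 4 10.0.2.99 12345; then
 echo "FAIL: flow offload for ns1/ns2 with dscp update and no pmtu discovery" 1>&2
 exit 0
 fi
@@ -546,7 +567,7 @@ ip netns exec "$ns2" sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
 ip netns exec "$nsr1" nft reset counters table inet filter >/dev/null
 ip netns exec "$ns2" nft reset counters table inet filter >/dev/null
 
-if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 ""; then
+if ! test_tcp_forwarding_set_dscp "$ns1" "$ns2" 1 4 10.0.2.99 12345; then
 echo "FAIL: flow offload for ns1/ns2 with dscp update and pmtu discovery" 1>&2
 exit 0
 fi
@@ -752,14 +773,22 @@ ip -net "$ns2" route del 192.168.10.1 via 10.0.2.1
 ip -net "$ns2" route add default via 10.0.2.1
 ip -net "$ns2" route add default via dead:2::1
 
-if test_tcp_forwarding "$ns1" "$ns2" 1; then
+if test_tcp_forwarding "$ns1" "$ns2" 1 4 10.0.2.99 12345; then
 check_counters "ipsec tunnel mode for ns1/ns2"
 else
 echo "FAIL: ipsec tunnel mode for ns1/ns2"
 ip netns exec "$nsr1" nft list ruleset 1>&2
 ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2
 fi
 
+if test_tcp_forwarding "$ns1" "$ns2" 1 6 "[dead:2::99]" 12345; then
+check_counters "IPv6 ipsec tunnel mode for ns1/ns2"
+else
+echo "FAIL: IPv6 ipsec tunnel mode for ns1/ns2"
+ip netns exec "$nsr1" nft list ruleset 1>&2
+ip netns exec "$nsr1" cat /proc/net/xfrm_stat 1>&2
+fi
+
 if [ "$1" = "" ]; then
 low=1280
 mtu=$((65536 - low))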
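Review bot: The failure branch of the added IPv6 ipsec check in the last hunk (new lines 786–789) prints FAIL but never sets `ret=1`, unlike the IPv6 flow-offload check added at new lines 511–517, so as far as this hunk shows a broken IPv6 path would not change the script's exit status. It also copies the IPv4 branch above it in sending the FAIL line to stdout; I would write the branch as `echo "FAIL: IPv6 ipsec tunnel mode for ns1/ns2" 1>&2` followed by `ret=1`. How `ret` is consumed lies outside the hunk. The xfrm policy setup is not visible here either: if its selectors cover only the IPv4 subnets, this check could pass with the dead:: traffic forwarded outside the tunnel, so it is worth confirming that the policy matches the IPv6 flow before labelling the result "ipsec tunnel mode".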
