#!/bin/bash
#
# This tests the fib expression.
#
# Kselftest framework requirement - SKIP code is 4.
# Exit code the kselftest framework interprets as "skipped".
ksft_skip=4
ret=0

# Random suffix for the namespace names, so two runs (or a stale one) cannot
# collide; 'mktemp -u' only prints a candidate name and creates nothing.
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-${sfx}"
ns2="ns2-${sfx}"
nsrouter="nsrouter-${sfx}"
# NOTE(review): not referenced anywhere else in this file.
timeout=4

# Remember the host-wide setting so cleanup() can put it back.
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)

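# Remove the three test namespaces and restore the nf_log_all_netns sysctl.
# Installed as the EXIT trap once the router namespace exists.
cleanup()
{
	ip netns del "${ns1}"
	ip netns del "${ns2}"
	ip netns del "${nsrouter}"

	# The script switches nf_log_all_netns on; put it back only if it was
	# off beforehand (a pre-existing 1 is left alone).  Quoted string
	# comparison so an empty value (the initial 'sysctl -n' failed) is a
	# silent no-op rather than a '[: unary operator expected' error.
	if [ "${log_netns}" = "0" ]; then
		sysctl -q net.netfilter.nf_log_all_netns="${log_netns}"
	fi
}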

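# Missing tools are environment problems, reported as SKIP (code 4), not FAIL.
if ! nft --version > /dev/null 2>&1; then
	echo "SKIP: Could not run test without nft tool"
	exit $ksft_skip
fi

if ! ip -Version > /dev/null 2>&1; then
	echo "SKIP: Could not run test without ip tool"
	exit $ksft_skip
fi

# The router namespace is created before cleanup() is armed, so this SKIP
# path exits without running the trap.
if ! ip netns add "${nsrouter}"; then
	echo "SKIP: Could not create net namespace"
	exit $ksft_skip
fi

trap cleanup EXIT

# check_drops() greps dmesg for the rpfilter log prefix, so lines left by an
# earlier failed run would turn into a false FAIL here.  Note that 'dmesg -c'
# clears the whole kernel ring buffer, not only the matching lines.
if dmesg | grep -q ' nft_rpfilter: '; then
	dmesg -c | grep ' nft_rpfilter: '
	echo "WARN: a previous test run has failed" 1>&2
fi

# Phase 1 depends on the 'log' statement of the per-namespace rulesets being
# visible in the host dmesg, which requires nf_log_all_netns=1.  If that write
# fails, nothing would ever be logged and check_drops() would pass vacuously,
# so treat it as a SKIP instead of running a meaningless check.
if ! sysctl -q net.netfilter.nf_log_all_netns=1; then
	echo "SKIP: Could not enable net.netfilter.nf_log_all_netns"
	exit $ksft_skip
fi
ip netns add "${ns1}"
ip netns add "${ns2}"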

#######################################
# Load the log-and-drop ruleset into a namespace.
# The prerouting chain drops any packet whose source address has no route
# back out of the interface it arrived on (fib saddr . iif oif missing) and
# logs it with a prefix that carries the namespace name; check_drops() greps
# dmesg for the ' nft_rpfilter: ' part of that prefix.
# Arguments: $1 - network namespace name
#######################################
load_ruleset() {
	local netns="$1"

	ip netns exec "${netns}" nft -f /dev/stdin <<EOF
table inet filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
	        fib saddr . iif oif missing counter log prefix "$netns nft_rpfilter: " drop
	}
}
EOF
}

#######################################
# Load the counting (non-logging) ruleset into a namespace.
# Same reverse-path check as load_ruleset(), restricted to the two probe
# destinations used in phase 2, and counting instead of logging; the
# counters are read back by check_fib_counter().
# Arguments: $1 - network namespace name
#######################################
load_ruleset_count() {
	local netns="$1"

	# Quoted delimiter: the ruleset contains nothing to expand.
	ip netns exec "${netns}" nft -f /dev/stdin <<'EOF'
table inet filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
		ip daddr 1.1.1.1 fib saddr . iif oif missing counter drop
		ip6 daddr 1c3::c01d fib saddr . iif oif missing counter drop
	}
}
EOF
}

#######################################
# Fail if the logging ruleset dropped anything.
# Looks for the rpfilter log prefix in dmesg; any hit means a packet with a
# valid reverse path was dropped, which is the bug this phase guards against.
# Outputs:  the matching dmesg lines and a FAIL line on stdout
# Returns:  0 when dmesg has no rpfilter line, 1 otherwise
#######################################
check_drops() {
	if dmesg | grep -q ' nft_rpfilter: '; then
		dmesg | grep ' nft_rpfilter: '
		echo "FAIL: rpfilter did drop packets"
		return 1
	fi

	return 0
}

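#######################################
# Verify the drop counter of the fib rule for one destination.
# Arguments: $1 - expected packet count
#            $2 - network namespace name
#            $3 - destination address the rule matches on
# Outputs:   diagnostic plus the full table on stderr/stdout on mismatch,
#            a PASS line when a non-zero count was expected and found
# Returns:   0 when the counter reads exactly $1 packets, 1 otherwise
#######################################
check_fib_counter() {
	local want=$1
	local ns=$2
	local address=$3
	local rc

	# Fixed-string matches so the dots of an IPv4 address are not regex
	# wildcards, and -w so "packets 1" cannot be satisfied by "packets 10".
	ip netns exec "${ns}" nft list table inet filter \
		| grep -F -- 'fib saddr . iif' \
		| grep -F -- "${address}" \
		| grep -qw -- "packets ${want}"
	rc=$?

	if [ "$rc" -ne 0 ]; then
		echo "Netns $ns fib counter doesn't match expected packet count of $want for $address" 1>&2
		ip netns exec "${ns}" nft list table inet filter
		return 1
	fi

	if [ "$want" -gt 0 ]; then
		echo "PASS: fib expression did drop packets for $address"
	fi

	return 0
}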

load_ruleset "${nsrouter}"
load_ruleset "${ns1}"
load_ruleset "${ns2}"

# The first veth pair doubles as the capability probe: no veth support → SKIP.
if ! ip link add veth0 netns "${nsrouter}" type veth peer name eth0 netns "${ns1}" > /dev/null 2>&1; then
    echo "SKIP: No virtual ethernet pair device support in kernel"
    exit $ksft_skip
fi
ip link add veth1 netns "${nsrouter}" type veth peer name eth0 netns "${ns2}"

# Router side: veth0 faces ns1 (10.0.1.0/24, dead:1::/64), veth1 faces ns2
# (10.0.2.0/24, dead:2::/64).
ip -net "${nsrouter}" link set lo up
ip -net "${nsrouter}" link set veth0 up
ip -net "${nsrouter}" addr add 10.0.1.1/24 dev veth0
ip -net "${nsrouter}" addr add dead:1::1/64 dev veth0

ip -net "${nsrouter}" link set veth1 up
ip -net "${nsrouter}" addr add 10.0.2.1/24 dev veth1
ip -net "${nsrouter}" addr add dead:2::1/64 dev veth1

#######################################
# Bring up one client namespace: loopback and eth0, one address per family,
# and a per-family default route pointing at the router's address on that link.
# Arguments: $1 - namespace, $2 - v4 address/prefix, $3 - v6 address/prefix,
#            $4 - v4 gateway, $5 - v6 gateway
#######################################
configure_client() {
	local ns=$1
	local addr4=$2
	local addr6=$3
	local gw4=$4
	local gw6=$5

	ip -net "${ns}" link set lo up
	ip -net "${ns}" link set eth0 up
	ip -net "${ns}" addr add "${addr4}" dev eth0
	ip -net "${ns}" addr add "${addr6}" dev eth0
	ip -net "${ns}" route add default via "${gw4}"
	ip -net "${ns}" route add default via "${gw6}"
}

configure_client "${ns1}" 10.0.1.99/24 dead:1::99/64 10.0.1.1 dead:1::1
configure_client "${ns2}" 10.0.2.99/24 dead:2::99/64 10.0.2.1 dead:2::1

#######################################
# Send one probe from ns1 and report a failure through check_drops().
# Globals:   ns1 (read), ret (written: ping's exit status)
# Arguments: $1 - number of echo requests, $2 - destination address
# Returns:   0 when ping succeeded, 1 otherwise
#######################################
_ping_from_ns1() {
  local count=$1
  local daddr=$2

  ip netns exec "${ns1}" ping -c "${count}" -q "${daddr}" > /dev/null
  ret=$?
  if [ "$ret" -ne 0 ]; then
	check_drops
	echo "FAIL: ${ns1} cannot reach $daddr, ret $ret" 1>&2
	return 1
  fi

  return 0
}

#######################################
# Check that ns1 can reach a destination over IPv4 and IPv6.
# Globals:   ns1 (read), ret (written by the helper)
# Arguments: $1 - IPv4 destination, $2 - IPv6 destination
# Returns:   0 when both families answer, 1 on the first failure
#######################################
test_ping() {
  local daddr4=$1
  local daddr6=$2

  _ping_from_ns1 1 "${daddr4}" || return 1
  # Three requests for v6 (presumably to ride out neighbour-discovery
  # latency on the first one — TODO confirm).
  _ping_from_ns1 3 "${daddr6}" || return 1

  return 0
}

# Forwarding in the router namespace: IPv6 globally, IPv4 per interface.
for key in net.ipv6.conf.all.forwarding net.ipv4.conf.veth0.forwarding net.ipv4.conf.veth1.forwarding; do
	ip netns exec "${nsrouter}" sysctl "${key}=1" > /dev/null
done

# Give the links time to settle before probing (presumably IPv6 DAD on the
# freshly added addresses — TODO confirm).
sleep 3

# Phase 1: the log+drop ruleset is loaded in all three namespaces and every
# probe is expected to have a valid reverse path, so both the router's own
# address and ns2 must stay reachable and dmesg must stay free of rpfilter lines.
test_ping 10.0.2.1 dead:2::1 || exit 1
check_drops || exit 1

test_ping 10.0.2.99 dead:2::99 || exit 1
check_drops || exit 1

echo "PASS: fib expression did not cause unwanted packet drops"

# Phase 2 only inspects the router, so drop its logging ruleset first.
ip netns exec "${nsrouter}" nft flush table inet filter

# Re-home ns1 into ns2's subnet while it stays attached to veth0: its packets
# now enter the router on veth0 with a source address whose route points out
# of veth1, presumably the "fib saddr . iif oif missing" case — TODO confirm.
ip -net "${ns1}" route del default
ip -net "${ns1}" -6 route del default

for addr in 10.0.1.99/24 dead:1::99/64; do
	ip -net "${ns1}" addr del "${addr}" dev eth0
done
for addr in 10.0.2.99/24 dead:2::99/64; do
	ip -net "${ns1}" addr add "${addr}" dev eth0
done

ip -net "${ns1}" route add default via 10.0.2.1
ip -net "${ns1}" -6 route add default via dead:2::1

# The router also gets dead:2::1 on veth0, presumably so ns1's v6 next hop
# resolves on the link it is actually attached to — TODO confirm.
ip -net "${nsrouter}" addr add dead:2::1/64 dev veth0

# switch to ruleset that doesn't log, this time
# its expected that this does drop the packets.
load_ruleset_count "${nsrouter}"

# ns1 has a default route, but nsrouter does not.
# must not check return value, ping to 1.1.1.1 will
# fail.
check_fib_counter 0 "${nsrouter}" 1.1.1.1 || exit 1
check_fib_counter 0 "${nsrouter}" 1c3::c01d || exit 1

ip netns exec "${ns1}" ping -c 1 -W 1 -q 1.1.1.1 > /dev/null
check_fib_counter 1 "${nsrouter}" 1.1.1.1 || exit 1

sleep 2
ip netns exec "${ns1}" ping -c 3 -q 1c3::c01d > /dev/null
check_fib_counter 3 "${nsrouter}" 1c3::c01d || exit 1

exit 0