selftests: netfilter: nft_queue.sh: sctp coverage
Test that nfqueue, with and without GSO, processes SCTP packets correctly. Joint work with Florian and Pablo. Signed-off-by: Antonio Ojea <aojea@google.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
26a77d0289
commit
4e97d521c2
@ -87,3 +87,5 @@ CONFIG_XFRM_USER=m
|
||||
CONFIG_XFRM_STATISTICS=y
|
||||
CONFIG_NET_PKTGEN=m
|
||||
CONFIG_TUN=m
|
||||
CONFIG_INET_DIAG=m
|
||||
CONFIG_SCTP_DIAG=m
|
||||
|
@ -25,6 +25,9 @@ cleanup()
|
||||
}
|
||||
|
||||
checktool "nft --version" "test without nft tool"
|
||||
checktool "socat -h" "run test without socat"
|
||||
|
||||
modprobe -q sctp
|
||||
|
||||
trap cleanup EXIT
|
||||
|
||||
@ -265,7 +268,6 @@ test_tcp_forward()
|
||||
|
||||
test_tcp_localhost()
|
||||
{
|
||||
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT"
|
||||
timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
|
||||
local rpid=$!
|
||||
|
||||
@ -375,6 +377,82 @@ EOF
|
||||
wait 2>/dev/null
|
||||
}
|
||||
|
||||
sctp_listener_ready()
|
||||
{
|
||||
ss -S -N "$1" -ln -o "sport = :12345" | grep -q 12345
|
||||
}
|
||||
|
||||
test_sctp_forward()
|
||||
{
|
||||
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
|
||||
flush ruleset
|
||||
table inet sctpq {
|
||||
chain forward {
|
||||
type filter hook forward priority 0; policy accept;
|
||||
sctp dport 12345 queue num 10
|
||||
}
|
||||
}
|
||||
EOF
|
||||
timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
|
||||
local rpid=$!
|
||||
|
||||
busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"
|
||||
|
||||
ip netns exec "$nsrouter" ./nf_queue -q 10 -G -t "$timeout" &
|
||||
local nfqpid=$!
|
||||
|
||||
ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null
|
||||
|
||||
if ! ip netns exec "$nsrouter" nft delete table inet sctpq; then
|
||||
echo "FAIL: Could not delete sctpq table"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
wait "$rpid" && echo "PASS: sctp and nfqueue in forward chain"
|
||||
|
||||
if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
|
||||
echo "FAIL: lost packets?!" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
test_sctp_output()
|
||||
{
|
||||
ip netns exec "$ns1" nft -f /dev/stdin <<EOF
|
||||
table inet sctpq {
|
||||
chain output {
|
||||
type filter hook output priority 0; policy accept;
|
||||
sctp dport 12345 queue num 11
|
||||
}
|
||||
}
|
||||
EOF
|
||||
# reduce test file size, software segmentation causes sk wmem increase.
|
||||
dd conv=sparse status=none if=/dev/zero bs=1M count=50 of="$TMPINPUT"
|
||||
|
||||
timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
|
||||
local rpid=$!
|
||||
|
||||
busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"
|
||||
|
||||
ip netns exec "$ns1" ./nf_queue -q 11 -t "$timeout" &
|
||||
local nfqpid=$!
|
||||
|
||||
ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null
|
||||
|
||||
if ! ip netns exec "$ns1" nft delete table inet sctpq; then
|
||||
echo "FAIL: Could not delete sctpq table"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# must wait before checking completeness of output file.
|
||||
wait "$rpid" && echo "PASS: sctp and nfqueue in output chain with GSO"
|
||||
|
||||
if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
|
||||
echo "FAIL: lost packets?!" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
test_queue_removal()
|
||||
{
|
||||
read tainted_then < /proc/sys/kernel/tainted
|
||||
@ -443,11 +521,16 @@ test_queue 10
|
||||
# same. We queue to a second program as well.
|
||||
load_ruleset "filter2" 20
|
||||
test_queue 20
|
||||
ip netns exec "$ns1" nft flush ruleset
|
||||
|
||||
test_tcp_forward
|
||||
test_tcp_localhost
|
||||
test_tcp_localhost_connectclose
|
||||
test_tcp_localhost_requeue
|
||||
test_sctp_forward
|
||||
test_sctp_output
|
||||
|
||||
# should be last, adds vrf device in ns1 and changes routes
|
||||
test_icmp_vrf
|
||||
test_queue_removal
|
||||
|
||||
|
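Review bot: In test_sctp_forward, and identically in test_sctp_output, `wait "$rpid" && echo "PASS: ..."` prints PASS before the `diff -u "$TMPINPUT" "$TMPFILE1"` check runs, so a run that loses or corrupts SCTP payload can log PASS followed by FAIL, and a receiver that exits non-zero (for example when its `timeout 60` fires) is never reported as such. Check the receiver's exit status explicitly and print PASS only after the diff has succeeded, as sketched below for the forward case. `nfqpid` is assigned in both functions but never used in the visible lines, and the result of `busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"` is ignored, so a dead nf_queue helper or a listener that never came up shows up only as a later diff failure. The PASS labels also look inconsistent with the helper invocation: the forward test passes `-G` to nf_queue but its message does not mention GSO, while the output test omits `-G` and reports "with GSO"; please confirm which case each label is meant to describe.

```shell
	# … unchanged: ruleset load, listener and nf_queue start, sender, table delete …

	if ! wait "$rpid"; then
		echo "FAIL: sctp receiver exited with error" 1>&2
		exit 1
	fi

	# … unchanged: diff -u "$TMPINPUT" "$TMPFILE1" check …

	echo "PASS: sctp and nfqueue in forward chain"
```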