1

selftests: netfilter: nft_queue.sh: sctp coverage

Test that nfqueue with and without GSO process SCTP packets correctly.

Joint work with Florian and Pablo.

Signed-off-by: Antonio Ojea <aojea@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Antonio Ojea 2024-07-02 13:15:36 +02:00 committed by Pablo Neira Ayuso
parent 26a77d0289
commit 4e97d521c2
2 changed files with 86 additions and 1 deletions

View File

@ -87,3 +87,5 @@ CONFIG_XFRM_USER=m
CONFIG_XFRM_STATISTICS=y
CONFIG_NET_PKTGEN=m
CONFIG_TUN=m
CONFIG_INET_DIAG=m
CONFIG_SCTP_DIAG=m

View File

@ -25,6 +25,9 @@ cleanup()
}
checktool "nft --version" "test without nft tool"
checktool "socat -h" "run test without socat"
modprobe -q sctp
trap cleanup EXIT
@ -265,7 +268,6 @@ test_tcp_forward()
test_tcp_localhost()
{
dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT"
timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
local rpid=$!
@ -375,6 +377,82 @@ EOF
wait 2>/dev/null
}
sctp_listener_ready()
{
ss -S -N "$1" -ln -o "sport = :12345" | grep -q 12345
}
test_sctp_forward()
{
ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
flush ruleset
table inet sctpq {
chain forward {
type filter hook forward priority 0; policy accept;
sctp dport 12345 queue num 10
}
}
EOF
timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
local rpid=$!
busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"
ip netns exec "$nsrouter" ./nf_queue -q 10 -G -t "$timeout" &
local nfqpid=$!
ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null
if ! ip netns exec "$nsrouter" nft delete table inet sctpq; then
echo "FAIL: Could not delete sctpq table"
exit 1
fi
wait "$rpid" && echo "PASS: sctp and nfqueue in forward chain"
if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
echo "FAIL: lost packets?!" 1>&2
exit 1
fi
}
test_sctp_output()
{
ip netns exec "$ns1" nft -f /dev/stdin <<EOF
table inet sctpq {
chain output {
type filter hook output priority 0; policy accept;
sctp dport 12345 queue num 11
}
}
EOF
# reduce test file size, software segmentation causes sk wmem increase.
dd conv=sparse status=none if=/dev/zero bs=1M count=50 of="$TMPINPUT"
timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
local rpid=$!
busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"
ip netns exec "$ns1" ./nf_queue -q 11 -t "$timeout" &
local nfqpid=$!
ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null
if ! ip netns exec "$ns1" nft delete table inet sctpq; then
echo "FAIL: Could not delete sctpq table"
exit 1
fi
# must wait before checking completeness of output file.
wait "$rpid" && echo "PASS: sctp and nfqueue in output chain with GSO"
if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
echo "FAIL: lost packets?!" 1>&2
exit 1
fi
}
test_queue_removal()
{
read tainted_then < /proc/sys/kernel/tainted
@ -443,11 +521,16 @@ test_queue 10
# same. We queue to a second program as well.
load_ruleset "filter2" 20
test_queue 20
ip netns exec "$ns1" nft flush ruleset
test_tcp_forward
test_tcp_localhost
test_tcp_localhost_connectclose
test_tcp_localhost_requeue
test_sctp_forward
test_sctp_output
# should be last, adds vrf device in ns1 and changes routes
test_icmp_vrf
test_queue_removal