4924fda494a6e067e3466c9918653099b1790816
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Wed, 24 Mar 2021 02:30:45 +0100
3 Subject: [PATCH] selftests: netfilter: flowtable bridge and vlan support
4
5 This patch adds two new tests to cover bridge and vlan support:
6
7 - Add a bridge device to the Router1 (nsr1) container and attach the
8 veth0 device to the bridge. Set the IP address to the bridge device
9 to exercise the bridge forwarding path.
10
11 - Add vlan encapsulation between the bridge device in the Router1 and
12 one of the sender containers (ns1).
13
14 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
15 ---
16
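--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
+++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
@@ -371,6 +371,88 @@ else
 ip netns exec nsr1 nft list ruleset
 fi
 
+# Another test:
+# Add bridge interface br0 to Router1, with NAT enabled.
+ip -net nsr1 link add name br0 type bridge
+ip -net nsr1 addr flush dev veth0
+ip -net nsr1 link set up dev veth0
+ip -net nsr1 link set veth0 master br0
+ip -net nsr1 addr add 10.0.1.1/24 dev br0
+ip -net nsr1 addr add dead:1::1/64 dev br0
+ip -net nsr1 link set up dev br0
+
+ip netns exec nsr1 sysctl net.ipv4.conf.br0.forwarding=1 > /dev/null
+
+# br0 with NAT enabled.
+ip netns exec nsr1 nft -f - <<EOF
+flush table ip nat
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ meta iif "br0" ip daddr 10.6.6.6 tcp dport 1666 counter dnat ip to 10.0.2.99:12345
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+ meta oifname "veth1" counter masquerade
+ }
+}
+EOF
+
+if test_tcp_forwarding_nat ns1 ns2; then
+ echo "PASS: flow offloaded for ns1/ns2 with bridge NAT"
+else
+ echo "FAIL: flow offload for ns1/ns2 with bridge NAT" 1>&2
+ ip netns exec nsr1 nft list ruleset
+ ret=1
+fi
+
+# Another test:
+# Add bridge interface br0 to Router1, with NAT and VLAN.
+ip -net nsr1 link set veth0 nomaster
+ip -net nsr1 link set down dev veth0
+ip -net nsr1 link add link veth0 name veth0.10 type vlan id 10
+ip -net nsr1 link set up dev veth0
+ip -net nsr1 link set up dev veth0.10
+ip -net nsr1 link set veth0.10 master br0
+
+ip -net ns1 addr flush dev eth0
+ip -net ns1 link add link eth0 name eth0.10 type vlan id 10
+ip -net ns1 link set eth0 up
+ip -net ns1 link set eth0.10 up
+ip -net ns1 addr add 10.0.1.99/24 dev eth0.10
+ip -net ns1 route add default via 10.0.1.1
+ip -net ns1 addr add dead:1::99/64 dev eth0.10
+
+if test_tcp_forwarding_nat ns1 ns2; then
+ echo "PASS: flow offloaded for ns1/ns2 with bridge NAT and VLAN"
+else
+ echo "FAIL: flow offload for ns1/ns2 with bridge NAT and VLAN" 1>&2
+ ip netns exec nsr1 nft list ruleset
+ ret=1
+fi
+
+# restore test topology (remove bridge and VLAN)
+ip -net nsr1 link set veth0 nomaster
+ip -net nsr1 link set veth0 down
+ip -net nsr1 link set veth0.10 down
+ip -net nsr1 link delete veth0.10 type vlan
+ip -net nsr1 link delete br0 type bridge
+ip -net ns1 addr flush dev eth0.10
+ip -net ns1 link set eth0.10 down
+ip -net ns1 link set eth0 down
+ip -net ns1 link delete eth0.10 type vlan
+
+# restore address in ns1 and nsr1
+ip -net ns1 link set eth0 up
+ip -net ns1 addr add 10.0.1.99/24 dev eth0
+ip -net ns1 route add default via 10.0.1.1
+ip -net ns1 addr add dead:1::99/64 dev eth0
+ip -net ns1 route add default via dead:1::1
+ip -net nsr1 addr add 10.0.1.1/24 dev veth0
+ip -net nsr1 addr add dead:1::1/64 dev veth0
+ip -net nsr1 link set up dev veth0
+
 KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1)
 KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1)
 SPI1=$RANDOM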
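Review bot: The "restore test topology" block puts the links and addresses back but not the ruleset: the `flush table ip nat` heredoc replaced whatever `table ip nat` held before with a prerouting rule keyed on `meta iif "br0"`, and after `ip -net nsr1 link delete br0 type bridge` that rule refers to an interface that no longer exists, so any later test in the script that still expects the pre-bridge NAT rules (the IPsec section that starts at `KEY_SHA=` is outside this hunk, so I cannot tell) runs without them; a `nft -f -` reload of the original nat table belongs after the restore, next to `# restore address in ns1 and nsr1`. Second, none of the `ip -net nsr1 link add name br0 type bridge` / `... type vlan id 10` commands are checked, so a kernel without bridge or 802.1Q support reports `FAIL: flow offload for ns1/ns2 with bridge NAT` instead of skipping; guard the first one with `ip -net nsr1 link add name br0 type bridge || { echo "SKIP: cannot create bridge device in nsr1" 1>&2; exit; }` using the skip status the script's earlier prerequisite checks use, if it defines one. Third, the VLAN setup only re-adds the IPv4 default route after `ip -net ns1 addr flush dev eth0`, whereas the restore block re-adds both `default via 10.0.1.1` and `default via dead:1::1`; if the flush (or veth0 going down on the peer) dropped the IPv6 default route, the VLAN case exercises IPv4 only, which is worth either fixing or stating in the `# Another test:` comment.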