Commit 8442f8ba authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'testing-make-netfilter-selftests-functional-in-vng-environment'

Florian Westphal says:

====================
testing: make netfilter selftests functional in vng environment

This is the second batch of the netfilter selftest move.

Changes since v1:
- makefile and kernel config are updated to have all required features
- fix makefile with missing bits to make kselftest-install work
- test it via vng as per
   https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style
   (Thanks Jakub!)
- squash a few fixes, e.g. nft_queue.sh v1 had a race w. NFNETLINK_QUEUE=m
- add a settings file with 8m timeout, for nft_concat_range.sh sake.
  That script can be sped up a bit, I think, but its not contained in
  this batch yet.
- toss the first two bogus rebase artifacts (Matthieu Baerts)

The scripts are moved to the lib.sh infrastructure. This allows them to use
the busywait helper and drop the various 'sleep 2' calls scattered across them.

Tested on Fedora 39:

vng --build  --config tools/testing/selftests/net/netfilter/config
make -C tools/testing/selftests/ TARGETS=net/netfilter
vng -v --run . --user root --cpus 2 -- \
        make -C tools/testing/selftests TARGETS=net/netfilter run_tests

... all tests pass except nft_audit.sh which SKIPs due to nft version mismatch
(Fedora is on nft 1.0.7 which lacks reset keyword support).

Missing/WIP bits:
- speed up nf_concat_range.sh test
- extend flowtable selftest
- shellcheck fixups for remaining scripts
====================

Link: https://lore.kernel.org/r/20240418152744.15105-1-fw@strlen.de


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 4cad4efa 0b2e1db9
+5 −0
@@ -42,3 +42,8 @@ $(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS)

$(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS)
$(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS)

TEST_FILES := lib.sh

TEST_INCLUDES := \
	../lib.sh
+51 −1
CONFIG_AUDIT=y
CONFIG_BPF_SYSCALL=y
CONFIG_BRIDGE=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_IP=m
CONFIG_BRIDGE_EBT_REDIRECT=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_CGROUP_BPF=y
CONFIG_DUMMY=m
CONFIG_INET_ESP=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP_NF_RAW=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IP_VS=m
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_RR=m
CONFIG_IPV6=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_MACVLAN=m
CONFIG_NAMESPACES=y
CONFIG_NET_CLS_U32=m
CONFIG_NET_L3_MASTER_DEV=y
CONFIG_NET_NS=y
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_IPIP=m
CONFIG_NET_VRF=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_EVENTS=m
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CT=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_NAT=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_SYNPROXY=m
CONFIG_VETH=m
CONFIG_VLAN_8021Q=m
CONFIG_XFRM_USER=m
CONFIG_XFRM_STATISTICS=y
+37 −37
@@ -31,7 +31,7 @@ setup_ns r_a r_b r_w c_a c_b

cleanup() {
	cleanup_all_ns
	rm -f ${rx}
	rm -f "$rx"
}

trap cleanup EXIT
@@ -46,20 +46,20 @@ listener_ready()
test_path() {
	msg="$1"

	ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null &
	ip netns exec "$c_b" socat -t 3 - udp4-listen:5000,reuseaddr > "$rx" < /dev/null &

	busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000

	for i in 1 2 3; do
		head -c1400 /dev/zero | tr "\000" "a" | \
			ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000
			ip netns exec "$c_a" socat -t 1 -u STDIN UDP:192.168.20.2:5000
	done

	wait

	bytes=$(wc -c < ${rx})
	bytes=$(wc -c < "$rx")

	if [ $bytes -eq 1400 ];then
	if [ "$bytes" -eq 1400 ];then
		echo "OK: PMTU $msg connection tracking"
	else
		echo "FAIL: PMTU $msg connection tracking: got $bytes, expected 1400"
@@ -78,24 +78,24 @@ test_path() {
# 10.4.4.1 via 10.2.2.254      (Router B via Wanrouter)
# No iptables rules at all.

ip link add veth0 netns ${r_a} type veth peer name veth0 netns ${r_w}
ip link add veth1 netns ${r_a} type veth peer name veth0 netns ${c_a}
ip link add veth0 netns "$r_a" type veth peer name veth0 netns "$r_w"
ip link add veth1 netns "$r_a" type veth peer name veth0 netns "$c_a"

l_addr="10.2.2.1"
r_addr="10.4.4.1"
ip netns exec ${r_a} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
ip netns exec "$r_a" ip link add ipip0 type ipip local "$l_addr" remote "$r_addr" mode ipip || exit $ksft_skip

for dev in lo veth0 veth1 ipip0; do
    ip -net ${r_a} link set $dev up
    ip -net "$r_a" link set "$dev" up
done

ip -net ${r_a} addr add 10.2.2.1/24 dev veth0
ip -net ${r_a} addr add 192.168.10.1/24 dev veth1
ip -net "$r_a" addr add 10.2.2.1/24 dev veth0
ip -net "$r_a" addr add 192.168.10.1/24 dev veth1

ip -net ${r_a} route add 192.168.20.0/24 dev ipip0
ip -net ${r_a} route add 10.4.4.0/24 via 10.2.2.254
ip -net "$r_a" route add 192.168.20.0/24 dev ipip0
ip -net "$r_a" route add 10.4.4.0/24 via 10.2.2.254

ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip netns exec "$r_a" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null

# Detailed setup for Router B
# ---------------------------
@@ -108,46 +108,46 @@ ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
# 10.2.2.1 via 10.4.4.254      (Router A via Wanrouter)
# No iptables rules at all.

ip link add veth0 netns ${r_b} type veth peer name veth1 netns ${r_w}
ip link add veth1 netns ${r_b} type veth peer name veth0 netns ${c_b}
ip link add veth0 netns "$r_b" type veth peer name veth1 netns "$r_w"
ip link add veth1 netns "$r_b" type veth peer name veth0 netns "$c_b"

l_addr="10.4.4.1"
r_addr="10.2.2.1"

ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip
ip netns exec "$r_b" ip link add ipip0 type ipip local "${l_addr}" remote "${r_addr}" mode ipip || exit $ksft_skip

for dev in veth0 veth1 ipip0; do
	ip -net ${r_b} link set $dev up
	ip -net "$r_b" link set $dev up
done

ip -net ${r_b} addr add 10.4.4.1/24 dev veth0
ip -net ${r_b} addr add 192.168.20.1/24 dev veth1
ip -net "$r_b" addr add 10.4.4.1/24 dev veth0
ip -net "$r_b" addr add 192.168.20.1/24 dev veth1

ip -net ${r_b} route add 192.168.10.0/24 dev ipip0
ip -net ${r_b} route add 10.2.2.0/24 via 10.4.4.254
ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip -net "$r_b" route add 192.168.10.0/24 dev ipip0
ip -net "$r_b" route add 10.2.2.0/24 via 10.4.4.254
ip netns exec "$r_b" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null

# Client A
ip -net ${c_a} addr add 192.168.10.2/24 dev veth0
ip -net ${c_a} link set dev veth0 up
ip -net ${c_a} route add default via 192.168.10.1
ip -net "$c_a" addr add 192.168.10.2/24 dev veth0
ip -net "$c_a" link set dev veth0 up
ip -net "$c_a" route add default via 192.168.10.1

# Client A
ip -net ${c_b} addr add 192.168.20.2/24 dev veth0
ip -net ${c_b} link set dev veth0 up
ip -net ${c_b} route add default via 192.168.20.1
ip -net "$c_b" addr add 192.168.20.2/24 dev veth0
ip -net "$c_b" link set dev veth0 up
ip -net "$c_b" route add default via 192.168.20.1

# Wan
ip -net ${r_w} addr add 10.2.2.254/24 dev veth0
ip -net ${r_w} addr add 10.4.4.254/24 dev veth1
ip -net "$r_w" addr add 10.2.2.254/24 dev veth0
ip -net "$r_w" addr add 10.4.4.254/24 dev veth1

ip -net ${r_w} link set dev veth0 up mtu 1400
ip -net ${r_w} link set dev veth1 up mtu 1400
ip -net "$r_w" link set dev veth0 up mtu 1400
ip -net "$r_w" link set dev veth1 up mtu 1400

ip -net ${r_a} link set dev veth0 mtu 1400
ip -net ${r_b} link set dev veth0 mtu 1400
ip -net "$r_a" link set dev veth0 mtu 1400
ip -net "$r_b" link set dev veth0 mtu 1400

ip netns exec ${r_w} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null
ip netns exec "$r_w" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null

# Path MTU discovery
# ------------------
@@ -187,5 +187,5 @@ test_path "without"
#packet is too big (1400) for the tunnel PMTU (1380) to Router B, it is
#dropped on Router A before sending.

ip netns exec ${r_a} iptables -A FORWARD -m conntrack --ctstate NEW
ip netns exec "$r_a" iptables -A FORWARD -m conntrack --ctstate NEW
test_path "with"
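Review bot: The Router B link loop still passes `$dev` unquoted in `ip -net "$r_b" link set $dev up`, while the otherwise identical Router A loop a few lines earlier now quotes it, so this hunk leaves one of the SC2086 sites that its quoting changes appear intended to remove; the fix is `ip -net "$r_b" link set "$dev" up`. The two `ip link add ipip0` lines likewise end up in different styles (`"$l_addr"` for Router A, `"${l_addr}"` for Router B), which is harmless but worth aligning in the same sweep, as is the unquoted `exit $ksft_skip` on both. With the fixed device list nothing can actually break here, so this is purely a consistency point. The setup code and test_path continue outside the hunk in both directions.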
+26 −4
@@ -6,11 +6,33 @@
SKIP_RC=4
RC=0

if [ -r /var/run/auditd.pid ];then
	read pid < /var/run/auditd.pid
	p=$(pgrep ^auditd$)

	if [ "$pid" -eq "$p" ]; then
		echo "SKIP: auditd is running"
		exit $SKIP_RC
	fi
fi

nft --version >/dev/null 2>&1 || {
	echo "SKIP: missing nft tool"
	exit $SKIP_RC
}

# nft must be recent enough to support "reset" keyword.
nft --check -f /dev/stdin >/dev/null 2>&1 <<EOF
add table t
add chain t c
reset rules t c
EOF

if [ "$?" -ne 0 ];then
	echo "SKIP: nft reset feature test failed"
	exit $SKIP_RC
fi

# Run everything in a separate network namespace
[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }

@@ -73,7 +95,7 @@ done

for ((i = 0; i < 500; i++)); do
	echo "add rule t2 c3 counter accept comment \"rule $i\""
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=500 op=nft_register_rule'

@@ -101,7 +123,7 @@ do_test 'nft add counter t2 c1; add counter t2 c2' \

for ((i = 3; i <= 500; i++)); do
	echo "add counter t2 c$i"
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=498 op=nft_register_obj'

@@ -115,7 +137,7 @@ do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \

for ((i = 3; i <= 500; i++)); do
	echo "add quota t2 q$i { 10 bytes }"
done >$rulefile
done > "$rulefile"
do_test "nft -f $rulefile" \
'table=t2 family=2 entries=498 op=nft_register_obj'

@@ -157,7 +179,7 @@ table=t2 family=2 entries=135 op=nft_reset_rule'

# resetting sets and elements

elem=(22 ,80 ,443)
elem=(22 ",80" ",443")
relem=""
for i in {1..3}; do
	relem+="${elem[((i - 1))]}"
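Review bot: The auditd detection added at the top of the script only skips when the pidfile and `pgrep` agree, so an auditd that is running while /var/run/auditd.pid is absent or stale, or when `pgrep ^auditd$` returns more than one PID, is not detected and the test runs anyway; in the multi-PID and empty-`$p` cases `[ "$pid" -eq "$p" ]` additionally prints an integer-expression error and evaluates false rather than failing closed. Since a live auditd is the condition that matters here (it presumably competes for the audit socket the test reads), `if pgrep -x auditd >/dev/null; then echo "SKIP: auditd is running"; exit $SKIP_RC; fi` is both simpler and robust to pidfile state. If requiring pidfile agreement was deliberate, the comparison should at least be guarded with `[ -n "$p" ]` so a mismatch is reported instead of silently ignored. The rest of the script, including the test helpers, is outside the hunk.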
+61 −67
@@ -16,7 +16,7 @@ cleanup()
{
	cleanup_all_ns

	[ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
	[ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
}

checktool "nft --version" "run test without nft"
@@ -25,8 +25,7 @@ setup_ns nsrouter ns1 ns2

trap cleanup EXIT

dmesg | grep -q ' nft_rpfilter: '
if [ $? -eq 0 ]; then
if dmesg | grep -q ' nft_rpfilter: ';then
	dmesg -c | grep ' nft_rpfilter: '
	echo "WARN: a previous test run has failed" 1>&2
fi
@@ -36,7 +35,7 @@ sysctl -q net.netfilter.nf_log_all_netns=1
load_ruleset() {
	local netns=$1

ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
@@ -49,7 +48,7 @@ EOF
load_pbr_ruleset() {
	local netns=$1

ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
	chain forward {
		type filter hook forward priority raw;
@@ -63,7 +62,7 @@ EOF
load_ruleset_count() {
	local netns=$1

ip netns exec ${netns} nft -f /dev/stdin <<EOF
ip netns exec "$netns" nft -f /dev/stdin <<EOF
table inet filter {
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
@@ -89,52 +88,49 @@ check_fib_counter() {
	local ns=$2
	local address=$3

	line=$(ip netns exec ${ns} nft list table inet filter | grep 'fib saddr . iif' | grep $address | grep "packets $want" )
	ret=$?

	if [ $ret -ne 0 ];then
	if ! ip netns exec "$ns" nft list table inet filter | grep 'fib saddr . iif' | grep "$address" | grep -q "packets $want";then
		echo "Netns $ns fib counter doesn't match expected packet count of $want for $address" 1>&2
		ip netns exec ${ns} nft list table inet filter
		ip netns exec "$ns" nft list table inet filter
		return 1
	fi

	if [ $want -gt 0 ]; then
	if [ "$want" -gt 0 ]; then
		echo "PASS: fib expression did drop packets for $address"
	fi

	return 0
}

load_ruleset ${nsrouter}
load_ruleset ${ns1}
load_ruleset ${ns2}
load_ruleset "$nsrouter"
load_ruleset "$ns1"
load_ruleset "$ns2"

if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then
    echo "SKIP: No virtual ethernet pair device support in kernel"
    exit $ksft_skip
fi
ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
ip link add veth1 netns "$nsrouter" type veth peer name eth0 netns "$ns2"

ip -net ${nsrouter} link set veth0 up
ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad
ip -net "$nsrouter" link set veth0 up
ip -net "$nsrouter" addr add 10.0.1.1/24 dev veth0
ip -net "$nsrouter" addr add dead:1::1/64 dev veth0 nodad

ip -net ${nsrouter} link set veth1 up
ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad
ip -net "$nsrouter" link set veth1 up
ip -net "$nsrouter" addr add 10.0.2.1/24 dev veth1
ip -net "$nsrouter" addr add dead:2::1/64 dev veth1 nodad

ip -net ${ns1} link set eth0 up
ip -net ${ns2} link set eth0 up
ip -net "$ns1" link set eth0 up
ip -net "$ns2" link set eth0 up

ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad
ip -net ${ns1} route add default via 10.0.1.1
ip -net ${ns1} route add default via dead:1::1
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad
ip -net "$ns1" route add default via 10.0.1.1
ip -net "$ns1" route add default via dead:1::1

ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad
ip -net ${ns2} route add default via 10.0.2.1
ip -net ${ns2} route add default via dead:2::1
ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad
ip -net "$ns2" route add default via 10.0.2.1
ip -net "$ns2" route add default via dead:2::1

test_ping() {
  local daddr4=$1
@@ -155,11 +151,11 @@ test_ping() {
  return 0
}

ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null
ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null

test_ping 10.0.2.1 dead:2::1 || exit 1
check_drops || exit 1
@@ -169,69 +165,67 @@ check_drops || exit 1

echo "PASS: fib expression did not cause unwanted packet drops"

ip netns exec ${nsrouter} nft flush table inet filter
ip netns exec "$nsrouter" nft flush table inet filter

ip -net ${ns1} route del default
ip -net ${ns1} -6 route del default
ip -net "$ns1" route del default
ip -net "$ns1" -6 route del default

ip -net ${ns1} addr del 10.0.1.99/24 dev eth0
ip -net ${ns1} addr del dead:1::99/64 dev eth0
ip -net "$ns1" addr del 10.0.1.99/24 dev eth0
ip -net "$ns1" addr del dead:1::99/64 dev eth0

ip -net ${ns1} addr add 10.0.2.99/24 dev eth0
ip -net "$ns1" addr add 10.0.2.99/24 dev eth0
ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad

ip -net ${ns1} route add default via 10.0.2.1
ip -net ${ns1} -6 route add default via dead:2::1
ip -net "$ns1" route add default via 10.0.2.1
ip -net "$ns1" -6 route add default via dead:2::1

ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad

# switch to ruleset that doesn't log, this time
# its expected that this does drop the packets.
load_ruleset_count ${nsrouter}
load_ruleset_count "$nsrouter"

# ns1 has a default route, but nsrouter does not.
# must not check return value, ping to 1.1.1.1 will
# fail.
check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1
check_fib_counter 0 "$nsrouter" 1.1.1.1 || exit 1
check_fib_counter 0 "$nsrouter" 1c3::c01d || exit 1

ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null
check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1
check_fib_counter 1 "$nsrouter" 1.1.1.1 || exit 1

ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null
check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1
check_fib_counter 3 "$nsrouter" 1c3::c01d || exit 1

# delete all rules
ip netns exec ${ns1} nft flush ruleset
ip netns exec ${ns2} nft flush ruleset
ip netns exec ${nsrouter} nft flush ruleset
ip netns exec "$ns1" nft flush ruleset
ip netns exec "$ns2" nft flush ruleset
ip netns exec "$nsrouter" nft flush ruleset

ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad

ip -net ${ns1} addr del 10.0.2.99/24 dev eth0
ip -net ${ns1} addr del dead:2::99/64 dev eth0
ip -net "$ns1" addr del 10.0.2.99/24 dev eth0
ip -net "$ns1" addr del dead:2::99/64 dev eth0

ip -net ${nsrouter} addr del dead:2::1/64 dev veth0
ip -net "$nsrouter" addr del dead:2::1/64 dev veth0

# ... pbr ruleset for the router, check iif+oif.
load_pbr_ruleset ${nsrouter}
if [ $? -ne 0 ] ; then
if ! load_pbr_ruleset "$nsrouter";then
	echo "SKIP: Could not load fib forward ruleset"
	exit $ksft_skip
fi

ip -net ${nsrouter} rule add from all table 128
ip -net ${nsrouter} rule add from all iif veth0 table 129
ip -net ${nsrouter} route add table 128 to 10.0.1.0/24 dev veth0
ip -net ${nsrouter} route add table 129 to 10.0.2.0/24 dev veth1
ip -net "$nsrouter" rule add from all table 128
ip -net "$nsrouter" rule add from all iif veth0 table 129
ip -net "$nsrouter" route add table 128 to 10.0.1.0/24 dev veth0
ip -net "$nsrouter" route add table 129 to 10.0.2.0/24 dev veth1

# drop main ipv4 table
ip -net ${nsrouter} -4 rule delete table main
ip -net "$nsrouter" -4 rule delete table main

test_ping 10.0.2.99 dead:2::99
if [ $? -ne 0 ] ; then
	ip -net ${nsrouter} nft list ruleset
if ! test_ping 10.0.2.99 dead:2::99;then
	ip -net "$nsrouter" nft list ruleset
	echo "FAIL: fib mismatch in pbr setup"
	exit 1
fi
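Review bot: The counter check rewritten in check_fib_counter still matches `packets $want` as a prefix, so a counter reading 10 or 13 satisfies `check_fib_counter 1` and the drop test can pass on the wrong count; `$address` is also used as a regex, where the dots in 1.1.1.1 match any character. Anchoring the count on a word boundary and matching the address literally closes both gaps: replace the last two grep stages with `grep -F -- "$address" | grep -qw "packets $want"`. A false positive here would hide exactly the fib-expression regression this script exists to catch, so it is worth fixing while the line is being touched. In the cleanup hunk, `$log_netns` on the right-hand side of the sysctl assignment is still unquoted, inconsistent with the quoted test just before it. check_fib_counter's signature and first lines, and the script's remaining hunks, lie outside what is shown here.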