Commit 4e97d521 authored by Antonio Ojea, committed by Pablo Neira Ayuso

selftests: netfilter: nft_queue.sh: sctp coverage



Test that nfqueue, with and without GSO, processes SCTP packets correctly.

Joint work with Florian and Pablo.

Signed-off-by: Antonio Ojea <aojea@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 26a77d02
+2 −0
@@ -87,3 +87,5 @@ CONFIG_XFRM_USER=m
CONFIG_XFRM_STATISTICS=y
CONFIG_NET_PKTGEN=m
CONFIG_TUN=m
CONFIG_INET_DIAG=m
CONFIG_SCTP_DIAG=m
+84 −1
@@ -25,6 +25,9 @@ cleanup()
}

checktool "nft --version" "test without nft tool"
checktool "socat -h" "run test without socat"

modprobe -q sctp

trap cleanup EXIT

@@ -265,7 +268,6 @@ test_tcp_forward()

test_tcp_localhost()
{
	dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT"
	timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null &
	local rpid=$!

@@ -375,6 +377,82 @@ EOF
	wait 2>/dev/null
}

sctp_listener_ready()
{
	ss -S -N "$1" -ln -o "sport = :12345" | grep -q 12345
}

test_sctp_forward()
{
	ip netns exec "$nsrouter" nft -f /dev/stdin <<EOF
flush ruleset
table inet sctpq {
        chain forward {
        type filter hook forward priority 0; policy accept;
                sctp dport 12345 queue num 10
        }
}
EOF
	timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
	local rpid=$!

	busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"

	ip netns exec "$nsrouter" ./nf_queue -q 10 -G -t "$timeout" &
	local nfqpid=$!

	ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null

	if ! ip netns exec "$nsrouter" nft delete table inet sctpq; then
		echo "FAIL:  Could not delete sctpq table"
		exit 1
	fi

	wait "$rpid" && echo "PASS: sctp and nfqueue in forward chain"

	if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
		echo "FAIL: lost packets?!" 1>&2
		exit 1
	fi
}

test_sctp_output()
{
        ip netns exec "$ns1" nft -f /dev/stdin <<EOF
table inet sctpq {
        chain output {
        type filter hook output priority 0; policy accept;
                sctp dport 12345 queue num 11
        }
}
EOF
	# reduce test file size, software segmentation causes sk wmem increase.
	dd conv=sparse status=none if=/dev/zero bs=1M count=50 of="$TMPINPUT"

	timeout 60 ip netns exec "$ns2" socat -u SCTP-LISTEN:12345 STDOUT > "$TMPFILE1" &
	local rpid=$!

	busywait "$BUSYWAIT_TIMEOUT" sctp_listener_ready "$ns2"

	ip netns exec "$ns1" ./nf_queue -q 11 -t "$timeout" &
	local nfqpid=$!

	ip netns exec "$ns1" socat -u STDIN SCTP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null

	if ! ip netns exec "$ns1" nft delete table inet sctpq; then
		echo "FAIL:  Could not delete sctpq table"
		exit 1
	fi

	# must wait before checking completeness of output file.
	wait "$rpid" && echo "PASS: sctp and nfqueue in output chain with GSO"

	if ! diff -u "$TMPINPUT" "$TMPFILE1" ; then
		echo "FAIL: lost packets?!" 1>&2
		exit 1
	fi
}

test_queue_removal()
{
	read tainted_then < /proc/sys/kernel/tainted
@@ -443,11 +521,16 @@ test_queue 10
# same.  We queue to a second program as well.
load_ruleset "filter2" 20
test_queue 20
ip netns exec "$ns1" nft flush ruleset

test_tcp_forward
test_tcp_localhost
test_tcp_localhost_connectclose
test_tcp_localhost_requeue
test_sctp_forward
test_sctp_output

# should be last, adds vrf device in ns1 and changes routes
test_icmp_vrf
test_queue_removal
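Review bot: In test_sctp_forward and test_sctp_output the failure branch of `wait "$rpid" && echo "PASS: …"` is silent: if the SCTP listener socat exits non-zero (for instance killed by its own `timeout 60`) nothing is printed and the function proceeds to the diff, so the only failure signal is an eventual "lost packets?!" that does not name the cause; an explicit check such as `if ! wait "$rpid"; then echo "FAIL: sctp listener exited with error" 1>&2; exit 1; fi` before the diff would make the failure attributable. In the same two functions `local nfqpid=$!` is assigned but never read, so a crashing nf_queue helper (the `-G` GSO path in the forward test is the new behaviour under test) is only noticed indirectly through missing data; either `wait "$nfqpid"` with a FAIL message (presumably acceptable if `-t "$timeout"` bounds its run time, as the `wait 2>/dev/null` at the end of the preceding function suggests) or dropping the unused variable would make the intent clear. The earlier hunk's `modprobe -q sctp` is unchecked, so on a kernel without SCTP the new tests fail inside socat rather than being skipped with a clear message, unlike the `checktool` probes next to it. test_sctp_output also indents its `nft -f` line with spaces where the rest of the file uses tabs. The hunk holding these functions opens with the tail of a function whose start is outside it and ends inside test_queue_removal, which continues past it.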