From patchwork Sun Apr 14 22:57:13 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629351
X-Patchwork-Delegate: kuba@kernel.org
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 962381353FB; Sun, 14 Apr 2024 23:04:42 +0000 (UTC)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8tk-0002VK-AJ; Mon, 15 Apr 2024 01:04:32 +0200
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 01/12] selftests: netfilter: conntrack_icmp_related.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:13 +0200
Message-ID: <20240414225729.18451-2-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

Only relevant change is that netns names have random suffix names, i.e. it's safe to run this in parallel with other tests.

Signed-off-by: Florian Westphal
---
 tools/testing/selftests/net/netfilter/config | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config index 9df6a9f11384..a34c284242ec 100644 --- a/tools/testing/selftests/net/netfilter/config +++ b/tools/testing/selftests/net/netfilter/config
@@ -2,6 +2,8 @@ CONFIG_AUDIT=y CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_REDIRECT=m CONFIG_BRIDGE_NETFILTER=m +CONFIG_NF_CONNTRACK=m +CONFIG_NF_CT_NETLINK=m CONFIG_IP_NF_MATCH_RPFILTER=m CONFIG_IP6_NF_MATCH_RPFILTER=m CONFIG_IP_SCTP=m

From patchwork Sun Apr 14 22:57:14 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629353
X-Patchwork-Delegate: kuba@kernel.org
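Review bot: the diffstat and the only hunk of 01/12 touch tools/testing/selftests/net/netfilter/config (adding `+CONFIG_NF_CONNTRACK=m` and `+CONFIG_NF_CT_NETLINK=m`), while the subject and the "netns names have random suffix" description refer to conntrack_icmp_related.sh, which does not appear in the diff at all; the script conversion seems to be missing from this patch. Note also that 02/12 deletes exactly these two config lines again, so across the series the config ends up unchanged; keep the conntrack options in one patch (a test named conntrack_icmp_related.sh clearly depends on them) and make sure the conntrack_icmp_related.sh hunks are actually included here.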
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 02/12] selftests: netfilter: conntrack_tcp_unreplied.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:14 +0200
Message-ID: <20240414225729.18451-3-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

Replace nc with socat. Too many different implementations of nc are around with incompatible options ("nc: cannot use -p and -l").

Signed-off-by: Florian Westphal
---
 tools/testing/selftests/net/netfilter/config | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config index a34c284242ec..9df6a9f11384 100644 --- a/tools/testing/selftests/net/netfilter/config +++ b/tools/testing/selftests/net/netfilter/config
@@ -2,8 +2,6 @@ CONFIG_AUDIT=y CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_REDIRECT=m CONFIG_BRIDGE_NETFILTER=m -CONFIG_NF_CONNTRACK=m -CONFIG_NF_CT_NETLINK=m CONFIG_IP_NF_MATCH_RPFILTER=m CONFIG_IP6_NF_MATCH_RPFILTER=m CONFIG_IP_SCTP=m

From patchwork Sun Apr 14 22:57:15 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629356
X-Patchwork-Delegate: kuba@kernel.org
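Review bot: the hunk in 02/12 removes `-CONFIG_NF_CONNTRACK=m` and `-CONFIG_NF_CT_NETLINK=m` from the selftest config, but the commit message only talks about replacing nc with socat in conntrack_tcp_unreplied.sh, and no change to that script is in the diff. Dropping conntrack from the kernel config for a test called conntrack_tcp_unreplied.sh looks unintended, and it silently undoes the 01/12 config hunk; please re-check how the two patches were split, and if the config change is meant, say so in the log.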
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 03/12] selftests: netfilter: nft_queue.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:15 +0200
Message-ID: <20240414225729.18451-4-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

- switch to socat, like other tests
- use busywait helper to test once listener netns is ready
- do not generate multiple input test files, only generate one and use cleanup hook to remove it, like other temporary files.

Signed-off-by: Florian Westphal
---
 .../selftests/net/netfilter/nft_queue.sh | 95 +++++++------------ 1 file changed, 34 insertions(+), 61 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh index 2eb65887e570..9aee4169d198 100755 --- a/tools/testing/selftests/net/netfilter/nft_queue.sh +++ b/tools/testing/selftests/net/netfilter/nft_queue.sh @@ -3,16 +3,10 @@ # This tests nf_queue: # 1. can process packets from all hooks # 2. support running nfqueue from more than one base chain -# -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 -ret=0 -sfx=$(mktemp -u "XXXXXXXX") -ns1="ns1-$sfx" -ns2="ns2-$sfx" -nsrouter="nsrouter-$sfx" -timeout=4 +source lib.sh +ret=0 +timeout=2 cleanup() { @@ -20,9 +14,9 @@ cleanup() ip netns pids ${ns2} | xargs kill 2>/dev/null ip netns pids ${nsrouter} | xargs kill 2>/dev/null - ip netns del ${ns1} - ip netns del ${ns2} - ip netns del ${nsrouter} + cleanup_all_ns + + rm -f "$TMPINPUT" rm -f "$TMPFILE0" rm -f "$TMPFILE1" rm -f "$TMPFILE2" "$TMPFILE3"
@@ -34,26 +28,17 @@ if [ $? -ne 0 ];then exit $ksft_skip fi -ip -Version > /dev/null 2>&1 -if [ $? -ne 0 ];then - echo "SKIP: Could not run test without ip tool" - exit $ksft_skip -fi +trap cleanup EXIT -ip netns add ${nsrouter} -if [ $? -ne 0 ];then - echo "SKIP: Could not create net namespace" - exit $ksft_skip -fi +setup_ns ns1 ns2 nsrouter TMPFILE0=$(mktemp) TMPFILE1=$(mktemp) TMPFILE2=$(mktemp) TMPFILE3=$(mktemp) -trap cleanup EXIT -ip netns add ${ns1} -ip netns add ${ns2} +TMPINPUT=$(mktemp) +dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$TMPINPUT ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1 if [ $? -ne 0 ];then @@ -62,28 +47,24 @@ if [ $? -ne 0 ];then fi ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2} -ip -net ${nsrouter} link set lo up ip -net ${nsrouter} link set veth0 up ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0 -ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 +ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad ip -net ${nsrouter} link set veth1 up ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1 -ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 +ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad -ip -net ${ns1} link set lo up ip -net ${ns1} link set eth0 up - -ip -net ${ns2} link set lo up ip -net ${ns2} link set eth0 up ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 -ip -net ${ns1} addr add dead:1::99/64 dev eth0 +ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad ip -net ${ns1} route add default via 10.0.1.1 ip -net ${ns1} route add default via dead:1::1 ip -net ${ns2} addr add 10.0.2.99/24 dev eth0 -ip -net ${ns2} addr add dead:2::99/64 dev eth0 +ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad ip -net ${ns2} route add default via 10.0.2.1 ip -net ${ns2} route add default via dead:2::1 @@ -161,7 +142,7 @@ test_ping() { ip netns exec ${ns1} ping -c 1 -q dead:2::99 > /dev/null if [ $? -ne 0 ];then - return 1 + return 2 fi return 0 
@@ -170,12 +151,12 @@ test_ping() { test_ping_router() { ip netns exec ${ns1} ping -c 1 -q 10.0.2.1 > /dev/null if [ $? -ne 0 ];then - return 1 + return 3 fi ip netns exec ${ns1} ping -c 1 -q dead:2::1 > /dev/null if [ $? -ne 0 ];then - return 1 + return 4 fi return 0 @@ -257,40 +238,40 @@ test_queue() echo "PASS: Expected and received $last" } +listener_ready() +{ + ss -N "$1" -lnt -o "sport = :12345" | grep -q 12345 +} + test_tcp_forward() { ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout & local nfqpid=$! - tmpfile=$(mktemp) || exit 1 - dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile - ip netns exec ${ns2} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null & + timeout 5 ip netns exec ${ns2} socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! - sleep 1 - ip netns exec ${ns1} nc -w 5 10.0.2.99 12345 <"$tmpfile" >/dev/null & + busywait $BUSYWAIT_TIMEOUT listener_ready ${ns2} - rm -f "$tmpfile" + ip netns exec ${ns1} socat -u STDIN TCP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null wait $rpid - wait $lpid + [ $? -eq 0 ] && echo "PASS: tcp and nfqueue in forward chain" } test_tcp_localhost() { - tmpfile=$(mktemp) || exit 1 - - dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile - ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null & + dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$TMPINPUT + timeout 5 ip netns exec ${nsrouter} socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout & local nfqpid=$! - sleep 1 - ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null - rm -f "$tmpfile" + busywait $BUSYWAIT_TIMEOUT listener_ready ${nsrouter} + + ip netns exec ${nsrouter} socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" >/dev/null wait $rpid [ $? -eq 0 ] && echo "PASS: tcp via loopback" 
@@ -299,15 +280,12 @@ test_tcp_localhost() test_tcp_localhost_connectclose() { - tmpfile=$(mktemp) || exit 1 - ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout & ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout & local nfqpid=$! sleep 1 - rm -f "$tmpfile" wait $rpid [ $? -eq 0 ] && echo "PASS: tcp via loopback with connect/close" @@ -329,9 +307,7 @@ table inet filter { } } EOF - tmpfile=$(mktemp) || exit 1 - dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile - ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null & + timeout 5 ip netns exec ${nsrouter} socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" & @@ -340,9 +316,8 @@ EOF # re-queue the packet to nfqueue program on queue 2. ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" & - sleep 1 - ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null - rm -f "$tmpfile" + busywait $BUSYWAIT_TIMEOUT listener_ready ${nsrouter} + ip netns exec ${nsrouter} socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" > /dev/null wait 
@@ -409,8 +384,6 @@ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null load_ruleset "filter" 0 -sleep 3 - test_ping ret=$? if [ $ret -eq 0 ];then

From patchwork Sun Apr 14 22:57:16 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629354
X-Patchwork-Delegate: kuba@kernel.org
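Review bot: in 03/12, test_tcp_localhost still runs `dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$TMPINPUT` although $TMPINPUT is already generated once right after setup_ns, which contradicts the "only generate one" point of the commit message; drop the duplicate dd. Smaller points in the same patch: `of=$TMPINPUT` is unquoted in the setup hunk while every other use of the variable is quoted; `timeout=4` becomes `timeout=2` and the `sleep 3` before test_ping is removed without a word in the log (the removal is justified by the `nodad` now passed to every IPv6 address add, worth stating); the listeners now run under `timeout 5`, yet `wait $rpid` followed by `[ $? -eq 0 ] && echo "PASS: ..."` still sets no ret=1 on failure, so a listener that hits the timeout (exit 124) makes the test print nothing instead of a FAIL; and `wait $rpid` in test_tcp_localhost_connectclose refers to a variable that function never assigns in the visible hunk, so it waits for all children.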
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 04/12] selftests: netfilter: nft_synproxy.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:16 +0200
Message-ID: <20240414225729.18451-5-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

Use checktool helper where applicable.

Signed-off-by: Florian Westphal
---
 .../selftests/net/netfilter/nft_synproxy.sh | 77 +++++++------------ 1 file changed, 28 insertions(+), 49 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_synproxy.sh b/tools/testing/selftests/net/netfilter/nft_synproxy.sh index b62933b680d6..293f667a6aec 100755 --- a/tools/testing/selftests/net/netfilter/nft_synproxy.sh +++ b/tools/testing/selftests/net/netfilter/nft_synproxy.sh
@@ -1,84 +1,65 @@ #!/bin/bash # SPDX-License-Identifier: GPL-2.0 -# -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 -ret=0 - -rnd=$(mktemp -u XXXXXXXX) -nsr="nsr-$rnd" # synproxy machine -ns1="ns1-$rnd" # iperf client -ns2="ns2-$rnd" # iperf server +source lib.sh -checktool (){ - if ! $1 > /dev/null 2>&1; then - echo "SKIP: Could not $2" - exit $ksft_skip - fi -} +ret=0 checktool "nft --version" "run test without nft tool" -checktool "ip -Version" "run test without ip tool" checktool "iperf3 --version" "run test without iperf3" -checktool "ip netns add $nsr" "create net namespace" -modprobe -q nf_conntrack +setup_ns nsr ns1 ns2 -ip netns add $ns1 -ip netns add $ns2 +modprobe -q nf_conntrack cleanup() { - ip netns pids $ns1 | xargs kill 2>/dev/null - ip netns pids $ns2 | xargs kill 2>/dev/null - ip netns del $ns1 - ip netns del $ns2 + ip netns pids "$ns1" | xargs kill 2>/dev/null + ip netns pids "$ns2" | xargs kill 2>/dev/null - ip netns del $nsr + cleanup_all_ns } trap cleanup EXIT -ip link add veth0 netns $nsr type veth peer name eth0 netns $ns1 -ip link add veth1 netns $nsr type veth peer name eth0 netns $ns2 +ip link add veth0 netns "$nsr" type veth peer name eth0 netns "$ns1" +ip link add veth1 netns "$nsr" type veth peer name eth0 netns "$ns2" -for dev in lo veth0 veth1; do -ip -net $nsr link set $dev up +for dev in veth0 veth1; do + ip -net "$nsr" link set "$dev" up done -ip -net $nsr addr add 10.0.1.1/24 dev veth0 -ip -net $nsr addr add 10.0.2.1/24 dev veth1 +ip -net "$nsr" addr add 10.0.1.1/24 dev veth0 +ip -net "$nsr" addr add 10.0.2.1/24 dev veth1 -ip netns exec $nsr sysctl -q net.ipv4.conf.veth0.forwarding=1 -ip netns exec $nsr sysctl -q net.ipv4.conf.veth1.forwarding=1 -ip netns exec $nsr sysctl -q net.netfilter.nf_conntrack_tcp_loose=0 +ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth0.forwarding=1 +ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth1.forwarding=1 +ip netns exec "$nsr" sysctl -q net.netfilter.nf_conntrack_tcp_loose=0 
for n in $ns1 $ns2; do - ip -net $n link set lo up - ip -net $n link set eth0 up + ip -net "$n" link set eth0 up done -ip -net $ns1 addr add 10.0.1.99/24 dev eth0 -ip -net $ns2 addr add 10.0.2.99/24 dev eth0 -ip -net $ns1 route add default via 10.0.1.1 -ip -net $ns2 route add default via 10.0.2.1 +ip -net "$ns1" addr add 10.0.1.99/24 dev eth0 +ip -net "$ns2" addr add 10.0.2.99/24 dev eth0 +ip -net "$ns1" route add default via 10.0.1.1 +ip -net "$ns2" route add default via 10.0.2.1 # test basic connectivity -if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then +if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.99 > /dev/null; then echo "ERROR: $ns1 cannot reach $ns2" 1>&2 exit 1 fi -if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then +if ! ip netns exec "$ns2" ping -c 1 -q 10.0.1.99 > /dev/null; then echo "ERROR: $ns2 cannot reach $ns1" 1>&2 exit 1 fi -ip netns exec $ns2 iperf3 -s > /dev/null 2>&1 & +ip netns exec "$ns2" iperf3 -s > /dev/null 2>&1 & # ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 & sleep 1 -ip netns exec $nsr nft -f - < /dev/null - -if [ $? -ne 0 ]; then +if ! ip netns exec "$ns1" timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null; then echo "FAIL: iperf3 returned an error" 1>&2 - ret=$? 
- ip netns exec $nsr nft list ruleset + ret=1 + ip netns exec "$nsr" nft list ruleset else echo "PASS: synproxy connection successful" fi

From patchwork Sun Apr 14 22:57:17 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629350
X-Patchwork-Delegate: kuba@kernel.org
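Review bot: in 04/12, the `sleep 1` after starting `iperf3 -s` in the background is kept as a fixed delay; since the script now sources lib.sh, the busywait plus listener-ready check that nft_queue.sh gets in this same series would remove the race instead of hoping one second is enough. Separately, turning `ret=$?` into `ret=1` in the failure branch fixes a real bug (`$?` after the `echo "FAIL: ..."` is always 0, so the script could exit successfully after a failed iperf3 run) and deserves a sentence in the commit message, which currently only mentions the checktool helper.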
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 05/12] selftests: netfilter: nft_zones_many.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:17 +0200
Message-ID: <20240414225729.18451-6-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

Also do shellcheck cleanups here, no functional changes intended.

Signed-off-by: Florian Westphal
---
 .../selftests/net/netfilter/nft_zones_many.sh | 93 +++++++++---------- 1 file changed, 45 insertions(+), 48 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_zones_many.sh b/tools/testing/selftests/net/netfilter/nft_zones_many.sh index 5a8db0b48928..a1284bf13e96 100755 --- a/tools/testing/selftests/net/netfilter/nft_zones_many.sh +++ b/tools/testing/selftests/net/netfilter/nft_zones_many.sh @@ -3,11 +3,7 @@ # Test insertion speed for packets with identical addresses/ports # that are all placed in distinct conntrack zones. -sfx=$(mktemp -u "XXXXXXXX") -ns="ns-$sfx" - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 +source lib.sh zones=2000 have_ct_tool=0
@@ -15,35 +11,25 @@ ret=0 cleanup() { - ip netns del $ns -} - -checktool (){ - if ! $1 > /dev/null 2>&1; then - echo "SKIP: Could not $2" - exit $ksft_skip - fi + cleanup_all_ns } checktool "nft --version" "run test without nft tool" -checktool "ip -Version" "run test without ip tool" checktool "socat -V" "run test without socat tool" -checktool "ip netns add $ns" "create net namespace" + +setup_ns ns1 trap cleanup EXIT -conntrack -V > /dev/null 2>&1 -if [ $? -eq 0 ];then +if conntrack -V > /dev/null 2>&1; then have_ct_tool=1 fi -ip -net "$ns" link set lo up - test_zones() { local max_zones=$1 -ip netns exec $ns sysctl -q net.netfilter.nf_conntrack_udp_timeout=3600 -ip netns exec $ns nft -f /dev/stdin</dev/null | ip netns exec "$ns" socat STDIN UDP:127.0.0.1:12345,sourceport=12345 + dd if=/dev/zero of=/dev/stdout bs=8k count=1000 2>/dev/null | ip netns exec "$ns1" socat -u STDIN UDP:127.0.0.1:12345,sourceport=12345 if [ $? -ne 0 ] ;then ret=1 break @@ -89,14 +82,15 @@ EOF echo "PASS: added 1000 entries in $duration ms (now $i total, loop $j)" done - if [ $have_ct_tool -eq 1 ]; then - local count=$(ip netns exec "$ns" conntrack -C) - local duration=$((stop-outerstart)) + if [ "$have_ct_tool" -eq 1 ]; then + local count duration + count=$(ip netns exec "$ns1" conntrack -C) + duration=$((stop-outerstart)) - if [ $count -eq $max_zones ]; then + if [ "$count" -eq "$max_zones" ]; then echo "PASS: inserted $count entries from packet path in $duration ms total" else - ip netns exec $ns conntrack -S 1>&2 + ip netns exec "$ns1" conntrack -S 1>&2 echo "FAIL: inserted $count entries from packet path in $duration ms total, expected $max_zones entries" ret=1 fi 
@@ -110,18 +104,19 @@ EOF test_conntrack_tool() { local max_zones=$1 - ip netns exec $ns conntrack -F >/dev/null 2>/dev/null + ip netns exec "$ns1" conntrack -F >/dev/null 2>/dev/null - local outerstart=$(date +%s%3N) - local start=$(date +%s%3N) - local stop=$start - local i=0 - while [ $i -lt $max_zones ]; do + local outerstart start stop i + outerstart=$(date +%s%3N) + start=$(date +%s%3N) + stop="$start" + i=0 + while [ "$i" -lt "$max_zones" ]; do i=$((i + 1)) - ip netns exec "$ns" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \ + ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \ --timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i >/dev/null 2>&1 if [ $? -ne 0 ];then - ip netns exec "$ns" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \ + ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \ --timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i > /dev/null echo "FAIL: conntrack -I returned an error" ret=1 @@ -137,13 +132,15 @@ test_conntrack_tool() { fi done - local count=$(ip netns exec "$ns" conntrack -C) - local duration=$((stop-outerstart)) + local count + local duration + count=$(ip netns exec "$ns1" conntrack -C) + duration=$((stop-outerstart)) - if [ $count -eq $max_zones ]; then + if [ "$count" -eq "$max_zones" ]; then echo "PASS: inserted $count entries via ctnetlink in $duration ms" else - ip netns exec $ns conntrack -S 1>&2 + ip netns exec "$ns1" conntrack -S 1>&2 echo "FAIL: inserted $count entries via ctnetlink in $duration ms, expected $max_zones entries ($duration ms)" ret=1 fi 
@@ -151,7 +148,7 @@ test_conntrack_tool() { test_zones $zones -if [ $have_ct_tool -eq 1 ];then +if [ "$have_ct_tool" -eq 1 ];then test_conntrack_tool $zones else echo "SKIP: Could not run ctnetlink insertion test without conntrack tool"

From patchwork Sun Apr 14 22:57:18 2024
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 13629352
X-Patchwork-Delegate: kuba@kernel.org
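Review bot: in 05/12, the two `conntrack -I` lines in test_conntrack_tool quote every variable except `--zone $i`, which shellcheck will still report (SC2086) even though $i is numeric; quote it for consistency with the rest of the cleanup. The log says no functional changes are intended, but the packet-path sender gains `-u` (`socat -u STDIN UDP:127.0.0.1:12345,sourceport=12345`) and the namespace variable moves from $ns to $ns1 via setup_ns; both look fine, the unidirectional `-u` should just be mentioned since it changes socat's behaviour.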
From: Florian Westphal
To:
Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org
Subject: [PATCH net-next 06/12] selftests: netfilter: xt_string.sh: move to lib.sh infra
Date: Mon, 15 Apr 2024 00:57:18 +0200
Message-ID: <20240414225729.18451-7-fw@strlen.de>
In-Reply-To: <20240414225729.18451-1-fw@strlen.de>
References: <20240414225729.18451-1-fw@strlen.de>
X-Mailing-List: netdev@vger.kernel.org

Intentional changes:
- Use socat instead of netcat
- Use a temporary file instead of pipe, else packets do not match "-m string" rules, multiple writes to the pipe cause multiple packets, but this needs only one to work.

Signed-off-by: Florian Westphal
---
 .../selftests/net/netfilter/xt_string.sh | 55 ++++++++++--------- 1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/xt_string.sh b/tools/testing/selftests/net/netfilter/xt_string.sh index 1802653a4728..ec7042b502e4 100755 --- a/tools/testing/selftests/net/netfilter/xt_string.sh +++ b/tools/testing/selftests/net/netfilter/xt_string.sh
@@ -5,43 +5,45 @@ ksft_skip=4 rc=0 -if ! iptables --version >/dev/null 2>&1; then - echo "SKIP: Test needs iptables" - exit $ksft_skip -fi -if ! ip -V >/dev/null 2>&1; then - echo "SKIP: Test needs iproute2" - exit $ksft_skip -fi -if ! nc -h >/dev/null 2>&1; then - echo "SKIP: Test needs netcat" - exit $ksft_skip -fi +source lib.sh + +checktool "socat -h" "run test without socat" +checktool "iptables --version" "test needs iptables" + +infile=$(mktemp) + +cleanup() +{ + ip netns del "$netns" + rm -f "$infile" +} + +trap cleanup EXIT + +setup_ns netns + +ip -net "$netns" link add d0 type dummy +ip -net "$netns" link set d0 up +ip -net "$netns" addr add 10.1.2.1/24 dev d0 pattern="foo bar baz" patlen=11 hdrlen=$((20 + 8)) # IPv4 + UDP -ns="ns-$(mktemp -u XXXXXXXX)" -trap 'ip netns del $ns' EXIT -ip netns add "$ns" -ip -net "$ns" link add d0 type dummy -ip -net "$ns" link set d0 up -ip -net "$ns" addr add 10.1.2.1/24 dev d0 - -#ip netns exec "$ns" tcpdump -npXi d0 & + +#ip netns exec "$netns" tcpdump -npXi d0 & #tcpdump_pid=$! -#trap 'kill $tcpdump_pid; ip netns del $ns' EXIT +#trap 'kill $tcpdump_pid; ip netns del $netns' EXIT add_rule() { # (alg, from, to) - ip netns exec "$ns" \ + ip netns exec "$netns" \ iptables -A OUTPUT -o d0 -m string \ --string "$pattern" --algo $1 --from $2 --to $3 } showrules() { # () - ip netns exec "$ns" iptables -v -S OUTPUT | grep '^-A' + ip netns exec "$netns" iptables -v -S OUTPUT | grep '^-A' } zerorules() { - ip netns exec "$ns" iptables -Z OUTPUT + ip netns exec "$netns" iptables -Z OUTPUT } countrule() { # (pattern) showrules | grep -c -- "$*" @@ -51,7 +53,9 @@ send() { # (offset) printf " " done printf "$pattern" - ) | ip netns exec "$ns" nc -w 1 -u 10.1.2.2 27374 + ) > "$infile" + + ip netns exec "$netns" socat -t 1 -u STDIN UDP-SENDTO:10.1.2.2:27374 < "$infile" } add_rule bm 1000 1500 
@@ -125,4 +129,5 @@ if [ $(countrule -c 1) -ne 0 ]; then ((rc--)) fi +[ $rc -eq 0 ] && echo "PASS: string match tests" exit $rc From patchwork Sun Apr 14 22:57:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629355 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D30C2137910; Sun, 14 Apr 2024 23:04:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135887; cv=none; b=j4VfeaHj9+ngeKEnVuV2osZ3uY2xWvxTKjz7CRkMUeWMq1LlTyxw/mLDLkL+iLuMhWSqkCZDp9oGhZL5vX2EylwaJvPKKqK7R/8eYc15oAIe/YomymV/U80ADpvPmpeGl1wU1jKSe4F63qzHEqSxzBlrB0xexfmL4Q5kzekvC68= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135887; c=relaxed/simple; bh=8TmnnmJzYrAEVHy0A2duQ8EUbQgKDllHOfZZ1Hr72fE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gudyPi4C5dPmVmEdbZUuRAS0/BkCEejTLrif5/tXEmyFuylNebDE/wBQxNI2mc28wygaBPMOyK/oSetUTpGXacBJ9Eo33DS8yPf2ex04k2kXm0LDGeJkFv4XOPc1zxqxFTiAwNPKPyBHgmNDF79Ikw4P6G6Dev9kHpQRhsvw6Ck= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8tt-0002Wk-Pg; Mon, 15 Apr 2024 01:04:41 +0200 
From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 07/12] selftests: netfilter: nft_nat_zones.sh: shellcheck cleanups Date: Mon, 15 Apr 2024 00:57:19 +0200 Message-ID: <20240414225729.18451-8-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org While at it: No need for iperf here, use socat. This also reduces the script runtime. Signed-off-by: Florian Westphal --- .../selftests/net/netfilter/nft_nat_zones.sh | 193 +++++++----------- 1 file changed, 75 insertions(+), 118 deletions(-) diff --git a/tools/testing/selftests/net/netfilter/nft_nat_zones.sh b/tools/testing/selftests/net/netfilter/nft_nat_zones.sh index b9ab37380f33..549f264b41f3 100755 --- a/tools/testing/selftests/net/netfilter/nft_nat_zones.sh +++ b/tools/testing/selftests/net/netfilter/nft_nat_zones.sh @@ -3,15 +3,14 @@ # Test connection tracking zone and NAT source port reallocation support. # -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 +source lib.sh # Don't increase too much, 2000 clients should work # just fine but script can then take several minutes with # KASAN/debug builds. maxclients=100 -have_iperf=1 +have_socat=0 ret=0 # client1---. @@ -31,12 +30,6 @@ ret=0 # NAT Gateway is supposed to do port reallocation for each of the # connections. -sfx=$(mktemp -u "XXXXXXXX") -gw="ns-gw-$sfx" -cl1="ns-cl1-$sfx" -cl2="ns-cl2-$sfx" -srv="ns-srv-$sfx" - v4gc1=$(sysctl -n net.ipv4.neigh.default.gc_thresh1 2>/dev/null) v4gc2=$(sysctl -n net.ipv4.neigh.default.gc_thresh2 2>/dev/null) v4gc3=$(sysctl -n net.ipv4.neigh.default.gc_thresh3 2>/dev/null) 
@@ -46,61 +39,29 @@ v6gc3=$(sysctl -n net.ipv6.neigh.default.gc_thresh3 2>/dev/null) cleanup() { - ip netns del $gw - ip netns del $srv - for i in $(seq 1 $maxclients); do - ip netns del ns-cl$i-$sfx 2>/dev/null - done - - sysctl -q net.ipv4.neigh.default.gc_thresh1=$v4gc1 2>/dev/null - sysctl -q net.ipv4.neigh.default.gc_thresh2=$v4gc2 2>/dev/null - sysctl -q net.ipv4.neigh.default.gc_thresh3=$v4gc3 2>/dev/null - sysctl -q net.ipv6.neigh.default.gc_thresh1=$v6gc1 2>/dev/null - sysctl -q net.ipv6.neigh.default.gc_thresh2=$v6gc2 2>/dev/null - sysctl -q net.ipv6.neigh.default.gc_thresh3=$v6gc3 2>/dev/null + cleanup_all_ns + + sysctl -q net.ipv4.neigh.default.gc_thresh1="$v4gc1" 2>/dev/null + sysctl -q net.ipv4.neigh.default.gc_thresh2="$v4gc2" 2>/dev/null + sysctl -q net.ipv4.neigh.default.gc_thresh3="$v4gc3" 2>/dev/null + sysctl -q net.ipv6.neigh.default.gc_thresh1="$v6gc1" 2>/dev/null + sysctl -q net.ipv6.neigh.default.gc_thresh2="$v6gc2" 2>/dev/null + sysctl -q net.ipv6.neigh.default.gc_thresh3="$v6gc3" 2>/dev/null } -nft --version > /dev/null 2>&1 -if [ $? -ne 0 ];then - echo "SKIP: Could not run test without nft tool" - exit $ksft_skip -fi +checktool "nft --version" echo "run test without nft tool" +checktool "conntrack -V" "run test without conntrack tool" -ip -Version > /dev/null 2>&1 -if [ $? -ne 0 ];then - echo "SKIP: Could not run test without ip tool" - exit $ksft_skip +if socat -h >/dev/null 2>&1; then + have_socat=1 fi -conntrack -V > /dev/null 2>&1 -if [ $? -ne 0 ];then - echo "SKIP: Could not run test without conntrack tool" - exit $ksft_skip -fi - -iperf3 -v >/dev/null 2>&1 -if [ $? -ne 0 ];then - have_iperf=0 -fi - -ip netns add "$gw" -if [ $? -ne 0 ];then - echo "SKIP: Could not create net namespace $gw" - exit $ksft_skip -fi -ip -net "$gw" link set lo up +setup_ns gw srv trap cleanup EXIT -ip netns add "$srv" -if [ $? 
-ne 0 ];then - echo "SKIP: Could not create server netns $srv" - exit $ksft_skip -fi - ip link add veth0 netns "$gw" type veth peer name eth0 netns "$srv" ip -net "$gw" link set veth0 up -ip -net "$srv" link set lo up ip -net "$srv" link set eth0 up sysctl -q net.ipv6.neigh.default.gc_thresh1=512 2>/dev/null 
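Review bot: `checktool "nft --version" echo "run test without nft tool"` has a stray `echo` as its second argument, so the skip message would be built from the word "echo" and the intended text is passed as a third, ignored argument; drop the `echo` so the line matches `checktool "conntrack -V" "run test without conntrack tool"` directly below it.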
@@ -110,55 +71,49 @@ sysctl -q net.ipv4.neigh.default.gc_thresh1=512 2>/dev/null sysctl -q net.ipv4.neigh.default.gc_thresh2=1024 2>/dev/null sysctl -q net.ipv4.neigh.default.gc_thresh3=4096 2>/dev/null -for i in $(seq 1 $maxclients);do - cl="ns-cl$i-$sfx" +for i in $(seq 1 "$maxclients");do + setup_ns "cl$i" - ip netns add "$cl" - if [ $? -ne 0 ];then - echo "SKIP: Could not create client netns $cl" - exit $ksft_skip - fi - ip link add veth$i netns "$gw" type veth peer name eth0 netns "$cl" > /dev/null 2>&1 - if [ $? -ne 0 ];then + cl=$(eval echo \$cl"$i") + if ! ip link add veth"$i" netns "$gw" type veth peer name eth0 netns "$cl" > /dev/null 2>&1;then echo "SKIP: No virtual ethernet pair device support in kernel" exit $ksft_skip fi done -for i in $(seq 1 $maxclients);do - cl="ns-cl$i-$sfx" - echo netns exec "$cl" ip link set lo up +for i in $(seq 1 "$maxclients");do + cl=$(eval echo \$cl"$i") echo netns exec "$cl" ip link set eth0 up echo netns exec "$cl" sysctl -q net.ipv4.tcp_syn_retries=2 - echo netns exec "$gw" ip link set veth$i up - echo netns exec "$gw" sysctl -q net.ipv4.conf.veth$i.arp_ignore=2 - echo netns exec "$gw" sysctl -q net.ipv4.conf.veth$i.rp_filter=0 + echo netns exec "$gw" ip link set "veth$i" up + echo netns exec "$gw" sysctl -q net.ipv4.conf.veth"$i".arp_ignore=2 + echo netns exec "$gw" sysctl -q net.ipv4.conf.veth"$i".rp_filter=0 # clients have same IP addresses. echo netns exec "$cl" ip addr add 10.1.0.3/24 dev eth0 - echo netns exec "$cl" ip addr add dead:1::3/64 dev eth0 + echo netns exec "$cl" ip addr add dead:1::3/64 dev eth0 nodad echo netns exec "$cl" ip route add default via 10.1.0.2 dev eth0 echo netns exec "$cl" ip route add default via dead:1::2 dev eth0 # NB: same addresses on client-facing interfaces. 
- echo netns exec "$gw" ip addr add 10.1.0.2/24 dev veth$i - echo netns exec "$gw" ip addr add dead:1::2/64 dev veth$i + echo netns exec "$gw" ip addr add 10.1.0.2/24 dev "veth$i" + echo netns exec "$gw" ip addr add dead:1::2/64 dev "veth$i" nodad # gw: policy routing - echo netns exec "$gw" ip route add 10.1.0.0/24 dev veth$i table $((1000+i)) - echo netns exec "$gw" ip route add dead:1::0/64 dev veth$i table $((1000+i)) + echo netns exec "$gw" ip route add 10.1.0.0/24 dev "veth$i" table $((1000+i)) + echo netns exec "$gw" ip route add dead:1::0/64 dev "veth$i" table $((1000+i)) echo netns exec "$gw" ip route add 10.3.0.0/24 dev veth0 table $((1000+i)) echo netns exec "$gw" ip route add dead:3::0/64 dev veth0 table $((1000+i)) - echo netns exec "$gw" ip rule add fwmark $i lookup $((1000+i)) + echo netns exec "$gw" ip rule add fwmark "$i" lookup $((1000+i)) done | ip -batch /dev/stdin ip -net "$gw" addr add 10.3.0.1/24 dev veth0 -ip -net "$gw" addr add dead:3::1/64 dev veth0 +ip -net "$gw" addr add dead:3::1/64 dev veth0 nodad ip -net "$srv" addr add 10.3.0.99/24 dev eth0 -ip -net "$srv" addr add dead:3::99/64 dev eth0 +ip -net "$srv" addr add dead:3::99/64 dev eth0 nodad -ip netns exec $gw nft -f /dev/stdin< /dev/null ip netns exec "$gw" sysctl -q net.ipv6.conf.all.forwarding=1 > /dev/null 
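Review bot: `cl=$(eval echo \$cl"$i")`, used in both loops of this hunk, keeps an eval in a patch whose purpose is shellcheck cleanup; since lib.sh's helpers already require bash, indirect expansion gives the same value without it, e.g. `n="cl$i"; cl="${!n}"`, and avoids re-parsing the namespace name as shell input.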
@@ -224,73 +183,72 @@ ip netns exec "$gw" sysctl -q net.ipv4.conf.all.rp_filter=0 >/dev/null ip netns exec "$gw" sysctl -q net.ipv4.fwmark_reflect=1 > /dev/null ip netns exec "$gw" sysctl -q net.ipv6.fwmark_reflect=1 > /dev/null -for i in $(seq 1 $maxclients); do - cl="ns-cl$i-$sfx" - ip netns exec $cl ping -i 0.5 -q -c 3 10.3.0.99 > /dev/null 2>&1 & - if [ $? -ne 0 ]; then - echo FAIL: Ping failure from $cl 1>&2 - ret=1 - break - fi +for i in $(seq 1 "$maxclients"); do + cl=$(eval echo \$cl"$i") + ip netns exec "$cl" ping -i 0.5 -q -c 3 10.3.0.99 > /dev/null 2>&1 & done -wait +wait || ret=1 -for i in $(seq 1 $maxclients); do - ip netns exec $gw nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" | grep -q "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 counter packets 3 bytes 252 }" - if [ $? -ne 0 ];then +[ "$ret" -ne 0 ] && "FAIL: Ping failure from $cl" 1>&2 + +for i in $(seq 1 "$maxclients"); do + if ! ip netns exec "$gw" nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" | grep -q "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 counter packets 3 bytes 252 }"; then ret=1 echo "FAIL: counter icmp mismatch for veth$i" 1>&2 - ip netns exec $gw nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" 1>&2 + ip netns exec "$gw" nft get element inet raw inicmp "{ 10.1.0.3 . \"veth$i\" . 10.3.0.99 }" 1>&2 break fi done -ip netns exec $gw nft get element inet raw inicmp "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 }" | grep -q "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * $maxclients)) bytes $((252 * $maxclients)) }" -if [ $? -ne 0 ];then +if ! ip netns exec "$gw" nft get element inet raw inicmp "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 }" | grep -q "{ 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * maxclients)) bytes $((252 * maxclients)) }"; then ret=1 - echo "FAIL: counter icmp mismatch for veth0: { 10.3.0.99 . \"veth0\" . 
10.3.0.1 counter packets $((3 * $maxclients)) bytes $((252 * $maxclients)) }" - ip netns exec $gw nft get element inet raw inicmp "{ 10.3.99 . \"veth0\" . 10.3.0.1 }" 1>&2 + echo "FAIL: counter icmp mismatch for veth0: { 10.3.0.99 . \"veth0\" . 10.3.0.1 counter packets $((3 * maxclients)) bytes $((252 * maxclients)) }" + ip netns exec "$gw" nft get element inet raw inicmp "{ 10.3.99 . \"veth0\" . 10.3.0.1 }" 1>&2 fi -if [ $ret -eq 0 ]; then +if [ $ret -eq 0 ]; then echo "PASS: ping test from all $maxclients namespaces" fi -if [ $have_iperf -eq 0 ];then - echo "SKIP: iperf3 not installed" +if [ $have_socat -eq 0 ];then + echo "SKIP: socat not installed" if [ $ret -ne 0 ];then exit $ret fi exit $ksft_skip fi -ip netns exec $srv iperf3 -s > /dev/null 2>&1 & -iperfpid=$! -sleep 1 +listener_ready() +{ + ss -N "$1" -lnt -o "sport = :5201" | grep -q 5201 +} + +ip netns exec "$srv" socat -u TCP-LISTEN:5201,fork STDOUT > /dev/null 2>/dev/null & +socatpid=$! + +busywait 1000 listener_ready "$srv" -for i in $(seq 1 $maxclients); do +for i in $(seq 1 "$maxclients"); do if [ $ret -ne 0 ]; then break fi - cl="ns-cl$i-$sfx" - ip netns exec $cl iperf3 -c 10.3.0.99 --cport 10000 -n 1 > /dev/null - if [ $? -ne 0 ]; then - echo FAIL: Failure to connect for $cl 1>&2 - ip netns exec $gw conntrack -S 1>&2 + cl=$(eval echo \$cl"$i") + if ! ip netns exec "$cl" socat -4 -u STDIN TCP:10.3.0.99:5201,sourceport=10000 < /dev/null > /dev/null; then + echo "FAIL: Failure to connect for $cl" 1>&2 + ip netns exec "$gw" conntrack -S 1>&2 ret=1 fi done if [ $ret -eq 0 ];then - echo "PASS: iperf3 connections for all $maxclients net namespaces" + echo "PASS: socat connections for all $maxclients net namespaces" fi -kill $iperfpid +kill $socatpid wait -for i in $(seq 1 $maxclients); do - ip netns exec $gw nft get element inet raw inflows "{ 10.1.0.3 . 10000 . \"veth$i\" . 10.3.0.99 . 5201 }" > /dev/null - if [ $? -ne 0 ];then +for i in $(seq 1 "$maxclients"); do + if ! 
ip netns exec "$gw" nft get element inet raw inflows "{ 10.1.0.3 . 10000 . \"veth$i\" . 10.3.0.99 . 5201 }" > /dev/null;then ret=1 echo "FAIL: can't find expected tcp entry for veth$i" 1>&2 break 
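Review bot: in the ping section, `[ "$ret" -ne 0 ] && "FAIL: Ping failure from $cl" 1>&2` is missing `echo`, so on failure the shell tries to execute a command named "FAIL: Ping failure from ..." instead of printing it. The check just before it, `wait || ret=1`, also can never fire: a bare `wait` with no pid returns 0 regardless of how the children exited, so a failed ping cannot set ret here (the old `$?`-after-`&` test had the same flaw, so this rewrite preserves the bug rather than fixing it). Collect the ping pids and wait on each (`for p in "${pids[@]}"; do wait "$p" || ret=1; done`), and print the failing namespace inside that loop, because `$cl` after the loop always names the last client, not the one whose ping failed.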
@@ -300,8 +258,7 @@ if [ $ret -eq 0 ];then echo "PASS: Found client connection for all $maxclients net namespaces" fi -ip netns exec $gw nft get element inet raw inflows "{ 10.3.0.99 . 5201 . \"veth0\" . 10.3.0.1 . 10000 }" > /dev/null -if [ $? -ne 0 ];then +if ! ip netns exec "$gw" nft get element inet raw inflows "{ 10.3.0.99 . 5201 . \"veth0\" . 10.3.0.1 . 10000 }" > /dev/null;then ret=1 echo "FAIL: cannot find return entry on veth0" 1>&2 fi From patchwork Sun Apr 14 22:57:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629357 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 15F46134426; Sun, 14 Apr 2024 23:04:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135891; cv=none; b=Q1zHHgNM5u8yldY4bbeXXYhVKizGoc7QvbS1qHblxXGeNC6szXm/swLI60j0oZx0TFPySMFNJymPHIErEn/kk4La9BzyUf5Zp30dURJcHCjD7NuWKoGa/fxtGTQTWRd97sukJRh0jovpmLpKv91IyRknvedsoEKY3AyljtDN3Fs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135891; c=relaxed/simple; bh=A1agEwlE8amFzSXgtVEylYwMSikLnfGv+gVJkLg1sEA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rAEDzULTdhuJvbtLebigwZBe+E4v7avCeoTiQtnJQi/mrSiQTLP9Dhi9e2nlTIpfX/5reZP1FMEuKGxQE+OW519F+akuTlR1IsizjZDJj30dyqMUkI86Xl4+6vukRKdw4pUAQlc2ZNzaMMHfo3wUYpdvjgAgqCtFHUHm6zM3Zgg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none 
(p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8tx-0002XT-T5; Mon, 15 Apr 2024 01:04:45 +0200 From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 08/12] selftests: netfilter: nft_queue.sh: shellcheck cleanups Date: Mon, 15 Apr 2024 00:57:20 +0200 Message-ID: <20240414225729.18451-9-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org No functional change intended. Disable frequent shellcheck warnings wrt. "unreachable" code, those helpers get called indirectly from busywait helper. Signed-off-by: Florian Westphal --- .../selftests/net/netfilter/nft_queue.sh | 212 +++++++++--------- 1 file changed, 104 insertions(+), 108 deletions(-) diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh index 9aee4169d198..a8596113a3bc 100755 --- a/tools/testing/selftests/net/netfilter/nft_queue.sh +++ b/tools/testing/selftests/net/netfilter/nft_queue.sh @@ -3,6 +3,8 @@ # This tests nf_queue: # 1. can process packets from all hooks # 2. support running nfqueue from more than one base chain +# +# shellcheck disable=SC2162,SC2317 source lib.sh ret=0 @@ -10,9 +12,9 @@ timeout=2 cleanup() { - ip netns pids ${ns1} | xargs kill 2>/dev/null - ip netns pids ${ns2} | xargs kill 2>/dev/null - ip netns pids ${nsrouter} | xargs kill 2>/dev/null + ip netns pids "$ns1" | xargs kill 2>/dev/null + ip netns pids "$ns2" | xargs kill 2>/dev/null + ip netns pids "$nsrouter" | xargs kill 2>/dev/null cleanup_all_ns 
@@ -22,11 +24,7 @@ cleanup() rm -f "$TMPFILE2" "$TMPFILE3" } -nft --version > /dev/null 2>&1 -if [ $? -ne 0 ];then - echo "SKIP: Could not run test without nft tool" - exit $ksft_skip -fi +checktool "nft --version" "test without nft tool" trap cleanup EXIT 
@@ -38,41 +36,40 @@ TMPFILE2=$(mktemp) TMPFILE3=$(mktemp) TMPINPUT=$(mktemp) -dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$TMPINPUT +dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT" -ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1 -if [ $? -ne 0 ];then +if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then echo "SKIP: No virtual ethernet pair device support in kernel" exit $ksft_skip fi -ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2} +ip link add veth1 netns "$nsrouter" type veth peer name eth0 netns "$ns2" -ip -net ${nsrouter} link set veth0 up -ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0 -ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad +ip -net "$nsrouter" link set veth0 up +ip -net "$nsrouter" addr add 10.0.1.1/24 dev veth0 +ip -net "$nsrouter" addr add dead:1::1/64 dev veth0 nodad -ip -net ${nsrouter} link set veth1 up -ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1 -ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad +ip -net "$nsrouter" link set veth1 up +ip -net "$nsrouter" addr add 10.0.2.1/24 dev veth1 +ip -net "$nsrouter" addr add dead:2::1/64 dev veth1 nodad -ip -net ${ns1} link set eth0 up -ip -net ${ns2} link set eth0 up +ip -net "$ns1" link set eth0 up +ip -net "$ns2" link set eth0 up -ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 -ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad -ip -net ${ns1} route add default via 10.0.1.1 -ip -net ${ns1} route add default via dead:1::1 +ip -net "$ns1" addr add 10.0.1.99/24 dev eth0 +ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad +ip -net "$ns1" route add default via 10.0.1.1 +ip -net "$ns1" route add default via dead:1::1 -ip -net ${ns2} addr add 10.0.2.99/24 dev eth0 -ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad -ip -net ${ns2} route add default via 10.0.2.1 -ip -net ${ns2} route add default via dead:2::1 +ip -net 
"$ns2" addr add 10.0.2.99/24 dev eth0 +ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad +ip -net "$ns2" route add default via 10.0.2.1 +ip -net "$ns2" route add default via dead:2::1 load_ruleset() { local name=$1 local prio=$2 -ip netns exec ${nsrouter} nft -f /dev/stdin < /dev/null - if [ $? -ne 0 ];then + if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.99 > /dev/null; then return 1 fi - ip netns exec ${ns1} ping -c 1 -q dead:2::99 > /dev/null - if [ $? -ne 0 ];then + if ! ip netns exec "$ns1" ping -c 1 -q dead:2::99 > /dev/null; then return 2 fi @@ -149,13 +144,11 @@ test_ping() { } test_ping_router() { - ip netns exec ${ns1} ping -c 1 -q 10.0.2.1 > /dev/null - if [ $? -ne 0 ];then + if ! ip netns exec "$ns1" ping -c 1 -q 10.0.2.1 > /dev/null; then return 3 fi - ip netns exec ${ns1} ping -c 1 -q dead:2::1 > /dev/null - if [ $? -ne 0 ];then + if ! ip netns exec "$ns1" ping -c 1 -q dead:2::1 > /dev/null; then return 4 fi @@ -165,7 +158,7 @@ test_ping_router() { test_queue_blackhole() { local proto=$1 -ip netns exec ${nsrouter} nft -f /dev/stdin < /dev/null + if [ "$proto" = "ip" ] ;then + ip netns exec "$ns1" ping -W 2 -c 1 -q 10.0.2.99 > /dev/null lret=$? - elif [ $proto = "ip6" ]; then - ip netns exec ${ns1} ping -W 2 -c 1 -q dead:2::99 > /dev/null + elif [ "$proto" = "ip6" ]; then + ip netns exec "$ns1" ping -W 2 -c 1 -q dead:2::99 > /dev/null lret=$? else lret=111 fi # queue without bypass keyword should drop traffic if no listener exists. - if [ $lret -eq 0 ];then + if [ "$lret" -eq 0 ];then echo "FAIL: $proto expected failure, got $lret" 1>&2 exit 1 fi - ip netns exec ${nsrouter} nft delete table $proto blackh - if [ $? -ne 0 ] ;then + if ! ip netns exec "$nsrouter" nft delete table "$proto" blackh; then echo "FAIL: $proto: Could not delete blackh table" exit 1 fi 
@@ -198,26 +190,42 @@ EOF echo "PASS: $proto: statement with no listener results in packet drop" } +nf_queue_wait() +{ + local netns id + + netns="$1" + id="$2" + + ip netns exec "$netns" cat /proc/self/net/netfilter/nfnetlink_queue | \ + while read qid rest;do + if [ "$id" -lt "$qid" ]; then + return 1 + elif [ "$id" -eq "$qid" ]; then + return 0 + fi + done +} + test_queue() { - local expected=$1 + local expected="$1" local last="" # spawn nf_queue listeners - ip netns exec ${nsrouter} ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" & - ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" & - sleep 1 - test_ping - ret=$? - if [ $ret -ne 0 ];then - echo "FAIL: netns routing/connectivity with active listener on queue $queue: $ret" 1>&2 + ip netns exec "$nsrouter" ./nf_queue -c -q 0 -t $timeout > "$TMPFILE0" & + ip netns exec "$nsrouter" ./nf_queue -c -q 1 -t $timeout > "$TMPFILE1" & + + busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 0 + busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 1 + + if ! test_ping;then + echo "FAIL: netns routing/connectivity with active listener on queues 0 and 1: $ret" 1>&2 exit $ret fi - test_ping_router - ret=$? - if [ $ret -ne 0 ];then - echo "FAIL: netns router unreachable listener on queue $queue: $ret" 1>&2 + if ! test_ping_router;then + echo "FAIL: netns router unreachable listener on queue 0 and 1: $ret" 1>&2 exit $ret fi @@ -228,9 +236,7 @@ test_queue() last=$(tail -n1 "$file") if [ x"$last" != x"$expected packets total" ]; then echo "FAIL: Expected $expected packets total, but got $last" 1>&2 - cat "$file" 1>&2 - - ip netns exec ${nsrouter} nft list ruleset + ip netns exec "$nsrouter" nft list ruleset exit 1 fi done 
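Review bot: nf_queue_wait() has no explicit return after the `while read` loop, so when /proc/self/net/netfilter/nfnetlink_queue is still empty (listener not yet bound) or only lists ids smaller than the requested one, the function falls through with the loop's status of 0 and busywait reports the queue as ready immediately, which defeats the replacement of `sleep 1`; add `return 1` after `done` (the `return`s inside the loop only leave the pipeline's subshell, which is why the pipeline status is what the caller sees). In the same hunk, test_queue() dropped the `ret=$?` assignments but the failure paths still do `echo "... $ret"` and `exit $ret`; ret is the global initialised to 0, so a failed test_ping or test_ping_router would report 0 and exit 0. Use `exit 1` there and drop `$ret` from the message.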
@@ -245,56 +251,50 @@ listener_ready() test_tcp_forward() { - ip netns exec ${nsrouter} ./nf_queue -q 2 -t $timeout & + ip netns exec "$nsrouter" ./nf_queue -q 2 -t "$timeout" & local nfqpid=$! - timeout 5 ip netns exec ${ns2} socat -u TCP-LISTEN:12345 STDOUT >/dev/null & + timeout 5 ip netns exec "$ns2" socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! - busywait $BUSYWAIT_TIMEOUT listener_ready ${ns2} + busywait "$BUSYWAIT_TIMEOUT" listener_ready "$ns2" - ip netns exec ${ns1} socat -u STDIN TCP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null + ip netns exec "$ns1" socat -u STDIN TCP:10.0.2.99:12345 <"$TMPINPUT" >/dev/null - wait $rpid - - [ $? -eq 0 ] && echo "PASS: tcp and nfqueue in forward chain" + wait "$rpid" && echo "PASS: tcp and nfqueue in forward chain" } test_tcp_localhost() { - dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$TMPINPUT - timeout 5 ip netns exec ${nsrouter} socat -u TCP-LISTEN:12345 STDOUT >/dev/null & + dd conv=sparse status=none if=/dev/zero bs=1M count=200 of="$TMPINPUT" + timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! - ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout & + ip netns exec "$nsrouter" ./nf_queue -q 3 -t "$timeout" & local nfqpid=$! - busywait $BUSYWAIT_TIMEOUT listener_ready ${nsrouter} + busywait "$BUSYWAIT_TIMEOUT" listener_ready "$nsrouter" - ip netns exec ${nsrouter} socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" >/dev/null + ip netns exec "$nsrouter" socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" >/dev/null - wait $rpid - [ $? -eq 0 ] && echo "PASS: tcp via loopback" + wait "$rpid" && echo "PASS: tcp via loopback" wait 2>/dev/null } test_tcp_localhost_connectclose() { - ip netns exec ${nsrouter} ./connect_close -p 23456 -t $timeout & - - ip netns exec ${nsrouter} ./nf_queue -q 3 -t $timeout & - local nfqpid=$! 
+ ip netns exec "$nsrouter" ./connect_close -p 23456 -t "$timeout" & + ip netns exec "$nsrouter" ./nf_queue -q 3 -t "$timeout" & - sleep 1 + busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$nsrouter" 3 - wait $rpid - [ $? -eq 0 ] && echo "PASS: tcp via loopback with connect/close" + wait && echo "PASS: tcp via loopback with connect/close" wait 2>/dev/null } test_tcp_localhost_requeue() { -ip netns exec ${nsrouter} nft -f /dev/stdin </dev/null & + timeout 5 ip netns exec "$nsrouter" socat -u TCP-LISTEN:12345 STDOUT >/dev/null & local rpid=$! - ip netns exec ${nsrouter} ./nf_queue -c -q 1 -t $timeout > "$TMPFILE2" & + ip netns exec "$nsrouter" ./nf_queue -c -q 1 -t "$timeout" > "$TMPFILE2" & # nfqueue 1 will be called via output hook. But this time, # re-queue the packet to nfqueue program on queue 2. - ip netns exec ${nsrouter} ./nf_queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" & + ip netns exec "$nsrouter" ./nf_queue -G -d 150 -c -q 0 -Q 1 -t "$timeout" > "$TMPFILE3" & - busywait $BUSYWAIT_TIMEOUT listener_ready ${nsrouter} - ip netns exec ${nsrouter} socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" > /dev/null + busywait "$BUSYWAIT_TIMEOUT" listener_ready "$nsrouter" + ip netns exec "$nsrouter" socat -u STDIN TCP:127.0.0.1:12345 <"$TMPINPUT" > /dev/null wait 
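Review bot: in test_tcp_localhost_connectclose(), `wait && echo "PASS: tcp via loopback with connect/close"` always prints PASS, because a bare `wait` returns 0 whatever the children's exit codes, so a failing ./connect_close run goes unnoticed (the removed `wait $rpid` was equally vacuous, since rpid was never set in this function). Save the connect_close pid with `local ccpid=$!` and `wait "$ccpid"`, the way test_tcp_forward does with `wait "$rpid"`.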
@@ -330,17 +330,16 @@ EOF } test_icmp_vrf() { - ip -net $ns1 link add tvrf type vrf table 9876 - if [ $? -ne 0 ];then + if ! ip -net "$ns1" link add tvrf type vrf table 9876;then echo "SKIP: Could not add vrf device" return fi - ip -net $ns1 li set eth0 master tvrf - ip -net $ns1 li set tvrf up + ip -net "$ns1" li set eth0 master tvrf + ip -net "$ns1" li set tvrf up - ip -net $ns1 route add 10.0.2.0/24 via 10.0.1.1 dev eth0 table 9876 -ip netns exec ${ns1} nft -f /dev/stdin < /dev/null + busywait "$BUSYWAIT_TIMEOUT" nf_queue_wait "$ns1" 1 + + ip netns exec "$ns1" ip vrf exec tvrf ping -c 1 10.0.2.99 > /dev/null for n in output post; do for d in tvrf eth0; do - ip netns exec ${ns1} nft list chain inet filter $n | grep -q "oifname \"$d\" icmp type echo-request counter packets 1" - if [ $? -ne 0 ] ; then + if ! ip netns exec "$ns1" nft list chain inet filter "$n" | grep -q "oifname \"$d\" icmp type echo-request counter packets 1"; then echo "FAIL: chain $n: icmp packet counter mismatch for device $d" 1>&2 - ip netns exec ${ns1} nft list ruleset + ip netns exec "$ns1" nft list ruleset ret=1 return fi done done - wait $nfqpid - [ $? -eq 0 ] && echo "PASS: icmp+nfqueue via vrf" + wait "$nfqpid" && echo "PASS: icmp+nfqueue via vrf" wait 2>/dev/null } -ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null load_ruleset "filter" 0 -test_ping -ret=$? 
-if [ $ret -eq 0 ];then +if test_ping; then # queue bypass works (rules were skipped, no listener) echo "PASS: ${ns1} can reach ${ns2}" else From patchwork Sun Apr 14 22:57:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629358 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4D02134433; Sun, 14 Apr 2024 23:04:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135892; cv=none; b=HJEb7U4z6y9xbn2Rvf+h69S1WykXWyNdHmKxmxKaEJDEzMHMAPZkl+ZpRoNzmVR5qAGSOWu9Dgo3mVBC/RDIxJxZ0FGscqlmQ6hF99lJnrtioDj4dHq9GARKtoHeVwsTO64wwBwqd6j4Zl9JyLmdzdvzYdrDpVM68EZeHsUlsTo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135892; c=relaxed/simple; bh=DhyOTEcJ2UDkO/wV834FM+vNAjq1WNMIUJkVEDvTfEY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SPxnYpg7pN6DrSvUszEYCUJynmhW71JeDFJdoZAsBkOYTRmAVgx5zrCCzzmZqLqfYKIJjFeFTIIfwWtoU5sk0X8PewGcRnapMYsmqAZSt2zjuLvVweF3gzFLQmSgBpnG4BZsMs5swZHWBT4o/EmFcxVZz4eb3xkftoZbqCtHukU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8ty-0002Xm-WB; Mon, 15 Apr 2024 01:04:47 +0200 
From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 09/12] selftests: netfilter: conntrack_ipip_mtu.sh: shellcheck cleanups Date: Mon, 15 Apr 2024 00:57:21 +0200 Message-ID: <20240414225729.18451-10-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org No functional change intended. Signed-off-by: Florian Westphal --- .../net/netfilter/conntrack_ipip_mtu.sh | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh b/tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh index ac0dff0f80d7..9832a5d0198a 100755 --- a/tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh +++ b/tools/testing/selftests/net/netfilter/conntrack_ipip_mtu.sh @@ -31,7 +31,7 @@ setup_ns r_a r_b r_w c_a c_b cleanup() { cleanup_all_ns - rm -f ${rx} + rm -f "$rx" } trap cleanup EXIT @@ -46,20 +46,20 @@ listener_ready() test_path() { msg="$1" - ip netns exec ${c_b} socat -t 3 - udp4-listen:5000,reuseaddr > ${rx} < /dev/null & + ip netns exec "$c_b" socat -t 3 - udp4-listen:5000,reuseaddr > "$rx" < /dev/null & busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000 for i in 1 2 3; do head -c1400 /dev/zero | tr "\000" "a" | \ - ip netns exec ${c_a} socat -t 1 -u STDIN UDP:192.168.20.2:5000 + ip netns exec "$c_a" socat -t 1 -u STDIN UDP:192.168.20.2:5000 done wait - bytes=$(wc -c < ${rx}) + bytes=$(wc -c < "$rx") - if [ $bytes -eq 1400 ];then + if [ "$bytes" -eq 1400 ];then echo "OK: PMTU $msg connection tracking" else echo "FAIL: PMTU $msg connection tracking: got $bytes, expected 1400" 
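Review bot: in test_path(), `busywait $BUSYWAIT_TIMEOUT listener_ready "$c_b" 5000` and `msg="$1"` are left untouched although this is the same class of warning the rest of the hunk fixes: $BUSYWAIT_TIMEOUT is still unquoted and msg is not declared local. `busywait "$BUSYWAIT_TIMEOUT" ...` and `local msg="$1"` would finish the cleanup for this function.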
@@ -78,24 +78,24 @@ test_path() { # 10.4.4.1 via 10.2.2.254 (Router B via Wanrouter) # No iptables rules at all. -ip link add veth0 netns ${r_a} type veth peer name veth0 netns ${r_w} -ip link add veth1 netns ${r_a} type veth peer name veth0 netns ${c_a} +ip link add veth0 netns "$r_a" type veth peer name veth0 netns "$r_w" +ip link add veth1 netns "$r_a" type veth peer name veth0 netns "$c_a" l_addr="10.2.2.1" r_addr="10.4.4.1" -ip netns exec ${r_a} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip +ip netns exec "$r_a" ip link add ipip0 type ipip local "$l_addr" remote "$r_addr" mode ipip || exit $ksft_skip for dev in lo veth0 veth1 ipip0; do - ip -net ${r_a} link set $dev up + ip -net "$r_a" link set "$dev" up done -ip -net ${r_a} addr add 10.2.2.1/24 dev veth0 -ip -net ${r_a} addr add 192.168.10.1/24 dev veth1 +ip -net "$r_a" addr add 10.2.2.1/24 dev veth0 +ip -net "$r_a" addr add 192.168.10.1/24 dev veth1 -ip -net ${r_a} route add 192.168.20.0/24 dev ipip0 -ip -net ${r_a} route add 10.4.4.0/24 via 10.2.2.254 +ip -net "$r_a" route add 192.168.20.0/24 dev ipip0 +ip -net "$r_a" route add 10.4.4.0/24 via 10.2.2.254 -ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null +ip netns exec "$r_a" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null # Detailed setup for Router B # --------------------------- 
@@ -108,46 +108,46 @@ ip netns exec ${r_a} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null # 10.2.2.1 via 10.4.4.254 (Router A via Wanrouter) # No iptables rules at all. -ip link add veth0 netns ${r_b} type veth peer name veth1 netns ${r_w} -ip link add veth1 netns ${r_b} type veth peer name veth0 netns ${c_b} +ip link add veth0 netns "$r_b" type veth peer name veth1 netns "$r_w" +ip link add veth1 netns "$r_b" type veth peer name veth0 netns "$c_b" l_addr="10.4.4.1" r_addr="10.2.2.1" -ip netns exec ${r_b} ip link add ipip0 type ipip local ${l_addr} remote ${r_addr} mode ipip || exit $ksft_skip +ip netns exec "$r_b" ip link add ipip0 type ipip local "${l_addr}" remote "${r_addr}" mode ipip || exit $ksft_skip for dev in veth0 veth1 ipip0; do - ip -net ${r_b} link set $dev up + ip -net "$r_b" link set $dev up done -ip -net ${r_b} addr add 10.4.4.1/24 dev veth0 -ip -net ${r_b} addr add 192.168.20.1/24 dev veth1 +ip -net "$r_b" addr add 10.4.4.1/24 dev veth0 +ip -net "$r_b" addr add 192.168.20.1/24 dev veth1 -ip -net ${r_b} route add 192.168.10.0/24 dev ipip0 -ip -net ${r_b} route add 10.2.2.0/24 via 10.4.4.254 -ip netns exec ${r_b} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null +ip -net "$r_b" route add 192.168.10.0/24 dev ipip0 +ip -net "$r_b" route add 10.2.2.0/24 via 10.4.4.254 +ip netns exec "$r_b" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null # Client A -ip -net ${c_a} addr add 192.168.10.2/24 dev veth0 -ip -net ${c_a} link set dev veth0 up -ip -net ${c_a} route add default via 192.168.10.1 +ip -net "$c_a" addr add 192.168.10.2/24 dev veth0 +ip -net "$c_a" link set dev veth0 up +ip -net "$c_a" route add default via 192.168.10.1 # Client A -ip -net ${c_b} addr add 192.168.20.2/24 dev veth0 -ip -net ${c_b} link set dev veth0 up -ip -net ${c_b} route add default via 192.168.20.1 +ip -net "$c_b" addr add 192.168.20.2/24 dev veth0 +ip -net "$c_b" link set dev veth0 up +ip -net "$c_b" route add default via 192.168.20.1 # Wan -ip -net ${r_w} addr add 
10.2.2.254/24 dev veth0 -ip -net ${r_w} addr add 10.4.4.254/24 dev veth1 +ip -net "$r_w" addr add 10.2.2.254/24 dev veth0 +ip -net "$r_w" addr add 10.4.4.254/24 dev veth1 -ip -net ${r_w} link set dev veth0 up mtu 1400 -ip -net ${r_w} link set dev veth1 up mtu 1400 +ip -net "$r_w" link set dev veth0 up mtu 1400 +ip -net "$r_w" link set dev veth1 up mtu 1400 -ip -net ${r_a} link set dev veth0 mtu 1400 -ip -net ${r_b} link set dev veth0 mtu 1400 +ip -net "$r_a" link set dev veth0 mtu 1400 +ip -net "$r_b" link set dev veth0 mtu 1400 -ip netns exec ${r_w} sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null +ip netns exec "$r_w" sysctl -q net.ipv4.conf.all.forwarding=1 > /dev/null # Path MTU discovery # ------------------ 
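Review bot: the @@ -108 hunk does not quite mirror the Router A hunk it copies: `ip -net "$r_b" link set $dev up` leaves $dev unquoted where the Router A loop now has `"$dev"`, and the ipip0 line uses `"${l_addr}"`/`"${r_addr}"` where Router A uses `"$l_addr"`/`"$r_addr"`. Suggest `ip -net "$r_b" link set "$dev" up` and the brace-less form so both blocks read the same. Also, the comment above the c_b block is the second `# Client A`; since those lines are being rewritten anyway, changing it to `# Client B` is cheap.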
@@ -187,5 +187,5 @@ test_path "without" #packet is too big (1400) for the tunnel PMTU (1380) to Router B, it is #dropped on Router A before sending. -ip netns exec ${r_a} iptables -A FORWARD -m conntrack --ctstate NEW +ip netns exec "$r_a" iptables -A FORWARD -m conntrack --ctstate NEW test_path "with" From patchwork Sun Apr 14 22:57:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629359 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DFCE7134433; Sun, 14 Apr 2024 23:04:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135896; cv=none; b=JF6tf26Rr5yFwOIJpHSTARRs0YjtczPVvxWj/l7iBuibF2WOWJtGbxeVdffz3GTbTUdByoknxrfF45wsudfOG/ciq0vtBKqdCwl6EFfFlGAgQ5mQgnEi3Tdv7CX44pr3d8tLyO/Qbzx5Uhpv1biM8rxngqI8yEuUTkncbKECQeg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135896; c=relaxed/simple; bh=UIBG++aMXdWyyIukRkVB0NgtM+pw22owy8C5ip8p+oI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=smy0n6uI8RhCvWrshSMpXBMAs9Bol2CIo1QTU1CVZsdeLHoklWba9dpTE+JKmdlZIYX5V7kYKyE1yeFMS99uXyGT0GNpPgCs9H4mPY0BP0MABgy/l3eMs+q/08rtOPLWQGZbeOcq9Sbyw/+CVrFwG5OntfZVla7LxBMeLWnLG4o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw 
by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8u3-0002YG-3l; Mon, 15 Apr 2024 01:04:51 +0200 From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 10/12] selftests: netfilter: nft_fib.sh: shellcheck cleanups Date: Mon, 15 Apr 2024 00:57:22 +0200 Message-ID: <20240414225729.18451-11-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org no functional change intended. Signed-off-by: Florian Westphal --- .../selftests/net/netfilter/nft_fib.sh | 128 +++++++++--------- 1 file changed, 61 insertions(+), 67 deletions(-) diff --git a/tools/testing/selftests/net/netfilter/nft_fib.sh b/tools/testing/selftests/net/netfilter/nft_fib.sh index 04d6dc886b8a..ce1451c275fd 100755 --- a/tools/testing/selftests/net/netfilter/nft_fib.sh +++ b/tools/testing/selftests/net/netfilter/nft_fib.sh @@ -16,7 +16,7 @@ cleanup() { cleanup_all_ns - [ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns + [ "$log_netns" -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns } checktool "nft --version" "run test without nft" @@ -25,8 +25,7 @@ setup_ns nsrouter ns1 ns2 trap cleanup EXIT -dmesg | grep -q ' nft_rpfilter: ' -if [ $? -eq 0 ]; then +if dmesg | grep -q ' nft_rpfilter: ';then dmesg -c | grep ' nft_rpfilter: ' echo "WARN: a previous test run has failed" 1>&2 fi 
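Review bot: in the @@ -16 hunk of nft_fib.sh only the left-hand test is quoted; `sysctl -q net.netfilter.nf_log_all_netns=$log_netns` on the right still carries the unquoted expansion shellcheck complains about, so `... nf_log_all_netns="$log_netns"` would match the rest of the series.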
@@ -36,7 +35,7 @@ sysctl -q net.netfilter.nf_log_all_netns=1 load_ruleset() { local netns=$1 -ip netns exec ${netns} nft -f /dev/stdin <&2 - ip netns exec ${ns} nft list table inet filter + ip netns exec "$ns" nft list table inet filter return 1 fi - if [ $want -gt 0 ]; then + if [ "$want" -gt 0 ]; then echo "PASS: fib expression did drop packets for $address" fi return 0 } -load_ruleset ${nsrouter} -load_ruleset ${ns1} -load_ruleset ${ns2} +load_ruleset "$nsrouter" +load_ruleset "$ns1" +load_ruleset "$ns2" if ! ip link add veth0 netns "$nsrouter" type veth peer name eth0 netns "$ns1" > /dev/null 2>&1; then echo "SKIP: No virtual ethernet pair device support in kernel" exit $ksft_skip fi -ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2} +ip link add veth1 netns "$nsrouter" type veth peer name eth0 netns "$ns2" -ip -net ${nsrouter} link set veth0 up -ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0 -ip -net ${nsrouter} addr add dead:1::1/64 dev veth0 nodad +ip -net "$nsrouter" link set veth0 up +ip -net "$nsrouter" addr add 10.0.1.1/24 dev veth0 +ip -net "$nsrouter" addr add dead:1::1/64 dev veth0 nodad -ip -net ${nsrouter} link set veth1 up -ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1 -ip -net ${nsrouter} addr add dead:2::1/64 dev veth1 nodad +ip -net "$nsrouter" link set veth1 up +ip -net "$nsrouter" addr add 10.0.2.1/24 dev veth1 +ip -net "$nsrouter" addr add dead:2::1/64 dev veth1 nodad -ip -net ${ns1} link set eth0 up -ip -net ${ns2} link set eth0 up +ip -net "$ns1" link set eth0 up +ip -net "$ns2" link set eth0 up -ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 -ip -net ${ns1} addr add dead:1::99/64 dev eth0 nodad -ip -net ${ns1} route add default via 10.0.1.1 -ip -net ${ns1} route add default via dead:1::1 +ip -net "$ns1" addr add 10.0.1.99/24 dev eth0 +ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad +ip -net "$ns1" route add default via 10.0.1.1 +ip -net "$ns1" route add default via dead:1::1 -ip -net ${ns2} addr add 
10.0.2.99/24 dev eth0 -ip -net ${ns2} addr add dead:2::99/64 dev eth0 nodad -ip -net ${ns2} route add default via 10.0.2.1 -ip -net ${ns2} route add default via dead:2::1 +ip -net "$ns2" addr add 10.0.2.99/24 dev eth0 +ip -net "$ns2" addr add dead:2::99/64 dev eth0 nodad +ip -net "$ns2" route add default via 10.0.2.1 +ip -net "$ns2" route add default via dead:2::1 test_ping() { local daddr4=$1 @@ -155,11 +151,11 @@ test_ping() { return 0 } -ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null -ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv6.conf.all.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null +ip netns exec "$nsrouter" sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null test_ping 10.0.2.1 dead:2::1 || exit 1 check_drops || exit 1 
@@ -169,69 +165,67 @@ check_drops || exit 1 echo "PASS: fib expression did not cause unwanted packet drops" -ip netns exec ${nsrouter} nft flush table inet filter +ip netns exec "$nsrouter" nft flush table inet filter -ip -net ${ns1} route del default -ip -net ${ns1} -6 route del default +ip -net "$ns1" route del default +ip -net "$ns1" -6 route del default -ip -net ${ns1} addr del 10.0.1.99/24 dev eth0 -ip -net ${ns1} addr del dead:1::99/64 dev eth0 +ip -net "$ns1" addr del 10.0.1.99/24 dev eth0 +ip -net "$ns1" addr del dead:1::99/64 dev eth0 -ip -net ${ns1} addr add 10.0.2.99/24 dev eth0 +ip -net "$ns1" addr add 10.0.2.99/24 dev eth0 ip -net "$ns1" addr add dead:2::99/64 dev eth0 nodad -ip -net ${ns1} route add default via 10.0.2.1 -ip -net ${ns1} -6 route add default via dead:2::1 +ip -net "$ns1" route add default via 10.0.2.1 +ip -net "$ns1" -6 route add default via dead:2::1 ip -net "$nsrouter" addr add dead:2::1/64 dev veth0 nodad # switch to ruleset that doesn't log, this time # its expected that this does drop the packets. -load_ruleset_count ${nsrouter} +load_ruleset_count "$nsrouter" # ns1 has a default route, but nsrouter does not. # must not check return value, ping to 1.1.1.1 will # fail. 
-check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1 -check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1 +check_fib_counter 0 "$nsrouter" 1.1.1.1 || exit 1 +check_fib_counter 0 "$nsrouter" 1c3::c01d || exit 1 ip netns exec "$ns1" ping -W 0.5 -c 1 -q 1.1.1.1 > /dev/null -check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1 +check_fib_counter 1 "$nsrouter" 1.1.1.1 || exit 1 ip netns exec "$ns1" ping -W 0.5 -i 0.1 -c 3 -q 1c3::c01d > /dev/null -check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1 +check_fib_counter 3 "$nsrouter" 1c3::c01d || exit 1 # delete all rules -ip netns exec ${ns1} nft flush ruleset -ip netns exec ${ns2} nft flush ruleset -ip netns exec ${nsrouter} nft flush ruleset +ip netns exec "$ns1" nft flush ruleset +ip netns exec "$ns2" nft flush ruleset +ip netns exec "$nsrouter" nft flush ruleset -ip -net ${ns1} addr add 10.0.1.99/24 dev eth0 +ip -net "$ns1" addr add 10.0.1.99/24 dev eth0 ip -net "$ns1" addr add dead:1::99/64 dev eth0 nodad -ip -net ${ns1} addr del 10.0.2.99/24 dev eth0 -ip -net ${ns1} addr del dead:2::99/64 dev eth0 +ip -net "$ns1" addr del 10.0.2.99/24 dev eth0 +ip -net "$ns1" addr del dead:2::99/64 dev eth0 -ip -net ${nsrouter} addr del dead:2::1/64 dev veth0 +ip -net "$nsrouter" addr del dead:2::1/64 dev veth0 # ... pbr ruleset for the router, check iif+oif. -load_pbr_ruleset ${nsrouter} -if [ $? -ne 0 ] ; then +if ! 
load_pbr_ruleset "$nsrouter";then echo "SKIP: Could not load fib forward ruleset" exit $ksft_skip fi -ip -net ${nsrouter} rule add from all table 128 -ip -net ${nsrouter} rule add from all iif veth0 table 129 -ip -net ${nsrouter} route add table 128 to 10.0.1.0/24 dev veth0 -ip -net ${nsrouter} route add table 129 to 10.0.2.0/24 dev veth1 +ip -net "$nsrouter" rule add from all table 128 +ip -net "$nsrouter" rule add from all iif veth0 table 129 +ip -net "$nsrouter" route add table 128 to 10.0.1.0/24 dev veth0 +ip -net "$nsrouter" route add table 129 to 10.0.2.0/24 dev veth1 # drop main ipv4 table -ip -net ${nsrouter} -4 rule delete table main +ip -net "$nsrouter" -4 rule delete table main -test_ping 10.0.2.99 dead:2::99 -if [ $? -ne 0 ] ; then - ip -net ${nsrouter} nft list ruleset +if ! test_ping 10.0.2.99 dead:2::99;then + ip -net "$nsrouter" nft list ruleset echo "FAIL: fib mismatch in pbr setup" exit 1 fi From patchwork Sun Apr 14 22:57:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629360 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A2A201369BF; Sun, 14 Apr 2024 23:04:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135896; cv=none; b=Pan9PES96+G0UL7ES0jA/u+43nR5r5nYhAOBclWy1A5Ee8ym9v8A0ixkJVm/pQNKER4QsRWKr5hm9K++QF3x26pdgk1geAX/PvoxKYOmUnr6xgK9iSby4IyUBylsc2CnVX4sK3wU7Nc8kldkV+y4u6e2emsRR+RiuBNQLXGGbMY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135896; c=relaxed/simple; bh=CYMECbFjAP6fMd+pxWOaX4ssSIUxkUnXd0x+d9YNe5Y=; 
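Review bot: in the @@ -169 hunk of nft_fib.sh, the rewritten failure path `ip -net "$nsrouter" nft list ruleset` keeps a pre-existing bug: `ip -net` expects an ip subcommand, so `nft` is an unknown object and the line prints an ip usage error instead of the ruleset when the pbr ping fails. Since the line is touched anyway, use the form this same hunk uses a few lines earlier, `ip netns exec "$nsrouter" nft list ruleset`. Minor: `exit $ksft_skip` in the SKIP branch is still unquoted.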
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iPH0SqCUOYgIMLSSho2jx/IE9x14ddTOamfAjEg3z9FqnZn/Aq+IdpiC1ULQ+6VpKUMwkXoUmcWzrKo/2OXTkRuvKP5s9OucDrFcFuCwRrch1dhfshpyjyulNw2Fxc+KSc6B+P+ttn0Dfo11mcRqndkZX8OOCeeaXsURGdLS+PM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8u4-0002Yb-5s; Mon, 15 Apr 2024 01:04:52 +0200 From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 11/12] selftests: netfilter: nft_audit.sh: skip if auditd is running Date: Mon, 15 Apr 2024 00:57:23 +0200 Message-ID: <20240414225729.18451-12-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This testcase doesn't work if auditd is running, audit_logread will not receive any data in that case. Skip if auditd is already running. While at it, do a few minor shellcheck cleanups. Signed-off-by: Florian Westphal --- .../selftests/net/netfilter/nft_audit.sh | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/net/netfilter/nft_audit.sh b/tools/testing/selftests/net/netfilter/nft_audit.sh index 99ed5bd6e840..80936d70fcf6 100755 --- a/tools/testing/selftests/net/netfilter/nft_audit.sh +++ b/tools/testing/selftests/net/netfilter/nft_audit.sh 
@@ -6,6 +6,16 @@ SKIP_RC=4 RC=0 +if [ -r /var/run/auditd.pid ];then + read pid < /var/run/auditd.pid + p=$(pgrep ^auditd$) + + if [ "$pid" -eq "$p" ]; then + echo "SKIP: auditd is running" + exit $SKIP_RC + fi +fi + nft --version >/dev/null 2>&1 || { echo "SKIP: missing nft tool" exit $SKIP_RC @@ -73,7 +83,7 @@ done for ((i = 0; i < 500; i++)); do echo "add rule t2 c3 counter accept comment \"rule $i\"" -done >$rulefile +done > "$rulefile" do_test "nft -f $rulefile" \ 'table=t2 family=2 entries=500 op=nft_register_rule' @@ -101,7 +111,7 @@ do_test 'nft add counter t2 c1; add counter t2 c2' \ for ((i = 3; i <= 500; i++)); do echo "add counter t2 c$i" -done >$rulefile +done > "$rulefile" do_test "nft -f $rulefile" \ 'table=t2 family=2 entries=498 op=nft_register_obj' @@ -115,7 +125,7 @@ do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \ for ((i = 3; i <= 500; i++)); do echo "add quota t2 q$i { 10 bytes }" -done >$rulefile +done > "$rulefile" do_test "nft -f $rulefile" \ 'table=t2 family=2 entries=498 op=nft_register_obj' 
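Review bot: the new auditd check in the @@ -6 hunk misbehaves on a stale pid file: if /var/run/auditd.pid exists but no auditd process does, `p=$(pgrep ^auditd$)` is empty and `[ "$pid" -eq "$p" ]` prints "integer expression expected" on stderr before the test carries on. Per the commit message any running auditd is reason enough to skip, so `if pgrep -x auditd >/dev/null; then` covers both that case and an auditd started without a pid file, and lets the `read pid` go (shellcheck would otherwise want `read -r pid`, odd to leave in a patch that also does shellcheck cleanups). If the pid comparison is intended, at least guard it with `[ -n "$p" ] &&`.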
@@ -157,7 +167,7 @@ table=t2 family=2 entries=135 op=nft_reset_rule' # resetting sets and elements -elem=(22 ,80 ,443) +elem=(22 ",80" ",443") relem="" for i in {1..3}; do relem+="${elem[((i - 1))]}" From patchwork Sun Apr 14 22:57:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Westphal X-Patchwork-Id: 13629361 X-Patchwork-Delegate: kuba@kernel.org Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B78F71386A6; Sun, 14 Apr 2024 23:04:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135898; cv=none; b=CKd/QKuMQ1qYWbF4AZIzqT45raXxzHt6MBMTuz2XEXqL3cDh/UbxmsOh5ZcIDE5l/6yKMJfUuaXpnm9E+GtuuUVHuP9zfmJLlkfhs9FApcD0x3xZWTAB5lAuUvD1sLz0E5KJlMiF/r8bId+snFpbVHopnwZ9vjyutP3evzx9oRg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713135898; c=relaxed/simple; bh=28f0Cz3BZU/Fl9+2aGLxUC11Jjp7cOSx0nqRrRMDHdQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=a/So3ZiP6oqoMuDGhTSTjOvWfAwLNXTG9sofjFIKkIGlzGiSHXXRmCPMePQB097rJ/7RQlfhpTmvvFGB2Gp3kL9KIOUelxQxeA8+zYuIJ9QyE2sODAFNfztdcb5MivXVmr3pSVUrzGMYv/VdD5skubGJ3XztoAVCF8IhIqTcdIs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=breakpoint.cc Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1rw8u5-0002Yp-7s; Mon, 15 Apr 
2024 01:04:53 +0200 From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 12/12] selftests: netfilter: update makefiles and kernel config Date: Mon, 15 Apr 2024 00:57:24 +0200 Message-ID: <20240414225729.18451-13-fw@strlen.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240414225729.18451-1-fw@strlen.de> References: <20240414225729.18451-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org Jakub reports the Makefile missed a few updates to make kselftest-install work for the netfilter tests (they are not there, forgot to adjust directory path). Also extend the config file, needs a lot more options. Fixes: 3f189349e52a ("selftests: netfilter: move to net subdir") Reported-by: Jakub Kicinski Closes: https://lore.kernel.org/all/20240412175413.04e5e616@kernel.org/ Signed-off-by: Florian Westphal --- tools/testing/selftests/Makefile | 2 +- .../testing/selftests/net/netfilter/Makefile | 5 +++ tools/testing/selftests/net/netfilter/config | 42 ++++++++++++++++++- 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 6dab886d6f7a..bac463453225 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -62,9 +62,9 @@ TARGETS += net/af_unix TARGETS += net/forwarding TARGETS += net/hsr TARGETS += net/mptcp +TARGETS += net/netfilter TARGETS += net/openvswitch TARGETS += net/tcp_ao -TARGETS += netfilter TARGETS += nsfs TARGETS += perf_events TARGETS += pidfd diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile index dd9a75a33d28..68e4780edfdc 100644 --- a/tools/testing/selftests/net/netfilter/Makefile +++ b/tools/testing/selftests/net/netfilter/Makefile 
@@ -42,3 +42,8 @@ $(OUTPUT)/nf_queue: LDLIBS += $(MNL_LDLIBS) $(OUTPUT)/conntrack_dump_flush: CFLAGS += $(MNL_CFLAGS) $(OUTPUT)/conntrack_dump_flush: LDLIBS += $(MNL_LDLIBS) + +TEST_FILES := lib.sh + +TEST_INCLUDES := \ + ../lib.sh diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config index 9df6a9f11384..e803156fa75d 100644 --- a/tools/testing/selftests/net/netfilter/config +++ b/tools/testing/selftests/net/netfilter/config 
@@ -1,37 +1,77 @@ CONFIG_AUDIT=y +CONFIG_BPF_SYSCALL=y +CONFIG_BRIDGE=m CONFIG_BRIDGE_EBT_BROUTE=m +CONFIG_BRIDGE_EBT_IP=m CONFIG_BRIDGE_EBT_REDIRECT=m CONFIG_BRIDGE_NETFILTER=m +CONFIG_BRIDGE_NF_EBTABLES=m +CONFIG_CGROUP_BPF=y CONFIG_IP_NF_MATCH_RPFILTER=m CONFIG_IP6_NF_MATCH_RPFILTER=m +CONFIG_IP_NF_IPTABLES=m +CONFIG_IP6_NF_IPTABLES=m +CONFIG_IP_NF_FILTER=m +CONFIG_IP6_NF_FILTER=m +CONFIG_IP_NF_RAW=m +CONFIG_IP6_NF_RAW=m CONFIG_IP_SCTP=m CONFIG_IP_VS=m CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_RR=m +CONFIG_IPV6=y +CONFIG_MACVLAN=m +CONFIG_NAMESPACES=y CONFIG_NET_CLS_U32=m +CONFIG_NET_NS=y CONFIG_NET_SCH_NETEM=m CONFIG_NET_SCH_HTB=m CONFIG_NET_IPIP=m CONFIG_NET_VRF=y +CONFIG_NETFILTER=y CONFIG_NETFILTER_NETLINK=m +CONFIG_NETFILTER_NETLINK_QUEUE=m CONFIG_NETFILTER_SYNPROXY=m +CONFIG_NETFILTER_XTABLES=m CONFIG_NETFILTER_XT_NAT=m +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m +CONFIG_NETFILTER_XT_MATCH_STATE=m +CONFIG_NETFILTER_XT_MATCH_STRING=m CONFIG_NETFILTER_XT_TARGET_REDIRECT=m CONFIG_NF_CONNTRACK=m -CONFIG_NF_CONNTRACK_EVENTS=m +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_FTP=m +CONFIG_NF_CONNTRACK_MARK=y CONFIG_NF_CONNTRACK_ZONES=y CONFIG_NF_CT_NETLINK=m CONFIG_NF_CT_PROTO_SCTP=y +CONFIG_NF_FLOW_TABLE=m +CONFIG_NF_LOG_IPV4=m +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT=m +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NF_NAT_MASQUERADE=y CONFIG_NF_TABLES=m +CONFIG_NF_TABLES_BRIDGE=m CONFIG_NF_TABLES_INET=y CONFIG_NF_TABLES_IPV4=y CONFIG_NF_TABLES_IPV6=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NF_FLOW_TABLE_INET=m +CONFIG_NFT_COMPAT=m CONFIG_NFT_CT=m CONFIG_NFT_FIB=m CONFIG_NFT_FIB_INET=m CONFIG_NFT_FIB_IPV4=m CONFIG_NFT_FIB_IPV6=m +CONFIG_NFT_FLOW_OFFLOAD=m +CONFIG_NFT_LIMIT=m +CONFIG_NFT_LOG=m CONFIG_NFT_MASQ=m CONFIG_NFT_NAT=m +CONFIG_NFT_NUMGEN=m CONFIG_NFT_QUEUE=m +CONFIG_NFT_QUOTA=m CONFIG_NFT_REDIR=m CONFIG_NFT_SYNPROXY=m +CONFIG_XFRM_USER=m
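Review bot: the config hunk changes one existing symbol rather than only adding, `CONFIG_NF_CONNTRACK_EVENTS=m` becomes `=y`, but the commit message ("extend the config file, needs a lot more options") only describes additions; a sentence on why that value changes would help anyone later diffing configs. Also the new `CONFIG_NF_LOG_IPV4=m` sits next to `CONFIG_NF_LOG_IPV6=y`; unless one of them really needs to be built-in, pick the same tristate for both.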