linux/tools/testing/selftests/netfilter, branch v5.15

selftests: netfilter: remove stray bash debug line

2021-10-14T21:08:35Z

This should not be there. Fixes: 2de03b45236f ("selftests: netfilter: add flowtable test script") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: nft_nat: add udp hole punch test case

2021-10-11T23:42:39Z

Add a test case that demonstrates port shadowing via UDP. ns2 sends packet to ns1, from source port used by a udp service on the router, ns0. Then, ns1 sends packet to ns0:service, but that ends up getting forwarded to ns2. Also add three test cases that demonstrate mitigations: 1. disable use of $port as source from 'unstrusted' origin 2. make the service untracked. This prevents masquerade entries from having any effects. 3. add forced PAT via 'random' mode to translate the "wrong" sport into an acceptable range. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: add zone stress test with colliding tuples

2021-09-21T01:46:55Z

Add 20k entries to the connection tracking table, once from the data plane, once via ctnetlink. In both cases, each entry lives in a different conntrack zone and addresses/ports are identical. Expectation is that insertions work and occurs in constant time: PASS: added 10000 entries in 1215 ms (now 10000 total, loop 1) PASS: added 10000 entries in 1214 ms (now 20000 total, loop 2) PASS: inserted 20000 entries from packet path in 2434 ms total PASS: added 10000 entries in 57631 ms (now 10000 total) PASS: added 10000 entries in 58572 ms (now 20000 total) PASS: inserted 20000 entries via ctnetlink in 116205 ms Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: add selftest for directional zone support

2021-09-21T01:46:55Z

Add a script to exercise NAT port clash resolution with directional zones. Add net namespaces that use the same IP address and connect them to a gateway. Gateway uses policy routing based on iif/mark and conntrack zones to isolate the client namespaces. In server direction, same zone with NAT to single address is used. Then, connect to a server from each client netns, using identical connection id, i.e. saddr:sport -> daddr:dport. Expectation is for all connections to succeeed: NAT gatway is supposed to do port reallocation for each of the (clashing) connections. This is based on the description/use case provided in the commit message of deedb59039f111 ("netfilter: nf_conntrack: add direction support for zones"). Cc: Daniel Borkmann Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftest: netfilter: add test case for unreplied tcp connections

2021-07-02T00:05:59Z

TCP connections in UNREPLIED state (only SYN seen) can be kept alive indefinitely, as each SYN re-sets the timeout. This means that even if a peer has closed its socket the entry never times out. This also prevents re-evaluation of configured NAT rules. Add a test case that sets SYN timeout to 10 seconds, then check that the nat redirection added later eventually takes effect. This is based off a repro script from Antonio Ojea. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: add fib test case

2021-06-09T19:06:35Z

There is a bug report on netfilter.org bugzilla pointing to fib expression dropping ipv6 DAD packets. Add a test case that demonstrates this problem. Next patch excludes icmpv6 packets coming from any to linklocal. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: flowtable bridge and vlan support

2021-03-24T19:48:39Z

This patch adds two new tests to cover bridge and vlan support: - Add a bridge device to the Router1 (nsr1) container and attach the veth0 device to the bridge. Set the IP address to the bridge device to exercise the bridge forwarding path. - Add vlan encapsulation between to the bridge device in the Router1 and one of the sender containers (ns1). Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

selftests: netfilter: test nat port clash resolution interaction with tcp early demux

2021-02-27T23:25:16Z

Convert Antonio Ojeas bug reproducer to a kselftest. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: fix current year

2021-02-03T23:33:09Z

use date %Y instead of %G to read current year Problem appeared when running lkp-tests on 01/01/2021 Fixes: 48d072c4e8cd ("selftests: netfilter: add time counter check") Reported-by: kernel test robot Signed-off-by: Fabian Frederick Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: Pass family parameter "-f" to conntrack tool

2021-01-10T08:38:15Z

Fix nft_conntrack_helper.sh false fail report: 1) Conntrack tool need "-f ipv6" parameter to show out ipv6 traffic items. 2) Sleep 1 second after background nc send packet, to make sure check is after this statement executed. False report: FAIL: ns1-lkjUemYw did not show attached helper ip set via ruleset PASS: ns1-lkjUemYw connection on port 2121 has ftp helper attached ... After fix: PASS: ns1-2hUniwU2 connection on port 2121 has ftp helper attached PASS: ns2-2hUniwU2 connection on port 2121 has ftp helper attached ... Fixes: 619ae8e0697a6 ("selftests: netfilter: add test case for conntrack helper assignment") Signed-off-by: Chen Yi Signed-off-by: Pablo Neira Ayuso