<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/tools/testing/selftests/netfilter, branch v5.8</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v5.8</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v5.8'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2020-06-24T22:50:31Z</updated>
<entry>
<title>selftests: netfilter: add test case for conntrack helper assignment</title>
<updated>2020-06-24T22:50:31Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2020-06-22T08:28:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=619ae8e0697a6fb85b99b19137590c7c337c579e'/>
<id>urn:sha1:619ae8e0697a6fb85b99b19137590c7c337c579e</id>
<content type='text'>
check that 'nft ... ct helper set &lt;foo&gt;' works:
 1. configure ftp helper via nft and assign it to
    connections on port 2121
 2. check with 'conntrack -L' that the next connection
    has the ftp helper attached to it.

Also add a test for auto-assign (old behaviour).

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add nfqueue test case</title>
<updated>2020-03-24T19:00:12Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2020-03-23T16:34:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a64d558d8cf98424cc5eb9ae6631782cd8bf789c'/>
<id>urn:sha1:a64d558d8cf98424cc5eb9ae6631782cd8bf789c</id>
<content type='text'>
Add a test case to check nf queue infrastructure.
Could be extended in the future to also cover serialization of
conntrack, uid and secctx attributes in nfqueue.

For now, this checks that 'queue bypass' works, that a queue rule with
no bypass option blocks traffic and that userspace receives the expected
number of packets.
For this we add two queues and hook all of
prerouting/input/forward/output/postrouting.

Packets get queued twice with a dummy base chain in between:
This passes with current nf tree, but reverting
commit 946c0d8e6ed4 ("netfilter: nf_queue: fix reinject verdict handling")
makes this trip (it processes 30 instead of expected 20 packets).

v2: update config file with queue and other options missing/needed for
other tests.
v3: also test with tcp, this reveals problem with commit
28f8bfd1ac94 ("netfilter: Support iif matches in POSTROUTING"), due to
skb-&gt;dev pointing at another skb in the retransmit rbtree (skb-&gt;dev
aliases to rbnode child).

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: nft_concat_range: Add test for reported add/flush/add issue</title>
<updated>2020-02-26T13:33:09Z</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2020-02-21T02:04:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0954df70fba743d8cdaa09ccf6ba8e4ad09628de'/>
<id>urn:sha1:0954df70fba743d8cdaa09ccf6ba8e4ad09628de</id>
<content type='text'>
Add a specific test for the crash reported by Phil Sutter and addressed
in the previous patch. The test cases that, in my intention, should
have covered these cases, that is, the ones from the 'concurrency'
section, don't run these sequences tightly enough and spectacularly
failed to catch this.

While at it, define a convenient way to add these kinds of tests, by
adding a "reported issues" test section.

It's more convenient, for this particular test, to execute the set
setup in its own function. However, future test cases like this one
might need to call setup functions, and will typically need no tools
other than nft, so allow for this in check_tools().

The original form of the reproducer used here was provided by Phil.

Reported-by: Phil Sutter &lt;phil@nwl.cc&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: nft_concat_range: Move option for 'list ruleset' before command</title>
<updated>2020-02-25T12:01:07Z</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2020-02-21T02:11:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d0820556507bd7aef4f3a615b1b6eb66eb9785fe'/>
<id>urn:sha1:d0820556507bd7aef4f3a615b1b6eb66eb9785fe</id>
<content type='text'>
Before nftables commit fb9cea50e8b3 ("main: enforce options before
commands"), 'nft list ruleset -a' happened to work, but it's wrong
and won't work anymore. Replace it by 'nft -a list ruleset'.

Reported-by: Chen Yi &lt;yiche@redhat.com&gt;
Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: Introduce tests for sets with range concatenation</title>
<updated>2020-01-27T07:54:30Z</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2020-01-21T23:17:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=611973c1e06faef31d034deeb3ae7b7960b1f043'/>
<id>urn:sha1:611973c1e06faef31d034deeb3ae7b7960b1f043</id>
<content type='text'>
This test covers functionality and stability of the newly added
nftables set implementation supporting concatenation of ranged
fields.

For some selected set expression types, test:
- correctness, by checking that packets match or don't
- concurrency, by attempting races between insertion, deletion, lookup
- timeout feature, checking that packets don't match expired entries

and (roughly) estimate matching rates, comparing to baselines for
simple drop on netdev ingress hook and for hash and rbtrees sets.

In order to send packets, this needs one of sendip, netcat or bash.
To flood with traffic, iperf3, iperf and netperf are supported. For
performance measurements, this relies on the sample pktgen script
pktgen_bench_xmit_mode_netif_receive.sh.

If none of the tools suitable for a given test are available, specific
tests will be skipped.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: extend flowtable test script with dnat rule</title>
<updated>2019-12-20T01:12:27Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-12-13T00:19:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d05d5db815d56a0ce203ed297153d9794dfdcb68'/>
<id>urn:sha1:d05d5db815d56a0ce203ed297153d9794dfdcb68</id>
<content type='text'>
NAT test currently covers snat (masquerade) only.

Also add a dnat rule and then check that connecting to the
to-be-dnated address will work.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: use randomized netns names</title>
<updated>2019-12-07T18:50:39Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-12-02T17:35:40Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=5a2e6af81807d4616f9839ad0ae7d1313b45c64d'/>
<id>urn:sha1:5a2e6af81807d4616f9839ad0ae7d1313b45c64d</id>
<content type='text'>
Using ns0, ns1, etc. isn't a good idea, they might exist already.
Use a random suffix.

Also, older nft versions don't support "-" as alias for stdin, so
use /dev/stdin instead.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Acked-by: Phil Sutter &lt;phil@nwl.cc&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add ipvs tunnel test case</title>
<updated>2019-10-11T08:05:27Z</updated>
<author>
<name>Haishuang Yan</name>
<email>yanhaishuang@cmss.chinamobile.com</email>
</author>
<published>2019-10-10T14:50:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=176a52043ab853f1db7581ed02e1096aba78b4d1'/>
<id>urn:sha1:176a52043ab853f1db7581ed02e1096aba78b4d1</id>
<content type='text'>
Test virtual server via ipip tunnel.

Tested:
# selftests: netfilter: ipvs.sh
# Testing DR mode...
# Testing NAT mode...
# Testing Tunnel mode...
# ipvs.sh: PASS
ok 6 selftests: netfilter: ipvs.sh

Signed-off-by: Haishuang Yan &lt;yanhaishuang@cmss.chinamobile.com&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add ipvs nat test case</title>
<updated>2019-10-11T08:05:24Z</updated>
<author>
<name>Haishuang Yan</name>
<email>yanhaishuang@cmss.chinamobile.com</email>
</author>
<published>2019-10-10T14:50:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0ed15462069082f12bf89d0d2d2edfe0374b6059'/>
<id>urn:sha1:0ed15462069082f12bf89d0d2d2edfe0374b6059</id>
<content type='text'>
Test virtual server via NAT.

Tested:
# selftests: netfilter: ipvs.sh
# Testing DR mode...
# Testing NAT mode...
# ipvs.sh: PASS

Signed-off-by: Haishuang Yan &lt;yanhaishuang@cmss.chinamobile.com&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add ipvs test script</title>
<updated>2019-10-11T08:05:20Z</updated>
<author>
<name>Haishuang Yan</name>
<email>yanhaishuang@cmss.chinamobile.com</email>
</author>
<published>2019-10-10T14:50:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=867d2190799ab088479dfeb19d9fa92568be0a19'/>
<id>urn:sha1:867d2190799ab088479dfeb19d9fa92568be0a19</id>
<content type='text'>
Test virtual server via direct routing for IPv4.

Tested:

# selftests: netfilter: ipvs.sh
# Testing DR mode...
# ipvs.sh: PASS
ok 6 selftests: netfilter: ipvs.sh

Signed-off-by: Haishuang Yan &lt;yanhaishuang@cmss.chinamobile.com&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
</feed>
