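#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2020-2025 OpenVPN, Inc.
#
# Author: Ralf Lici <ralf@mandelbit.com>
# Antonio Quartulli <antonio@openvpn.net>
#
# Check that the fwmark handed to ovpn when the peers are created (MARK)
# is carried by the traffic peer0 sends over the tunnel: with an nft rule
# in peer0's output chain that drops by that mark, pings to every peer
# must fail, the rule's counter must equal the number of lost probes, and
# connectivity must come back once the rule is removed.
#
# Needs root, nft and ping, plus the helpers and variables provided by
# common.sh (cleanup, create_ns, setup_ns, add_peer, NUM_PEERS, OVPN_CLI,
# UDP_PEERS_FILE, ALG).

#set -x
set -e

MARK=1056

source ./common.sh

# Print the packet count of the drop rule's counter in peer0's output
# chain. Fails (aborting the test through set -e on the caller's
# assignment) instead of printing an empty string when the counter cannot
# be parsed, so a missing or misparsed rule cannot pass as "0 drops".
read_drop_counter() {
	local count
	count=$(ip netns exec peer0 nft list chain inet filter output \
		| sed -n 's/.*packets \([0-9]*\).*/\1/p')
	if [[ ! "${count}" =~ ^[0-9]+$ ]]; then
		echo "Cannot read the nft drop counter (got '${count}')" >&2
		return 1
	fi
	printf '%s\n' "${count}"
}

# Flood-ping peers 1..3 through the tunnel from peer0; a failing ping
# aborts the test via set -e.
ping_all_peers() {
	local p
	for p in $(seq 1 3); do
		ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((p + 1))
	done
}

cleanup

# modprobe failure is tolerated (e.g. ovpn built into the kernel) — assumed
modprobe -q ovpn || true

for p in $(seq 0 "${NUM_PEERS}"); do
	create_ns "${p}"
done

for p in $(seq 0 3); do
	setup_ns "${p}" 5.5.5.$((p + 1))/24
done

# add peer0 with mark
ip netns exec peer0 "${OVPN_CLI}" new_multi_peer tun0 1 ASYMM \
	"${UDP_PEERS_FILE}" \
	"${MARK}"

for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" new_key tun0 "${p}" 1 0 "${ALG}" 0 \
		data64.key
done

for p in $(seq 1 3); do
	add_peer "${p}"
done

for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" set_peer tun0 "${p}" 60 120
	ip netns exec peer"${p}" "${OVPN_CLI}" set_peer tun"${p}" \
		$((p + 9)) 60 120
done

sleep 1

# baseline: the tunnel must work before the drop rule is installed
ping_all_peers

echo "Adding an nftables drop rule based on mark value ${MARK}"
ip netns exec peer0 nft flush ruleset
ip netns exec peer0 nft 'add table inet filter'
ip netns exec peer0 nft 'add chain inet filter output {
	type filter hook output priority 0;
	policy accept;
}'
ip netns exec peer0 nft add rule inet filter output \
	meta mark == "${MARK}" \
	counter drop

DROP_COUNTER=$(read_drop_counter)

sleep 1

# ping should fail
for p in $(seq 1 3); do
	if PING_OUTPUT=$(ip netns exec peer0 ping \
		-qfc 500 -w 1 5.5.5.$((p + 1)) 2>&1); then
		echo "ping to 5.5.5.$((p + 1)) succeeded despite the drop rule" >&2
		exit 1
	fi
	echo "${PING_OUTPUT}"
	# ping only succeeds when at least one reply arrived, so after the
	# check above every transmitted probe (field 1 of the summary line)
	# was lost
	LOST_PACKETS=$(echo "${PING_OUTPUT}" \
		| awk '/packets transmitted/ { print $1 }')
	if [[ ! "${LOST_PACKETS}" =~ ^[0-9]+$ ]]; then
		echo "Cannot parse ping summary (got '${LOST_PACKETS}')" >&2
		exit 1
	fi
	# increment the drop counter by the amount of lost packets
	DROP_COUNTER=$((DROP_COUNTER + LOST_PACKETS))
done

# check if the final nft counter matches our counter
TOTAL_COUNT=$(read_drop_counter)
if (( DROP_COUNTER != TOTAL_COUNT )); then
	echo "Expected ${TOTAL_COUNT} drops, got ${DROP_COUNTER}"
	exit 1
fi

echo "Removing the drop rule"
ip netns exec peer0 nft flush ruleset

sleep 1

# connectivity must be back now that the mark is no longer filtered
ping_all_peers

cleanup
# same tolerance as on load: ovpn may not be a removable module — assumed
modprobe -r ovpn || true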