Commit e9d572d9 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Do not delete clash entries on reply, let them expire instead,
   from Florian Westphal.

2) Do not report EAGAIN to nfnetlink, otherwise this enters a busy loop.
   Update nfnetlink_unicast() to translate EAGAIN to ENOBUFS.

3) Remove repeated words in code comments, from Randy Dunlap.

4) Several patches for the flowtable selftests, from Fabian Frederick.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents bb8872a1 c4617214
...@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group); ...@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group);
int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid, int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,
unsigned int group, int echo, gfp_t flags); unsigned int group, int echo, gfp_t flags);
int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error); int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error);
int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid);
int flags);
static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type)
{ {
......
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
* nf_nat_pptp.c * nf_nat_pptp.c
* *
* NAT support for PPTP (Point to Point Tunneling Protocol). * NAT support for PPTP (Point to Point Tunneling Protocol).
* PPTP is a a protocol for creating virtual private networks. * PPTP is a protocol for creating virtual private networks.
* It is a specification defined by Microsoft and some vendors * It is a specification defined by Microsoft and some vendors
* working with Microsoft. PPTP is built on top of a modified * working with Microsoft. PPTP is built on top of a modified
* version of the Internet Generic Routing Encapsulation Protocol. * version of the Internet Generic Routing Encapsulation Protocol.
......
// SPDX-License-Identifier: GPL-2.0-only // SPDX-License-Identifier: GPL-2.0-only
/* /*
* Connection tracking support for PPTP (Point to Point Tunneling Protocol). * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
* PPTP is a a protocol for creating virtual private networks. * PPTP is a protocol for creating virtual private networks.
* It is a specification defined by Microsoft and some vendors * It is a specification defined by Microsoft and some vendors
* working with Microsoft. PPTP is built on top of a modified * working with Microsoft. PPTP is built on top of a modified
* version of the Internet Generic Routing Encapsulation Protocol. * version of the Internet Generic Routing Encapsulation Protocol.
......
...@@ -1152,7 +1152,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, ...@@ -1152,7 +1152,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
&& (old_state == TCP_CONNTRACK_SYN_RECV && (old_state == TCP_CONNTRACK_SYN_RECV
|| old_state == TCP_CONNTRACK_ESTABLISHED) || old_state == TCP_CONNTRACK_ESTABLISHED)
&& new_state == TCP_CONNTRACK_ESTABLISHED) { && new_state == TCP_CONNTRACK_ESTABLISHED) {
/* Set ASSURED if we see see valid ack in ESTABLISHED /* Set ASSURED if we see valid ack in ESTABLISHED
after SYN_RECV or a valid answer for a picked up after SYN_RECV or a valid answer for a picked up
connection. */ connection. */
set_bit(IPS_ASSURED_BIT, &ct->status); set_bit(IPS_ASSURED_BIT, &ct->status);
......
...@@ -81,18 +81,6 @@ static bool udp_error(struct sk_buff *skb, ...@@ -81,18 +81,6 @@ static bool udp_error(struct sk_buff *skb,
return false; return false;
} }
static void nf_conntrack_udp_refresh_unreplied(struct nf_conn *ct,
struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
u32 extra_jiffies)
{
if (unlikely(ctinfo == IP_CT_ESTABLISHED_REPLY &&
ct->status & IPS_NAT_CLASH))
nf_ct_kill(ct);
else
nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies);
}
/* Returns verdict for packet, and may modify conntracktype */ /* Returns verdict for packet, and may modify conntracktype */
int nf_conntrack_udp_packet(struct nf_conn *ct, int nf_conntrack_udp_packet(struct nf_conn *ct,
struct sk_buff *skb, struct sk_buff *skb,
...@@ -124,12 +112,15 @@ int nf_conntrack_udp_packet(struct nf_conn *ct, ...@@ -124,12 +112,15 @@ int nf_conntrack_udp_packet(struct nf_conn *ct,
nf_ct_refresh_acct(ct, ctinfo, skb, extra); nf_ct_refresh_acct(ct, ctinfo, skb, extra);
/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
if (unlikely((ct->status & IPS_NAT_CLASH)))
return NF_ACCEPT;
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_ASSURED, ct); nf_conntrack_event_cache(IPCT_ASSURED, ct);
} else { } else {
nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo, nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
timeouts[UDP_CT_UNREPLIED]);
} }
return NF_ACCEPT; return NF_ACCEPT;
} }
...@@ -206,12 +197,15 @@ int nf_conntrack_udplite_packet(struct nf_conn *ct, ...@@ -206,12 +197,15 @@ int nf_conntrack_udplite_packet(struct nf_conn *ct,
if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_refresh_acct(ct, ctinfo, skb,
timeouts[UDP_CT_REPLIED]); timeouts[UDP_CT_REPLIED]);
if (unlikely((ct->status & IPS_NAT_CLASH)))
return NF_ACCEPT;
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_ASSURED, ct); nf_conntrack_event_cache(IPCT_ASSURED, ct);
} else { } else {
nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo, nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
timeouts[UDP_CT_UNREPLIED]);
} }
return NF_ACCEPT; return NF_ACCEPT;
} }
......
...@@ -815,11 +815,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk, ...@@ -815,11 +815,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk,
nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
family, table); family, table);
if (err < 0) if (err < 0)
goto err; goto err_fill_table_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err: err_fill_table_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -1563,11 +1563,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk, ...@@ -1563,11 +1563,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk,
nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
family, table, chain); family, table, chain);
if (err < 0) if (err < 0)
goto err; goto err_fill_chain_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err: err_fill_chain_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -3008,11 +3008,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, ...@@ -3008,11 +3008,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
family, table, chain, rule, NULL); family, table, chain, rule, NULL);
if (err < 0) if (err < 0)
goto err; goto err_fill_rule_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err: err_fill_rule_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -3968,11 +3968,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk, ...@@ -3968,11 +3968,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
if (err < 0) if (err < 0)
goto err; goto err_fill_set_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err: err_fill_set_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -4860,24 +4860,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, ...@@ -4860,24 +4860,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
err = -ENOMEM; err = -ENOMEM;
skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
if (skb == NULL) if (skb == NULL)
goto err1; return err;
err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
NFT_MSG_NEWSETELEM, 0, set, &elem); NFT_MSG_NEWSETELEM, 0, set, &elem);
if (err < 0) if (err < 0)
goto err2; goto err_fill_setelem;
err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); return nfnetlink_unicast(skb, ctx->net, ctx->portid);
/* This avoids a loop in nfnetlink. */
if (err < 0)
goto err1;
return 0; err_fill_setelem:
err2:
kfree_skb(skb); kfree_skb(skb);
err1: return err;
/* this avoids a loop in nfnetlink. */
return err == -EAGAIN ? -ENOBUFS : err;
} }
/* called with rcu_read_lock held */ /* called with rcu_read_lock held */
...@@ -6182,10 +6176,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk, ...@@ -6182,10 +6176,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk,
nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
family, table, obj, reset); family, table, obj, reset);
if (err < 0) if (err < 0)
goto err; goto err_fill_obj_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err:
err_fill_obj_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -7045,10 +7040,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, ...@@ -7045,10 +7040,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
NFT_MSG_NEWFLOWTABLE, 0, family, NFT_MSG_NEWFLOWTABLE, 0, family,
flowtable, &flowtable->hook_list); flowtable, &flowtable->hook_list);
if (err < 0) if (err < 0)
goto err; goto err_fill_flowtable_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err:
err_fill_flowtable_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
...@@ -7234,10 +7230,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk, ...@@ -7234,10 +7230,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk,
err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
nlh->nlmsg_seq); nlh->nlmsg_seq);
if (err < 0) if (err < 0)
goto err; goto err_fill_gen_info;
return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
err:
err_fill_gen_info:
kfree_skb(skb2); kfree_skb(skb2);
return err; return err;
} }
......
...@@ -149,10 +149,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error) ...@@ -149,10 +149,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error)
} }
EXPORT_SYMBOL_GPL(nfnetlink_set_err); EXPORT_SYMBOL_GPL(nfnetlink_set_err);
int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid, int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid)
int flags)
{ {
return netlink_unicast(net->nfnl, skb, portid, flags); int err;
err = nlmsg_unicast(net->nfnl, skb, portid);
if (err == -EAGAIN)
err = -ENOBUFS;
return err;
} }
EXPORT_SYMBOL_GPL(nfnetlink_unicast); EXPORT_SYMBOL_GPL(nfnetlink_unicast);
......
...@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst) ...@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
goto out; goto out;
} }
} }
nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid, nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid);
MSG_DONTWAIT);
out: out:
inst->qlen = 0; inst->qlen = 0;
inst->skb = NULL; inst->skb = NULL;
......
...@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue, ...@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
*packet_id_ptr = htonl(entry->id); *packet_id_ptr = htonl(entry->id);
/* nfnetlink_unicast will either free the nskb or add it to a socket */ /* nfnetlink_unicast will either free the nskb or add it to a socket */
err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT); err = nfnetlink_unicast(nskb, net, queue->peer_portid);
if (err < 0) { if (err < 0) {
if (queue->flags & NFQA_CFG_F_FAIL_OPEN) { if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
failopen = 1; failopen = 1;
......
...@@ -102,7 +102,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, ...@@ -102,7 +102,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
} }
if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) || if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
ct->status & IPS_SEQ_ADJUST) ct->status & (IPS_SEQ_ADJUST | IPS_NAT_CLASH))
goto out; goto out;
if (!nf_ct_is_confirmed(ct)) if (!nf_ct_is_confirmed(ct))
......
...@@ -640,7 +640,7 @@ static void __net_exit recent_proc_net_exit(struct net *net) ...@@ -640,7 +640,7 @@ static void __net_exit recent_proc_net_exit(struct net *net)
struct recent_table *t; struct recent_table *t;
/* recent_net_exit() is called before recent_mt_destroy(). Make sure /* recent_net_exit() is called before recent_mt_destroy(). Make sure
* that the parent xt_recent proc entry is is empty before trying to * that the parent xt_recent proc entry is empty before trying to
* remove it. * remove it.
*/ */
spin_lock_bh(&recent_lock); spin_lock_bh(&recent_lock);
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# result in fragmentation and/or PMTU discovery. # result in fragmentation and/or PMTU discovery.
# #
# You can check with different Orgininator/Link/Responder MTU eg: # You can check with different Orgininator/Link/Responder MTU eg:
# sh nft_flowtable.sh -o1000 -l500 -r100 # nft_flowtable.sh -o8000 -l1500 -r2000
# #
...@@ -27,8 +27,7 @@ ns2out="" ...@@ -27,8 +27,7 @@ ns2out=""
log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
checktool (){ checktool (){
$1 > /dev/null 2>&1 if ! $1 > /dev/null 2>&1; then
if [ $? -ne 0 ];then
echo "SKIP: Could not $2" echo "SKIP: Could not $2"
exit $ksft_skip exit $ksft_skip
fi fi
...@@ -87,19 +86,36 @@ omtu=9000 ...@@ -87,19 +86,36 @@ omtu=9000
lmtu=1500 lmtu=1500
rmtu=2000 rmtu=2000
usage(){
echo "nft_flowtable.sh [OPTIONS]"
echo
echo "MTU options"
echo " -o originator"
echo " -l link"
echo " -r responder"
exit 1
}
while getopts "o:l:r:" o while getopts "o:l:r:" o
do do
case $o in case $o in
o) omtu=$OPTARG;; o) omtu=$OPTARG;;
l) lmtu=$OPTARG;; l) lmtu=$OPTARG;;
r) rmtu=$OPTARG;; r) rmtu=$OPTARG;;
*) usage;;
esac esac
done done
ip -net nsr1 link set veth0 mtu $omtu if ! ip -net nsr1 link set veth0 mtu $omtu; then
exit 1
fi
ip -net ns1 link set eth0 mtu $omtu ip -net ns1 link set eth0 mtu $omtu
ip -net nsr2 link set veth1 mtu $rmtu if ! ip -net nsr2 link set veth1 mtu $rmtu; then
exit 1
fi
ip -net ns2 link set eth0 mtu $rmtu ip -net ns2 link set eth0 mtu $rmtu
# transfer-net between nsr1 and nsr2. # transfer-net between nsr1 and nsr2.
...@@ -120,7 +136,10 @@ for i in 1 2; do ...@@ -120,7 +136,10 @@ for i in 1 2; do
ip -net ns$i route add default via 10.0.$i.1 ip -net ns$i route add default via 10.0.$i.1
ip -net ns$i addr add dead:$i::99/64 dev eth0 ip -net ns$i addr add dead:$i::99/64 dev eth0
ip -net ns$i route add default via dead:$i::1 ip -net ns$i route add default via dead:$i::1
ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null if ! ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then
echo "ERROR: Check Originator/Responder values (problem during address addition)"
exit 1
fi
# don't set ip DF bit for first two tests # don't set ip DF bit for first two tests
ip netns exec ns$i sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null ip netns exec ns$i sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null
...@@ -178,15 +197,13 @@ if [ $? -ne 0 ]; then ...@@ -178,15 +197,13 @@ if [ $? -ne 0 ]; then
fi fi
# test basic connectivity # test basic connectivity
ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
if [ $? -ne 0 ];then
echo "ERROR: ns1 cannot reach ns2" 1>&2 echo "ERROR: ns1 cannot reach ns2" 1>&2
bash bash
exit 1 exit 1
fi fi
ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null if ! ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
if [ $? -ne 0 ];then
echo "ERROR: ns2 cannot reach ns1" 1>&2 echo "ERROR: ns2 cannot reach ns1" 1>&2
exit 1 exit 1
fi fi
...@@ -203,7 +220,6 @@ ns2out=$(mktemp) ...@@ -203,7 +220,6 @@ ns2out=$(mktemp)
make_file() make_file()
{ {
name=$1 name=$1
who=$2
SIZE=$((RANDOM % (1024 * 8))) SIZE=$((RANDOM % (1024 * 8)))
TSIZE=$((SIZE * 1024)) TSIZE=$((SIZE * 1024))
...@@ -222,8 +238,7 @@ check_transfer() ...@@ -222,8 +238,7 @@ check_transfer()
out=$2 out=$2
what=$3 what=$3
cmp "$in" "$out" > /dev/null 2>&1 if ! cmp "$in" "$out" > /dev/null 2>&1; then
if [ $? -ne 0 ] ;then
echo "FAIL: file mismatch for $what" 1>&2 echo "FAIL: file mismatch for $what" 1>&2
ls -l "$in" ls -l "$in"
ls -l "$out" ls -l "$out"
...@@ -260,13 +275,11 @@ test_tcp_forwarding_ip() ...@@ -260,13 +275,11 @@ test_tcp_forwarding_ip()
wait wait
check_transfer "$ns1in" "$ns2out" "ns1 -> ns2" if ! check_transfer "$ns1in" "$ns2out" "ns1 -> ns2"; then
if [ $? -ne 0 ];then
lret=1 lret=1
fi fi
check_transfer "$ns2in" "$ns1out" "ns1 <- ns2" if ! check_transfer "$ns2in" "$ns1out" "ns1 <- ns2"; then
if [ $? -ne 0 ];then
lret=1 lret=1
fi fi
...@@ -295,13 +308,12 @@ test_tcp_forwarding_nat() ...@@ -295,13 +308,12 @@ test_tcp_forwarding_nat()
return $lret return $lret
} }
make_file "$ns1in" "ns1" make_file "$ns1in"
make_file "$ns2in" "ns2" make_file "$ns2in"
# First test: # First test:
# No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed. # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed.
test_tcp_forwarding ns1 ns2 if test_tcp_forwarding ns1 ns2; then
if [ $? -eq 0 ] ;then
echo "PASS: flow offloaded for ns1/ns2" echo "PASS: flow offloaded for ns1/ns2"
else else
echo "FAIL: flow offload for ns1/ns2:" 1>&2 echo "FAIL: flow offload for ns1/ns2:" 1>&2
...@@ -332,9 +344,7 @@ table ip nat { ...@@ -332,9 +344,7 @@ table ip nat {
} }
EOF EOF
test_tcp_forwarding_nat ns1 ns2 if test_tcp_forwarding_nat ns1 ns2; then
if [ $? -eq 0 ] ;then
echo "PASS: flow offloaded for ns1/ns2 with NAT" echo "PASS: flow offloaded for ns1/ns2 with NAT"
else else
echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2 echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2
...@@ -346,8 +356,7 @@ fi ...@@ -346,8 +356,7 @@ fi
# Same as second test, but with PMTU discovery enabled. # Same as second test, but with PMTU discovery enabled.
handle=$(ip netns exec nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) handle=$(ip netns exec nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2)
ip netns exec nsr1 nft delete rule inet filter forward $handle if ! ip netns exec nsr1 nft delete rule inet filter forward $handle; then
if [ $? -ne 0 ] ;then
echo "FAIL: Could not delete large-packet accept rule" echo "FAIL: Could not delete large-packet accept rule"
exit 1 exit 1
fi fi
...@@ -355,8 +364,7 @@ fi ...@@ -355,8 +364,7 @@ fi
ip netns exec ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null ip netns exec ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
ip netns exec ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null ip netns exec ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null
test_tcp_forwarding_nat ns1 ns2 if test_tcp_forwarding_nat ns1 ns2; then
if [ $? -eq 0 ] ;then
echo "PASS: flow offloaded for ns1/ns2 with NAT and pmtu discovery" echo "PASS: flow offloaded for ns1/ns2 with NAT and pmtu discovery"
else else
echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2 echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2
...@@ -402,8 +410,7 @@ ip -net ns2 route del 192.168.10.1 via 10.0.2.1 ...@@ -402,8 +410,7 @@ ip -net ns2 route del 192.168.10.1 via 10.0.2.1
ip -net ns2 route add default via 10.0.2.1 ip -net ns2 route add default via 10.0.2.1
ip -net ns2 route add default via dead:2::1 ip -net ns2 route add default via dead:2::1
test_tcp_forwarding ns1 ns2 if test_tcp_forwarding ns1 ns2; then
if [ $? -eq 0 ] ;then
echo "PASS: ipsec tunnel mode for ns1/ns2" echo "PASS: ipsec tunnel mode for ns1/ns2"
else else
echo "FAIL: ipsec tunnel mode for ns1/ns2" echo "FAIL: ipsec tunnel mode for ns1/ns2"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment