
Commit 38399f2

Florian Westphalummakynes
authored andcommitted
selftests: netfilter: nft_concat_range.sh: add datapath check for map fill bug
commit 0935ee6 ("selftests: netfilter: add test case for recent mismatch bug") added a regression check for incorrect initial fill of the result map that was fixed with 791a615 ("netfilter: nf_set_pipapo: fix initial map fill"). The test used 'nft get element', i.e., control plane checks for match/nomatch results. The control plane however doesn't use avx2 version, so we need to send+match packets. As the additional packet match/nomatch is slow, don't do this for every element added/removed: add and use maybe_send_(no)match helpers and use them. Signed-off-by: Florian Westphal <[email protected]> Reviewed-by: Stefano Brivio <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent febe7ed commit 38399f2


1 file changed

+58
-4
lines changed

1 file changed

+58
-4
lines changed

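--- a/tools/testing/selftests/net/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/net/netfilter/nft_concat_range.sh
@@ -378,7 +378,7 @@ display net,port,proto
 type_spec ipv4_addr . inet_service . inet_proto
 chain_spec ip daddr . udp dport . meta l4proto
 dst addr4 port proto
-src
+src
 start 1
 count 9
 src_delta 9
@@ -1269,6 +1269,42 @@ send_nomatch() {
 fi
 }
 
+maybe_send_nomatch() {
+local elem="$1"
+local what="$4"
+
+[ $((RANDOM%20)) -gt 0 ] && return
+
+dst_addr4="$2"
+dst_port="$3"
+send_udp
+
+if [ "$(count_packets_nomatch)" != "0" ]; then
+err "Packet to $dst_addr4:$dst_port did match $what"
+err "$(nft -a list ruleset)"
+return 1
+fi
+}
+
+maybe_send_match() {
+local elem="$1"
+local what="$4"
+
+[ $((RANDOM%20)) -gt 0 ] && return
+
+dst_addr4="$2"
+dst_port="$3"
+send_udp
+
+if [ "$(count_packets "{ $elem }")" != "1" ]; then
+err "Packet to $dst_addr4:$dst_port did not match $what"
+err "$(nft -a list ruleset)"
+return 1
+fi
+nft reset counter inet filter test >/dev/null
+nft reset element inet filter test "{ $elem }" >/dev/null
+}
+
 # Correctness test template:
 # - add ranged element, check that packets match it
 # - check that packets outside range don't match it
@@ -1776,39 +1812,55 @@ test_bug_net_port_proto_match() {
 range_size=1
 for i in $(seq 1 10); do
 for j in $(seq 1 20) ; do
-elem=$(printf "10.%d.%d.0/24 . %d1-%d0 . 6-17 " ${i} ${j} ${i} "$((i+1))")
+local dport=$j
+
+elem=$(printf "10.%d.%d.0/24 . %d-%d0 . 6-17 " ${i} ${j} ${dport} "$((dport+1))")
+
+# too slow, do not test all addresses
+maybe_send_nomatch "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d1" $((dport+1))) "before add" || return 1
 
 nft "add element inet filter test { $elem }" || return 1
+
+maybe_send_match "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d" $dport) "after add" || return 1
+
 nft "get element inet filter test { $elem }" | grep -q "$elem"
 if [ $? -ne 0 ];then
 local got=$(nft "get element inet filter test { $elem }")
 err "post-add: should have returned $elem but got $got"
 return 1
 fi
+
+maybe_send_nomatch "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d1" $((dport+1))) "out-of-range" || return 1
 done
 done
 
 # recheck after set was filled
 for i in $(seq 1 10); do
 for j in $(seq 1 20) ; do
-elem=$(printf "10.%d.%d.0/24 . %d1-%d0 . 6-17 " ${i} ${j} ${i} "$((i+1))")
+local dport=$j
+
+elem=$(printf "10.%d.%d.0/24 . %d-%d0 . 6-17 " ${i} ${j} ${dport} "$((dport+1))")
 
 nft "get element inet filter test { $elem }" | grep -q "$elem"
 if [ $? -ne 0 ];then
 local got=$(nft "get element inet filter test { $elem }")
 err "post-fill: should have returned $elem but got $got"
 return 1
 fi
+
+maybe_send_match "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d" $dport) "recheck" || return 1
+maybe_send_nomatch "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d1" $((dport+1))) "recheck out-of-range" || return 1
 done
 done
 
 # random del and re-fetch
 for i in $(seq 1 10); do
 for j in $(seq 1 20) ; do
 local rnd=$((RANDOM%10))
+local dport=$j
 local got=""
 
-elem=$(printf "10.%d.%d.0/24 . %d1-%d0 . 6-17 " ${i} ${j} ${i} "$((i+1))")
+elem=$(printf "10.%d.%d.0/24 . %d-%d0 . 6-17 " ${i} ${j} ${dport} "$((dport+1))")
 if [ $rnd -gt 0 ];then
 continue
 fi
@@ -1819,6 +1871,8 @@ test_bug_net_port_proto_match() {
 err "post-delete: query for $elem returned $got instead of error."
 return 1
 fi
+
+maybe_send_nomatch "$elem" $(printf "10.%d.%d.1" $i $j) $(printf "%d" $dport) "match after deletion" || return 1
 done
 done
 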
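Review bot: The "before add" call in the first loop of test_bug_net_port_proto_match probes port `$(printf "%d1" $((dport+1)))`, the same out-of-range port the later "out-of-range" call uses, so no packet inside the range of the element about to be added is ever sent before the add. Passing the in-range port there, `$(printf "%d" $dport)`, as the "match after deletion" call already does, would also confirm that the datapath does not match ahead of the insert. Because each helper returns early in 19 of 20 calls via `[ $((RANDOM%20)) -gt 0 ] && return`, any single run samples only a small share of elements, so a datapath regression may pass on one run and fail on the next. In the helpers, `local elem="$1"` in maybe_send_nomatch is never read, and `dst_addr4`/`dst_port` are assigned without `local`; presumably send_udp reads them as globals, which a comment such as `# send_udp reads dst_addr4/dst_port as globals` would make explicit. The body of test_bug_net_port_proto_match starts and ends outside the visible hunks.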
