
Commit 3acf8f6

Florian Westphal authored and ummakynes committed
selftests: nft_flowtable.sh: check ingress/egress chain too
Make sure flowtable interacts correctly with ingress and egress chains, i.e. those get handled before and after flow table respectively. Adds three more tests: 1. repeat flowtable test, but with 'ip dscp set cs3' done in inet forward chain. Expect that some packets have been mangled (before flowtable offload became effective) while some pass without mangling (after offload succeeds). 2. repeat flowtable test, but with 'ip dscp set cs3' done in veth0:ingress. Expect that all packets pass with cs3 dscp field. 3. same as 2, but use veth1:egress. Expect the same outcome. Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 90ab512 commit 3acf8f6


1 file changed

+124
-0
lines changed


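--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
+++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
@@ -188,6 +188,26 @@ if [ $? -ne 0 ]; then
 exit $ksft_skip
 fi
 
+ip netns exec $ns2 nft -f - <<EOF
+table inet filter {
+counter ip4dscp0 { }
+counter ip4dscp3 { }
+
+chain input {
+type filter hook input priority 0; policy accept;
+meta l4proto tcp goto {
+ip dscp cs3 counter name ip4dscp3 accept
+ip dscp 0 counter name ip4dscp0 accept
+}
+}
+}
+EOF
+
+if [ $? -ne 0 ]; then
+echo "SKIP: Could not load nft ruleset"
+exit $ksft_skip
+fi
+
 # test basic connectivity
 if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
 echo "ERROR: $ns1 cannot reach ns2" 1>&2
@@ -255,6 +275,60 @@ check_counters()
 fi
 }
 
+check_dscp()
+{
+local what=$1
+local ok=1
+
+local counter=$(ip netns exec $ns2 nft reset counter inet filter ip4dscp3 | grep packets)
+
+local pc4=${counter%*bytes*}
+local pc4=${pc4#*packets}
+
+local counter=$(ip netns exec $ns2 nft reset counter inet filter ip4dscp0 | grep packets)
+local pc4z=${counter%*bytes*}
+local pc4z=${pc4z#*packets}
+
+case "$what" in
+"dscp_none")
+if [ $pc4 -gt 0 ] || [ $pc4z -eq 0 ]; then
+echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
+ret=1
+ok=0
+fi
+;;
+"dscp_fwd")
+if [ $pc4 -eq 0 ] || [ $pc4z -eq 0 ]; then
+echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
+ret=1
+ok=0
+fi
+;;
+"dscp_ingress")
+if [ $pc4 -eq 0 ] || [ $pc4z -gt 0 ]; then
+echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ret=1
+ok=0
+fi
+;;
+"dscp_egress")
+if [ $pc4 -eq 0 ] || [ $pc4z -gt 0 ]; then
+echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
+ret=1
+ok=0
+fi
+;;
+*)
+echo "FAIL: Unknown DSCP check" 1>&2
+ret=1
+ok=0
+esac
+
+if [ $ok -eq 1 ] ;then
+echo "PASS: $what: dscp packet counters match"
+fi
+}
+
 check_transfer()
 {
 in=$1
@@ -325,6 +399,51 @@ test_tcp_forwarding()
 return $?
 }
 
+test_tcp_forwarding_set_dscp()
+{
+check_dscp "dscp_none"
+
+ip netns exec $nsr1 nft -f - <<EOF
+table netdev dscpmangle {
+chain setdscp0 {
+type filter hook ingress device "veth0" priority 0; policy accept
+ip dscp set cs3
+}
+}
+EOF
+if [ $? -eq 0 ]; then
+test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+check_dscp "dscp_ingress"
+
+ip netns exec $nsr1 nft delete table netdev dscpmangle
+else
+echo "SKIP: Could not load netdev:ingress for veth0"
+fi
+
+ip netns exec $nsr1 nft -f - <<EOF
+table netdev dscpmangle {
+chain setdscp0 {
+type filter hook egress device "veth1" priority 0; policy accept
+ip dscp set cs3
+}
+}
+EOF
+if [ $? -eq 0 ]; then
+test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+check_dscp "dscp_egress"
+
+ip netns exec $nsr1 nft flush table netdev dscpmangle
+else
+echo "SKIP: Could not load netdev:egress for veth1"
+fi
+
+# partial. If flowtable really works, then both dscp-is-0 and dscp-is-cs3
+# counters should have seen packets (before and after ft offload kicks in).
+ip netns exec $nsr1 nft -a insert rule inet filter forward ip dscp set cs3
+test_tcp_forwarding_ip "$1" "$2" 10.0.2.99 12345
+check_dscp "dscp_fwd"
+}
+
 test_tcp_forwarding_nat()
 {
 local lret
@@ -394,6 +513,11 @@ table ip nat {
 }
 EOF
 
+if ! test_tcp_forwarding_set_dscp $ns1 $ns2 0 ""; then
+echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2
+exit 0
+fi
+
 if ! test_tcp_forwarding_nat $ns1 $ns2 0 ""; then
 echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2
 ip netns exec $nsr1 nft list ruleset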
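Review bot: check_dscp (second hunk) never returns a failing status, because its last statement is the `if [ $ok -eq 1 ]` block, which yields 0 whether or not the PASS branch runs; test_tcp_forwarding_set_dscp therefore also ends with status 0, and the `if ! test_tcp_forwarding_set_dscp ...` FAIL branch added in the last hunk cannot fire on a counter mismatch — only the global `ret` records it. Ending check_dscp with `[ $ok -eq 1 ]` after the closing `fi` would make its status agree with the message it prints. The counter values are also used unguarded: if `nft reset counter` prints nothing (nft without that command, or no line matching `packets`), `pc4`/`pc4z` are empty and `[ $pc4 -gt 0 ]` raises a shell syntax error instead of a clear result, so a guard such as `[ -n "$pc4" ] && [ -n "$pc4z" ] || { echo "FAIL: $what: could not read dscp counters" 1>&2; ret=1; return 1; }` before the `case` is worth adding. Minor: the ingress branch tears down with `nft delete table netdev dscpmangle` while the egress branch uses `nft flush table`, which leaves an empty netdev table behind.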
