
Commit ea2306f

Florian Westphalummakynes
authored andcommitted
selftests: netfilter: add test for br_netfilter+conntrack+queue combination
Trigger cloned skbs leaving softirq protection. This triggers a splat without the preceding change ("netfilter: nf_queue: drop packets with cloned unconfirmed conntracks"): WARNING: at net/netfilter/nf_conntrack_core.c:1198 __nf_conntrack_confirm.. because local delivery and forwarding will race for confirmation. Based on a reproducer script from Yi Chen. Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 7d8dc1c commit ea2306f


2 files changed

+79
-0
lines changed


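--- a/tools/testing/selftests/net/netfilter/Makefile
+++ b/tools/testing/selftests/net/netfilter/Makefile
@@ -7,6 +7,7 @@ MNL_CFLAGS := $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
 MNL_LDLIBS := $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
 
 TEST_PROGS := br_netfilter.sh bridge_brouter.sh
+TEST_PROGS += br_netfilter_queue.sh
 TEST_PROGS += conntrack_icmp_related.sh
 TEST_PROGS += conntrack_ipip_mtu.sh
 TEST_PROGS += conntrack_tcp_unreplied.sh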
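--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+source lib.sh
+
+checktool "nft --version" "run test without nft tool"
+
+cleanup() {
+cleanup_all_ns
+}
+
+setup_ns c1 c2 c3 sender
+
+trap cleanup EXIT
+
+nf_queue_wait()
+{
+grep -q "^ *$1 " "/proc/self/net/netfilter/nfnetlink_queue"
+}
+
+port_add() {
+ns="$1"
+dev="$2"
+a="$3"
+
+ip link add name "$dev" type veth peer name "$dev" netns "$ns"
+
+ip -net "$ns" addr add 192.168.1."$a"/24 dev "$dev"
+ip -net "$ns" link set "$dev" up
+
+ip link set "$dev" master br0
+ip link set "$dev" up
+}
+
+[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }
+
+ip link add br0 type bridge
+ip addr add 192.168.1.254/24 dev br0
+
+port_add "$c1" "c1" 1
+port_add "$c2" "c2" 2
+port_add "$c3" "c3" 3
+port_add "$sender" "sender" 253
+
+ip link set br0 up
+
+modprobe -q br_netfilter
+
+sysctl net.bridge.bridge-nf-call-iptables=1 || exit 1
+
+ip netns exec "$sender" ping -I sender -c1 192.168.1.1 || exit 1
+ip netns exec "$sender" ping -I sender -c1 192.168.1.2 || exit 2
+ip netns exec "$sender" ping -I sender -c1 192.168.1.3 || exit 3
+
+nft -f /dev/stdin <<EOF
+table ip filter {
+chain forward {
+type filter hook forward priority 0; policy accept;
+ct state new counter
+ip protocol icmp counter queue num 0 bypass
+}
+}
+EOF
+./nf_queue -t 5 > /dev/null &
+
+busywait 5000 nf_queue_wait
+
+for i in $(seq 1 5); do conntrack -F > /dev/null 2> /dev/null; sleep 0.1 ; done &
+ip netns exec "$sender" ping -I sender -f -c 50 -b 192.168.1.255
+
+read t < /proc/sys/kernel/tainted
+if [ "$t" -eq 0 ];then
+echo PASS: kernel not tainted
+else
+echo ERROR: kernel is tainted
+exit 1
+fi
+
+exit 0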
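Review bot: The final check compares `/proc/sys/kernel/tainted` against 0, so a kernel that was already tainted before this script ran (out-of-tree modules, a warning from an earlier selftest in the same run) reports ERROR even when this reproducer never triggered the splat, and the test cannot tell the two apart. Capture the baseline before the stress, e.g. `read t0 < /proc/sys/kernel/tainted` ahead of the background `conntrack -F` loop, and compare with `if [ "$t" -eq "$t0" ];then` so only taint introduced by this test fails it. Separately, the `nft -f` load and the background `./nf_queue` are never checked, and the `conntrack -F` loop discards all output, so a missing or failing conntrack binary most likely lowers the chance of hitting the race while the test still prints PASS; a `checktool "conntrack --version" "run test without conntrack tool"` next to the existing nft check would make that dependency explicit.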
