From: Pablo Neira Ayuso <pablo@netfilter.org>
To: yiche@redhat.com
Cc: netfilter-devel@vger.kernel.org, fw@netfilter.org
Subject: Re: [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
Date: Mon, 22 Jan 2024 19:08:22 +0100 [thread overview]
Message-ID: <Za6vFpJZCHVw1LrV@calendula> (raw)
In-Reply-To: <20240122162640.6374-1-yiche@redhat.com>
Hi,
This test reports:
I: [OK] 1/1 testcases/packetpath/flowtables
or did you see any issue on your end?
Thanks!
On Tue, Jan 23, 2024 at 12:26:40AM +0800, yiche@redhat.com wrote:
> From: Yi Chen <yiche@redhat.com>
>
> Signed-off-by: Yi Chen <yiche@redhat.com>
> ---
> tests/shell/testcases/packetpath/flowtables | 96 +++++++++++++++++++++
> 1 file changed, 96 insertions(+)
> create mode 100755 tests/shell/testcases/packetpath/flowtables
>
> diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
> new file mode 100755
> index 00000000..852a05c6
> --- /dev/null
> +++ b/tests/shell/testcases/packetpath/flowtables
> @@ -0,0 +1,96 @@
> +#! /bin/bash -x
> +
> +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
> +
> +rnd=$(mktemp -u XXXXXXXX)
> +R="flowtable-router-$rnd"
> +C="flowtable-client-$rnd"
> +S="flowtbale-server-$rnd"
> +
> +cleanup()
> +{
> + for i in $R $C $S;do
> + kill $(ip netns pid $i) 2>/dev/null
> + ip netns del $i
> + done
> +}
> +
> +trap cleanup EXIT
> +
> +ip netns add $R
> +ip netns add $S
> +ip netns add $C
> +
> +ip link add s_r netns $S type veth peer name r_s netns $R
> +ip netns exec $S ip link set s_r up
> +ip netns exec $R ip link set r_s up
> +ip link add c_r netns $C type veth peer name r_c netns $R
> +ip netns exec $R ip link set r_c up
> +ip netns exec $C ip link set c_r up
> +
> +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
> +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
> +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
> +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
> +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
> +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
> +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
> +ip netns exec $S ethtool -K s_r tso off
> +ip netns exec $C ethtool -K c_r tso off
> +
> +sleep 3
> +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1
> +
> +ip netns exec $R nft -f - <<EOF
> +table ip6 filter {
> + flowtable f1 {
> + hook ingress priority -100
> + devices = { r_c, r_s }
> + }
> +
> + chain forward {
> + type filter hook forward priority filter; policy accept;
> + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0
> + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop
> + tcp flags fin,rst counter packets 0 bytes 0 accept
> + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept
> + ip6 nexthdr tcp counter packets 0 bytes 0 log drop
> + }
> +}
> +EOF
> +
> +if [ ! -r /proc/net/nf_conntrack ]
> +then
> + echo "E: nf_conntrack unreadable, skipping" >&2
> + exit 77
> +fi
> +
> +ip netns exec $R nft list ruleset
> +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
> + echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
> + exit 77
> +}
> +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
> + echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
> + exit 77
> +
> +}
> +
> +# A trick to control the timing to send a packet
> +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof &
> +sleep 1
> +ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 &
> +sleep 1
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
> +ip netns exec $R cat /proc/net/nf_conntrack
> +sleep 6
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
> +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
> +ip netns exec $C echo "send sth" >> pipefile
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
> +ip netns exec $C sleep 3
> +ip netns exec $C echo "send sth" >> pipefile
> +ip netns exec $C sleep 3
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
> +
> +exit 0
> --
> 2.43.0
>
>
next prev parent reply other threads:[~2024-01-22 18:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-22 16:26 [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress") yiche
2024-01-22 18:08 ` Pablo Neira Ayuso [this message]
2024-01-22 21:26 ` Florian Westphal
[not found] ` <CAJsUoE34NyBPm=bBOhsvDh80g6L1BzHOm-m2nLNQDWDsMY8V4g@mail.gmail.com>
2024-01-23 3:26 ` Yi Chen
2024-01-23 8:20 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Za6vFpJZCHVw1LrV@calendula \
--to=pablo@netfilter.org \
--cc=fw@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=yiche@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.