From: Mat Martineau <mathew.j.martineau@linux.intel.com>
To: Florian Westphal <fw@strlen.de>
Cc: mptcp@lists.linux.dev
Subject: Re: [PATCH mptcp-next v2 2/2] selftests: mptcp: add tproxy test case
Date: Thu, 28 Oct 2021 20:54:40 -0700 (PDT)
Message-ID: <a941c69c-43a-8469-ae72-15cfcc56a8f2@linux.intel.com>
In-Reply-To: <20211028093902.8685-3-fw@strlen.de>

On Thu, 28 Oct 2021, Florian Westphal wrote:

> No hard dependencies here, just skip if test environ lacks
> nft binary or the needed kernel config options.
>
> The test case spawns listener in ns2 but ns1 will connect
> to the ip address of ns4.
>
> policy routing + tproxy rule will redirect packets to ns2 instead
> of forward.
>
> v2: update mptcp/config (Mat Martineau)
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> tools/testing/selftests/net/mptcp/config      |  7 +-
> .../selftests/net/mptcp/mptcp_connect.c       | 51 +++++++++++-
> .../selftests/net/mptcp/mptcp_connect.sh      | 80 +++++++++++++++++++
> 3 files changed, 135 insertions(+), 3 deletions(-)
>

...

> diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
> index 559173a8e387..205e9f0c4296 100755
> --- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
> +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
> @@ -671,6 +671,82 @@ run_tests()
> 	run_tests_lo $1 $2 $3 0
> }
>
> +run_test_transparent()
> +{
> +	local connect_addr="$1"
> +	local msg="$2"
> +
> +	local connector_ns="$ns1"
> +	local listener_ns="$ns2"
> +	local lret=0
> +	local r6flag=""
> +
> +	# skip if we don't want v6
> +	if ! $ipv6 && is_v6 "${connect_addr}"; then
> +		return 0
> +	fi
> +
> +ip netns exec "$listener_ns" nft -f /dev/stdin <<"EOF"
> +flush ruleset
> +table inet mangle {
> +	chain divert {
> +		type filter hook prerouting priority -150;
> +
> +		meta l4proto tcp socket transparent 1 meta mark set 1 accept
> +		tcp dport 20000 tproxy to :20000 meta mark set 1 accept
> +	}
> +}
> +EOF
> +	if [ $? -ne 0 ]; then
> +		echo "SKIP: $msg"
> +		return
> +	fi
> +
> +	local local_addr
> +	if is_v6 "${connect_addr}"; then
> +		local_addr="::"
> +		r6flag="-6"
> +	else
> +		local_addr="0.0.0.0"
> +	fi
> +
> +	ip -net "$listener_ns" $r6flag rule add fwmark 1 lookup 100
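
Review bot: the `ip -net "$listener_ns" $r6flag rule add fwmark 1 lookup 100` call at the end of this quoted part of run_test_transparent() has no return-value check, while the nft ruleset load just above it is followed by `if [ $? -ne 0 ]` and a SKIP. The commit message says the test should skip when the environment lacks the needed kernel config options, so a failed rule add should take the same path (echo "SKIP: $msg", undo the ruleset already loaded in "$listener_ns", return) instead of continuing without the fwmark rule. The nft check also treats every non-zero exit as a skip, so a ruleset that fails to load for any other reason would be reported as SKIP as well; checking for the nft binary separately would keep that case apart.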

Something's still missing from the kernel config - this works with ipv4 
but with ipv6 I get:

Error: Rule family not supported.

I experimented with a couple of extra CONFIG_IP6_NF* options but didn't 
find the right ones, here are the ipv6/netfilter options I tried 
unsuccessfully:

#
# IPv6: Netfilter Configuration
#
CONFIG_NF_SOCKET_IPV6=y
CONFIG_NF_TPROXY_IPV6=y
CONFIG_NF_TABLES_IPV6=y
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_IPTABLES=y
# CONFIG_IP6_NF_MATCH_AH is not set
# CONFIG_IP6_NF_MATCH_EUI64 is not set
# CONFIG_IP6_NF_MATCH_FRAG is not set
# CONFIG_IP6_NF_MATCH_OPTS is not set
# CONFIG_IP6_NF_MATCH_HL is not set
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
# CONFIG_IP6_NF_MATCH_MH is not set
# CONFIG_IP6_NF_MATCH_RPFILTER is not set
# CONFIG_IP6_NF_MATCH_RT is not set
# CONFIG_IP6_NF_MATCH_SRH is not set
# CONFIG_IP6_NF_TARGET_HL is not set
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
# CONFIG_IP6_NF_SECURITY is not set
CONFIG_IP6_NF_NAT=y
# CONFIG_IP6_NF_TARGET_MASQUERADE is not set
# CONFIG_IP6_NF_TARGET_NPT is not set
# end of IPv6: Netfilter Configuration


I generate the config for my MPTCP tests with:

make defconfig
make kvm_guest.config

... and then the options in the selftest config file plus some extra debug 
features like KASAN and such. I'm attaching the full config in case you 
want to reference that.


--
Mat Martineau
Intel

[-- Attachment #2: Type: application/x-gzip, Size: 31173 bytes --]
