netfilter-devel.vger.kernel.org archive mirror
* [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
@ 2024-01-22 16:26 yiche
  2024-01-22 18:08 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: yiche @ 2024-01-22 16:26 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw, Yi Chen

From: Yi Chen <yiche@redhat.com>

Signed-off-by: Yi Chen <yiche@redhat.com>
---
 tests/shell/testcases/packetpath/flowtables | 96 +++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100755 tests/shell/testcases/packetpath/flowtables

diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
new file mode 100755
index 00000000..852a05c6
--- /dev/null
+++ b/tests/shell/testcases/packetpath/flowtables
@@ -0,0 +1,96 @@
+#! /bin/bash -x
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+rnd=$(mktemp -u XXXXXXXX)
+R="flowtable-router-$rnd"
+C="flowtable-client-$rnd"
+S="flowtbale-server-$rnd"
+
+cleanup()
+{
+	for i in $R $C $S;do
+		kill $(ip netns pid $i) 2>/dev/null
+		ip netns del $i
+	done
+}
+
+trap cleanup EXIT
+
+ip netns add $R
+ip netns add $S
+ip netns add $C
+
+ip link add s_r netns $S type veth peer name r_s netns $R
+ip netns exec $S ip link set s_r up
+ip netns exec $R ip link set r_s up
+ip link add c_r netns $C type veth peer name r_c netns $R
+ip netns exec $R ip link set r_c up
+ip netns exec $C ip link set c_r up
+
+ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
+ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
+ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
+ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
+ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
+ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
+ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
+ip netns exec $S ethtool -K s_r tso off
+ip netns exec $C ethtool -K c_r tso off
+
+sleep 3
+ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1
+
+ip netns exec $R nft -f - <<EOF
+table ip6 filter {
+        flowtable f1 {
+                hook ingress priority -100
+                devices = { r_c, r_s }
+        }
+
+        chain forward {
+                type filter hook forward priority filter; policy accept;
+                ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0
+                ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop
+                tcp flags fin,rst counter packets 0 bytes 0 accept
+                meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept
+                ip6 nexthdr tcp counter packets 0 bytes 0 log drop
+        }
+}
+EOF
+
+if [ ! -r /proc/net/nf_conntrack ]
+then
+	echo "E: nf_conntrack unreadable, skipping" >&2	
+	exit 77
+fi
+
+ip netns exec $R nft list ruleset
+ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
+	echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
+        exit 77
+}
+ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
+        echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
+        exit 77
+
+}
+
+# A trick to control the timing to send a packet
+ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof &
+sleep 1
+ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 &
+sleep 1
+ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
+ip netns exec $R cat /proc/net/nf_conntrack
+sleep 6
+ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
+ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
+ip netns exec $C echo "send sth" >> pipefile
+ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
+ip netns exec $C sleep 3
+ip netns exec $C echo "send sth" >> pipefile
+ip netns exec $C sleep 3
+ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
+
+exit 0
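Review bot: cleanup() only kills the namespace processes and deletes the three namespaces; the `pipefile` FIFO that `PIPE:pipefile` and `GOPEN:pipefile` create in the current working directory is never removed, and because its name is not suffixed with `$rnd` the way the namespace names are, two instances of this test running at the same time would share the same pipe. Suggest naming it from `$rnd` (or creating it under a `mktemp -d` directory) and adding an `rm -f` for it in cleanup(). Smaller points in the same hunk: `S="flowtbale-server-$rnd"` misspells flowtable; the `nf_conntrack_tcp_timeout_established` error block has a stray blank line before its closing `}`; there is trailing whitespace after `>&2` in the nf_conntrack skip message; and indentation mixes tabs and spaces between the `echo` and `exit 77` lines. The `/proc/net/nf_conntrack` readability check could also move before the ruleset is loaded so that a skip does not first configure the router namespace.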
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
  2024-01-22 16:26 [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress") yiche
@ 2024-01-22 18:08 ` Pablo Neira Ayuso
  2024-01-22 21:26   ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-22 18:08 UTC (permalink / raw)
  To: yiche; +Cc: netfilter-devel, fw

Hi,

This test reports:

I: [OK]         1/1 testcases/packetpath/flowtables

or did you see any issue on your end?

Thanks!

On Tue, Jan 23, 2024 at 12:26:40AM +0800, yiche@redhat.com wrote:
> From: Yi Chen <yiche@redhat.com>
> 
> Signed-off-by: Yi Chen <yiche@redhat.com>
> ---
>  tests/shell/testcases/packetpath/flowtables | 96 +++++++++++++++++++++
>  1 file changed, 96 insertions(+)
>  create mode 100755 tests/shell/testcases/packetpath/flowtables
> 
> diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
> new file mode 100755
> index 00000000..852a05c6
> --- /dev/null
> +++ b/tests/shell/testcases/packetpath/flowtables
> @@ -0,0 +1,96 @@
> +#! /bin/bash -x
> +
> +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
> +
> +rnd=$(mktemp -u XXXXXXXX)
> +R="flowtable-router-$rnd"
> +C="flowtable-client-$rnd"
> +S="flowtbale-server-$rnd"
> +
> +cleanup()
> +{
> +	for i in $R $C $S;do
> +		kill $(ip netns pid $i) 2>/dev/null
> +		ip netns del $i
> +	done
> +}
> +
> +trap cleanup EXIT
> +
> +ip netns add $R
> +ip netns add $S
> +ip netns add $C
> +
> +ip link add s_r netns $S type veth peer name r_s netns $R
> +ip netns exec $S ip link set s_r up
> +ip netns exec $R ip link set r_s up
> +ip link add c_r netns $C type veth peer name r_c netns $R
> +ip netns exec $R ip link set r_c up
> +ip netns exec $C ip link set c_r up
> +
> +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
> +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
> +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
> +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
> +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
> +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
> +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
> +ip netns exec $S ethtool -K s_r tso off
> +ip netns exec $C ethtool -K c_r tso off
> +
> +sleep 3
> +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1
> +
> +ip netns exec $R nft -f - <<EOF
> +table ip6 filter {
> +        flowtable f1 {
> +                hook ingress priority -100
> +                devices = { r_c, r_s }
> +        }
> +
> +        chain forward {
> +                type filter hook forward priority filter; policy accept;
> +                ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0
> +                ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop
> +                tcp flags fin,rst counter packets 0 bytes 0 accept
> +                meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept
> +                ip6 nexthdr tcp counter packets 0 bytes 0 log drop
> +        }
> +}
> +EOF
> +
> +if [ ! -r /proc/net/nf_conntrack ]
> +then
> +	echo "E: nf_conntrack unreadable, skipping" >&2	
> +	exit 77
> +fi
> +
> +ip netns exec $R nft list ruleset
> +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
> +	echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
> +        exit 77
> +}
> +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
> +        echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
> +        exit 77
> +
> +}
> +
> +# A trick to control the timing to send a packet
> +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof &
> +sleep 1
> +ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 &
> +sleep 1
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
> +ip netns exec $R cat /proc/net/nf_conntrack
> +sleep 6
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
> +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
> +ip netns exec $C echo "send sth" >> pipefile
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
> +ip netns exec $C sleep 3
> +ip netns exec $C echo "send sth" >> pipefile
> +ip netns exec $C sleep 3
> +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
> +
> +exit 0
> -- 
> 2.43.0
> 
> 


* Re: [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
  2024-01-22 18:08 ` Pablo Neira Ayuso
@ 2024-01-22 21:26   ` Florian Westphal
       [not found]     ` <CAJsUoE34NyBPm=bBOhsvDh80g6L1BzHOm-m2nLNQDWDsMY8V4g@mail.gmail.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2024-01-22 21:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: yiche, netfilter-devel, fw

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi,
> 
> This test reports:
> 
> I: [OK]         1/1 testcases/packetpath/flowtables
> 
> or did you see any issue on your end?

Yes, this scenario got broken in the past, e.g.
via 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded
unreplied tuple").

nf.git is fine, but I think it's good to have a test case to prevent
obvious breakage in the future.


* Re: [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
       [not found]     ` <CAJsUoE34NyBPm=bBOhsvDh80g6L1BzHOm-m2nLNQDWDsMY8V4g@mail.gmail.com>
@ 2024-01-23  3:26       ` Yi Chen
  2024-01-23  8:20         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Yi Chen @ 2024-01-23  3:26 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel, fw

> Hi,
>
> This test reports:
>
> I: [OK]         1/1 testcases/packetpath/flowtables
>
> or did you see any issue on your end?
Yes, on the latest rhel-9 kernel 5.14.0-408.el9, which doesn't include
this patch:
a67db600fd38e08 netfilter: nf_tables: set transport offset from mac
header for netdev/egress

it reports:
W: [FAILED]     1/1 testcases/packetpath/flowtables

This test case existed before and caught this issue.



* Re: [PATCH] tests: shell: add test to cover ct offload by using nft flowtables To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress").
  2024-01-23  3:26       ` Yi Chen
@ 2024-01-23  8:20         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-23  8:20 UTC (permalink / raw)
  To: Yi Chen; +Cc: Florian Westphal, netfilter-devel, fw

On Tue, Jan 23, 2024 at 11:26:47AM +0800, Yi Chen wrote:
> > Hi,
> >
> > This test reports:
> >
> > I: [OK]         1/1 testcases/packetpath/flowtables
> >
> > or did you see any issue on your end?
>
> Yes, on the latest rhel-9 kernel 5.14.0-408.el9, which doesn't include
> this patch:
> a67db600fd38e08 netfilter: nf_tables: set transport offset from mac
> header for netdev/egress
> 
> it reports:
> W: [FAILED]     1/1 testcases/packetpath/flowtables
> 
> This test case existed before and caught this issue.

Great, thanks for submitting this

