From: Andrii Melnychenko <a.melnychenko@vyos.io>
To: netfilter-devel@vger.kernel.org, fw@strlen.de
Subject: [PATCH v2 1/2] tests: shell: Refactored nat_ftp, added rulesets and testcase functions
Date: Tue, 28 Oct 2025 17:56:06 +0100	[thread overview]
Message-ID: <20251028165607.1074310-2-a.melnychenko@vyos.io> (raw)
In-Reply-To: <20251028165607.1074310-1-a.melnychenko@vyos.io>

Refactored the setup of nft rulesets; it is now possible to set up an
SNAT-only or DNAT-only ruleset for future tests.
Added a testcase function to test passive or active mode.

Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
---
 tests/shell/testcases/packetpath/nat_ftp | 86 +++++++++++++++---------
 1 file changed, 53 insertions(+), 33 deletions(-)

diff --git a/tests/shell/testcases/packetpath/nat_ftp b/tests/shell/testcases/packetpath/nat_ftp
index d0faf2ef..bc116f6e 100755
--- a/tests/shell/testcases/packetpath/nat_ftp
+++ b/tests/shell/testcases/packetpath/nat_ftp
@@ -77,7 +77,7 @@ ip -net $S route add ${ip_rc}/64 via ${ip_rs} dev s_r
 ip netns exec $C ping -q -6 ${ip_sr} -c1 > /dev/null
 assert_pass "topo initialization"
 
-reload_ruleset()
+reload_ruleset_base()
 {
 	ip netns exec $R conntrack -F 2> /dev/null
 	ip netns exec $R $NFT -f - <<-EOF
@@ -87,12 +87,6 @@ reload_ruleset()
 			type "ftp" protocol tcp;
 		}
 
-		chain PRE-dnat {
-			type nat hook prerouting priority dstnat; policy accept;
-			# Dnat the control connection, data connection will be automaticly NATed.
-			ip6 daddr ${ip_rc} counter ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21
-		}
-
 		chain PRE-aftnat {
 			type filter hook prerouting priority 350; policy drop;
 			iifname r_c tcp dport 21 ct state new ct helper set "ftp-standard" counter accept
@@ -111,14 +105,43 @@ reload_ruleset()
 			ip6 nexthdr tcp ct state established counter accept
 			ip6 nexthdr tcp ct state related     counter log accept
 		}
+	}
+	EOF
+	assert_pass "apply ftp helper base ruleset"
+}
+
+load_dnat()
+{
+	ip netns exec $R $NFT -f - <<-EOF
+	table ip6 ftp_helper_nat_test {
+		chain PRE-dnat {
+			type nat hook prerouting priority dstnat; policy accept;
+			# Dnat the control connection, data connection will be automaticly NATed.
+			ip6 daddr ${ip_rc} counter ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21
+		}
+	}
+	EOF
+	assert_pass "apply ftp helper DNAT ruleset"
+}
 
+load_snat()
+{
+	ip netns exec $R $NFT -f - <<-EOF
+	table ip6 ftp_helper_nat_test {
 		chain POST-srcnat {
 			type nat hook postrouting priority srcnat; policy accept;
 			ip6 daddr ${ip_sr} ip6 nexthdr tcp tcp dport 21 counter snat ip6 to [${ip_rs}]:16500
 		}
 	}
 	EOF
-	assert_pass "apply ftp helper ruleset"
+	assert_pass "apply ftp helper SNAT ruleset"
+}
+
+reload_ruleset()
+{
+	reload_ruleset_base
+	load_dnat
+	load_snat
 }
 
 dd if=/dev/urandom of="$INFILE" bs=4096 count=1 2>/dev/null
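Review bot: load_dnat and load_snat each feed `table ip6 ftp_helper_nat_test { ... }` to nft on their own, so they only add a chain to a table that presumably already exists from reload_ruleset_base; that ordering dependency is undocumented, and the start of the base heredoc (whether it begins with a flush of the ruleset) is outside this hunk, so it is unclear whether calling load_dnat twice without a base reload would fail or duplicate the rule. A short header on each helper would make the contract explicit for the SNAT/DNAT-only cases that are meant to reuse them, e.g. `# Add the DNAT chain to table ftp_helper_nat_test; run after reload_ruleset_base so the table exists.` and the equivalent for load_snat. reload_ruleset should likewise say that it is the combined "base + DNAT + SNAT" setup the existing passive/active cases rely on.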
@@ -141,38 +164,35 @@ wait_local_port_listen $S 21 tcp
 ip netns exec $S ss -6ltnp | grep -q '*:21'
 assert_pass "start vsftpd server"
 
+test_case()
+{
+	tag=$1
+	ftp_ip_and_port=$2
+	client_ip_to_check=$3
+	additional_curl_options=$4
+
+	ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
+	pid=$!
+	sleep 0.5
+	ip netns exec $C curl ${additional_curl_options} --no-progress-meter --connect-timeout 5 ftp://${ftp_ip_and_port}/$(basename $INFILE) -o $OUTFILE
+	assert_pass "curl ftp "${tag}
+
+	cmp "$INFILE" "$OUTFILE"
+	assert_pass "FTP "${tag}": The input and output files remain the same when traffic passes through NAT."
+
+	kill $pid; sync
+	tcpdump -nnr ${PCAP} src ${client_ip_to_check} and dst ${ip_sr} 2>&1 |grep -q FTP
+	assert_pass "assert FTP traffic NATed"
+}
 
 # test passive mode
 reload_ruleset
-ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
-pid=$!
-sleep 0.5
-ip netns exec $C curl --no-progress-meter --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE
-assert_pass "curl ftp passive mode "
-
-cmp "$INFILE" "$OUTFILE"
-assert_pass "FTP Passive mode: The input and output files remain the same when traffic passes through NAT."
-
-kill $pid; sync
-tcpdump -nnr ${PCAP} src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP
-assert_pass "assert FTP traffic NATed"
+test_case "Passive mode" [${ip_rc}]:2121 ${ip_rs}
 
 
 # test active mode
 reload_ruleset
-
-ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
-pid=$!
-sleep 0.5
-ip netns exec $C curl --no-progress-meter -P - --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE
-assert_pass "curl ftp active mode "
-
-cmp "$INFILE" "$OUTFILE"
-assert_pass "FTP Active mode: in and output files remain the same when FTP traffic passes through NAT."
-
-kill $pid; sync
-tcpdump -nnr ${PCAP} src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP
-assert_pass "assert FTP traffic NATed"
+test_case "Active mode" [${ip_rc}]:2121 ${ip_rs} "-P -"
 
 # trap calls cleanup
 exit 0
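Review bot: The two assert_pass calls in test_case split the tag into separate words: in `assert_pass "curl ftp "${tag}` and `assert_pass "FTP "${tag}": The input ..."` the `${tag}` expansion sits outside the double quotes, so "Passive mode" becomes two arguments and the message assert_pass prints is truncated or misaligned depending on how it reads its arguments. Keep the whole message in one quoted string: `assert_pass "curl ftp ${tag}"` and `assert_pass "FTP ${tag}: The input and output files remain the same when traffic passes through NAT."`. The function's tag, ftp_ip_and_port, client_ip_to_check and additional_curl_options assignments are also global rather than `local`; pid is probably intentionally global if the cleanup trap referenced at the bottom kills it, but the other four can be declared `local`. At the two call sites, `[${ip_rc}]:2121` is passed unquoted and is a bracket glob pattern to the shell; quoting it as `"[${ip_rc}]:2121"` avoids an accidental match against a file in the working directory.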
-- 
2.43.0

