selftests: netfilter: add meta iif/oif match test
simple test case, but would have caught this: FAIL: iifgroupcount, want "packets 2", got table inet filter { counter iifgroupcount { packets 0 bytes 0 } } Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
78470d9d0d
commit
2ef740da4f
|
@ -4,7 +4,7 @@
|
|||
TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \
|
||||
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
|
||||
nft_concat_range.sh nft_conntrack_helper.sh \
|
||||
nft_queue.sh
|
||||
nft_queue.sh nft_meta.sh
|
||||
|
||||
LDLIBS = -lmnl
|
||||
TEST_GEN_FILES = nf-queue
|
||||
|
|
|
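--- /dev/null
+++ b/nft_meta.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# check iif/iifname/oifgroup/iiftype match.
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+sfx=$(mktemp -u "XXXXXXXX")
+ns0="ns0-$sfx"
+
+nft --version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+echo "SKIP: Could not run test without nft tool"
+exit $ksft_skip
+fi
+
+cleanup()
+{
+ip netns del "$ns0"
+}
+
+ip netns add "$ns0"
+ip -net "$ns0" link set lo up
+ip -net "$ns0" addr add 127.0.0.1 dev lo
+
+trap cleanup EXIT
+
+ip netns exec "$ns0" nft -f /dev/stdin <<EOF
+table inet filter {
+counter iifcount {}
+counter iifnamecount {}
+counter iifgroupcount {}
+counter iiftypecount {}
+counter infproto4count {}
+counter il4protocounter {}
+counter imarkcounter {}
+
+counter oifcount {}
+counter oifnamecount {}
+counter oifgroupcount {}
+counter oiftypecount {}
+counter onfproto4count {}
+counter ol4protocounter {}
+counter oskuidcounter {}
+counter oskgidcounter {}
+counter omarkcounter {}
+
+chain input {
+type filter hook input priority 0; policy accept;
+
+meta iif lo counter name "iifcount"
+meta iifname "lo" counter name "iifnamecount"
+meta iifgroup "default" counter name "iifgroupcount"
+meta iiftype "loopback" counter name "iiftypecount"
+meta nfproto ipv4 counter name "infproto4count"
+meta l4proto icmp counter name "il4protocounter"
+meta mark 42 counter name "imarkcounter"
+}
+
+chain output {
+type filter hook output priority 0; policy accept;
+meta oif lo counter name "oifcount" counter
+meta oifname "lo" counter name "oifnamecount"
+meta oifgroup "default" counter name "oifgroupcount"
+meta oiftype "loopback" counter name "oiftypecount"
+meta nfproto ipv4 counter name "onfproto4count"
+meta l4proto icmp counter name "ol4protocounter"
+meta skuid 0 counter name "oskuidcounter"
+meta skgid 0 counter name "oskgidcounter"
+meta mark 42 counter name "omarkcounter"
+}
+}
+EOF
+
+if [ $? -ne 0 ]; then
+echo "SKIP: Could not add test ruleset"
+exit $ksft_skip
+fi
+
+ret=0
+
+check_one_counter()
+{
+local cname="$1"
+local want="packets $2"
+local verbose="$3"
+
+cnt=$(ip netns exec "$ns0" nft list counter inet filter $cname | grep -q "$want")
+if [ $? -ne 0 ];then
+echo "FAIL: $cname, want \"$want\", got"
+ret=1
+ip netns exec "$ns0" nft list counter inet filter $counter
+fi
+}
+
+check_lo_counters()
+{
+local want="$1"
+local verbose="$2"
+local counter
+
+for counter in iifcount iifnamecount iifgroupcount iiftypecount infproto4count \
+oifcount oifnamecount oifgroupcount oiftypecount onfproto4count \
+il4protocounter \
+ol4protocounter \
+; do
+check_one_counter "$counter" "$want" "$verbose"
+done
+}
+
+check_lo_counters "0" false
+ip netns exec "$ns0" ping -q -c 1 127.0.0.1 -m 42 > /dev/null
+
+check_lo_counters "2" true
+
+check_one_counter oskuidcounter "1" true
+check_one_counter oskgidcounter "1" true
+check_one_counter imarkcounter "1" true
+check_one_counter omarkcounter "1" true
+
+if [ $ret -eq 0 ];then
+echo "OK: nftables meta iif/oif counters at expected values"
+fi
+
+exit $ret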
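Review bot: In check_one_counter the failure branch dumps `nft list counter inet filter $counter`, but the function's own parameter is `cname`. `$counter` is only set when the caller is the loop in check_lo_counters, so a failure in any of the four direct calls at the end of the script (oskuidcounter, oskgidcounter, imarkcounter, omarkcounter) prints no usable counter state. Use `ip netns exec "$ns0" nft list counter inet filter "$cname"` in that branch. The check `grep -q "$want"` is also a prefix match, so a want of `packets 1` would accept `packets 10`; since the counter output has the form `packets N bytes M`, `local want="packets $2 "` makes the rule-match assertion exact. `cnt` and `verbose` are assigned but never read.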