selftests: netfilter: add meta iif/oif match test

simple test case, but would have caught this:

FAIL: iifgroupcount, want "packets 2", got
table inet filter {
        counter iifgroupcount {
                packets 0 bytes 0
        }
}

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2020-08-02 03:26:21 +02:00 committed by Pablo Neira Ayuso
parent 78470d9d0d
commit 2ef740da4f
2 changed files with 125 additions and 1 deletions


@ -4,7 +4,7 @@
TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \ TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \ conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
nft_concat_range.sh nft_conntrack_helper.sh \ nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh nft_queue.sh nft_meta.sh
LDLIBS = -lmnl LDLIBS = -lmnl
TEST_GEN_FILES = nf-queue TEST_GEN_FILES = nf-queue


@ -0,0 +1,124 @@
#!/bin/bash
# check iif/iifname/oifgroup/iiftype match.
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
sfx=$(mktemp -u "XXXXXXXX")
ns0="ns0-$sfx"
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
cleanup()
{
ip netns del "$ns0"
}
ip netns add "$ns0"
ip -net "$ns0" link set lo up
ip -net "$ns0" addr add 127.0.0.1 dev lo
trap cleanup EXIT
ip netns exec "$ns0" nft -f /dev/stdin <<EOF
table inet filter {
counter iifcount {}
counter iifnamecount {}
counter iifgroupcount {}
counter iiftypecount {}
counter infproto4count {}
counter il4protocounter {}
counter imarkcounter {}
counter oifcount {}
counter oifnamecount {}
counter oifgroupcount {}
counter oiftypecount {}
counter onfproto4count {}
counter ol4protocounter {}
counter oskuidcounter {}
counter oskgidcounter {}
counter omarkcounter {}
chain input {
type filter hook input priority 0; policy accept;
meta iif lo counter name "iifcount"
meta iifname "lo" counter name "iifnamecount"
meta iifgroup "default" counter name "iifgroupcount"
meta iiftype "loopback" counter name "iiftypecount"
meta nfproto ipv4 counter name "infproto4count"
meta l4proto icmp counter name "il4protocounter"
meta mark 42 counter name "imarkcounter"
}
chain output {
type filter hook output priority 0; policy accept;
meta oif lo counter name "oifcount" counter
meta oifname "lo" counter name "oifnamecount"
meta oifgroup "default" counter name "oifgroupcount"
meta oiftype "loopback" counter name "oiftypecount"
meta nfproto ipv4 counter name "onfproto4count"
meta l4proto icmp counter name "ol4protocounter"
meta skuid 0 counter name "oskuidcounter"
meta skgid 0 counter name "oskgidcounter"
meta mark 42 counter name "omarkcounter"
}
}
EOF
if [ $? -ne 0 ]; then
echo "SKIP: Could not add test ruleset"
exit $ksft_skip
fi
ret=0
check_one_counter()
{
local cname="$1"
local want="packets $2"
local verbose="$3"
cnt=$(ip netns exec "$ns0" nft list counter inet filter $cname | grep -q "$want")
if [ $? -ne 0 ];then
echo "FAIL: $cname, want \"$want\", got"
ret=1
ip netns exec "$ns0" nft list counter inet filter $counter
fi
}
check_lo_counters()
{
local want="$1"
local verbose="$2"
local counter
for counter in iifcount iifnamecount iifgroupcount iiftypecount infproto4count \
oifcount oifnamecount oifgroupcount oiftypecount onfproto4count \
il4protocounter \
ol4protocounter \
; do
check_one_counter "$counter" "$want" "$verbose"
done
}
check_lo_counters "0" false
ip netns exec "$ns0" ping -q -c 1 127.0.0.1 -m 42 > /dev/null
check_lo_counters "2" true
check_one_counter oskuidcounter "1" true
check_one_counter oskgidcounter "1" true
check_one_counter imarkcounter "1" true
check_one_counter omarkcounter "1" true
if [ $ret -eq 0 ];then
echo "OK: nftables meta iif/oif counters at expected values"
fi
exit $ret
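Review bot: The failure path of check_one_counter, `ip netns exec "$ns0" nft list counter inet filter $counter`, reads `$counter` instead of the function's own `$cname`; that only works by accident when invoked from the loop in check_lo_counters (where `counter` is a dynamically scoped local), and for the direct calls such as `check_one_counter oskuidcounter "1" true` it expands to nothing, so the diagnostic dump runs `nft list counter inet filter` with no counter name and the promised "got" output is lost or misleading. The line before it also captures grep -q's (empty) stdout into an unused `cnt`, which hides that only the exit status is being tested. I would replace the two lines with `if ! ip netns exec "$ns0" nft list counter inet filter "$cname" | grep -q "$want"; then` and `ip netns exec "$ns0" nft list counter inet filter "$cname"`, and either act on the `verbose` argument or drop it, since both functions declare it and neither uses it. Separately, the first rule in chain output, `meta oif lo counter name "oifcount" counter`, carries a trailing anonymous `counter` that none of the other rules have, which looks unintended even though it does not affect the named counter being checked.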