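#!/bin/bash
#
# This tests connection tracking helper assignment:
# 1. an explicit 'ct helper set "ftp"' rule in the nft ruleset attaches the
#    ftp helper to a matching tcp connection (port 2121) in both namespaces.
# 2. with the legacy net.netfilter.nf_conntrack_helper sysctl switched on,
#    the ftp helper must NOT be auto-attached to a plain port-21 connection
#    (check_for_helper reports FAIL if it is).  The sysctl is written with
#    'sysctl -e', so a kernel that no longer has the knob is tolerated.
#
# Kselftest framework requirement - SKIP code is 4.
#
# NOTE: no 'set -e' on purpose -- the harness inspects the exit status of
# many commands and accumulates verdicts in $ret instead of aborting early.
ksft_skip=4
ret=0

sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
# cleared when an ip6 ruleset cannot be loaded; skips the ipv6 rounds
testipv6=1

#######################################
# Delete the test namespaces.  Runs from the EXIT trap, so it is
# best-effort: a namespace that was never created produces no noise.
#######################################
cleanup()
{
	ip netns del "${ns1}" 2> /dev/null
	ip netns del "${ns2}" 2> /dev/null
}

if ! nft --version > /dev/null 2>&1; then
	echo "SKIP: Could not run test without nft tool"
	exit $ksft_skip
fi

if ! ip -Version > /dev/null 2>&1; then
	echo "SKIP: Could not run test without ip tool"
	exit $ksft_skip
fi

if ! conntrack -V > /dev/null 2>&1; then
	echo "SKIP: Could not run test without conntrack tool"
	exit $ksft_skip
fi

if ! command -v nc > /dev/null 2>&1; then
	echo "SKIP: Could not run test without netcat tool"
	exit $ksft_skip
fi

trap cleanup EXIT

# creating namespaces needs CAP_SYS_ADMIN; treat failure as a SKIP, not a FAIL
if ! ip netns add "${ns1}" || ! ip netns add "${ns2}"; then
	echo "SKIP: Could not create net namespaces"
	exit $ksft_skip
fi

if ! ip link add veth0 netns "${ns1}" type veth peer name veth0 netns "${ns2}" > /dev/null 2>&1; then
	echo "SKIP: No virtual ethernet pair device support in kernel"
	exit $ksft_skip
fi

for ns in "${ns1}" "${ns2}"; do
	ip -net "${ns}" link set lo up
	ip -net "${ns}" link set veth0 up
done

ip -net "${ns1}" addr add 10.0.1.1/24 dev veth0
ip -net "${ns1}" addr add dead:1::1/64 dev veth0

ip -net "${ns2}" addr add 10.0.1.2/24 dev veth0
ip -net "${ns2}" addr add dead:1::2/64 dev veth0

#######################################
# Load a raw table for one nft family that pins the ftp helper to every
# tcp connection with destination port 2121, on both the prerouting
# (incoming) and output (locally generated) hooks.
# Arguments: $1 - nft family (ip, ip6 or inet)
#            $2 - namespace to load the table into
# Returns:   nft's exit status (non-zero if the family or helper is
#            unsupported by the running kernel/nft)
#######################################
load_ruleset_family() {
	local family=$1
	local ns=$2

ip netns exec "${ns}" nft -f - <<EOF
table $family raw {
	ct helper ftp {
		type "ftp" protocol tcp
	}
	chain pre {
		type filter hook prerouting priority 0; policy accept;
		tcp dport 2121 ct helper set "ftp"
	}
	chain output {
		type filter hook output priority 0; policy accept;
		tcp dport 2121 ct helper set "ftp"
	}
}
EOF
	return $?
}

#######################################
# Check whether the tcp conntrack entry for $port in a namespace carries
# the ftp helper and record PASS/FAIL against the expectation.
# Arguments: $1 - namespace
#            $2 - message; contains "ipv6" for the v6 round, which selects
#                 the conntrack address family to list
#            $3 - tcp destination port
#            $4 - 0: helper was set by the ruleset and must be present
#                 1: helper must NOT have been auto-assigned
# Globals:   ret (set to 1 on FAIL)
# Returns:   always 0; the verdict lives in $ret and on stderr
#######################################
check_for_helper()
{
	local netns=$1
	local message=$2
	local port=$3
	local autoassign=$4
	local family

	if [[ "$message" == *ipv6* ]]; then
		family="ipv6"
	else
		family="ipv4"
	fi

	if ip netns exec "${netns}" conntrack -L -f "$family" -p tcp --dport "$port" 2> /dev/null | grep -q 'helper=ftp'; then
		if [ "$autoassign" -eq 0 ]; then
			echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
		else
			# a helper showed up without an explicit 'ct helper set' rule:
			# that is the auto-assignment behaviour this test expects gone
			echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2
			ret=1
		fi
	else
		if [ "$autoassign" -eq 0 ]; then
			echo "FAIL: ${netns} did not show attached helper $message" 1>&2
			ret=1
		else
			echo "PASS: ${netns} did not show attached helper $message" 1>&2
		fi
	fi

	return 0
}

#######################################
# Keep a listener in ns2 and a client in ns1 alive on $port for a couple of
# seconds and inspect both conntrack tables while the connection exists.
# Arguments: $1 - message passed to check_for_helper
#            $2 - tcp port
#            $3 - autoassign flag (see check_for_helper)
#            $4 - server address the client connects to
#            remaining args - extra flags for nc (e.g. -6)
#######################################
_helper_round()
{
	local msg=$1
	local port=$2
	local autoassign=$3
	local server=$4
	shift 4

	# 'sleep N |' feeds nc's stdin so it stays up; the listener outlives
	# the client, and -w 2 bounds both in case the peer never shows up
	sleep 3 | ip netns exec "${ns2}" nc -w 2 "$@" -l -p "$port" > /dev/null &
	sleep 1 | ip netns exec "${ns1}" nc -w 2 "$@" "$server" "$port" > /dev/null &
	sleep 1

	check_for_helper "$ns1" "$msg" "$port" "$autoassign"
	check_for_helper "$ns2" "$msg" "$port" "$autoassign"

	wait
}

#######################################
# Run one ipv4 round and, unless testipv6 is 0, one ipv6 round on $port.
# Arguments: $1 - tcp port
#            $2 - 0: expect the helper set by the ruleset
#                 1: expect no (auto-assigned) helper
#######################################
test_helper()
{
	local port=$1
	local autoassign=$2
	local msg

	if [ "$autoassign" -eq 0 ]; then
		msg="set via ruleset"
	else
		msg="auto-assign"
	fi

	_helper_round "ip $msg" "$port" "$autoassign" 10.0.1.2

	if [ "$testipv6" -eq 0 ]; then
		return 0
	fi

	# flush the conntrack tables so the ipv6 round starts from a clean state
	ip netns exec "${ns1}" conntrack -F 2> /dev/null
	ip netns exec "${ns2}" conntrack -F 2> /dev/null

	_helper_round "ipv6 $msg" "$port" "$autoassign" dead:1::2 -6
}

if ! load_ruleset_family ip "${ns1}"; then
	echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
	exit 1
fi

if ! load_ruleset_family ip6 "${ns1}"; then
	echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
	testipv6=0
fi

# ns2 prefers a single inet table; fall back to per-family tables when
# inet is not available
if ! load_ruleset_family inet "${ns2}"; then
	echo "SKIP: ${ns2} cannot load inet ruleset" 1>&2
	if ! load_ruleset_family ip "${ns2}"; then
		echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
		exit 1
	fi

	if [ "$testipv6" -eq 1 ]; then
		if ! load_ruleset_family ip6 "${ns2}"; then
			echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
			exit 1
		fi
	fi
fi

# 1. helper pinned by the ruleset on port 2121
test_helper 2121 0

# 2. legacy auto-assignment knob.  It is written inside the test namespaces
#    via 'ip netns exec' rather than on the host, and '-e' ignores a kernel
#    that has dropped the key; port 21 must stay without a helper either way.
ip netns exec "${ns1}" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
ip netns exec "${ns2}" sysctl -qe 'net.netfilter.nf_conntrack_helper=1'
test_helper 21 1

exit $ret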