]> git.ipfire.org Git - thirdparty/kernel/stable.git/blob - tools/testing/selftests/netfilter/nft_nat.sh
projects / thirdparty / kernel / stable.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selftests: netfilter: add simple masq/redirect test cases
[thirdparty/kernel/stable.git] / tools / testing / selftests / netfilter / nft_nat.sh
1 #!/bin/bash
2 #
3 # This test is for basic NAT functionality: snat, dnat, redirect, masquerade.
4 #
5
6 # Kselftest framework requirement - SKIP code is 4.
7 ksft_skip=4
8 ret=0
9
10 nft --version > /dev/null 2>&1
11 if [ $? -ne 0 ];then
12 echo "SKIP: Could not run test without nft tool"
13 exit $ksft_skip
14 fi
15
16 ip -Version > /dev/null 2>&1
17 if [ $? -ne 0 ];then
18 echo "SKIP: Could not run test without ip tool"
19 exit $ksft_skip
20 fi
21
22 ip netns add ns0
23 ip netns add ns1
24 ip netns add ns2
25
26 ip link add veth0 netns ns0 type veth peer name eth0 netns ns1
27 ip link add veth1 netns ns0 type veth peer name eth0 netns ns2
28
29 ip -net ns0 link set lo up
30 ip -net ns0 link set veth0 up
31 ip -net ns0 addr add 10.0.1.1/24 dev veth0
32 ip -net ns0 addr add dead:1::1/64 dev veth0
33
34 ip -net ns0 link set veth1 up
35 ip -net ns0 addr add 10.0.2.1/24 dev veth1
36 ip -net ns0 addr add dead:2::1/64 dev veth1
37
38 for i in 1 2; do
39 ip -net ns$i link set lo up
40 ip -net ns$i link set eth0 up
41 ip -net ns$i addr add 10.0.$i.99/24 dev eth0
42 ip -net ns$i route add default via 10.0.$i.1
43 ip -net ns$i addr add dead:$i::99/64 dev eth0
44 ip -net ns$i route add default via dead:$i::1
45 done
46
47 bad_counter()
48 {
49 local ns=$1
50 local counter=$2
51 local expect=$3
52
53 echo "ERROR: $counter counter in $ns has unexpected value (expected $expect)" 1>&2
54 ip netns exec $ns nft list counter inet filter $counter 1>&2
55 }
56
57 check_counters()
58 {
59 ns=$1
60 local lret=0
61
62 cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84")
63 if [ $? -ne 0 ]; then
64 bad_counter $ns ns0in "packets 1 bytes 84"
65 lret=1
66 fi
67 cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84")
68 if [ $? -ne 0 ]; then
69 bad_counter $ns ns0out "packets 1 bytes 84"
70 lret=1
71 fi
72
73 expect="packets 1 bytes 104"
74 cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect")
75 if [ $? -ne 0 ]; then
76 bad_counter $ns ns0in6 "$expect"
77 lret=1
78 fi
79 cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect")
80 if [ $? -ne 0 ]; then
81 bad_counter $ns ns0out6 "$expect"
82 lret=1
83 fi
84
85 return $lret
86 }
87
88 check_ns0_counters()
89 {
90 local ns=$1
91 local lret=0
92
93 cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q "packets 0 bytes 0")
94 if [ $? -ne 0 ]; then
95 bad_counter ns0 ns0in "packets 0 bytes 0"
96 lret=1
97 fi
98
99 cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0")
100 if [ $? -ne 0 ]; then
101 bad_counter ns0 ns0in6 "packets 0 bytes 0"
102 lret=1
103 fi
104
105 cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q "packets 0 bytes 0")
106 if [ $? -ne 0 ]; then
107 bad_counter ns0 ns0out "packets 0 bytes 0"
108 lret=1
109 fi
110 cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0")
111 if [ $? -ne 0 ]; then
112 bad_counter ns0 ns0out6 "packets 0 bytes 0"
113 lret=1
114 fi
115
116 for dir in "in" "out" ; do
117 expect="packets 1 bytes 84"
118 cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir} | grep -q "$expect")
119 if [ $? -ne 0 ]; then
120 bad_counter ns0 $ns$dir "$expect"
121 lret=1
122 fi
123
124 expect="packets 1 bytes 104"
125 cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir}6 | grep -q "$expect")
126 if [ $? -ne 0 ]; then
127 bad_counter ns0 $ns$dir6 "$expect"
128 lret=1
129 fi
130 done
131
132 return $lret
133 }
134
135 reset_counters()
136 {
137 for i in 0 1 2;do
138 ip netns exec ns$i nft reset counters inet > /dev/null
139 done
140 }
141
142 test_local_dnat6()
143 {
144 local lret=0
145 ip netns exec ns0 nft -f - <<EOF
146 table ip6 nat {
147 chain output {
148 type nat hook output priority 0; policy accept;
149 ip6 daddr dead:1::99 dnat to dead:2::99
150 }
151 }
152 EOF
153 if [ $? -ne 0 ]; then
154 echo "SKIP: Could not add add ip6 dnat hook"
155 return $ksft_skip
156 fi
157
158 # ping netns1, expect rewrite to netns2
159 ip netns exec ns0 ping -q -c 1 dead:1::99 > /dev/null
160 if [ $? -ne 0 ]; then
161 lret=1
162 echo "ERROR: ping6 failed"
163 return $lret
164 fi
165
166 expect="packets 0 bytes 0"
167 for dir in "in6" "out6" ; do
168 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
169 if [ $? -ne 0 ]; then
170 bad_counter ns0 ns1$dir "$expect"
171 lret=1
172 fi
173 done
174
175 expect="packets 1 bytes 104"
176 for dir in "in6" "out6" ; do
177 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
178 if [ $? -ne 0 ]; then
179 bad_counter ns0 ns2$dir "$expect"
180 lret=1
181 fi
182 done
183
184 # expect 0 count in ns1
185 expect="packets 0 bytes 0"
186 for dir in "in6" "out6" ; do
187 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
188 if [ $? -ne 0 ]; then
189 bad_counter ns1 ns0$dir "$expect"
190 lret=1
191 fi
192 done
193
194 # expect 1 packet in ns2
195 expect="packets 1 bytes 104"
196 for dir in "in6" "out6" ; do
197 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
198 if [ $? -ne 0 ]; then
199 bad_counter ns2 ns0$dir "$expect"
200 lret=1
201 fi
202 done
203
204 test $lret -eq 0 && echo "PASS: ipv6 ping to ns1 was NATted to ns2"
205 ip netns exec ns0 nft flush chain ip6 nat output
206
207 return $lret
208 }
209
210 test_local_dnat()
211 {
212 local lret=0
213 ip netns exec ns0 nft -f - <<EOF
214 table ip nat {
215 chain output {
216 type nat hook output priority 0; policy accept;
217 ip daddr 10.0.1.99 dnat to 10.0.2.99
218 }
219 }
220 EOF
221 # ping netns1, expect rewrite to netns2
222 ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
223 if [ $? -ne 0 ]; then
224 lret=1
225 echo "ERROR: ping failed"
226 return $lret
227 fi
228
229 expect="packets 0 bytes 0"
230 for dir in "in" "out" ; do
231 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
232 if [ $? -ne 0 ]; then
233 bad_counter ns0 ns1$dir "$expect"
234 lret=1
235 fi
236 done
237
238 expect="packets 1 bytes 84"
239 for dir in "in" "out" ; do
240 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
241 if [ $? -ne 0 ]; then
242 bad_counter ns0 ns2$dir "$expect"
243 lret=1
244 fi
245 done
246
247 # expect 0 count in ns1
248 expect="packets 0 bytes 0"
249 for dir in "in" "out" ; do
250 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
251 if [ $? -ne 0 ]; then
252 bad_counter ns1 ns0$dir "$expect"
253 lret=1
254 fi
255 done
256
257 # expect 1 packet in ns2
258 expect="packets 1 bytes 84"
259 for dir in "in" "out" ; do
260 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
261 if [ $? -ne 0 ]; then
262 bad_counter ns2 ns0$dir "$expect"
263 lret=1
264 fi
265 done
266
267 test $lret -eq 0 && echo "PASS: ping to ns1 was NATted to ns2"
268
269 ip netns exec ns0 nft flush chain ip nat output
270
271 reset_counters
272 ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
273 if [ $? -ne 0 ]; then
274 lret=1
275 echo "ERROR: ping failed"
276 return $lret
277 fi
278
279 expect="packets 1 bytes 84"
280 for dir in "in" "out" ; do
281 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
282 if [ $? -ne 0 ]; then
283 bad_counter ns1 ns1$dir "$expect"
284 lret=1
285 fi
286 done
287 expect="packets 0 bytes 0"
288 for dir in "in" "out" ; do
289 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
290 if [ $? -ne 0 ]; then
291 bad_counter ns0 ns2$dir "$expect"
292 lret=1
293 fi
294 done
295
296 # expect 1 count in ns1
297 expect="packets 1 bytes 84"
298 for dir in "in" "out" ; do
299 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
300 if [ $? -ne 0 ]; then
301 bad_counter ns0 ns0$dir "$expect"
302 lret=1
303 fi
304 done
305
306 # expect 0 packet in ns2
307 expect="packets 0 bytes 0"
308 for dir in "in" "out" ; do
309 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
310 if [ $? -ne 0 ]; then
311 bad_counter ns2 ns2$dir "$expect"
312 lret=1
313 fi
314 done
315
316 test $lret -eq 0 && echo "PASS: ping to ns1 OK after nat output chain flush"
317
318 return $lret
319 }
320
321
322 test_masquerade6()
323 {
324 local lret=0
325
326 ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
327
328 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
329 if [ $? -ne 0 ] ; then
330 echo "ERROR: cannot ping ns1 from ns2 via ipv6"
331 return 1
332 lret=1
333 fi
334
335 expect="packets 1 bytes 104"
336 for dir in "in6" "out6" ; do
337 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
338 if [ $? -ne 0 ]; then
339 bad_counter ns1 ns2$dir "$expect"
340 lret=1
341 fi
342
343 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
344 if [ $? -ne 0 ]; then
345 bad_counter ns2 ns1$dir "$expect"
346 lret=1
347 fi
348 done
349
350 reset_counters
351
352 # add masquerading rule
353 ip netns exec ns0 nft -f - <<EOF
354 table ip6 nat {
355 chain postrouting {
356 type nat hook postrouting priority 0; policy accept;
357 meta oif veth0 masquerade
358 }
359 }
360 EOF
361 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
362 if [ $? -ne 0 ] ; then
363 echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading"
364 lret=1
365 fi
366
367 # ns1 should have seen packets from ns0, due to masquerade
368 expect="packets 1 bytes 104"
369 for dir in "in6" "out6" ; do
370
371 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
372 if [ $? -ne 0 ]; then
373 bad_counter ns1 ns0$dir "$expect"
374 lret=1
375 fi
376
377 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
378 if [ $? -ne 0 ]; then
379 bad_counter ns2 ns1$dir "$expect"
380 lret=1
381 fi
382 done
383
384 # ns1 should not have seen packets from ns2, due to masquerade
385 expect="packets 0 bytes 0"
386 for dir in "in6" "out6" ; do
387 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
388 if [ $? -ne 0 ]; then
389 bad_counter ns1 ns0$dir "$expect"
390 lret=1
391 fi
392
393 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
394 if [ $? -ne 0 ]; then
395 bad_counter ns2 ns1$dir "$expect"
396 lret=1
397 fi
398 done
399
400 ip netns exec ns0 nft flush chain ip6 nat postrouting
401 if [ $? -ne 0 ]; then
402 echo "ERROR: Could not flush ip6 nat postrouting" 1>&2
403 lret=1
404 fi
405
406 test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2"
407
408 return $lret
409 }
410
411 test_masquerade()
412 {
413 local lret=0
414
415 ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
416 ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
417
418 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
419 if [ $? -ne 0 ] ; then
420 echo "ERROR: canot ping ns1 from ns2"
421 lret=1
422 fi
423
424 expect="packets 1 bytes 84"
425 for dir in "in" "out" ; do
426 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
427 if [ $? -ne 0 ]; then
428 bad_counter ns1 ns2$dir "$expect"
429 lret=1
430 fi
431
432 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
433 if [ $? -ne 0 ]; then
434 bad_counter ns2 ns1$dir "$expect"
435 lret=1
436 fi
437 done
438
439 reset_counters
440
441 # add masquerading rule
442 ip netns exec ns0 nft -f - <<EOF
443 table ip nat {
444 chain postrouting {
445 type nat hook postrouting priority 0; policy accept;
446 meta oif veth0 masquerade
447 }
448 }
449 EOF
450 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
451 if [ $? -ne 0 ] ; then
452 echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading"
453 lret=1
454 fi
455
456 # ns1 should have seen packets from ns0, due to masquerade
457 expect="packets 1 bytes 84"
458 for dir in "in" "out" ; do
459 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
460 if [ $? -ne 0 ]; then
461 bad_counter ns1 ns0$dir "$expect"
462 lret=1
463 fi
464
465 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
466 if [ $? -ne 0 ]; then
467 bad_counter ns2 ns1$dir "$expect"
468 lret=1
469 fi
470 done
471
472 # ns1 should not have seen packets from ns2, due to masquerade
473 expect="packets 0 bytes 0"
474 for dir in "in" "out" ; do
475 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
476 if [ $? -ne 0 ]; then
477 bad_counter ns1 ns0$dir "$expect"
478 lret=1
479 fi
480
481 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
482 if [ $? -ne 0 ]; then
483 bad_counter ns2 ns1$dir "$expect"
484 lret=1
485 fi
486 done
487
488 ip netns exec ns0 nft flush chain ip nat postrouting
489 if [ $? -ne 0 ]; then
490 echo "ERROR: Could not flush nat postrouting" 1>&2
491 lret=1
492 fi
493
494 test $lret -eq 0 && echo "PASS: IP masquerade for ns2"
495
496 return $lret
497 }
498
499 test_redirect6()
500 {
501 local lret=0
502
503 ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
504
505 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
506 if [ $? -ne 0 ] ; then
507 echo "ERROR: cannnot ping ns1 from ns2 via ipv6"
508 lret=1
509 fi
510
511 expect="packets 1 bytes 104"
512 for dir in "in6" "out6" ; do
513 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
514 if [ $? -ne 0 ]; then
515 bad_counter ns1 ns2$dir "$expect"
516 lret=1
517 fi
518
519 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
520 if [ $? -ne 0 ]; then
521 bad_counter ns2 ns1$dir "$expect"
522 lret=1
523 fi
524 done
525
526 reset_counters
527
528 # add redirect rule
529 ip netns exec ns0 nft -f - <<EOF
530 table ip6 nat {
531 chain prerouting {
532 type nat hook prerouting priority 0; policy accept;
533 meta iif veth1 meta l4proto icmpv6 ip6 saddr dead:2::99 ip6 daddr dead:1::99 redirect
534 }
535 }
536 EOF
537 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
538 if [ $? -ne 0 ] ; then
539 echo "ERROR: cannot ping ns1 from ns2 with active ip6 redirect"
540 lret=1
541 fi
542
543 # ns1 should have seen no packets from ns2, due to redirection
544 expect="packets 0 bytes 0"
545 for dir in "in6" "out6" ; do
546 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
547 if [ $? -ne 0 ]; then
548 bad_counter ns1 ns0$dir "$expect"
549 lret=1
550 fi
551 done
552
553 # ns0 should have seen packets from ns2, due to masquerade
554 expect="packets 1 bytes 104"
555 for dir in "in6" "out6" ; do
556 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
557 if [ $? -ne 0 ]; then
558 bad_counter ns1 ns0$dir "$expect"
559 lret=1
560 fi
561 done
562
563 ip netns exec ns0 nft delete table ip6 nat
564 if [ $? -ne 0 ]; then
565 echo "ERROR: Could not delete ip6 nat table" 1>&2
566 lret=1
567 fi
568
569 test $lret -eq 0 && echo "PASS: IPv6 redirection for ns2"
570
571 return $lret
572 }
573
574 test_redirect()
575 {
576 local lret=0
577
578 ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
579 ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
580
581 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
582 if [ $? -ne 0 ] ; then
583 echo "ERROR: cannot ping ns1 from ns2"
584 lret=1
585 fi
586
587 expect="packets 1 bytes 84"
588 for dir in "in" "out" ; do
589 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
590 if [ $? -ne 0 ]; then
591 bad_counter ns1 ns2$dir "$expect"
592 lret=1
593 fi
594
595 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
596 if [ $? -ne 0 ]; then
597 bad_counter ns2 ns1$dir "$expect"
598 lret=1
599 fi
600 done
601
602 reset_counters
603
604 # add redirect rule
605 ip netns exec ns0 nft -f - <<EOF
606 table ip nat {
607 chain prerouting {
608 type nat hook prerouting priority 0; policy accept;
609 meta iif veth1 ip protocol icmp ip saddr 10.0.2.99 ip daddr 10.0.1.99 redirect
610 }
611 }
612 EOF
613 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
614 if [ $? -ne 0 ] ; then
615 echo "ERROR: cannot ping ns1 from ns2 with active ip redirect"
616 lret=1
617 fi
618
619 # ns1 should have seen no packets from ns2, due to redirection
620 expect="packets 0 bytes 0"
621 for dir in "in" "out" ; do
622
623 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
624 if [ $? -ne 0 ]; then
625 bad_counter ns1 ns0$dir "$expect"
626 lret=1
627 fi
628 done
629
630 # ns0 should have seen packets from ns2, due to masquerade
631 expect="packets 1 bytes 84"
632 for dir in "in" "out" ; do
633 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
634 if [ $? -ne 0 ]; then
635 bad_counter ns1 ns0$dir "$expect"
636 lret=1
637 fi
638 done
639
640 ip netns exec ns0 nft delete table ip nat
641 if [ $? -ne 0 ]; then
642 echo "ERROR: Could not delete nat table" 1>&2
643 lret=1
644 fi
645
646 test $lret -eq 0 && echo "PASS: IP redirection for ns2"
647
648 return $lret
649 }
650
651
652 # ip netns exec ns0 ping -c 1 -q 10.0.$i.99
653 for i in 0 1 2; do
654 ip netns exec ns$i nft -f - <<EOF
655 table inet filter {
656 counter ns0in {}
657 counter ns1in {}
658 counter ns2in {}
659
660 counter ns0out {}
661 counter ns1out {}
662 counter ns2out {}
663
664 counter ns0in6 {}
665 counter ns1in6 {}
666 counter ns2in6 {}
667
668 counter ns0out6 {}
669 counter ns1out6 {}
670 counter ns2out6 {}
671
672 map nsincounter {
673 type ipv4_addr : counter
674 elements = { 10.0.1.1 : "ns0in",
675 10.0.2.1 : "ns0in",
676 10.0.1.99 : "ns1in",
677 10.0.2.99 : "ns2in" }
678 }
679
680 map nsincounter6 {
681 type ipv6_addr : counter
682 elements = { dead:1::1 : "ns0in6",
683 dead:2::1 : "ns0in6",
684 dead:1::99 : "ns1in6",
685 dead:2::99 : "ns2in6" }
686 }
687
688 map nsoutcounter {
689 type ipv4_addr : counter
690 elements = { 10.0.1.1 : "ns0out",
691 10.0.2.1 : "ns0out",
692 10.0.1.99: "ns1out",
693 10.0.2.99: "ns2out" }
694 }
695
696 map nsoutcounter6 {
697 type ipv6_addr : counter
698 elements = { dead:1::1 : "ns0out6",
699 dead:2::1 : "ns0out6",
700 dead:1::99 : "ns1out6",
701 dead:2::99 : "ns2out6" }
702 }
703
704 chain input {
705 type filter hook input priority 0; policy accept;
706 counter name ip saddr map @nsincounter
707 icmpv6 type { "echo-request", "echo-reply" } counter name ip6 saddr map @nsincounter6
708 }
709 chain output {
710 type filter hook output priority 0; policy accept;
711 counter name ip daddr map @nsoutcounter
712 icmpv6 type { "echo-request", "echo-reply" } counter name ip6 daddr map @nsoutcounter6
713 }
714 }
715 EOF
716 done
717
718 sleep 3
719 # test basic connectivity
720 for i in 1 2; do
721 ip netns exec ns0 ping -c 1 -q 10.0.$i.99 > /dev/null
722 if [ $? -ne 0 ];then
723 echo "ERROR: Could not reach other namespace(s)" 1>&2
724 ret=1
725 fi
726
727 ip netns exec ns0 ping -c 1 -q dead:$i::99 > /dev/null
728 if [ $? -ne 0 ];then
729 echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2
730 ret=1
731 fi
732 check_counters ns$i
733 if [ $? -ne 0 ]; then
734 ret=1
735 fi
736
737 check_ns0_counters ns$i
738 if [ $? -ne 0 ]; then
739 ret=1
740 fi
741 reset_counters
742 done
743
744 if [ $ret -eq 0 ];then
745 echo "PASS: netns routing/connectivity: ns0 can reach ns1 and ns2"
746 fi
747
748 reset_counters
749 test_local_dnat
750 test_local_dnat6
751
752 reset_counters
753 test_masquerade
754 test_masquerade6
755
756 reset_counters
757 test_redirect
758 test_redirect6
759
760 for i in 0 1 2; do ip netns del ns$i;done
761
762 exit $ret
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git