From: Florian Westphal <fw@strlen.de>
Date: Wed, 23 Apr 2025 09:57:29 +0000 (+0200)
Subject: selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup
X-Git-Tag: v6.16-rc1~132^2~161^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc91d5e6d948733773af35ef3b95504d8e588e4f;p=thirdparty%2Flinux.git

selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup

With reverted fix:
PASS: fib expression did not cause unwanted packet drops
[   37.285169] ns1-KK76Kt nft_rpfilter: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32287 DF PROTO=ICMP TYPE=8 CODE=0 ID=1818 SEQ=1
FAIL: rpfilter did drop packets
FAIL: ns1-KK76Kt cannot reach 127.0.0.1, ret 0

Check for this.

Link: https://lore.kernel.org/netfilter/20250422114352.GA2092@breakpoint.cc/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/tools/testing/selftests/net/netfilter/nft_fib.sh b/tools/testing/selftests/net/netfilter/nft_fib.sh
index ce1451c275fd1..ea47dd246a083 100755
--- a/tools/testing/selftests/net/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/net/netfilter/nft_fib.sh
@@ -45,6 +45,19 @@ table inet filter {
 EOF
 }
 
+load_input_ruleset() {
+	local netns=$1
+
+ip netns exec "$netns" nft -f /dev/stdin <<EOF
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy accept;
+	        fib saddr . iif oif missing counter log prefix "$netns nft_rpfilter: " drop
+	}
+}
+EOF
+}
+
 load_pbr_ruleset() {
 	local netns=$1
 
@@ -165,6 +178,16 @@ check_drops || exit 1
 
 echo "PASS: fib expression did not cause unwanted packet drops"
 
+load_input_ruleset "$ns1"
+
+test_ping 127.0.0.1 ::1 || exit 1
+check_drops || exit 1
+
+test_ping 10.0.1.99 dead:1::99 || exit 1
+check_drops || exit 1
+
+echo "PASS: fib expression did not discard loopback packets"
+
 ip netns exec "$nsrouter" nft flush table inet filter
 
 ip -net "$ns1" route del default