From 1e1dbd90a07d43ef27be04ed6d903f6abbbc57f5 Mon Sep 17 00:00:00 2001 From: Yi Chen Date: Wed, 16 Apr 2025 23:53:20 +0800 Subject: [PATCH] tests: shell: Update packetpath/flowtables 1. The socat receiver should not use the pipfile as output where the sender reads data from, this could create an infinite data loop. 2. Sending a packet right after establishing the connection helped uncover a new bug (see kernel commit d2d31ea8cd80, "netfilter: conntrack: fix erronous removal of offload bit"). 3. Optimize test log output Signed-off-by: Yi Chen Signed-off-by: Florian Westphal --- tests/shell/testcases/packetpath/flowtables | 77 +++++++++++++-------- 1 file changed, 50 insertions(+), 27 deletions(-) diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables index d4e0a5bd..b68c5dd4 100755 --- a/tests/shell/testcases/packetpath/flowtables +++ b/tests/shell/testcases/packetpath/flowtables @@ -3,8 +3,6 @@ # NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat) # NFT_TEST_SKIP(NFT_TEST_SKIP_slow) -set -x - rnd=$(mktemp -u XXXXXXXX) R="flowtable-router-$rnd" C="flowtable-client-$rnd" @@ -17,9 +15,33 @@ cleanup() ip netns del $i done } - trap cleanup EXIT +assert_pass() +{ + local ret=$? + if [ $ret != 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} +assert_fail() +{ + local ret=$? + if [ $ret == 0 ] + then + echo "FAIL: ${@}" + ip netns exec $R cat /proc/net/nf_conntrack + exit 1 + else + echo "PASS: ${@}" + fi +} + ip netns add $R ip netns add $S ip netns add $C 
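Review bot: assert_fail accepts every non-zero status as the expected outcome, but later in the patch it follows `grep -q 'OFFLOAD' /proc/net/nf_conntrack`, where grep exits 1 for "no match" and 2 for a read error. A conntrack table that could not be read would therefore be reported as "PASS: CT OFFLOAD timeout" without having been inspected; making the pass condition explicit, `if [ "$ret" -ne 1 ]` on the FAIL branch, keeps the negative check honest. Both helpers read `$?` on entry, so they only work when called as the very next command; a comment such as `# must directly follow the command under test: status is taken from $?` would stop someone from inserting a line in between. The messages are better written as `echo "FAIL: $*"`, since `${@}` inside a larger string expands to several words, and the FAIL line plus the conntrack dump would be easier to find on stderr.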
@@ -35,14 +57,15 @@ ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c -ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 +ip netns exec $R sysctl -wq net.ipv6.conf.all.forwarding=1 ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r ip netns exec $S ethtool -K s_r tso off ip netns exec $C ethtool -K c_r tso off - sleep 3 -ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 + +ip netns exec $C ping -q -6 2001:db8:ffff:22::1 -c1 +assert_pass "topo initialization" ip netns exec $R nft -f - <&2 - exit 77 -} -ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { - echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 - exit 77 +ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 +assert_pass "set net.netfilter.nf_flowtable_tcp_timeout=5" -} +ip netns exec $R sysctl -wq net.netfilter.nf_conntrack_tcp_timeout_established=86400 +assert_pass "set net.netfilter.nf_conntrack_tcp_timeout_established=86400" # A trick to control the timing to send a packet -ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof & +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/socat-$rnd,ignoreeof & sleep 1 ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' & sleep 1 -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } -ip netns exec $R cat /proc/net/nf_conntrack +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "check [OFFLOAD] tag" sleep 6 -ip netns 
exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } -ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } -ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } -ip netns exec $C sleep 3 -ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd -ip netns exec $C sleep 3 -ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } - +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_fail "CT OFFLOAD timeout, back to the classical path" +ip netns exec $R grep -q '863[89][0-9]' /proc/net/nf_conntrack; assert_pass "check timeout adopt nf_conntrack_tcp_timeout_established" +ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd ; assert_pass "send a packet" +ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack ; assert_pass "packet detected, back to the OFFLOAD path" + +i=3; while ((i--)) +do + sleep 3 + ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd; assert_pass "send a packet" + sleep 3 + ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack + assert_pass "Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD" +done exit 0 -- 2.47.2
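Review bot: The receiver's new output path `/tmp/socat-$rnd` is a second file in world-writable /tmp whose name comes from `mktemp -u` (visible as context in the first hunk), which only prints a name and reserves nothing. socat's GOPEN then opens or creates whatever is at that path, and the `ip netns` calls suggest the test runs as root. A private directory avoids the race and leaves nothing behind: `tmpdir=$(mktemp -d) || exit 1`, both the pipe and the receiver output placed under `"$tmpdir"`, and `rm -rf -- "$tmpdir"` added to cleanup(). Most of cleanup()'s body is outside the diff, so whether it already removes `/tmp/pipefile-$rnd` cannot be confirmed from here. Separately, the two `sysctl -wq` writes used to `exit 77` (skip) on failure and now go through assert_pass, which exits 1, so a kernel where `net.netfilter.nf_flowtable_tcp_timeout` cannot be set now fails the test instead of skipping it; if that is intended it deserves a line in the commit message.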