

test/nfconntrack: use nft or iptables-legacy
nft does not support xtables compat expressions
https://git.netfilter.org/nftables/commit/?id=79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
rst0git committed Jan 8, 2024
1 parent 333fca2 commit e6300b8
Showing 8 changed files with 283 additions and 7 deletions.
1 change: 1 addition & 0 deletions scripts/build/Dockerfile.alpine
Expand Up @@ -33,6 +33,7 @@ RUN make mrproper && date && make -j $(nproc) CC="$CC" && date
RUN apk add \
ip6tables \
iptables \
iptables-legacy \
nftables \
iproute2 \
tar \
8 changes: 5 additions & 3 deletions test/zdtm/static/Makefile
Expand Up @@ -85,7 +85,8 @@ TST_NOFILE := \
socket-tcp4v6 \
socket-tcp-local \
socket-tcp-reuseport \
socket-tcp-nfconntrack \
socket-tcp-ipt-nfconntrack \
socket-tcp-nft-nfconntrack \
socket-tcp6-local \
socket-tcp4v6-local \
socket-tcpbuf \
Expand Down Expand Up @@ -277,7 +278,7 @@ pkg-config-check = $(shell sh -c '$(PKG_CONFIG) $(1) && echo y')
ifeq ($(call pkg-config-check,libbpf),y)
TST_NOFILE += \
bpf_hash \
bpf_array
bpf_array
endif

ifneq ($(ARCH),arm)
Expand Down Expand Up @@ -598,7 +599,8 @@ socket-tcpbuf6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
socket-tcp6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
socket-tcp4v6-local: CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV4V6
socket-tcp-local: CFLAGS += -D ZDTM_TCP_LOCAL
socket-tcp-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_CONNTRACK
socket-tcp-ipt-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_IPT_CONNTRACK
socket-tcp-nft-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_NFT_CONNTRACK
socket_listen6: CFLAGS += -D ZDTM_IPV6
socket_listen4v6: CFLAGS += -D ZDTM_IPV4V6
socket-tcp6-closed: CFLAGS += -D ZDTM_IPV6
File renamed without changes.
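--- a/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
@@ -0,0 +1,6 @@
+{
+'feature': 'has_ipt_legacy',
+'flavor': 'h',
+'opts': '--tcp-established',
+'flags': 'suid'
+}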
1 change: 0 additions & 1 deletion test/zdtm/static/socket-tcp-nfconntrack.desc

This file was deleted.

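--- a/test/zdtm/static/socket-tcp-nft-nfconntrack.c
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.c
@@ -0,0 +1,240 @@
+#include "zdtmtst.h"
+
+#ifdef ZDTM_IPV4V6
+#define ZDTM_FAMILY AF_INET
+#define ZDTM_SRV_FAMILY AF_INET6
+#elif defined(ZDTM_IPV6)
+#define ZDTM_FAMILY AF_INET6
+#define ZDTM_SRV_FAMILY AF_INET6
+#else
+#define ZDTM_FAMILY AF_INET
+#define ZDTM_SRV_FAMILY AF_INET
+#endif
+
+const char *test_doc = "Check, that a TCP connection can be restored\n";
+const char *test_author = "Andrey Vagin <avagin@parallels.com";
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <sched.h>
+#include <netinet/tcp.h>
+
+static int port = 8880;
+
+#define BUF_SIZE 4096
+
+int read_data(int fd, unsigned char *buf, int size)
+{
+int cur = 0;
+int ret;
+while (cur != size) {
+ret = read(fd, buf + cur, size - cur);
+if (ret <= 0)
+return -1;
+cur += ret;
+}
+
+return 0;
+}
+
+int write_data(int fd, const unsigned char *buf, int size)
+{
+int cur = 0;
+int ret;
+
+while (cur != size) {
+ret = write(fd, buf + cur, size - cur);
+if (ret <= 0)
+return -1;
+cur += ret;
+}
+
+return 0;
+}
+
+int main(int argc, char **argv)
+{
+unsigned char buf[BUF_SIZE];
+int fd, fd_s;
+pid_t extpid;
+uint32_t crc;
+int pfd[2];
+int val;
+socklen_t optlen;
+
+#ifdef ZDTM_IPT_CONNTRACK
+if (unshare(CLONE_NEWNET)) {
+pr_perror("unshare");
+return 1;
+}
+if (system("ip link set up dev lo"))
+return 1;
+
+if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+return 1;
+if (system("iptables-legacy -w -A INPUT -j DROP"))
+return 1;
+
+#endif
+
+#ifdef ZDTM_NFT_CONNTRACK
+if (unshare(CLONE_NEWNET)) {
+pr_perror("unshare");
+return 1;
+}
+if (system("ip link set up dev lo"))
+return 1;
+
+if (system("nft add table ip filter"))
+return 1;
+if (system("nft add chain ip filter INPUT"))
+return 1;
+if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
+return 1;
+if (system("nft add rule ip filter INPUT counter drop"))
+return 1;
+
+#endif
+
+#ifdef ZDTM_TCP_LOCAL
+test_init(argc, argv);
+#endif
+
+if (pipe(pfd)) {
+pr_perror("pipe() failed");
+return 1;
+}
+
+extpid = fork();
+if (extpid < 0) {
+pr_perror("fork() failed");
+return 1;
+} else if (extpid == 0) {
+#ifndef ZDTM_TCP_LOCAL
+test_ext_init(argc, argv);
+#endif
+
+close(pfd[1]);
+if (read(pfd[0], &port, sizeof(port)) != sizeof(port)) {
+pr_perror("Can't read port");
+return 1;
+}
+
+fd = tcp_init_client(ZDTM_FAMILY, "localhost", port);
+if (fd < 0)
+return 1;
+
+#ifdef STREAM
+while (1) {
+if (read_data(fd, buf, BUF_SIZE)) {
+pr_perror("read less then have to");
+return 1;
+}
+if (datachk(buf, BUF_SIZE, &crc))
+return 2;
+
+datagen(buf, BUF_SIZE, &crc);
+if (write_data(fd, buf, BUF_SIZE)) {
+pr_perror("can't write");
+return 1;
+}
+}
+#else
+if (read_data(fd, buf, BUF_SIZE)) {
+pr_perror("read less then have to");
+return 1;
+}
+if (datachk(buf, BUF_SIZE, &crc))
+return 2;
+
+datagen(buf, BUF_SIZE, &crc);
+if (write_data(fd, buf, BUF_SIZE)) {
+pr_perror("can't write");
+return 1;
+}
+#endif
+return 0;
+}
+
+#ifndef ZDTM_TCP_LOCAL
+test_init(argc, argv);
+#endif
+
+if ((fd_s = tcp_init_server(ZDTM_SRV_FAMILY, &port)) < 0) {
+pr_err("initializing server failed\n");
+return 1;
+}
+
+close(pfd[0]);
+if (write(pfd[1], &port, sizeof(port)) != sizeof(port)) {
+pr_perror("Can't send port");
+return 1;
+}
+close(pfd[1]);
+
+/*
+* parent is server of TCP connection
+*/
+fd = tcp_accept_server(fd_s);
+if (fd < 0) {
+pr_err("can't accept client connection\n");
+return 1;
+}
+
+val = 1;
+if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val))) {
+pr_perror("setsockopt");
+return 1;
+}
+
+test_daemon();
+#ifdef STREAM
+while (test_go()) {
+datagen(buf, BUF_SIZE, &crc);
+if (write_data(fd, buf, BUF_SIZE)) {
+pr_perror("can't write");
+return 1;
+}
+
+if (read_data(fd, buf, BUF_SIZE)) {
+pr_perror("read less then have to");
+return 1;
+}
+if (datachk(buf, BUF_SIZE, &crc))
+return 2;
+}
+kill(extpid, SIGKILL);
+#else
+test_waitsig();
+
+datagen(buf, BUF_SIZE, &crc);
+if (write_data(fd, buf, BUF_SIZE)) {
+pr_perror("can't write");
+return 1;
+}
+
+if (read_data(fd, buf, BUF_SIZE)) {
+pr_perror("read less then have to");
+return 1;
+}
+if (datachk(buf, BUF_SIZE, &crc))
+return 2;
+#endif
+optlen = sizeof(val);
+if (getsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, &optlen)) {
+pr_perror("getsockopt");
+return 1;
+}
+if (val != 1) {
+fail("SO_REUSEADDR are not set for %d", fd);
+return 1;
+}
+
+pass();
+return 0;
+}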
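Review bot: The chain created by `nft add chain ip filter INPUT` carries no hook declaration, so it is a regular chain that receives no packets, and the accept/drop rules added to it afterwards are never evaluated on the input path; the nft variant therefore does not restrict loopback traffic the way the iptables-legacy block does, and the `ct state` match it is meant to exercise is not in the packet path. Unless a base chain is attached somewhere I cannot see, the line should create one, e.g. `if (system("nft add chain ip filter INPUT '{ type filter hook input priority 0; }'"))`. The same block appears in the socket-tcp.c hunk of this commit and needs the same change. Separately, this file reproduces socket-tcp.c wholesale, including the ZDTM_IPT_CONNTRACK block that the Makefile never enables for this target; if socket-tcp-ipt-nfconntrack.c (the renamed file) is a link to socket-tcp.c, the same treatment here would avoid maintaining two copies of the test.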
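--- a/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
@@ -0,0 +1,7 @@
+{
+'flavor': 'h',
+'feature': 'network_lock_nftables',
+'opts': '--tcp-established',
+'dopts': '--network-lock nftables',
+'flags': 'suid'
+}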
27 changes: 24 additions & 3 deletions test/zdtm/static/socket-tcp.c
Expand Up @@ -67,17 +67,38 @@ int main(int argc, char **argv)
int val;
socklen_t optlen;

#ifdef ZDTM_CONNTRACK
#ifdef ZDTM_IPT_CONNTRACK
if (unshare(CLONE_NEWNET)) {
pr_perror("unshare");
return 1;
}
if (system("ip link set up dev lo"))
return 1;
if (system("iptables -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))

if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
return 1;
if (system("iptables-legacy -w -A INPUT -j DROP"))
return 1;

#endif

#ifdef ZDTM_NFT_CONNTRACK
if (unshare(CLONE_NEWNET)) {
pr_perror("unshare");
return 1;
if (system("iptables -w -A INPUT -j DROP"))
}
if (system("ip link set up dev lo"))
return 1;

if (system("nft add table ip filter"))
return 1;
if (system("nft add chain ip filter INPUT"))
return 1;
if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
return 1;
if (system("nft add rule ip filter INPUT counter drop"))
return 1;

#endif

#ifdef ZDTM_TCP_LOCAL
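Review bot: The `unshare(CLONE_NEWNET)` call and the `ip link set up dev lo` setup are now duplicated verbatim in the ZDTM_IPT_CONNTRACK and ZDTM_NFT_CONNTRACK blocks, so a future fix to the namespace setup has to be made twice. Hoisting them under one guard, `#if defined(ZDTM_IPT_CONNTRACK) || defined(ZDTM_NFT_CONNTRACK)`, and leaving only the firewall commands in the per-backend blocks keeps the two variants in step. The enclosing main() starts above this hunk, so the preceding declarations are not visible here.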
