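#!/bin/bash
#
# This tests connection tracking helper assignment:
# 1. can attach ftp helper to a connection from nft ruleset.
# 2. auto-assign still works.
#
# Needs the nft, ip, conntrack and nc tools plus veth support; a missing
# prerequisite exits with the kselftest SKIP code, a failed check exits 1.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0

# Random suffix so concurrent runs do not collide on namespace names.
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
testipv6=1

# Delete both test namespaces; installed as the EXIT trap so it also runs
# on the early SKIP/FAIL exits below.
cleanup()
{
	ip netns del "${ns1}"
	ip netns del "${ns2}"
}

# Exit with the SKIP code when a required tool is not usable.
# $1   - tool name for the SKIP message
# $2.. - probe command; non-zero status means the tool is missing
require_tool()
{
	local name=$1
	shift

	if ! "$@" > /dev/null 2>&1; then
		echo "SKIP: Could not run test without $name tool"
		exit $ksft_skip
	fi
}

require_tool nft nft --version
require_tool ip ip -Version
require_tool conntrack conntrack -V
# command -v instead of which: builtin, portable, no extra process.
require_tool netcat command -v nc

trap cleanup EXIT

ip netns add "${ns1}"
ip netns add "${ns2}"

if ! ip link add veth0 netns "${ns1}" type veth peer name veth0 netns "${ns2}" > /dev/null 2>&1; then
	echo "SKIP: No virtual ethernet pair device support in kernel"
	exit $ksft_skip
fi

ip -net "${ns1}" link set lo up
ip -net "${ns1}" link set veth0 up

ip -net "${ns2}" link set lo up
ip -net "${ns2}" link set veth0 up

ip -net "${ns1}" addr add 10.0.1.1/24 dev veth0
ip -net "${ns1}" addr add dead:1::1/64 dev veth0

ip -net "${ns2}" addr add 10.0.1.2/24 dev veth0
ip -net "${ns2}" addr add dead:1::2/64 dev veth0

# Load a raw table for one nft family that pins the ftp helper to TCP
# port 2121 in both the prerouting and output hooks.
# $1 - nft family (ip, ip6 or inet)
# $2 - network namespace to load the ruleset into
# Returns nft's exit status; non-zero means the family could not be loaded.
load_ruleset_family() {
	local family=$1
	local ns=$2

# Unquoted delimiter on purpose: $family must expand inside the ruleset.
ip netns exec "${ns}" nft -f - <<EOF
table $family raw {
	ct helper ftp {
		type "ftp" protocol tcp
	}
	chain pre {
		type filter hook prerouting priority 0; policy accept;
		tcp dport 2121 ct helper set "ftp"
	}
	chain output {
		type filter hook output priority 0; policy accept;
		tcp dport 2121 ct helper set "ftp"
	}
}
EOF
	return $?
}

# Check that conntrack in a namespace shows the ftp helper on the TCP
# connection to a port.
# $1 - network namespace
# $2 - description for the log; containing 'ipv6' selects the ipv6 table
# $3 - destination port of the connection
# Returns 0 when the helper is attached; otherwise sets ret=1 and returns 1
# (the original fell through and printed PASS after FAIL).
check_for_helper()
{
	local netns=$1
	local message=$2
	local port=$3
	local family="ipv4"

	if [[ "$message" == *ipv6* ]]; then
		family="ipv6"
	fi

	if ! ip netns exec "${netns}" conntrack -L -f "$family" -p tcp --dport "$port" 2> /dev/null | grep -q 'helper=ftp'; then
		echo "FAIL: ${netns} did not show attached helper $message" 1>&2
		ret=1
		return 1
	fi

	echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
	return 0
}

# Open a TCP connection from ns1 to ns2 on a port and check that both
# namespaces show the ftp helper; repeated over IPv6 when testipv6 is 1.
# $1 - destination port
# $2 - description of how the helper is expected to be assigned
test_helper()
{
	local port=$1
	local msg=$2

	# The sleep pipes hold nc's stdin open so the connection stays up
	# while conntrack is queried; wait below reaps both sides.
	sleep 3 | ip netns exec "${ns2}" nc -w 2 -l -p "$port" > /dev/null &

	sleep 1 | ip netns exec "${ns1}" nc -w 2 10.0.1.2 "$port" > /dev/null &
	sleep 1

	check_for_helper "$ns1" "ip $msg" "$port"
	check_for_helper "$ns2" "ip $msg" "$port"

	wait

	if [ "$testipv6" -eq 0 ]; then
		return 0
	fi

	# Flush the conntrack tables before the IPv6 run.
	ip netns exec "${ns1}" conntrack -F 2> /dev/null
	ip netns exec "${ns2}" conntrack -F 2> /dev/null

	sleep 3 | ip netns exec "${ns2}" nc -w 2 -6 -l -p "$port" > /dev/null &

	sleep 1 | ip netns exec "${ns1}" nc -w 2 -6 dead:1::2 "$port" > /dev/null &
	sleep 1

	check_for_helper "$ns1" "ipv6 $msg" "$port"
	check_for_helper "$ns2" "ipv6 $msg" "$port"

	wait
}

if ! load_ruleset_family ip "${ns1}"; then
	echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
	exit 1
fi

# No ip6 table: keep going but skip the IPv6 half of each test.
if ! load_ruleset_family ip6 "${ns1}"; then
	echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
	testipv6=0
fi

# ns2 prefers a single inet table; fall back to per-family tables.
if ! load_ruleset_family inet "${ns2}"; then
	echo "SKIP: ${ns2} cannot load inet ruleset" 1>&2
	if ! load_ruleset_family ip "${ns2}"; then
		echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
		exit 1
	fi

	if [ "$testipv6" -eq 1 ]; then
		if ! load_ruleset_family ip6 "${ns2}"; then
			echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
			exit 1
		fi
	fi
fi

test_helper 2121 "set via ruleset"
# Second run relies on automatic helper assignment instead of the ruleset.
ip netns exec "${ns1}" sysctl -q 'net.netfilter.nf_conntrack_helper=1'
ip netns exec "${ns2}" sysctl -q 'net.netfilter.nf_conntrack_helper=1'
test_helper 21 "auto-assign"

exit $ret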