#!/bin/bash # # This tests connection tracking helper assignment: # 1. can attach ftp helper to a connection from nft ruleset. # 2. auto-assign still works. # # Kselftest framework requirement - SKIP code is 4. ksft_skip=4 ret=0 sfx=$(mktemp -u "XXXXXXXX") ns1="ns1-$sfx" ns2="ns2-$sfx" testipv6=1 cleanup() { ip netns del ${ns1} ip netns del ${ns2} } nft --version > /dev/null 2>&1 if [ $? -ne 0 ];then echo "SKIP: Could not run test without nft tool" exit $ksft_skip fi ip -Version > /dev/null 2>&1 if [ $? -ne 0 ];then echo "SKIP: Could not run test without ip tool" exit $ksft_skip fi conntrack -V > /dev/null 2>&1 if [ $? -ne 0 ];then echo "SKIP: Could not run test without conntrack tool" exit $ksft_skip fi which nc >/dev/null 2>&1 if [ $? -ne 0 ];then echo "SKIP: Could not run test without netcat tool" exit $ksft_skip fi trap cleanup EXIT ip netns add ${ns1} ip netns add ${ns2} ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1 if [ $? -ne 0 ];then echo "SKIP: No virtual ethernet pair device support in kernel" exit $ksft_skip fi ip -net ${ns1} link set lo up ip -net ${ns1} link set veth0 up ip -net ${ns2} link set lo up ip -net ${ns2} link set veth0 up ip -net ${ns1} addr add 10.0.1.1/24 dev veth0 ip -net ${ns1} addr add dead:1::1/64 dev veth0 ip -net ${ns2} addr add 10.0.1.2/24 dev veth0 ip -net ${ns2} addr add dead:1::2/64 dev veth0 load_ruleset_family() { local family=$1 local ns=$2 ip netns exec ${ns} nft -f - <<EOF table $family raw { ct helper ftp { type "ftp" protocol tcp } chain pre { type filter hook prerouting priority 0; policy accept; tcp dport 2121 ct helper set "ftp" } chain output { type filter hook output priority 0; policy accept; tcp dport 2121 ct helper set "ftp" } } EOF return $? } check_for_helper() { local netns=$1 local message=$2 local port=$3 if echo $message |grep -q 'ipv6';then local family="ipv6" else local family="ipv4" fi ip netns exec ${netns} conntrack -L -f $family -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp' if [ $? -ne 0 ] ; then if [ $autoassign -eq 0 ] ;then echo "FAIL: ${netns} did not show attached helper $message" 1>&2 ret=1 else echo "PASS: ${netns} did not show attached helper $message" 1>&2 fi else if [ $autoassign -eq 0 ] ;then echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2 else echo "FAIL: ${netns} connection on port $port has ftp helper attached" 1>&2 ret=1 fi fi return 0 } test_helper() { local port=$1 local autoassign=$2 if [ $autoassign -eq 0 ] ;then msg="set via ruleset" else msg="auto-assign" fi sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null & sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null & sleep 1 check_for_helper "$ns1" "ip $msg" $port $autoassign check_for_helper "$ns2" "ip $msg" $port $autoassign wait if [ $testipv6 -eq 0 ] ;then return 0 fi ip netns exec ${ns1} conntrack -F 2> /dev/null ip netns exec ${ns2} conntrack -F 2> /dev/null sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null & sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null & sleep 1 check_for_helper "$ns1" "ipv6 $msg" $port check_for_helper "$ns2" "ipv6 $msg" $port wait } load_ruleset_family ip ${ns1} if [ $? -ne 0 ];then echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2 exit 1 fi load_ruleset_family ip6 ${ns1} if [ $? -ne 0 ];then echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2 testipv6=0 fi load_ruleset_family inet ${ns2} if [ $? -ne 0 ];then echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2 load_ruleset_family ip ${ns2} if [ $? -ne 0 ];then echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2 exit 1 fi if [ $testipv6 -eq 1 ] ;then load_ruleset_family ip6 ${ns2} if [ $? -ne 0 ];then echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2 exit 1 fi fi fi test_helper 2121 0 ip netns exec ${ns1} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' ip netns exec ${ns2} sysctl -qe 'net.netfilter.nf_conntrack_helper=1' test_helper 21 1 exit $ret