3 # This test is for basic NAT functionality: snat, dnat, redirect, masquerade.
6 # Kselftest framework requirement - SKIP code is 4.
10 nft --version > /dev/null 2>&1
12 echo "SKIP: Could not run test without nft tool"
16 ip -Version > /dev/null 2>&1
18 echo "SKIP: Could not run test without ip tool"
26 ip link add veth0 netns ns0 type veth peer name eth0 netns ns1
27 ip link add veth1 netns ns0 type veth peer name eth0 netns ns2
29 ip -net ns0 link set lo up
30 ip -net ns0 link set veth0 up
31 ip -net ns0 addr add 10.0.1.1/24 dev veth0
32 ip -net ns0 addr add dead:1::1/64 dev veth0
34 ip -net ns0 link set veth1 up
35 ip -net ns0 addr add 10.0.2.1/24 dev veth1
36 ip -net ns0 addr add dead:2::1/64 dev veth1
39 ip -net ns$i link set lo up
40 ip -net ns$i link set eth0 up
41 ip -net ns$i addr add 10.0.$i.99/24 dev eth0
42 ip -net ns$i route add default via 10.0.$i.1
43 ip -net ns$i addr add dead:$i::99/64 dev eth0
44 ip -net ns$i route add default via dead:$i::1
53 echo "ERROR: $counter counter in $ns has unexpected value (expected $expect)" 1>&2
54 ip netns exec $ns nft list counter inet filter $counter 1>&2
62 cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84")
64 bad_counter $ns ns0in "packets 1 bytes 84"
67 cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84")
69 bad_counter $ns ns0out "packets 1 bytes 84"
73 expect="packets 1 bytes 104"
74 cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect")
76 bad_counter $ns ns0in6 "$expect"
79 cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect")
81 bad_counter $ns ns0out6 "$expect"
93 cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q "packets 0 bytes 0")
95 bad_counter ns0 ns0in "packets 0 bytes 0"
99 cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0")
100 if [ $? -ne 0 ]; then
101 bad_counter ns0 ns0in6 "packets 0 bytes 0"
105 cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q "packets 0 bytes 0")
106 if [ $? -ne 0 ]; then
107 bad_counter ns0 ns0out "packets 0 bytes 0"
110 cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0")
111 if [ $? -ne 0 ]; then
112 bad_counter ns0 ns0out6 "packets 0 bytes 0"
116 for dir in "in" "out" ; do
117 expect="packets 1 bytes 84"
118 cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir} | grep -q "$expect")
119 if [ $? -ne 0 ]; then
120 bad_counter ns0 $ns$dir "$expect"
124 expect="packets 1 bytes 104"
125 cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir}6 | grep -q "$expect")
126 if [ $? -ne 0 ]; then
127 bad_counter ns0 $ns$dir6 "$expect"
138 ip netns exec ns$i nft reset counters inet > /dev/null
145 ip netns exec ns0 nft -f - <<EOF
148 type nat hook output priority 0; policy accept;
149 ip6 daddr dead:1::99 dnat to dead:2::99
153 if [ $? -ne 0 ]; then
154 echo "SKIP: Could not add add ip6 dnat hook"
158 # ping netns1, expect rewrite to netns2
159 ip netns exec ns0 ping -q -c 1 dead:1::99 > /dev/null
160 if [ $? -ne 0 ]; then
162 echo "ERROR: ping6 failed"
166 expect="packets 0 bytes 0"
167 for dir in "in6" "out6" ; do
168 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
169 if [ $? -ne 0 ]; then
170 bad_counter ns0 ns1$dir "$expect"
175 expect="packets 1 bytes 104"
176 for dir in "in6" "out6" ; do
177 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
178 if [ $? -ne 0 ]; then
179 bad_counter ns0 ns2$dir "$expect"
184 # expect 0 count in ns1
185 expect="packets 0 bytes 0"
186 for dir in "in6" "out6" ; do
187 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
188 if [ $? -ne 0 ]; then
189 bad_counter ns1 ns0$dir "$expect"
194 # expect 1 packet in ns2
195 expect="packets 1 bytes 104"
196 for dir in "in6" "out6" ; do
197 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
198 if [ $? -ne 0 ]; then
199 bad_counter ns2 ns0$dir "$expect"
204 test $lret -eq 0 && echo "PASS: ipv6 ping to ns1 was NATted to ns2"
205 ip netns exec ns0 nft flush chain ip6 nat output
213 ip netns exec ns0 nft -f - <<EOF
216 type nat hook output priority 0; policy accept;
217 ip daddr 10.0.1.99 dnat to 10.0.2.99
221 # ping netns1, expect rewrite to netns2
222 ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
223 if [ $? -ne 0 ]; then
225 echo "ERROR: ping failed"
229 expect="packets 0 bytes 0"
230 for dir in "in" "out" ; do
231 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
232 if [ $? -ne 0 ]; then
233 bad_counter ns0 ns1$dir "$expect"
238 expect="packets 1 bytes 84"
239 for dir in "in" "out" ; do
240 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
241 if [ $? -ne 0 ]; then
242 bad_counter ns0 ns2$dir "$expect"
247 # expect 0 count in ns1
248 expect="packets 0 bytes 0"
249 for dir in "in" "out" ; do
250 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
251 if [ $? -ne 0 ]; then
252 bad_counter ns1 ns0$dir "$expect"
257 # expect 1 packet in ns2
258 expect="packets 1 bytes 84"
259 for dir in "in" "out" ; do
260 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
261 if [ $? -ne 0 ]; then
262 bad_counter ns2 ns0$dir "$expect"
267 test $lret -eq 0 && echo "PASS: ping to ns1 was NATted to ns2"
269 ip netns exec ns0 nft flush chain ip nat output
272 ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null
273 if [ $? -ne 0 ]; then
275 echo "ERROR: ping failed"
279 expect="packets 1 bytes 84"
280 for dir in "in" "out" ; do
281 cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect")
282 if [ $? -ne 0 ]; then
283 bad_counter ns1 ns1$dir "$expect"
287 expect="packets 0 bytes 0"
288 for dir in "in" "out" ; do
289 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
290 if [ $? -ne 0 ]; then
291 bad_counter ns0 ns2$dir "$expect"
296 # expect 1 count in ns1
297 expect="packets 1 bytes 84"
298 for dir in "in" "out" ; do
299 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
300 if [ $? -ne 0 ]; then
301 bad_counter ns0 ns0$dir "$expect"
306 # expect 0 packet in ns2
307 expect="packets 0 bytes 0"
308 for dir in "in" "out" ; do
309 cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect")
310 if [ $? -ne 0 ]; then
311 bad_counter ns2 ns2$dir "$expect"
316 test $lret -eq 0 && echo "PASS: ping to ns1 OK after nat output chain flush"
326 ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
328 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
329 if [ $? -ne 0 ] ; then
330 echo "ERROR: cannot ping ns1 from ns2 via ipv6"
335 expect="packets 1 bytes 104"
336 for dir in "in6" "out6" ; do
337 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
338 if [ $? -ne 0 ]; then
339 bad_counter ns1 ns2$dir "$expect"
343 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
344 if [ $? -ne 0 ]; then
345 bad_counter ns2 ns1$dir "$expect"
352 # add masquerading rule
353 ip netns exec ns0 nft -f - <<EOF
356 type nat hook postrouting priority 0; policy accept;
357 meta oif veth0 masquerade
361 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
362 if [ $? -ne 0 ] ; then
363 echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading"
367 # ns1 should have seen packets from ns0, due to masquerade
368 expect="packets 1 bytes 104"
369 for dir in "in6" "out6" ; do
371 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
372 if [ $? -ne 0 ]; then
373 bad_counter ns1 ns0$dir "$expect"
377 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
378 if [ $? -ne 0 ]; then
379 bad_counter ns2 ns1$dir "$expect"
384 # ns1 should not have seen packets from ns2, due to masquerade
385 expect="packets 0 bytes 0"
386 for dir in "in6" "out6" ; do
387 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
388 if [ $? -ne 0 ]; then
389 bad_counter ns1 ns0$dir "$expect"
393 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
394 if [ $? -ne 0 ]; then
395 bad_counter ns2 ns1$dir "$expect"
400 ip netns exec ns0 nft flush chain ip6 nat postrouting
401 if [ $? -ne 0 ]; then
402 echo "ERROR: Could not flush ip6 nat postrouting" 1>&2
406 test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2"
415 ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
416 ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
418 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
419 if [ $? -ne 0 ] ; then
420 echo "ERROR: canot ping ns1 from ns2"
424 expect="packets 1 bytes 84"
425 for dir in "in" "out" ; do
426 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
427 if [ $? -ne 0 ]; then
428 bad_counter ns1 ns2$dir "$expect"
432 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
433 if [ $? -ne 0 ]; then
434 bad_counter ns2 ns1$dir "$expect"
441 # add masquerading rule
442 ip netns exec ns0 nft -f - <<EOF
445 type nat hook postrouting priority 0; policy accept;
446 meta oif veth0 masquerade
450 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
451 if [ $? -ne 0 ] ; then
452 echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading"
456 # ns1 should have seen packets from ns0, due to masquerade
457 expect="packets 1 bytes 84"
458 for dir in "in" "out" ; do
459 cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect")
460 if [ $? -ne 0 ]; then
461 bad_counter ns1 ns0$dir "$expect"
465 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
466 if [ $? -ne 0 ]; then
467 bad_counter ns2 ns1$dir "$expect"
472 # ns1 should not have seen packets from ns2, due to masquerade
473 expect="packets 0 bytes 0"
474 for dir in "in" "out" ; do
475 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
476 if [ $? -ne 0 ]; then
477 bad_counter ns1 ns0$dir "$expect"
481 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
482 if [ $? -ne 0 ]; then
483 bad_counter ns2 ns1$dir "$expect"
488 ip netns exec ns0 nft flush chain ip nat postrouting
489 if [ $? -ne 0 ]; then
490 echo "ERROR: Could not flush nat postrouting" 1>&2
494 test $lret -eq 0 && echo "PASS: IP masquerade for ns2"
503 ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
505 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
506 if [ $? -ne 0 ] ; then
507 echo "ERROR: cannnot ping ns1 from ns2 via ipv6"
511 expect="packets 1 bytes 104"
512 for dir in "in6" "out6" ; do
513 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
514 if [ $? -ne 0 ]; then
515 bad_counter ns1 ns2$dir "$expect"
519 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
520 if [ $? -ne 0 ]; then
521 bad_counter ns2 ns1$dir "$expect"
529 ip netns exec ns0 nft -f - <<EOF
532 type nat hook prerouting priority 0; policy accept;
533 meta iif veth1 meta l4proto icmpv6 ip6 saddr dead:2::99 ip6 daddr dead:1::99 redirect
537 ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1
538 if [ $? -ne 0 ] ; then
539 echo "ERROR: cannot ping ns1 from ns2 with active ip6 redirect"
543 # ns1 should have seen no packets from ns2, due to redirection
544 expect="packets 0 bytes 0"
545 for dir in "in6" "out6" ; do
546 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
547 if [ $? -ne 0 ]; then
548 bad_counter ns1 ns0$dir "$expect"
553 # ns0 should have seen packets from ns2, due to masquerade
554 expect="packets 1 bytes 104"
555 for dir in "in6" "out6" ; do
556 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
557 if [ $? -ne 0 ]; then
558 bad_counter ns1 ns0$dir "$expect"
563 ip netns exec ns0 nft delete table ip6 nat
564 if [ $? -ne 0 ]; then
565 echo "ERROR: Could not delete ip6 nat table" 1>&2
569 test $lret -eq 0 && echo "PASS: IPv6 redirection for ns2"
578 ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
579 ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
581 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
582 if [ $? -ne 0 ] ; then
583 echo "ERROR: cannot ping ns1 from ns2"
587 expect="packets 1 bytes 84"
588 for dir in "in" "out" ; do
589 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
590 if [ $? -ne 0 ]; then
591 bad_counter ns1 ns2$dir "$expect"
595 cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect")
596 if [ $? -ne 0 ]; then
597 bad_counter ns2 ns1$dir "$expect"
605 ip netns exec ns0 nft -f - <<EOF
608 type nat hook prerouting priority 0; policy accept;
609 meta iif veth1 ip protocol icmp ip saddr 10.0.2.99 ip daddr 10.0.1.99 redirect
613 ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1
614 if [ $? -ne 0 ] ; then
615 echo "ERROR: cannot ping ns1 from ns2 with active ip redirect"
619 # ns1 should have seen no packets from ns2, due to redirection
620 expect="packets 0 bytes 0"
621 for dir in "in" "out" ; do
623 cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect")
624 if [ $? -ne 0 ]; then
625 bad_counter ns1 ns0$dir "$expect"
630 # ns0 should have seen packets from ns2, due to masquerade
631 expect="packets 1 bytes 84"
632 for dir in "in" "out" ; do
633 cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect")
634 if [ $? -ne 0 ]; then
635 bad_counter ns1 ns0$dir "$expect"
640 ip netns exec ns0 nft delete table ip nat
641 if [ $? -ne 0 ]; then
642 echo "ERROR: Could not delete nat table" 1>&2
646 test $lret -eq 0 && echo "PASS: IP redirection for ns2"
652 # ip netns exec ns0 ping -c 1 -q 10.0.$i.99
654 ip netns exec ns$i nft -f - <<EOF
673 type ipv4_addr : counter
674 elements = { 10.0.1.1 : "ns0in",
677 10.0.2.99 : "ns2in" }
681 type ipv6_addr : counter
682 elements = { dead:1::1 : "ns0in6",
683 dead:2::1 : "ns0in6",
684 dead:1::99 : "ns1in6",
685 dead:2::99 : "ns2in6" }
689 type ipv4_addr : counter
690 elements = { 10.0.1.1 : "ns0out",
693 10.0.2.99: "ns2out" }
697 type ipv6_addr : counter
698 elements = { dead:1::1 : "ns0out6",
699 dead:2::1 : "ns0out6",
700 dead:1::99 : "ns1out6",
701 dead:2::99 : "ns2out6" }
705 type filter hook input priority 0; policy accept;
706 counter name ip saddr map @nsincounter
707 icmpv6 type { "echo-request", "echo-reply" } counter name ip6 saddr map @nsincounter6
710 type filter hook output priority 0; policy accept;
711 counter name ip daddr map @nsoutcounter
712 icmpv6 type { "echo-request", "echo-reply" } counter name ip6 daddr map @nsoutcounter6
719 # test basic connectivity
721 ip netns exec ns0 ping -c 1 -q 10.0.$i.99 > /dev/null
723 echo "ERROR: Could not reach other namespace(s)" 1>&2
727 ip netns exec ns0 ping -c 1 -q dead:$i::99 > /dev/null
729 echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2
733 if [ $? -ne 0 ]; then
737 check_ns0_counters ns$i
738 if [ $? -ne 0 ]; then
744 if [ $ret -eq 0 ];then
745 echo "PASS: netns routing/connectivity: ns0 can reach ns1 and ns2"
760 for i in 0 1 2; do ip netns del ns$i;done