3 # This tests the fib expression.
5 # Kselftest framework requirement - SKIP code is 4.
9 sfx=$(mktemp -u "XXXXXXXX")
12 nsrouter="nsrouter-$sfx"
15 log_netns=$(sysctl -n net.netfilter.nf_log_all_netns)
21 ip netns del ${nsrouter}
23 [ $log_netns -eq 0 ] && sysctl -q net.netfilter.nf_log_all_netns=$log_netns
26 nft --version > /dev/null 2>&1
28 echo "SKIP: Could not run test without nft tool"
32 ip -Version > /dev/null 2>&1
34 echo "SKIP: Could not run test without ip tool"
38 ip netns add ${nsrouter}
40 echo "SKIP: Could not create net namespace"
46 dmesg | grep -q ' nft_rpfilter: '
48 dmesg -c | grep ' nft_rpfilter: '
49 echo "WARN: a previous test run has failed" 1>&2
52 sysctl -q net.netfilter.nf_log_all_netns=1
59 ip netns exec ${netns} nft -f /dev/stdin <<EOF
62 type filter hook prerouting priority 0; policy accept;
63 fib saddr . iif oif missing counter log prefix "$netns nft_rpfilter: " drop
69 load_ruleset_count() {
72 ip netns exec ${netns} nft -f /dev/stdin <<EOF
75 type filter hook prerouting priority 0; policy accept;
76 ip daddr 1.1.1.1 fib saddr . iif oif missing counter drop
77 ip6 daddr 1c3::c01d fib saddr . iif oif missing counter drop
84 dmesg | grep -q ' nft_rpfilter: '
86 dmesg | grep ' nft_rpfilter: '
87 echo "FAIL: rpfilter did drop packets"
99 line=$(ip netns exec ${ns} nft list table inet filter | grep 'fib saddr . iif' | grep $address | grep "packets $want" )
102 if [ $ret -ne 0 ];then
103 echo "Netns $ns fib counter doesn't match expected packet count of $want for $address" 1>&2
104 ip netns exec ${ns} nft list table inet filter
108 if [ $want -gt 0 ]; then
109 echo "PASS: fib expression did drop packets for $address"
115 load_ruleset ${nsrouter}
119 ip link add veth0 netns ${nsrouter} type veth peer name eth0 netns ${ns1} > /dev/null 2>&1
121 echo "SKIP: No virtual ethernet pair device support in kernel"
124 ip link add veth1 netns ${nsrouter} type veth peer name eth0 netns ${ns2}
126 ip -net ${nsrouter} link set lo up
127 ip -net ${nsrouter} link set veth0 up
128 ip -net ${nsrouter} addr add 10.0.1.1/24 dev veth0
129 ip -net ${nsrouter} addr add dead:1::1/64 dev veth0
131 ip -net ${nsrouter} link set veth1 up
132 ip -net ${nsrouter} addr add 10.0.2.1/24 dev veth1
133 ip -net ${nsrouter} addr add dead:2::1/64 dev veth1
135 ip -net ${ns1} link set lo up
136 ip -net ${ns1} link set eth0 up
138 ip -net ${ns2} link set lo up
139 ip -net ${ns2} link set eth0 up
141 ip -net ${ns1} addr add 10.0.1.99/24 dev eth0
142 ip -net ${ns1} addr add dead:1::99/64 dev eth0
143 ip -net ${ns1} route add default via 10.0.1.1
144 ip -net ${ns1} route add default via dead:1::1
146 ip -net ${ns2} addr add 10.0.2.99/24 dev eth0
147 ip -net ${ns2} addr add dead:2::99/64 dev eth0
148 ip -net ${ns2} route add default via 10.0.2.1
149 ip -net ${ns2} route add default via dead:2::1
155 ip netns exec ${ns1} ping -c 1 -q $daddr4 > /dev/null
157 if [ $ret -ne 0 ];then
159 echo "FAIL: ${ns1} cannot reach $daddr4, ret $ret" 1>&2
163 ip netns exec ${ns1} ping -c 3 -q $daddr6 > /dev/null
165 if [ $ret -ne 0 ];then
167 echo "FAIL: ${ns1} cannot reach $daddr6, ret $ret" 1>&2
174 ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
175 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
176 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
180 test_ping 10.0.2.1 dead:2::1 || exit 1
181 check_drops || exit 1
183 test_ping 10.0.2.99 dead:2::99 || exit 1
184 check_drops || exit 1
186 echo "PASS: fib expression did not cause unwanted packet drops"
188 ip netns exec ${nsrouter} nft flush table inet filter
190 ip -net ${ns1} route del default
191 ip -net ${ns1} -6 route del default
193 ip -net ${ns1} addr del 10.0.1.99/24 dev eth0
194 ip -net ${ns1} addr del dead:1::99/64 dev eth0
196 ip -net ${ns1} addr add 10.0.2.99/24 dev eth0
197 ip -net ${ns1} addr add dead:2::99/64 dev eth0
199 ip -net ${ns1} route add default via 10.0.2.1
200 ip -net ${ns1} -6 route add default via dead:2::1
202 ip -net ${nsrouter} addr add dead:2::1/64 dev veth0
204 # switch to ruleset that doesn't log, this time
205 # its expected that this does drop the packets.
206 load_ruleset_count ${nsrouter}
208 # ns1 has a default route, but nsrouter does not.
209 # must not check return value, ping to 1.1.1.1 will
211 check_fib_counter 0 ${nsrouter} 1.1.1.1 || exit 1
212 check_fib_counter 0 ${nsrouter} 1c3::c01d || exit 1
214 ip netns exec ${ns1} ping -c 1 -W 1 -q 1.1.1.1 > /dev/null
215 check_fib_counter 1 ${nsrouter} 1.1.1.1 || exit 1
218 ip netns exec ${ns1} ping -c 3 -q 1c3::c01d > /dev/null
219 check_fib_counter 3 ${nsrouter} 1c3::c01d || exit 1