new file mode 100755
@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+MKTEMP=$(which mktemp)
+if [ -x $MKTEMP ] ; then
+ tmpfile=$(${MKTEMP})
+else
+ tmpfile=$(/tmp/${RANDOM})
+fi
+
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+# netns
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+echo "$RULESET" > $tmpfile
+$IP netns exec $NETNS_NAME $NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+fi
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
+exit 0
+
new file mode 100755
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+function netns_exec()
+{
+ # $1: netns_name $2: command
+ $IP netns exec $1 $2
+ if [ $? -ne 0 ] ; then
+ echo "E: failed to execute command in netns $1: $2" >&2
+ $IP netns del $1
+ exit 1
+ fi
+}
+
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+fi
+
+netns_exec $NETNS_NAME "$NFT add table ip t"
+netns_exec $NETNS_NAME "$NFT add chain ip t c"
+netns_exec $NETNS_NAME "$NFT add chain ip t other"
+netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
+netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
+netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
+netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}"
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+fi
+exit 0
new file mode 100755
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# test using many netns
+
+# arbitry value of 'many'
+HOWMANY=20
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+ echo "E: no ip binary" >&2
+ exit 1
+fi
+
+MKTEMP=$(which mktemp)
+if [ -x $MKTEMP ] ; then
+ tmpfile=$(${MKTEMP})
+else
+ tmpfile=$(/tmp/${RANDOM})
+fi
+
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="table ip t {
+ set s {
+ type ipv4_addr
+ elements = { 1.1.0.0}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table ip6 t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table inet t {
+ set s {
+ type ipv6_addr
+ elements = { fe00::1}
+ }
+
+ chain c {
+ ct state new
+ udp dport { 12345}
+ ip6 saddr @s drop
+ jump other
+ }
+
+ chain other {
+ }
+}
+table bridge t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}
+table arp t {
+ chain c {
+ jump other
+ }
+
+ chain other {
+ accept
+ }
+}"
+
+echo "$RULESET" > $tmpfile
+
+function test_netns()
+{
+ local NETNS_NAME=$1
+ $IP netns add $NETNS_NAME
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to create netns" >&2
+ exit 1
+ fi
+
+ $IP netns exec $NETNS_NAME $NFT -f $tmpfile
+ if [ $? -ne 0 ] ; then
+ echo "E: unable to load ruleset in netns" >&2
+ $IP netns del $NETNS_NAME
+ exit 1
+ fi
+
+ KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+ if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+ echo "E: ruleset in netns $NETNS_NAME differs from the loaded" >&2
+ DIFF="$(which diff)"
+ [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+ exit 1
+ fi
+
+ $IP netns del $NETNS_NAME
+}
+
+for i in $(seq 1 $HOWMANY) ; do
+ NETNS_NAME="$netns${i}_$(basename "$0")"
+ test_netns $NETNS_NAME
+done
+
+exit 0
+
A basic tests to check we can perform operations in different network namespaces. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> --- tests/shell/testcases/netns/0001nft-f_0 | 116 +++++++++++++++++++++ tests/shell/testcases/netns/0002loosecommands_0 | 63 +++++++++++ tests/shell/testcases/netns/0003many_0 | 130 +++++++++++++++++++++++ 3 files changed, 309 insertions(+) create mode 100755 tests/shell/testcases/netns/0001nft-f_0 create mode 100755 tests/shell/testcases/netns/0002loosecommands_0 create mode 100755 tests/shell/testcases/netns/0003many_0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html