| Message ID | 20240122162640.6374-1-yiche@redhat.com |
|---|---|
| State | Accepted |
| Series | tests: shell: add test to cover ct offload by using nft flowtables. To cover kernel patch ("netfilter: nf_tables: set transport offset from mac header for netdev/egress"). |
Hi,

This test reports:

I: [OK] 1/1 testcases/packetpath/flowtables

or did you see any issue on your end?

Thanks!

On Tue, Jan 23, 2024 at 12:26:40AM +0800, yiche@redhat.com wrote:
> From: Yi Chen <yiche@redhat.com>
>
> Signed-off-by: Yi Chen <yiche@redhat.com>
> ---
>  tests/shell/testcases/packetpath/flowtables | 96 +++++++++++++++++++++
>  1 file changed, 96 insertions(+)
>  create mode 100755 tests/shell/testcases/packetpath/flowtables
>
> diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
> new file mode 100755
> index 00000000..852a05c6
> --- /dev/null
> +++ b/tests/shell/testcases/packetpath/flowtables
> @@ -0,0 +1,96 @@ > +#! /bin/bash -x > + > +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) > + > +rnd=$(mktemp -u XXXXXXXX) > +R="flowtable-router-$rnd" > +C="flowtable-client-$rnd" > +S="flowtbale-server-$rnd" > + > +cleanup() > +{ > + for i in $R $C $S;do > + kill $(ip netns pid $i) 2>/dev/null > + ip netns del $i > + done > +} > + > +trap cleanup EXIT > + > +ip netns add $R > +ip netns add $S > +ip netns add $C > + > +ip link add s_r netns $S type veth peer name r_s netns $R > +ip netns exec $S ip link set s_r up > +ip netns exec $R ip link set r_s up > +ip link add c_r netns $C type veth peer name r_c netns $R > +ip netns exec $R ip link set r_c up > +ip netns exec $C ip link set c_r up > + > +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r > +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r > +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s > +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c > +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 > +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r > +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r > +ip netns exec $S ethtool -K s_r tso off > +ip netns exec $C ethtool -K c_r tso off > + > +sleep 3 > +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 > + > +ip netns exec $R nft -f - <<EOF > +table ip6 filter { > + flowtable f1 { > + hook ingress priority -100 > + devices = { r_c, r_s } > + } > + > + chain forward { > + type filter hook forward priority filter; policy accept; > + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0 > + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop > + tcp flags fin,rst counter packets 0 bytes 0 accept > + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept > + ip6 nexthdr tcp counter packets 0 bytes 0 log drop > + } > +} > +EOF > + > +if [ ! 
-r /proc/net/nf_conntrack ] > +then > + echo "E: nf_conntrack unreadable, skipping" >&2 > + exit 77 > +fi > + > +ip netns exec $R nft list ruleset > +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || { > + echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2 > + exit 77 > +} > +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { > + echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 > + exit 77 > + > +} > + > +# A trick to control the timing to send a packet > +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof & > +sleep 1 > +ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 & > +sleep 1 > +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } > +ip netns exec $R cat /proc/net/nf_conntrack > +sleep 6 > +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } > +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } > +ip netns exec $C echo "send sth" >> pipefile > +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } > +ip netns exec $C sleep 3 > +ip netns exec $C echo "send sth" >> pipefile > +ip netns exec $C sleep 3 > +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } > + > +exit 0 > -- > 2.43.0 > >
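Review bot: in `ip netns exec $C echo "send sth" >> pipefile` the `>> pipefile` redirection is set up by the calling shell before `ip netns exec` runs, so the namespace prefix has no effect on that line (the same goes for `ip netns exec $C sleep 3`); a plain `echo "send sth" >> pipefile` and `sleep 3` say what actually happens. The `pipefile` that the two socat addresses (`GOPEN:pipefile,ignoreeof` and `PIPE:pipefile`) create relative to the test's working directory is also never removed: cleanup() only kills the namespaces' processes and deletes the namespaces, so the file outlives the run. Creating it with `mktemp` and adding an `rm -f` for it to cleanup() would address both.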
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi,
>
> This test reports:
>
> I: [OK] 1/1 testcases/packetpath/flowtables
>
> or did you see any issue on your end?

Yes, this scenario got broken in the past, e.g. via 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple"). nf.git is fine, but I think it's good to have a test case to prevent obvious breakage in the future.
> Hi,
>
> This test reports:
>
> I: [OK] 1/1 testcases/packetpath/flowtables
>
> or did you see any issue on your end?

Yes, on the latest rhel-9 kernel 5.14.0-408.el9 which hasn't involved this patch:

a67db600fd38e08 netfilter: nf_tables: set transport offset from mac header for netdev/egress

it reports:

W: [FAILED] 1/1 testcases/packetpath/flowtables

This test case existed before and caught this issue.
On Tue, Jan 23, 2024 at 11:26:47AM +0800, Yi Chen wrote:
> > Hi,
> >
> > This test reports:
> >
> > I: [OK] 1/1 testcases/packetpath/flowtables
> >
> > or did you see any issue on your end?
>
> Yes, on the latest rhel-9 kernel 5.14.0-408.el9 which hasn't involved
> this patch:
> a67db600fd38e08 netfilter: nf_tables: set transport offset from mac
> header for netdev/egress
>
> it report:
> W: [FAILED] 1/1 testcases/packetpath/flowtables
>
> This test case existed before and caught this issue.

Great, thanks for submitting this
diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables new file mode 100755 index 00000000..852a05c6 --- /dev/null +++ b/tests/shell/testcases/packetpath/flowtables 
@@ -0,0 +1,96 @@ +#! /bin/bash -x + +# NFT_TEST_SKIP(NFT_TEST_SKIP_slow) + +rnd=$(mktemp -u XXXXXXXX) +R="flowtable-router-$rnd" +C="flowtable-client-$rnd" +S="flowtbale-server-$rnd" + +cleanup() +{ + for i in $R $C $S;do + kill $(ip netns pid $i) 2>/dev/null + ip netns del $i + done +} + +trap cleanup EXIT + +ip netns add $R +ip netns add $S +ip netns add $C + +ip link add s_r netns $S type veth peer name r_s netns $R +ip netns exec $S ip link set s_r up +ip netns exec $R ip link set r_s up +ip link add c_r netns $C type veth peer name r_c netns $R +ip netns exec $R ip link set r_c up +ip netns exec $C ip link set c_r up + +ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r +ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r +ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s +ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c +ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1 +ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r +ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r +ip netns exec $S ethtool -K s_r tso off +ip netns exec $C ethtool -K c_r tso off + +sleep 3 +ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1 + +ip netns exec $R nft -f - <<EOF +table ip6 filter { + flowtable f1 { + hook ingress priority -100 + devices = { r_c, r_s } + } + + chain forward { + type filter hook forward priority filter; policy accept; + ip6 nexthdr tcp ct state established,related counter packets 0 bytes 0 flow add @f1 counter packets 0 bytes 0 + ip6 nexthdr tcp ct state invalid counter packets 0 bytes 0 drop + tcp flags fin,rst counter packets 0 bytes 0 accept + meta l4proto tcp meta length < 100 counter packets 0 bytes 0 accept + ip6 nexthdr tcp counter packets 0 bytes 0 log drop + } +} +EOF + +if [ ! 
-r /proc/net/nf_conntrack ] +then + echo "E: nf_conntrack unreadable, skipping" >&2 + exit 77 +fi + +ip netns exec $R nft list ruleset +ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || { + echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2 + exit 77 +} +ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || { + echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2 + exit 77 + +} + +# A trick to control the timing to send a packet +ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:pipefile,ignoreeof & +sleep 1 +ip netns exec $C socat -b 2048 PIPE:pipefile TCP:[2001:db8:ffff:22::1]:10001 & +sleep 1 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "check [OFFLOAD] tag (failed)"; exit 1; } +ip netns exec $R cat /proc/net/nf_conntrack +sleep 6 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; } +ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; } +ip netns exec $C echo "send sth" >> pipefile +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; } +ip netns exec $C sleep 3 +ip netns exec $C echo "send sth" >> pipefile +ip netns exec $C sleep 3 +ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; } + +exit 0
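Review bot: the check `grep '8639[0-9]' /proc/net/nf_conntrack` for the raised nf_conntrack_tcp_timeout_established is a loose pattern: it matches those five digits in any field of any entry, not only the timeout column, so it can pass for the wrong reason. Anchoring it to the timeout field, e.g. `grep -E 'tcp +6 +8639[0-9] ESTABLISHED'`, checks what the failure message names. Two small things in the same hunk: `S="flowtbale-server-$rnd"` has a transposed "flowtable", and the second `exit 77` block carries a stray blank line before its closing brace.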