git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 23 Mar 2020 16:34:30 +0000 (17:34 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 24 Mar 2020 19:00:12 +0000 (20:00 +0100)
commit	8ccf4019c71e588cb8cc82f3308be70b100c08a5
tree	42a2e03e5bfa5e70bd281e9fedfe9f196786ed00	tree \| snapshot
parent	ed7040a300fa33f4d5f93c60f5162e5dc0cf216d	commit \| diff

selftests: netfilter: add nfqueue test case

Add a test case to check nf queue infrastructure.
Could be extended in the future to also cover serialization of
conntrack, uid and secctx attributes in nfqueue.

For now, this checks that 'queue bypass' works, that a queue rule with
no bypass option blocks traffic and that userspace receives the expected
number of packets.
For this we add two queues and hook all of
prerouting/input/forward/output/postrouting.

Packets get queued twice with a dummy base chain in between:
This passes with current nf tree, but reverting
commit 991c76be3561 ("netfilter: nf_queue: fix reinject verdict handling")
makes this trip (it processes 30 instead of expected 20 packets).

v2: update config file with queue and other options missing/needed for
other tests.
v3: also test with tcp, this reveals problem with commit
2951e815ec3e ("netfilter: Support iif matches in POSTROUTING"), due to
skb->dev pointing at another skb in the retransmit rbtree (skb->dev
aliases to rbnode child).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

tools/testing/selftests/netfilter/Makefile		diff \| blob \| history
tools/testing/selftests/netfilter/config		diff \| blob \| history
tools/testing/selftests/netfilter/nf-queue.c	[new file with mode: 0644]	blob
tools/testing/selftests/netfilter/nft_queue.sh	[new file with mode: 0755]	blob