git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 8 Sep 2021 12:28:38 +0000 (14:28 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 21 Sep 2021 01:46:55 +0000 (03:46 +0200)
commit	0d4a8daf47060410d0ede0e64b1626b974969e20
tree	c8fac922a8d0cc231f51501cfe85fd997580969c	tree \| snapshot
parent	efbfa17658efa111efbb0149b9d4b4afa60d92b2	commit \| diff

selftests: netfilter: add selftest for directional zone support

Add a script to exercise NAT port clash resolution with directional zones.

Add net namespaces that use the same IP address and connect them to a
gateway.

Gateway uses policy routing based on iif/mark and conntrack zones to
isolate the client namespaces. In server direction, same zone with NAT
to single address is used.

Then, connect to a server from each client netns, using identical
connection id, i.e. saddr:sport -> daddr:dport.

Expectation is for all connections to succeeed: NAT gatway is
supposed to do port reallocation for each of the (clashing) connections.

This is based on the description/use case provided in the commit message of
beb5cbd91fb55d ("netfilter: nf_conntrack: add direction support for zones").

Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>