| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240423130604.7013-8-fw@strlen.de>
Date: Tue, 23 Apr 2024 15:05:50 +0200
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
<netfilter-devel@...r.kernel.org>,
pablo@...filter.org
Subject: [PATCH net-next 7/7] selftests: netfilter: conntrack_vrf.sh: prefer socat, not iperf3
Use socat, like most of the other scripts already do. This also makes
the script complete slightly faster (3s -> 1s).
iperf3 establishes two connections (1 control connection, and 1+x
depending on test), so adjust expected counter values as well.
Signed-off-by: Florian Westphal <fw@...len.de>
---
.../selftests/net/netfilter/conntrack_vrf.sh | 40 ++++++++++---------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh b/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
index f7417004ec71..073e8e62d350 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
@@ -43,15 +43,9 @@ cleanup()
cleanup_all_ns
}
-if ! nft --version > /dev/null 2>&1;then
- echo "SKIP: Could not run test without nft tool"
- exit $ksft_skip
-fi
-
-if ! conntrack --version > /dev/null 2>&1;then
- echo "SKIP: Could not run test without conntrack tool"
- exit $ksft_skip
-fi
+checktool "nft --version" "run test without nft"
+checktool "conntrack --version" "run test without conntrack"
+checktool "socat -h" "run test without socat"
trap cleanup EXIT
@@ -79,7 +73,15 @@ ip -net "$ns1" li set veth0 up
ip -net "$ns0" addr add $IP0/$PFXL dev veth0
ip -net "$ns1" addr add $IP1/$PFXL dev veth0
-ip netns exec "$ns1" iperf3 -s > /dev/null 2>&1 &
+listener_ready()
+{
+ local ns="$1"
+
+ ss -N "$ns" -l -n -t -o "sport = :55555" | grep -q "55555"
+}
+
+ip netns exec "$ns1" socat -u -4 TCP-LISTEN:55555,reuseaddr,fork STDOUT > /dev/null &
+busywait $BUSYWAIT_TIMEOUT listener_ready "$ns1"
# test vrf ingress handling.
# The incoming connection should be placed in conntrack zone 1,
@@ -160,16 +162,16 @@ table ip nat {
}
}
EOF
- if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null; then
- echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device"
+ if ! ip netns exec "$ns0" ip vrf exec tvrf socat -u -4 STDIN TCP:"$IP1":55555 < /dev/null > /dev/null;then
+ echo "FAIL: connect failure with masquerade + sport rewrite on vrf device"
ret=1
return
fi
# must also check that nat table was evaluated on second (lower device) iteration.
- ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2' &&
- if ip netns exec "$ns0" nft list table ip nat |grep -q 'untracked counter packets [1-9]'; then
- echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)"
+ if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 1' &&
+ ip netns exec "$ns0" nft list table ip nat |grep -q 'untracked counter packets [1-9]'; then
+ echo "PASS: connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)"
else
echo "FAIL: vrf rules have unexpected counter value"
ret=1
@@ -195,15 +197,15 @@ table ip nat {
}
}
EOF
- if ! ip netns exec "$ns0" ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null; then
- echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device"
+ if ! ip netns exec "$ns0" ip vrf exec tvrf socat -u -4 STDIN TCP:"$IP1":55555 < /dev/null > /dev/null;then
+ echo "FAIL: connect failure with masquerade + sport rewrite on veth device"
ret=1
return
fi
# must also check that nat table was evaluated on second (lower device) iteration.
- if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 2'; then
- echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device"
+ if ip netns exec "$ns0" nft list table ip nat |grep -q 'counter packets 1'; then
+ echo "PASS: connect with masquerade + sport rewrite on veth device"
else
echo "FAIL: vrf masq rule has unexpected counter value"
ret=1
--
2.43.2
Powered by blists - more mailing lists