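#!/bin/bash
#
# br_netfilter + nfnetlink_queue stress test.
#
# Builds a bridge (br0) with three veth ports whose peers live in their own
# network namespaces, plus a "sender" namespace.  With br_netfilter loaded and
# bridge-nf-call-iptables enabled, ICMP forwarded by the bridge is queued to
# userspace (queue 0, served by ./nf_queue) while the conntrack table is
# flushed repeatedly in the background.  The only pass criterion is that the
# kernel is not tainted afterwards, i.e. the flush/queue interaction did not
# trigger a warning or crash.
#
# Must run as root.  Re-executes itself under "unshare -n" so nothing below
# touches the host network configuration.

source lib.sh

checktool "nft --version" "run test without nft tool"
# conntrack -F is what drives the race below and its errors are discarded, so
# a missing binary would otherwise turn this into a silent no-op PASS.
checktool "conntrack --version" "run test without conntrack tool"

# A kernel that is already tainted cannot give a meaningful verdict.
read -r t < /proc/sys/kernel/tainted
if [ "$t" -ne 0 ]; then
	echo "SKIP: kernel is tainted"
	exit "$ksft_skip"
fi

cleanup() {
	cleanup_all_ns
}

setup_ns c1 c2 c3 sender

trap cleanup EXIT

# Succeeds once a line for queue number $1 shows up in the nfnetlink_queue
# proc table, i.e. once a listener has bound to it.  Polled via busywait.
nf_queue_wait() {
	grep -q "^ *$1 " "/proc/self/net/netfilter/nfnetlink_queue"
}

# port_add NS DEV HOSTNUM
#   Create a veth pair named DEV on both ends (bridge side here, peer in NS),
#   give the NS side 192.168.1.HOSTNUM/24 and enslave the bridge side to br0.
port_add() {
	local ns="$1"
	local dev="$2"
	local a="$3"

	ip link add name "$dev" type veth peer name "$dev" netns "$ns"

	ip -net "$ns" addr add 192.168.1."$a"/24 dev "$dev"
	ip -net "$ns" link set "$dev" up

	ip link set "$dev" master br0
	ip link set "$dev" up
}

# Everything below runs in a private network namespace.
[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }

ip link add br0 type bridge
ip addr add 192.168.1.254/24 dev br0

port_add "$c1" "c1" 1
port_add "$c2" "c2" 2
port_add "$c3" "c3" 3
port_add "$sender" "sender" 253

ip link set br0 up

# Bridged traffic must reach the ip filter hooks.  The sysctl only exists once
# br_netfilter is loaded, so its failure also covers a missing module.
modprobe -q br_netfilter

sysctl net.bridge.bridge-nf-call-iptables=1 || exit 1

# Sanity: every port is reachable through the bridge before stressing it.
ip netns exec "$sender" ping -I sender -c1 192.168.1.1 || exit 1
ip netns exec "$sender" ping -I sender -c1 192.168.1.2 || exit 2
ip netns exec "$sender" ping -I sender -c1 192.168.1.3 || exit 3

# Count new connections and push forwarded ICMP to queue 0.  "bypass" lets
# packets through whenever nothing is bound to the queue (before ./nf_queue
# attaches and after it exits).  A failed load must not go unnoticed: without
# this ruleset the flood below exercises nothing and the test passes vacuously.
nft -f /dev/stdin <<EOF || exit 1
table ip filter {
	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state new counter
		ip protocol icmp counter queue num 0 bypass
	}
}
EOF

# Userspace queue listener; -t presumably bounds its run time in seconds, so
# it reaps itself without an explicit wait.
./nf_queue -t 5 > /dev/null &

# Same vacuous-pass concern as above: with no listener the bypass rule passes
# every packet and the queue path is never taken.
busywait 5000 nf_queue_wait 0 || {
	echo "ERROR: nf_queue did not bind to queue 0"
	exit 1
}

# Race: flush the conntrack table repeatedly while broadcast ICMP is flooded
# across the bridge and handed to the queue.  Flush errors are deliberately
# discarded; the verdict comes from the taint check, not from conntrack.
for _ in {1..5}; do conntrack -F > /dev/null 2> /dev/null; sleep 0.1; done &
ip netns exec "$sender" ping -I sender -f -c 50 -b 192.168.1.255

read -r t < /proc/sys/kernel/tainted
if [ "$t" -eq 0 ]; then
	echo "PASS: kernel not tainted"
else
	echo "ERROR: kernel is tainted"
	dmesg
	exit 1
fi

exit 0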