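#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# nft synproxy forwarding test.
#
# Topology (veth pairs only):
#
#   ns1 (10.0.1.99) --eth0--veth0-- nsr --veth1--eth0-- ns2 (10.0.2.99)
#
# nsr forwards between the two /24s and carries the synproxy ruleset.  ns2
# runs an iperf3 server; the test passes when an iperf3 client in ns1 can
# complete a transfer through nsr with that ruleset loaded.  Because the
# ruleset drops every SYN that synproxy did not handle, a plain forwarded
# handshake cannot succeed and a PASS really exercises synproxy.
#
# Exit status: 0 on PASS, 1 on FAIL or setup error, $ksft_skip when the
# ruleset cannot be loaded (e.g. synproxy unsupported).
#
# Requires from lib.sh: checktool, setup_ns, cleanup_all_ns, ksft_skip.

source lib.sh

ret=0

checktool "nft --version" "run test without nft tool"
checktool "iperf3 --version" "run test without iperf3"

setup_ns nsr ns1 ns2

modprobe -q nf_conntrack

#######################################
# Kill whatever is still running inside ns1/ns2 (the backgrounded iperf3
# server) and tear down every namespace created by setup_ns.
# Globals:  ns1, ns2 (read)
#######################################
cleanup() {
	local n

	# xargs prints a usage error when a namespace has no pids; that
	# noise is deliberately discarded, nothing else is silenced.
	for n in "$ns1" "$ns2"; do
		ip netns pids "$n" | xargs kill 2>/dev/null
	done

	cleanup_all_ns
}

trap cleanup EXIT

#######################################
# Create the veth pairs, bring up and address the router side and enable
# IPv4 forwarding on both router interfaces.  TCP loose tracking is turned
# off so conntrack does not pick up connections from mid-stream packets;
# the synproxy rules below rely on untracked/invalid state being visible.
# Globals:  nsr, ns1, ns2 (read)
#######################################
setup_router() {
	local dev

	ip link add veth0 netns "$nsr" type veth peer name eth0 netns "$ns1"
	ip link add veth1 netns "$nsr" type veth peer name eth0 netns "$ns2"

	for dev in veth0 veth1; do
		ip -net "$nsr" link set "$dev" up
	done

	ip -net "$nsr" addr add 10.0.1.1/24 dev veth0
	ip -net "$nsr" addr add 10.0.2.1/24 dev veth1

	ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth0.forwarding=1
	ip netns exec "$nsr" sysctl -q net.ipv4.conf.veth1.forwarding=1
	ip netns exec "$nsr" sysctl -q net.netfilter.nf_conntrack_tcp_loose=0
}

#######################################
# Bring up eth0 in both end hosts, address them and point their default
# route at the matching router interface.
# Globals:  ns1, ns2 (read)
#######################################
setup_hosts() {
	local n

	for n in "$ns1" "$ns2"; do
		ip -net "$n" link set eth0 up
	done
	ip -net "$ns1" addr add 10.0.1.99/24 dev eth0
	ip -net "$ns2" addr add 10.0.2.99/24 dev eth0
	ip -net "$ns1" route add default via 10.0.1.1
	ip -net "$ns2" route add default via 10.0.2.1
}

#######################################
# Send a single ping from one namespace to an address and exit the whole
# test with status 1 if it does not get a reply.
# Arguments: $1 - source netns
#            $2 - destination netns (only used in the error message)
#            $3 - destination address
#######################################
require_reachable() {
	local from=$1 to=$2 addr=$3

	if ! ip netns exec "$from" ping -c 1 -q "$addr" > /dev/null; then
		printf 'ERROR: %s cannot reach %s\n' "$from" "$to" >&2
		exit 1
	fi
}

#######################################
# Load the synproxy ruleset into nsr and return nft's exit status.
#
# prerouting marks SYNs arriving on veth0 as notrack, so they reach the
# forward chain as "untracked" and synproxy answers the handshake on ns2's
# behalf.  Established flows are accepted, invalid ones dropped, and any
# SYN that synproxy did not consume is dropped as well -- that last rule is
# what makes a PASS meaningful.
# Globals:  nsr (read)
#######################################
load_synproxy_ruleset() {
	ip netns exec "$nsr" nft -f - <<EOF
table inet filter {
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
		meta iif veth0 tcp flags syn counter notrack
	}

	chain forward {
		type filter hook forward priority 0; policy accept;

		ct state new,established counter accept

		meta iif veth0 meta l4proto tcp ct state untracked,invalid synproxy mss 1460 sack-perm timestamp

		ct state invalid counter drop

		# make ns2 unreachable w.o. tcp synproxy
		tcp flags syn counter drop
	}
}
EOF
}

setup_router
setup_hosts

# test basic connectivity
require_reachable "$ns1" "$ns2" 10.0.2.99
require_reachable "$ns2" "$ns1" 10.0.1.99

ip netns exec "$ns2" iperf3 -s > /dev/null 2>&1 &
# ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 &

# let the backgrounded server come up before the client connects
sleep 1

if ! load_synproxy_ruleset; then
	echo "SKIP: Cannot add nft synproxy"
	exit "$ksft_skip"
fi

if ip netns exec "$ns1" timeout 5 iperf3 -c 10.0.2.99 -n "$((1 * 1024 * 1024))" > /dev/null; then
	echo "PASS: synproxy connection successful"
else
	echo "FAIL: iperf3 returned an error" 1>&2
	ret=1
	# dump the counters so the failing chain can be identified
	ip netns exec "$nsr" nft list ruleset
fi

exit "$ret"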