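#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2020-2025 OpenVPN, Inc.
#
#	Author:	Ralf Lici <ralf@mandelbit.com>
#		Antonio Quartulli <antonio@openvpn.net>

# Check that the fwmark handed to new_multi_peer ends up on the
# encapsulated packets leaving peer0: an nft rule matching that mark must
# drop exactly as many packets as ping transmits through the tunnel, and
# traffic must flow again once the rule is removed.

#set -x
# pipefail: a failing "nft list" must not be hidden by the sed behind it,
# otherwise an empty counter would reach the final [ -ne ] comparison,
# which would only print an error and let the test pass vacuously.
set -e -o pipefail

# mark passed to new_multi_peer and matched by the nft rule below
MARK=1056

source ./common.sh

# Print the packet counter of the drop rule in peer0's "output" chain.
# Returns 1 (and prints to stderr) if the value cannot be parsed as a
# non-negative integer, so a broken ruleset is never mistaken for zero.
get_drop_count() {
	local count
	count=$(ip netns exec peer0 nft list chain inet filter output \
		| sed -n 's/.*packets \([0-9]*\).*/\1/p') || return 1
	if [[ ! "${count}" =~ ^[0-9]+$ ]]; then
		echo "Unable to read nft drop counter: '${count}'" >&2
		return 1
	fi
	echo "${count}"
}

cleanup

modprobe -q ovpn || true

for p in $(seq 0 "${NUM_PEERS}"); do
	create_ns "${p}"
done

for p in $(seq 0 3); do
	setup_ns "${p}" 5.5.5.$((p + 1))/24
done

# add peer0 with mark
ip netns exec peer0 "${OVPN_CLI}" new_multi_peer tun0 1 ASYMM \
	"${UDP_PEERS_FILE}" \
	"${MARK}"
for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" new_key tun0 "${p}" 1 0 "${ALG}" 0 \
		data64.key
done

for p in $(seq 1 3); do
	add_peer "${p}"
done

for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" set_peer tun0 "${p}" 60 120
	ip netns exec peer"${p}" "${OVPN_CLI}" set_peer tun"${p}" \
		$((p + 9)) 60 120
done

sleep 1

# baseline: without any filtering every peer must be reachable
for p in $(seq 1 3); do
	ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((p + 1))
done

echo "Adding an nftables drop rule based on mark value ${MARK}"
ip netns exec peer0 nft flush ruleset
ip netns exec peer0 nft 'add table inet filter'
ip netns exec peer0 nft 'add chain inet filter output {
	type filter hook output priority 0;
	policy accept;
}'
ip netns exec peer0 nft add rule inet filter output \
	meta mark == "${MARK}" \
	counter drop

# start from whatever the rule has already counted before we ping
DROP_COUNTER=$(get_drop_count)
sleep 1

# ping should fail
for p in $(seq 1 3); do
	# a zero exit status means a reply came back, i.e. the marked
	# packets were not dropped
	PING_OUTPUT=$(ip netns exec peer0 ping \
		-qfc 500 -w 1 5.5.5.$((p + 1)) 2>&1) && exit 1
	echo "${PING_OUTPUT}"
	# ping exited non-zero, so no reply was received and every
	# transmitted packet ("N packets transmitted, ...") was dropped
	LOST_PACKETS=$(awk '/packets transmitted/ { print $1 }' <<<"${PING_OUTPUT}")
	if [[ ! "${LOST_PACKETS}" =~ ^[0-9]+$ ]]; then
		echo "Unable to parse ping statistics: '${LOST_PACKETS}'" >&2
		exit 1
	fi
	# increment the drop counter by the amount of lost packets
	DROP_COUNTER=$((DROP_COUNTER + LOST_PACKETS))
done

# check if the final nft counter matches our counter
TOTAL_COUNT=$(get_drop_count)
if [ "${DROP_COUNTER}" -ne "${TOTAL_COUNT}" ]; then
	echo "Expected ${TOTAL_COUNT} drops, got ${DROP_COUNTER}"
	exit 1
fi

echo "Removing the drop rule"
ip netns exec peer0 nft flush ruleset
sleep 1

# traffic must recover once the rule is gone
for p in $(seq 1 3); do
	ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((p + 1))
done

cleanup

modprobe -r ovpn || true
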