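#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2020-2025 OpenVPN, Inc.
#
# Author: Ralf Lici <ralf@mandelbit.com>
# Antonio Quartulli <antonio@openvpn.net>
#
# Test the socket mark passed to new_multi_peer:
#  1. bring up peer0 (with MARK) and peers 1..3, check they can ping;
#  2. install an nftables rule in peer0's output hook that drops and
#     counts packets carrying MARK, check the pings now fail and that the
#     number of echo requests sent equals the rule's drop counter;
#  3. remove the rule and check the pings work again.
#
# Requires ./common.sh (NUM_PEERS, OVPN_CLI, UDP_PEERS_FILE, ALG,
# cleanup/create_ns/setup_ns/add_peer) and root privileges.

#set -x
set -e

MARK=1056

source ./common.sh

#######################################
# Read the packet counter of the mark-based drop rule in peer0.
# Globals:  none
# Outputs:  the packet count on stdout
# Returns:  0 on success. If the counter cannot be parsed the (sub)shell
#           exits 1, which under "set -e" aborts the test instead of
#           letting a later "[ -ne ]" fail silently and pass the test.
#######################################
read_drop_counter() {
	local count
	count=$(ip netns exec peer0 nft list chain inet filter output \
		| sed -n 's/.*packets \([0-9]*\).*/\1/p')
	# exactly one decimal number; a multi-line or empty result means the
	# ruleset is not what this test installed.
	if [[ ! "${count}" =~ ^[0-9]+$ ]]; then
		# stderr: stdout is captured by the caller's $(...)
		echo "Unable to read the drop rule counter (got '${count}')" >&2
		exit 1
	fi
	printf '%s\n' "${count}"
}

cleanup

modprobe -q ovpn || true

for p in $(seq 0 "${NUM_PEERS}"); do
	create_ns "${p}"
done

for p in $(seq 0 3); do
	setup_ns "${p}" 5.5.5.$((p + 1))/24
done

# add peer0 with mark
ip netns exec peer0 "${OVPN_CLI}" new_multi_peer tun0 1 ASYMM \
	"${UDP_PEERS_FILE}" \
	"${MARK}"
for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" new_key tun0 "${p}" 1 0 "${ALG}" 0 \
		data64.key
done

for p in $(seq 1 3); do
	add_peer "${p}"
done

for p in $(seq 1 3); do
	ip netns exec peer0 "${OVPN_CLI}" set_peer tun0 "${p}" 60 120
	ip netns exec peer"${p}" "${OVPN_CLI}" set_peer tun"${p}" \
		$((p + 9)) 60 120
done

sleep 1

# baseline: every peer must be reachable before the rule is added
# (a failing ping aborts the test through "set -e")
for p in $(seq 1 3); do
	ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((p + 1))
done

echo "Adding an nftables drop rule based on mark value ${MARK}"
ip netns exec peer0 nft flush ruleset
ip netns exec peer0 nft 'add table inet filter'
ip netns exec peer0 nft 'add chain inet filter output {
	type filter hook output priority 0;
	policy accept;
}'
ip netns exec peer0 nft add rule inet filter output \
	meta mark == "${MARK}" \
	counter drop

# packets already counted by the rule before the pings below start
DROP_COUNTER=$(read_drop_counter)
sleep 1

# ping should fail
for p in $(seq 1 3); do
	# a successful ping means marked traffic was not dropped
	PING_OUTPUT=$(ip netns exec peer0 ping \
		-qfc 500 -w 1 5.5.5.$((p + 1)) 2>&1) && exit 1
	printf '%s\n' "${PING_OUTPUT}"
	# every transmitted echo request is expected to have been dropped by
	# the rule, so the "N packets transmitted" count is the number of
	# drops this ping must have added to the counter
	LOST_PACKETS=$(printf '%s\n' "${PING_OUTPUT}" \
		| awk '/packets transmitted/ { print $1 }')
	if [[ ! "${LOST_PACKETS}" =~ ^[0-9]+$ ]]; then
		echo "Unable to parse ping summary for 5.5.5.$((p + 1))"
		exit 1
	fi
	# increment the drop counter by the amount of lost packets
	DROP_COUNTER=$((DROP_COUNTER + LOST_PACKETS))
done

# check if the final nft counter matches our counter
TOTAL_COUNT=$(read_drop_counter)
if [ "${DROP_COUNTER}" -ne "${TOTAL_COUNT}" ]; then
	echo "Expected ${TOTAL_COUNT} drops, got ${DROP_COUNTER}"
	exit 1
fi

echo "Removing the drop rule"
ip netns exec peer0 nft flush ruleset
sleep 1

# traffic must flow again once the rule is gone
for p in $(seq 1 3); do
	ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((p + 1))
done

cleanup

modprobe -r ovpn || true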