From: Brad Cowie
To: netdev@vger.kernel.org
Cc: pshelar@ovn.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dev@openvswitch.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Brad Cowie, Aaron Conole
Subject: [PATCH net-next] selftests: openvswitch: Test ICMP related matches work with SNAT
Date: Wed, 31 Jan 2024 17:08:22 +1300
Message-Id: <20240131040822.835867-1-brad@faucet.nz>

Add a test case for regression in openvswitch nat that was fixed by
commit e6345d2824a3 ("netfilter: nf_nat: fix action not being set for all ct states").

Link: https://lore.kernel.org/netdev/20231221224311.130319-1-brad@faucet.nz/
Link: https://mail.openvswitch.org/pipermail/ovs-dev/2024-January/410476.html
Suggested-by: Aaron Conole
Signed-off-by: Brad Cowie
---
 .../selftests/net/openvswitch/openvswitch.sh | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh index f8499d4c87f3..87b80bee6df4 100755 --- a/tools/testing/selftests/net/openvswitch/openvswitch.sh +++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh 
@@ -17,6 +17,7 @@ tests=" ct_connect_v4 ip4-ct-xon: Basic ipv4 tcp connection using ct connect_v4 ip4-xon: Basic ipv4 ping between two NS nat_connect_v4 ip4-nat-xon: Basic ipv4 tcp connection via NAT + nat_related_v4 ip4-nat-related: ICMP related matches work with SNAT netlink_checks ovsnl: validate netlink attrs and settings upcall_interfaces ovs: test the upcall interfaces drop_reason drop: test drop reasons are emitted" 
@@ -473,6 +474,67 @@ test_nat_connect_v4 () { return 0 } +# nat_related_v4 test +# - client->server ip packets go via SNAT +# - client solicits ICMP destination unreachable packet from server +# - undo NAT for ICMP reply and test dst ip has been updated +test_nat_related_v4 () { + which nc >/dev/null 2>/dev/null || return $ksft_skip + + sbx_add "test_nat_related_v4" || return $? + + ovs_add_dp "test_nat_related_v4" natrelated4 || return 1 + info "create namespaces" + for ns in client server; do + ovs_add_netns_and_veths "test_nat_related_v4" "natrelated4" "$ns" \ + "${ns:0:1}0" "${ns:0:1}1" || return 1 + done + + ip netns exec client ip addr add 172.31.110.10/24 dev c1 + ip netns exec client ip link set c1 up + ip netns exec server ip addr add 172.31.110.20/24 dev s1 + ip netns exec server ip link set s1 up + + ip netns exec server ip route add 192.168.0.20/32 via 172.31.110.10 + + # Allow ARP + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "in_port(1),eth(),eth_type(0x0806),arp()" "2" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "in_port(2),eth(),eth_type(0x0806),arp()" "1" || return 1 + + # Allow IP traffic from client->server, rewrite source IP with SNAT to 192.168.0.20 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "ct_state(-trk),in_port(1),eth(),eth_type(0x0800),ipv4(dst=172.31.110.20)" \ + "ct(commit,nat(src=192.168.0.20)),recirc(0x1)" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "recirc_id(0x1),ct_state(+trk-inv),in_port(1),eth(),eth_type(0x0800),ipv4()" \ + "2" || return 1 + + # Allow related ICMP responses back from server and undo NAT to restore original IP + # Drop any ICMP related packets where dst ip hasn't been restored back to original IP + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "ct_state(-trk),in_port(2),eth(),eth_type(0x0800),ipv4()" \ + "ct(commit,nat),recirc(0x2)" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + 
"recirc_id(0x2),ct_state(+rel+trk),in_port(2),eth(),eth_type(0x0800),ipv4(src=172.31.110.20,dst=172.31.110.10,proto=1),icmp()" \ + "1" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "recirc_id(0x2),ct_state(+rel+trk),in_port(2),eth(),eth_type(0x0800),ipv4(dst=192.168.0.20,proto=1),icmp()" \ + "drop" || return 1 + + # Solicit destination unreachable response from server + ovs_sbx "test_nat_related_v4" ip netns exec client \ + bash -c "echo a | nc -u -w 1 172.31.110.20 10000" + + # Check to make sure no packets matched the drop rule with incorrect dst ip + python3 "$ovs_base/ovs-dpctl.py" dump-flows natrelated4 \ + | grep "drop" | grep "packets:0" >/dev/null || return 1 + + info "done..." + return 0 +} + # netlink_validation # - Create a dp # - check no warning with "old version" simulation -- 2.34.1
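
Review bot: The final check in test_nat_related_v4 (the `dump-flows natrelated4 | grep "drop" | grep "packets:0"` pipeline) passes whenever the drop flow has seen no packets, and that is also true when no ICMP destination unreachable came back from the server at all, so the test can succeed without ever exercising the +rel match it is meant to cover. Please also assert that the recirc_id(0x2) flow matching `ipv4(src=172.31.110.20,dst=172.31.110.10,proto=1)` with action "1" has a non-zero packet count, so that a missing ICMP reply fails the test instead of passing it. A smaller point in the same function: the `ip netns exec ... ip addr add`, `ip link set` and `ip route add` setup commands are the only steps without `|| return 1`, so a failure there goes unnoticed and would surface only as the vacuous pass described above.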