3 # This script demonstrates interaction of conntrack and vrf.
4 # The vrf driver calls the netfilter hooks again, with oif/iif
5 # pointing at the VRF device.
7 # For ingress, this means first iteration has iifname of lower/real
8 # device. In this script, thats veth0.
9 # Second iteration is iifname set to vrf device, tvrf in this script.
11 # For egress, this is reversed: first iteration has the vrf device,
12 # second iteration is done with the lower/real/veth0 device.
14 # test_ct_zone_in demonstrates unexpected change of nftables
15 # behavior # caused by commit 09e856d54bda5f28 "vrf: Reset skb conntrack
16 # connection on VRF rcv"
18 # It was possible to assign conntrack zone to a packet (or mark it for
19 # `notracking`) in the prerouting chain before conntrack, based on real iif.
21 # After the change, the zone assignment is lost and the zone is assigned based
22 # on the VRF master interface (in case such a rule exists).
23 # assignment is lost. Instead, assignment based on the `iif` matching
24 # Thus it is impossible to distinguish packets based on the original
27 # test_masquerade_vrf and test_masquerade_veth0 demonstrate the problem
28 # that was supposed to be fixed by the commit mentioned above to make sure
29 # that any fix to test case 1 won't break masquerade again.
38 sfx=$(mktemp -u "XXXXXXXX")
44 ip netns pids $ns0 | xargs kill 2>/dev/null
45 ip netns pids $ns1 | xargs kill 2>/dev/null
47 ip netns del $ns0 $ns1
50 nft --version > /dev/null 2>&1
52 echo "SKIP: Could not run test without nft tool"
56 ip -Version > /dev/null 2>&1
58 echo "SKIP: Could not run test without ip tool"
64 echo "SKIP: Could not create net namespace $ns0"
71 ip netns exec $ns0 sysctl -q -w net.ipv4.conf.default.rp_filter=0
72 ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
73 ip netns exec $ns0 sysctl -q -w net.ipv4.conf.all.rp_filter=0
75 ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1
77 echo "SKIP: Could not add veth device"
81 ip -net $ns0 li add tvrf type vrf table 9876
83 echo "SKIP: Could not add vrf device"
87 ip -net $ns0 li set lo up
89 ip -net $ns0 li set veth0 master tvrf
90 ip -net $ns0 li set tvrf up
91 ip -net $ns0 li set veth0 up
92 ip -net $ns1 li set veth0 up
94 ip -net $ns0 addr add $IP0/$PFXL dev veth0
95 ip -net $ns1 addr add $IP1/$PFXL dev veth0
97 ip netns exec $ns1 iperf3 -s > /dev/null 2>&1&
99 echo "SKIP: Could not start iperf3"
103 # test vrf ingress handling.
104 # The incoming connection should be placed in conntrack zone 1,
105 # as decided by the first iteration of the ruleset.
108 ip netns exec $ns0 nft -f - <<EOF
111 type filter hook prerouting priority raw;
113 iif { veth0, tvrf } counter meta nftrace set 1
114 iif veth0 counter ct zone set 1 counter return
115 iif tvrf counter ct zone set 2 counter return
116 ip protocol icmp counter
121 type filter hook output priority raw;
123 oif veth0 counter ct zone set 1 counter return
124 oif tvrf counter ct zone set 2 counter return
129 ip netns exec $ns1 ping -W 1 -c 1 -I veth0 $IP0 > /dev/null
131 # should be in zone 1, not zone 2
132 count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 1 2>/dev/null | wc -l)
133 if [ $count -eq 1 ]; then
134 echo "PASS: entry found in conntrack zone 1"
136 echo "FAIL: entry not found in conntrack zone 1"
137 count=$(ip netns exec $ns0 conntrack -L -s $IP1 -d $IP0 -p icmp --zone 2 2> /dev/null | wc -l)
138 if [ $count -eq 1 ]; then
139 echo "FAIL: entry found in zone 2 instead"
141 echo "FAIL: entry not in zone 1 or 2, dumping table"
142 ip netns exec $ns0 conntrack -L
143 ip netns exec $ns0 nft list ruleset
148 # add masq rule that gets evaluated w. outif set to vrf device.
149 # This tests the first iteration of the packet through conntrack,
150 # oifname is the vrf device.
151 test_masquerade_vrf()
155 if [ "$qdisc" != "default" ]; then
156 tc -net $ns0 qdisc add dev tvrf root $qdisc
159 ip netns exec $ns0 conntrack -F 2>/dev/null
161 ip netns exec $ns0 nft -f - <<EOF
165 type filter hook output priority raw;
167 oif tvrf ct state untracked counter
170 type filter hook postrouting priority mangle;
172 oif tvrf ct state untracked counter
175 type nat hook postrouting priority 0;
176 # NB: masquerade should always be combined with 'oif(name) bla',
177 # lack of this is intentional here, we want to exercise double-snat.
178 ip saddr 172.30.30.0/30 counter masquerade random
182 ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 >/dev/null
183 if [ $? -ne 0 ]; then
184 echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on vrf device"
189 # must also check that nat table was evaluated on second (lower device) iteration.
190 ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2' &&
191 ip netns exec $ns0 nft list table ip nat |grep -q 'untracked counter packets [1-9]'
192 if [ $? -eq 0 ]; then
193 echo "PASS: iperf3 connect with masquerade + sport rewrite on vrf device ($qdisc qdisc)"
195 echo "FAIL: vrf rules have unexpected counter value"
199 if [ "$qdisc" != "default" ]; then
200 tc -net $ns0 qdisc del dev tvrf root
204 # add masq rule that gets evaluated w. outif set to veth device.
205 # This tests the 2nd iteration of the packet through conntrack,
206 # oifname is the lower device (veth0 in this case).
207 test_masquerade_veth()
209 ip netns exec $ns0 conntrack -F 2>/dev/null
210 ip netns exec $ns0 nft -f - <<EOF
214 type nat hook postrouting priority 0;
215 meta oif veth0 ip saddr 172.30.30.0/30 counter masquerade random
219 ip netns exec $ns0 ip vrf exec tvrf iperf3 -t 1 -c $IP1 > /dev/null
220 if [ $? -ne 0 ]; then
221 echo "FAIL: iperf3 connect failure with masquerade + sport rewrite on veth device"
226 # must also check that nat table was evaluated on second (lower device) iteration.
227 ip netns exec $ns0 nft list table ip nat |grep -q 'counter packets 2'
228 if [ $? -eq 0 ]; then
229 echo "PASS: iperf3 connect with masquerade + sport rewrite on veth device"
231 echo "FAIL: vrf masq rule has unexpected counter value"
237 test_masquerade_vrf "default"
238 test_masquerade_vrf "pfifo"