diff options
| author | David Ahern <dsahern@gmail.com> | 2019-08-01 11:56:46 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-08-03 10:42:04 -0700 |
| commit | 88f2b36053b97d3299976dd3af1c768a7f5d9c55 (patch) | |
| tree | 1453f92a75e13e7f8c335f5fc79210eb5e76592b | |
| parent | 4cd12f61b55bc6a670900d75806a2f0122fc6658 (diff) | |
| download | linux-88f2b36053b97d3299976dd3af1c768a7f5d9c55.tar.bz2 | |
selftests: Add ipv4 netfilter tests to fcnal-test
Add netfilter tests to send tcp reset or icmp unreachable for a port.
Initial tests are VRF only.
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rwxr-xr-x | tools/testing/selftests/net/fcnal-test.sh | 69 |
1 files changed, 68 insertions, 1 deletions
diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh index dcfe0b13dfe9..6f56c91e2d66 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -3120,6 +3120,72 @@ ipv6_runtime() } ################################################################################ +# netfilter blocking connections + +netfilter_tcp_reset() +{ + local a + + for a in ${NSA_IP} ${VRF_IP} + do + log_start + run_cmd nettest -s & + sleep 1 + run_cmd_nsb nettest -r ${a} + log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" + done +} + +netfilter_icmp() +{ + local stype="$1" + local arg + local a + + [ "${stype}" = "UDP" ] && arg="-D" + + for a in ${NSA_IP} ${VRF_IP} + do + log_start + run_cmd nettest ${arg} -s & + sleep 1 + run_cmd_nsb nettest ${arg} -r ${a} + log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" + done +} + +ipv4_netfilter() +{ + which nettest >/dev/null + if [ $? -ne 0 ]; then + log_error "nettest not found; skipping tests" + return + fi + + log_section "IPv4 Netfilter" + log_subsection "TCP reset" + + setup "yes" + run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset + + netfilter_tcp_reset + + log_start + log_subsection "ICMP unreachable" + + log_start + run_cmd iptables -F + run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable + run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable + + netfilter_icmp "TCP" + netfilter_icmp "UDP" + + log_start + iptables -F +} + +################################################################################ # usage usage() @@ -3139,7 +3205,7 @@ EOF ################################################################################ # main -TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime" +TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter" TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime" PAUSE_ON_FAIL=no PAUSE=no @@ -3183,6 +3249,7 @@ do ipv4_udp|udp) ipv4_udp;; ipv4_bind|bind) ipv4_addr_bind;; ipv4_runtime) ipv4_runtime;; + ipv4_netfilter) ipv4_netfilter;; ipv6_ping|ping6) ipv6_ping;; ipv6_tcp|tcp6) ipv6_tcp;; |