tc-testing: add test for ct DNAT tuple collision

When this test fails, /proc/net/nf_conntrack gets only 1 entry: ipv4 2 tcp 6 119 SYN_SENT src=10.0.0.10 dst=10.0.0.10 sport=5000 dport=10 [UNREPLIED] src=20.0.0.1 dst=10.0.0.10 sport=10 dport=5000 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2 When it works, it gets 2 entries: ipv4 2 tcp 6 119 SYN_SENT src=10.0.0.10 dst=10.0.0.20 sport=5000 dport=10 [UNREPLIED] src=20.0.0.1 dst=10.0.0.10 sport=10 dport=58203 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2 ipv4 2 tcp 6 119 SYN_SENT src=10.0.0.10 dst=10.0.0.10 sport=5000 dport=10 [UNREPLIED] src=20.0.0.1 dst=10.0.0.10 sport=10 dport=5000 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2 The missing entry is because the 2nd packet hits a tuple collusion and the conntrack entry doesn't get allocated. Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2024-11-23 12:42:02 +00:00 · 2021-06-22 12:05:02 -03:00 · 2021-06-22 12:05:02 -03:00 · e469056413
commit e469056413
parent 11f04de902
1 changed files with 45 additions and 0 deletions
--- a/tools/testing/selftests/tc-testing/tc-tests/actions/ct.json
+++ b/tools/testing/selftests/tc-testing/tc-tests/actions/ct.json
@ -406,5 +406,50 @@
        "teardown": [
            "$TC actions flush action ct"
        ]
    },
    {
        "id": "3992",
        "name": "Add ct action triggering DNAT tuple conflict",
        "category": [
            "actions",
            "ct",
 	    "scapy"
        ],
 	"plugins": {
 		"requires": [
 			"nsPlugin",
 			"scapyPlugin"
 		]
 	},
        "setup": [
            [
                "$TC qdisc del dev $DEV1 ingress",
                0,
                1,
 		2,
                255
            ],
 	    "$TC qdisc add dev $DEV1 ingress"
        ],
        "cmdUnderTest": "$TC filter add dev $DEV1 ingress protocol ip prio 1 flower ct_state -trk action ct commit nat dst addr 20.0.0.1 port 10 pipe action drop",
 	"scapy": [
 	    {
 		"iface": "$DEV0",
 		"count": 1,
 		"packet": "Ether(type=0x800)/IP(src='10.0.0.10',dst='10.0.0.10')/TCP(sport=5000,dport=10)"
 	    },
 	    {
 		"iface": "$DEV0",
 		"count": 1,
 		"packet": "Ether(type=0x800)/IP(src='10.0.0.10',dst='10.0.0.20')/TCP(sport=5000,dport=10)"
 	    }
 	],
        "expExitCode": "0",
        "verifyCmd": "cat /proc/net/nf_conntrack",
        "matchPattern": "dst=10.0.0.20",
        "matchCount": "1",
        "teardown": [
            "$TC qdisc del dev $DEV1 ingress"
        ]
    }
 ]