Ensure that dscp offload modification nftables ruleset works. Signed-off-by: Boris Sukholitko <boris.sukholitko@xxxxxxxxxxxx> --- .../selftests/netfilter/nft_flowtable.sh | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tools/testing/selftests/netfilter/nft_flowtable.sh b/tools/testing/selftests/netfilter/nft_flowtable.sh index 51f986f19fee..dc0980c64cc5 100755 --- a/tools/testing/selftests/netfilter/nft_flowtable.sh +++ b/tools/testing/selftests/netfilter/nft_flowtable.sh @@ -370,6 +370,46 @@ else ret=1 fi +ip netns exec $nsr1 nft flush ruleset +ip netns exec $nsr1 nft -f - <<EOF +table inet filter { + flowtable f1 { + hook ingress priority filter + devices = { veth0, veth1 } + } + + chain forward { + type filter hook forward priority filter; policy accept; + ip dscp set cs3 offload + ip protocol { tcp, udp, gre } flow add @f1 + ct state established,related accept + } +} +EOF + +tf=/tmp/test_routing_dscp.dump +rm -f $tf + +ip netns exec $ns1 nohup tcpdump -l -v -ne -i eth0 > $tf & +td_pid=$! + +if test_tcp_forwarding $ns1 $ns2; then + kill $td_pid + wait $td_pid + out="$(grep -B1 '> 10.0.1.99' $tf | grep IP | grep -v 'tos 0x60' | head)" + if test -z "$out"; then + rm -f $tf + echo "PASS: dscp flow offloaded for ns1/ns2 is correct" + else + echo "non dscp packets found in $tf $out"; + ret=1 + fi +else + echo "FAIL: dscp flow offload for ns1/ns2:" 1>&2 + ip netns exec $nsr1 nft list ruleset + ret=1 +fi + # delete default route, i.e. ns2 won't be able to reach ns1 and # will depend on ns1 being masqueraded in nsr1. # expect ns1 has nsr1 address. -- 2.32.0
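Review bot: The capture file is a fixed path, `tf=/tmp/test_routing_dscp.dump`, which the test removes and then recreates through a shell redirection. The script needs root for `ip netns exec`, so a symlink planted at that name in world-writable /tmp would be followed; `tf=$(mktemp)` avoids this. The `else` branch of `test_tcp_forwarding` never stops the background tcpdump or removes the file. An empty capture (tcpdump not installed, or nothing written before the kill) also leaves `out` empty and prints PASS, so the check should require at least one `tos 0x60` packet as well. The hunk also flushes the nsr1 ruleset, and the tests that follow it lie outside this hunk, so confirm they still find the rules they expect.

```shell
tf=$(mktemp)

ip netns exec $ns1 nohup tcpdump -l -v -ne -i eth0 > "$tf" &
td_pid=$!

if test_tcp_forwarding $ns1 $ns2; then
	# … unchanged: kill/wait tcpdump, out=$(grep … | head) …
	if ! grep -q 'tos 0x60' "$tf"; then
		echo "FAIL: no cs3-marked packets captured in $tf" 1>&2
		ret=1
	elif test -z "$out"; then
		# … unchanged: rm -f, PASS message …
	else
		# … unchanged: non-dscp report, ret=1 …
	fi
else
	kill $td_pid
	wait $td_pid
	rm -f "$tf"
	# … unchanged: FAIL message, nft list ruleset, ret=1 …
fi
```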