check that policy can be changed from accept to drop and that the kernel acts on this. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- .../packetpath/dumps/policy.json-nft | 121 ++++++++++++++++++ .../testcases/packetpath/dumps/policy.nft | 11 ++ tests/shell/testcases/packetpath/policy | 42 ++++++ 3 files changed, 174 insertions(+) create mode 100644 tests/shell/testcases/packetpath/dumps/policy.json-nft create mode 100644 tests/shell/testcases/packetpath/dumps/policy.nft create mode 100755 tests/shell/testcases/packetpath/policy diff --git a/tests/shell/testcases/packetpath/dumps/policy.json-nft b/tests/shell/testcases/packetpath/dumps/policy.json-nft new file mode 100644 index 000000000000..26e8a0525f2b --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.json-nft @@ -0,0 +1,121 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "filter", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "underflow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "filter", + "name": "input", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-reply" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "127.0.0.1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "127.0.0.2" + } + }, + { + "counter": { + "packets": 3, + "bytes": 252 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "filter", + "chain": "input", + "handle": 0, + "expr": [ + { + "goto": { + "target": "underflow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/packetpath/dumps/policy.nft b/tests/shell/testcases/packetpath/dumps/policy.nft new file mode 100644 index 000000000000..e625ea6c82be --- /dev/null +++ b/tests/shell/testcases/packetpath/dumps/policy.nft @@ -0,0 +1,11 @@ +table inet filter { + chain underflow { + } + + chain input { + type filter hook input priority filter; policy drop; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter packets 3 bytes 252 accept + goto underflow + } +} diff --git a/tests/shell/testcases/packetpath/policy b/tests/shell/testcases/packetpath/policy new file mode 100755 index 000000000000..0bb42a548870 --- /dev/null +++ b/tests/shell/testcases/packetpath/policy @@ -0,0 +1,42 @@ +#!/bin/bash + +ip link set lo up + +$NFT -f - <<EOF +table inet filter { + chain underflow { } + + chain input { + type filter hook input priority filter; policy accept; + icmp type echo-reply accept + ip saddr 127.0.0.1 ip daddr 127.0.0.2 counter accept + goto underflow + } +} +EOF +[ $? -ne 0 ] && exit 1 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should work, polict is accept. +ping -q -c 1 127.0.0.1 >/dev/null || exit 1 + +$NFT -f - <<EOF +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + } +} +EOF +[ $? -ne 0 ] && exit 1 + +$NFT list ruleset + +ping -W 1 -q -c 1 127.0.0.2 + +ping -q -c 1 127.0.0.2 >/dev/null || exit 2 + +# should fail, policy is set to drop +ping -W 1 -q -c 1 127.0.0.1 >/dev/null 2>&1 && exit 1 + +exit 0 -- 2.43.2