From patchwork Wed Jan 31 04:08:22 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brad Cowie
X-Patchwork-Id: 194484
From: Brad Cowie To: netdev@vger.kernel.org Cc: pshelar@ovn.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dev@openvswitch.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, Brad Cowie , Aaron Conole Subject: [PATCH net-next] selftests: openvswitch: Test ICMP related matches work with SNAT Date: Wed, 31 Jan 2024 17:08:22 +1300 Message-Id: <20240131040822.835867-1-brad@faucet.nz> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Report-Abuse-To: abuse@forwardemail.net X-Report-Abuse: abuse@forwardemail.net X-Complaints-To: abuse@forwardemail.net X-ForwardEmail-Version: 0.4.40 X-ForwardEmail-Sender: rfc822; brad@faucet.nz, smtp.forwardemail.net, 149.28.215.223 X-ForwardEmail-ID: 65b9c7de887f9e7cfa92c933 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1789577582824115583 X-GMAIL-MSGID: 1789577582824115583 Add a test case for regression in openvswitch nat that was fixed by commit e6345d2824a3 ("netfilter: nf_nat: fix action not being set for all ct states"). Link: https://lore.kernel.org/netdev/20231221224311.130319-1-brad@faucet.nz/ Link: https://mail.openvswitch.org/pipermail/ovs-dev/2024-January/410476.html Suggested-by: Aaron Conole Signed-off-by: Brad Cowie Tested-by: Aaron Conole Acked-by: Aaron Conole --- .../selftests/net/openvswitch/openvswitch.sh | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh index f8499d4c87f3..87b80bee6df4 100755 --- a/tools/testing/selftests/net/openvswitch/openvswitch.sh +++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh 
@@ -17,6 +17,7 @@ tests=" ct_connect_v4 ip4-ct-xon: Basic ipv4 tcp connection using ct connect_v4 ip4-xon: Basic ipv4 ping between two NS nat_connect_v4 ip4-nat-xon: Basic ipv4 tcp connection via NAT + nat_related_v4 ip4-nat-related: ICMP related matches work with SNAT netlink_checks ovsnl: validate netlink attrs and settings upcall_interfaces ovs: test the upcall interfaces drop_reason drop: test drop reasons are emitted" 
@@ -473,6 +474,67 @@ test_nat_connect_v4 () { return 0 } +# nat_related_v4 test +# - client->server ip packets go via SNAT +# - client solicits ICMP destination unreachable packet from server +# - undo NAT for ICMP reply and test dst ip has been updated +test_nat_related_v4 () { + which nc >/dev/null 2>/dev/null || return $ksft_skip + + sbx_add "test_nat_related_v4" || return $? + + ovs_add_dp "test_nat_related_v4" natrelated4 || return 1 + info "create namespaces" + for ns in client server; do + ovs_add_netns_and_veths "test_nat_related_v4" "natrelated4" "$ns" \ + "${ns:0:1}0" "${ns:0:1}1" || return 1 + done + + ip netns exec client ip addr add 172.31.110.10/24 dev c1 + ip netns exec client ip link set c1 up + ip netns exec server ip addr add 172.31.110.20/24 dev s1 + ip netns exec server ip link set s1 up + + ip netns exec server ip route add 192.168.0.20/32 via 172.31.110.10 + + # Allow ARP + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "in_port(1),eth(),eth_type(0x0806),arp()" "2" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "in_port(2),eth(),eth_type(0x0806),arp()" "1" || return 1 + + # Allow IP traffic from client->server, rewrite source IP with SNAT to 192.168.0.20 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "ct_state(-trk),in_port(1),eth(),eth_type(0x0800),ipv4(dst=172.31.110.20)" \ + "ct(commit,nat(src=192.168.0.20)),recirc(0x1)" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "recirc_id(0x1),ct_state(+trk-inv),in_port(1),eth(),eth_type(0x0800),ipv4()" \ + "2" || return 1 + + # Allow related ICMP responses back from server and undo NAT to restore original IP + # Drop any ICMP related packets where dst ip hasn't been restored back to original IP + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "ct_state(-trk),in_port(2),eth(),eth_type(0x0800),ipv4()" \ + "ct(commit,nat),recirc(0x2)" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + 
"recirc_id(0x2),ct_state(+rel+trk),in_port(2),eth(),eth_type(0x0800),ipv4(src=172.31.110.20,dst=172.31.110.10,proto=1),icmp()" \ + "1" || return 1 + ovs_add_flow "test_nat_related_v4" natrelated4 \ + "recirc_id(0x2),ct_state(+rel+trk),in_port(2),eth(),eth_type(0x0800),ipv4(dst=192.168.0.20,proto=1),icmp()" \ + "drop" || return 1 + + # Solicit destination unreachable response from server + ovs_sbx "test_nat_related_v4" ip netns exec client \ + bash -c "echo a | nc -u -w 1 172.31.110.20 10000" + + # Check to make sure no packets matched the drop rule with incorrect dst ip + python3 "$ovs_base/ovs-dpctl.py" dump-flows natrelated4 \ + | grep "drop" | grep "packets:0" >/dev/null || return 1 + + info "done..." + return 0 +} + # netlink_validation # - Create a dp # - check no warning with "old version" simulation
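Review bot: The final check in test_nat_related_v4 (`grep "drop" | grep "packets:0"`) only proves that the drop flow was not hit, so it passes just as well when no ICMP destination unreachable reply comes back at all, for example if the nc probe fails or the server sends no reply. Consider also asserting that the accept flow matching `ipv4(src=172.31.110.20,dst=172.31.110.10,proto=1),icmp()` shows a non-zero packet count, so the test fails when the related ICMP packet never traverses the datapath. Separately, the `ip netns exec ... ip addr add`, `ip link set` and `ip route add` setup lines and the nc invocation do not check their exit status, unlike the `ovs_add_flow ... || return 1` calls around them, so a failed setup step would surface only indirectly.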