
[PATCHv5,net-next,1/2] wireguard: selftests: convert iptables to nft

Message ID 20250322093016.16631-2-liuhangbin@gmail.com (mailing list archive)
State New
Series wireguard: selftests: use nftables for testing | expand

Commit Message

Hangbin Liu March 22, 2025, 9:30 a.m. UTC
Convert iptables to nft as it is the replacement for iptables, which is used
by default in most releases.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++--------
 1 file changed, 19 insertions(+), 10 deletions(-)

Comments

Phil Sutter March 23, 2025, 9:10 p.m. UTC | #1
On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote:
> Convert iptabels to nft as it is the replacement for iptables, which is used
          ~~~~~~~~

Typo, but I would write "Convert the selftest to nft ..." instead since
that is what you're converting, iptables is just replaced. :)

> by default in most releases.
> 
> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> ---
>  tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++--------
>  1 file changed, 19 insertions(+), 10 deletions(-)
> 
> diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
> index 55500f901fbc..8b840fef90af 100755
> --- a/tools/testing/selftests/wireguard/netns.sh
> +++ b/tools/testing/selftests/wireguard/netns.sh
> @@ -75,6 +75,11 @@ pp ip netns add $netns1
>  pp ip netns add $netns2
>  ip0 link set up dev lo
>  
> +# init nft tables
> +n0 nft add table ip wgtest
> +n1 nft add table ip wgtest
> +n2 nft add table ip wgtest
> +
>  ip0 link add dev wg0 type wireguard
>  ip0 link set wg0 netns $netns1
>  ip0 link add dev wg0 type wireguard
> @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300
>  ip2 link set wg0 mtu 1300
>  n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
>  n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
> -n0 iptables -A INPUT -m length --length 1360 -j DROP
> +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }

You may skip the 'policy accept \;' part in all 'add chain' commands as
this is the default for all chains. Unless you prefer to explicitly
state the chain policy, of course.

Cheers, Phil
Hangbin Liu March 24, 2025, 3:15 a.m. UTC | #2
On Sun, Mar 23, 2025 at 10:10:33PM +0100, Phil Sutter wrote:
> On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote:
> > Convert iptabels to nft as it is the replacement for iptables, which is used
>           ~~~~~~~~
> 
> Typo, but I would write "Convert the selftest to nft ..." instead since
> that is what you're converting, iptables is just replaced. :)
> 
> > by default in most releases.
> > 
> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> > ---
> >  tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++--------
> >  1 file changed, 19 insertions(+), 10 deletions(-)
> > 
> > diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
> > index 55500f901fbc..8b840fef90af 100755
> > --- a/tools/testing/selftests/wireguard/netns.sh
> > +++ b/tools/testing/selftests/wireguard/netns.sh
> > @@ -75,6 +75,11 @@ pp ip netns add $netns1
> >  pp ip netns add $netns2
> >  ip0 link set up dev lo
> >  
> > +# init nft tables
> > +n0 nft add table ip wgtest
> > +n1 nft add table ip wgtest
> > +n2 nft add table ip wgtest
> > +
> >  ip0 link add dev wg0 type wireguard
> >  ip0 link set wg0 netns $netns1
> >  ip0 link add dev wg0 type wireguard
> > @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300
> >  ip2 link set wg0 mtu 1300
> >  n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
> >  n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
> > -n0 iptables -A INPUT -m length --length 1360 -j DROP
> > +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
> 
> You may skip the 'policy accept \;' part in all 'add chain' commands as
> this is the default for all chains. Unless you prefer to explicitly
> state the chain policy, of course.

Yes, I would prefer to keep the "policy accept" unless Jason has objections.

Thanks
Hangbin

Patch

diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
index 55500f901fbc..8b840fef90af 100755
--- a/tools/testing/selftests/wireguard/netns.sh
+++ b/tools/testing/selftests/wireguard/netns.sh
@@ -75,6 +75,11 @@  pp ip netns add $netns1
 pp ip netns add $netns2
 ip0 link set up dev lo
 
+# init nft tables
+n0 nft add table ip wgtest
+n1 nft add table ip wgtest
+n2 nft add table ip wgtest
+
 ip0 link add dev wg0 type wireguard
 ip0 link set wg0 netns $netns1
 ip0 link add dev wg0 type wireguard
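Review bot: The added `# init nft tables` comment does not say how the table is used, so a reader of the later `nft flush table` calls cannot tell that flushing removes the rules but leaves the base chains defined in the table. I would extend it to `# Per-namespace nft table holding this script's rules; later 'nft flush table' calls empty it but keep its chains.` The script now needs the nft binary where it previously needed iptables; whatever provides that binary to the test environment is not part of this hunk, and presumably the second patch of the series covers it, which is worth stating in the commit message.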
@@ -196,13 +201,14 @@  ip1 link set wg0 mtu 1300
 ip2 link set wg0 mtu 1300
 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
 n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
-n0 iptables -A INPUT -m length --length 1360 -j DROP
+n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
+n0 nft add rule ip wgtest INPUT meta length 1360 drop
 n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
 n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
 n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
 n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
-n0 iptables -F INPUT
+n0 nft flush table ip wgtest
 
 ip1 link set wg0 mtu $orig_mtu
 ip2 link set wg0 mtu $orig_mtu
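Review bot: The spacing before the escaped semicolon is inconsistent across the new `add chain` commands: `priority filter \;` here has a space, while the POSTROUTING chains added for the two NAT tests use `priority srcnat\;` and the OUTPUT chain for the mark test uses `priority mangle\;`. nft accepts both forms, but writing them uniformly as `priority srcnat \;` and `priority mangle \;` avoids the impression that the two spellings mean something different. Separately, the removed `iptables -F INPUT` flushed one chain whereas `n0 nft flush table ip wgtest` flushes every chain in the table; that is fine because the table holds only this script's rules, but a comment such as `# drop all test rules (the chains stay defined)` would record that this broader flush is intended.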
@@ -335,7 +341,8 @@  n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
 [[ -e /proc/sys/net/netfilter/nf_conntrack_udp_timeout ]] || modprobe nf_conntrack
 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
-n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
+n0 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; }
+n0 nft add rule ip wgtest POSTROUTING ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 snat to 10.0.0.1
 
 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
 n1 ping -W 1 -c 1 192.168.241.2
@@ -349,10 +356,11 @@  n1 wg set wg0 peer "$pub2" persistent-keepalive 0
 # Test that sk_bound_dev_if works
 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
 # What about when the mark changes and the packet must be rerouted?
-n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
+n1 nft add chain ip wgtest OUTPUT { type route hook output priority mangle\; policy accept \; }
+n1 nft add rule ip wgtest OUTPUT meta mark set 0x1
 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
-n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
+n1 nft flush table ip wgtest
 
 # Test that onion routing works, even when it loops
 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
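Review bot: The new `n1 nft add chain ip wgtest OUTPUT { type route hook output priority mangle\; ... }` depends on the `route` chain type to make the kernel re-evaluate the route after the mark is set, which is exactly what the preceding `# What about when the mark changes and the packet must be rerouted?` comment is testing, yet nothing records why `route` rather than `filter` was chosen. A later "simplification" to `type filter` would keep the rule loading and the pings passing while silently removing the rerouting behaviour under test. I would add above the add-chain line: `# 'type route' re-routes packets whose mark changed, matching the iptables mangle OUTPUT hook this test used before.`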
@@ -386,16 +394,17 @@  n1 ping -W 1 -c 100 -f 192.168.99.7
 n1 ping -W 1 -c 100 -f abab::1111
 
 # Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
-n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
-n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+n2 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; }
+n2 nft add rule ip wgtest POSTROUTING ip saddr 10.0.0.0/24 ip daddr 192.168.241.0/24 snat to 192.168.241.2
+n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
+n0 nft add rule ip wgtest INPUT iifname "vethrs" ip saddr != 10.0.0.0/24 drop
 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
 ip0 -4 route add 192.168.241.1 via 10.0.0.100
 n2 wg set wg0 peer "$pub1" remove
 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
 
-n0 iptables -t nat -F
-n0 iptables -t filter -F
-n2 iptables -t nat -F
+n0 nft flush table ip wgtest
+n2 nft flush table ip wgtest
 ip0 link del vethrc
 ip0 link del vethrs
 ip1 link del wg0
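Review bot: The explanatory comment `# Manual rpfilter just to be explicit.` on the removed iptables line is lost in the conversion and should be carried over onto `n0 nft add rule ip wgtest INPUT iifname "vethrs" ip saddr != 10.0.0.0/24 drop`, since the rule's purpose is not obvious from the match alone. The n0 INPUT base chain is also added a second time here although it still exists from the MTU test earlier in the script (the intervening `nft flush table` removed only its rules), so this line relies on nft accepting a re-add of an existing base chain with an identical hook specification; a comment stating that, for example `# INPUT already exists from the MTU test; re-adding with the same hook spec is a no-op`, would make the dependency explicit. The final `n0 nft flush table ip wgtest` and `n2 nft flush table ip wgtest` again leave empty chains behind, which appears harmless if the namespaces are torn down afterwards, as the following `link del` lines suggest.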