The test checks that the packets are processed by the bridge device and not forwarded.
Signed-off-by: Fernando Fernandez Mancera
---
Please keep on mind that this requires:
* https://lore.kernel.org/netfilter-devel/20250902113529.5456-1-fmancera@suse.de/
* https://lore.kernel.org/netfilter-devel/20250902113216.5275-1-fmancera@suse.de/
---
 tests/shell/features/meta_ibrhwdr.nft | 8 ++
 .../shell/testcases/packetpath/bridge_pass_up | 83 +++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 tests/shell/features/meta_ibrhwdr.nft
 create mode 100755 tests/shell/testcases/packetpath/bridge_pass_up
diff --git a/tests/shell/features/meta_ibrhwdr.nft b/tests/shell/features/meta_ibrhwdr.nft
new file mode 100644
index 00000000..ba9b3431
--- /dev/null
+++ b/tests/shell/features/meta_ibrhwdr.nft
@@ -0,0 +1,8 @@
+# cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
+# v6.16-rc2-16052-gcbd2257dc96e
+table bridge nat {
+ chain PREROUTING {
+ type filter hook prerouting priority 0; policy accept;
+ ether daddr set meta ibrhwdr
+ }
+}
diff --git a/tests/shell/testcases/packetpath/bridge_pass_up b/tests/shell/testcases/packetpath/bridge_pass_up
new file mode 100755
index 00000000..f83d6159
--- /dev/null
+++ b/tests/shell/testcases/packetpath/bridge_pass_up
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_meta_ibrhwdr)
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+ns3="nft3ifname-$rnd"
+
+cleanup()
+{
+ ip netns del "$ns1"
+ ip netns del "$ns2"
+ ip netns del "$ns3"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip netns add "$ns3"
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+ip link add veth1 netns $ns3 type veth peer name veth1 netns $ns2
+ip link add br0 netns $ns2 type bridge
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+ip -net "$ns3" link set veth1 addr de:ad:00:00:be:ef
+
+ip -net "$ns2" link set veth0 master br0
+ip -net "$ns2" link set veth1 master br0
+
+ip -net "$ns1" link set veth0 up
+ip -net "$ns2" link set veth0 up
+ip -net "$ns3" link set veth1 up
+ip -net "$ns2" link set veth1 up
+ip -net "$ns2" link set br0 up
+
+ip -net "$ns1" addr add 10.1.1.10/24 dev veth0
+ip -net "$ns3" addr add 10.1.1.20/24 dev veth1
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table bridge nat {
+ chain PREROUTING {
+ type filter hook prerouting priority 0; policy accept;
+ ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwdr
+ }
+}
+
+table bridge process {
+ chain INPUT {
+ type filter hook input priority 0; policy accept;
+ ip protocol icmp ether saddr da:d3:00:01:02:03 counter
+ }
+}
+
+table bridge donotprocess {
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ ip protocol icmp ether saddr da:d3:00:01:02:03 counter
+ }
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.20 || true
+
+set +e
+
+ip netns exec "$ns2" $NFT list table bridge process | grep 'counter packets 0'
+if [ $? -eq 0 ]
+then
+ exit 1
+fi
+
+ip netns exec "$ns2" $NFT list table bridge donotprocess | grep 'counter packets 0'
+if [ $? -eq 1 ]
+then
+ exit 1
+fi
+
+exit 0
-- 
2.51.0
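Review bot: The pass condition on the `process` table, `grep 'counter packets 0'` followed by `if [ $? -eq 0 ]`, only proves that the string "packets 0" was not printed; if `$NFT list table bridge process` fails or prints nothing (missing table, ruleset not loaded), grep also returns non-zero and the test passes without having observed a counter at all, which `set +e` two lines earlier makes silent. Since `ping -c 1` sends a single echo request and br0 has no address to answer from, the expected state looks pinnable exactly: `ip netns exec "$ns2" $NFT list table bridge process | grep -q 'counter packets 1 ' || exit 1` and `ip netns exec "$ns2" $NFT list table bridge donotprocess | grep -q 'counter packets 0 ' || exit 1`, which fail on both a wrong count and a broken listing (the trailing space keeps `packets 1` from matching `packets 10`). Minor style: the three `ip link add` lines leave `$ns1`/`$ns2`/`$ns3` unquoted while every other reference quotes them; harmless with mktemp-derived names, but worth making consistent.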