Hi Liu Hangbin,
On Thu, Nov 07, 2024 at 02:54:38AM +0000, Hangbin Liu wrote:
Use nft by default if it's supported, as nft is the replacement for iptables, which is used by default in some releases. Additionally, iptables is dropped in some releases.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
CC nft developers to see if there are any easier configurations, as I'm not very familiar with nft commands.
Basically looks good, just a few minor remarks:
tools/testing/selftests/wireguard/netns.sh | 63 ++++++++++++++++++---- 1 file changed, 53 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh index 405ff262ca93..4e29c1a7003c 100755 --- a/tools/testing/selftests/wireguard/netns.sh +++ b/tools/testing/selftests/wireguard/netns.sh @@ -44,6 +44,7 @@ sleep() { read -t "$1" -N 1 || true; } waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sport = ${3:-5201}") != *"iperf3",pid=$2,fd=* ]]; do sleep 0.1; done; } waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *"ncat",pid=$2,fd=* ]]; do sleep 0.1; done; } waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ $(< "/sys/class/net/$2/operstate") != up ]]; do read -t .1 -N 0 || true; done;"; } +use_nft() { nft --version &> /dev/null; } cleanup() { set +e @@ -196,13 +197,23 @@ ip1 link set wg0 mtu 1300 ip2 link set wg0 mtu 1300 n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2 n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 -n0 iptables -A INPUT -m length --length 1360 -j DROP +if use_nft; then
- n0 nft add table inet filter
Using inet family captures IPv6 traffic, too. You don't seem to explicitly configure it, but the usual auto-config traffic may offset rule counters. If you care about such side-effects, you may want to use ip family instead.
Tables are family-specific, but generic otherwise. So you could add a table for testing in each netns up front:
| if use_nft; then
| 	n0 nft add table ip wgtest
| 	n1 nft add table ip wgtest
| 	n2 nft add table ip wgtest
| fi
- n0 nft add chain inet filter INPUT { type filter hook input priority filter ; policy accept ; }
- n0 nft add rule inet filter INPUT meta length 1360 counter drop
+else
- n0 iptables -A INPUT -m length --length 1360 -j DROP
+fi n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299 n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299 n2 ping -c 1 -W 1 -s 1269 192.168.241.1 n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299 n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299 -n0 iptables -F INPUT +if use_nft; then
- n0 nft delete table inet filter
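Review bot: `use_nft() { nft --version &> /dev/null; }` in the first hunk only proves that the nft binary is installed in the host namespace; it says nothing about whether the running kernel has nf_tables support, so on a host with the userspace tool but without nf_tables the script takes the nft branch and then fails at `n0 nft add table` instead of falling back to iptables. Consider probing the kernel as well (for example by checking that `nft list ruleset` succeeds) and stating in the commit message that the iptables path is used only when nft is absent, not when it is present but unusable.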
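Review bot: in the second hunk, the chain definition `n0 nft add chain inet filter INPUT { type filter hook input priority filter ; policy accept ; }` is written with unquoted braces and semicolons, so as it appears here bash terminates the command at the first `;` and runs `policy accept` and `}` as separate commands rather than handing the whole chain specification to nft; the specification needs to be one quoted argument, e.g. `'{ type filter hook input priority filter ; policy accept ; }'`, or the semicolons need escaping. Note also that the two branches do not clean up symmetrically: `iptables -F INPUT` only flushes rules from the built-in chain, while `nft delete table inet filter` removes the table and its chain entirely, so any later test that expects the chain to still exist behaves differently depending on which branch ran.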
Here just flush the table (drops only the rules):
| n0 nft flush table ip wgtest
Cheers,
Phil