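#!/bin/bash
#
# Regression test for br_netfilter + nfnetlink_queue + conntrack.
#
# Bridged ICMP traffic between veth ports is diverted to userspace through
# nfqueue (in bypass mode) while the conntrack table is flushed concurrently
# from another process.  The test does not assert anything about packet flow;
# it checks that the exercise does not leave a kernel splat behind, using
# /proc/sys/kernel/tainted as the oracle.
#
# The script re-executes itself inside a fresh network namespace
# ("unshare -n $0 run") so the bridge and veth ports never touch the host
# network configuration.
#
# Requirements: root, the nft and conntrack userspace tools, the nf_queue
# helper binary built next to this script, and br_netfilter (module or
# built in).  Exit status follows kselftest conventions: 0 pass, 1 fail,
# 4 (ksft_skip) when a prerequisite is missing.

source lib.sh

checktool "nft --version" "run test without nft tool"
checktool "conntrack --version" "run test without conntrack tool"

# nf_queue is the userspace nfqueue consumer.  Without it no queue is ever
# bound and the nfqueue path this test targets would not be exercised at all,
# so treat its absence as SKIP rather than a vacuous PASS.
if [ ! -x ./nf_queue ]; then
	echo "SKIP: ./nf_queue binary not found, cannot run test"
	exit "${ksft_skip:-4}"
fi

# The taint flags are the only pass/fail signal.  A kernel that is already
# tainted (out-of-tree module, earlier warning, ...) cannot tell us whether
# *this* test produced a splat, so skip instead of reporting a false failure.
read -r tainted_before < /proc/sys/kernel/tainted
if [ "$tainted_before" -ne 0 ]; then
	echo "SKIP: kernel is already tainted (${tainted_before}), skipping test"
	exit "${ksft_skip:-4}"
fi

cleanup() {
	cleanup_all_ns
}

#######################################
# Poll helper for busywait: succeed once nfqueue number $1 is listed in
# /proc/self/net/netfilter/nfnetlink_queue, i.e. a userspace listener has
# bound it.
# Arguments: $1 - queue number
# Returns:   0 when the queue is bound, non-zero otherwise
#######################################
nf_queue_wait()
{
	grep -q "^ *$1 " "/proc/self/net/netfilter/nfnetlink_queue"
}

#######################################
# Create a veth pair, put one end into namespace $1, address it as
# 192.168.1.$3/24, and attach the local end to bridge br0.
# Both ends carry the same name ($2); they live in different namespaces.
# Globals:   br0 must already exist in the current namespace
# Arguments: $1 - network namespace for the remote end
#            $2 - interface name (used for both ends)
#            $3 - last octet of the remote end's IPv4 address
#######################################
port_add() {
	local ns="$1"
	local dev="$2"
	local a="$3"

	ip link add name "$dev" type veth peer name "$dev" netns "$ns"

	ip -net "$ns" addr add 192.168.1."$a"/24 dev "$dev"
	ip -net "$ns" link set "$dev" up

	ip link set "$dev" master br0
	ip link set "$dev" up
}

# Re-exec inside a private network namespace; the child arrives here with
# "$1" == "run" and continues below.  The parent just propagates its status.
[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }

# Everything from here on runs inside the private network namespace, so the
# per-port namespaces are only created once (by the child) and torn down by
# the EXIT trap.
setup_ns c1 c2 c3 sender

trap cleanup EXIT

ip link add br0 type bridge
ip addr add 192.168.1.254/24 dev br0

port_add "$c1" "c1" 1
port_add "$c2" "c2" 2
port_add "$c3" "c3" 3
port_add "$sender" "sender" 253

ip link set br0 up

# br_netfilter may be built in, in which case modprobe is a no-op; a missing
# module surfaces as a failing sysctl below.
modprobe -q br_netfilter

# This is the switch that makes bridged traffic traverse the ip filter
# hooks (and therefore conntrack and the nfqueue rule) at all.
sysctl net.bridge.bridge-nf-call-iptables=1 || exit 1

# Sanity check connectivity across the bridge before arming the queue.
ip netns exec "$sender" ping -I sender -c1 192.168.1.1 || exit 1
ip netns exec "$sender" ping -I sender -c1 192.168.1.2 || exit 2
ip netns exec "$sender" ping -I sender -c1 192.168.1.3 || exit 3

# Forwarded ICMP is handed to nfqueue 0.  "bypass" lets packets through
# when no listener is bound, so a failed ruleset load must not be ignored:
# without the rule the test would pass without exercising anything.
nft -f /dev/stdin <<EOF || exit 1
table ip filter {
	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state new counter
		ip protocol icmp counter queue num 0 bypass
	}
}
EOF

# Userspace consumer; exits on its own after the -t timeout.
./nf_queue -t 5 > /dev/null &

# The rule above queues to number 0, so wait specifically for that queue.
# Checking busywait's status keeps a listener that never bound (e.g. a
# crashed nf_queue) from turning into a vacuous PASS.
busywait 5000 nf_queue_wait 0 || {
	echo "ERROR: nf_queue did not bind nfqueue 0" >&2
	exit 1
}

# Flush conntrack repeatedly while the flood below has packets sitting in
# the queue: this is the race the test is meant to provoke.  The flush
# output is irrelevant; only its side effect matters.
for ((i = 0; i < 5; i++)); do
	conntrack -F > /dev/null 2>&1
	sleep 0.1
done &
flush_pid=$!

ip netns exec "$sender" ping -I sender -f -c 50 -b 192.168.1.255

# Make sure every flush has actually run before consulting the oracle.
wait "$flush_pid"

read -r t < /proc/sys/kernel/tainted
if [ "$t" -eq 0 ]; then
	echo "PASS: kernel not tainted"
else
	echo "ERROR: kernel is tainted"
	exit 1
fi

exit 0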