* [PATCHv2 net-next] selftests: wireguards: use nft by default
From: Hangbin Liu @ 2024-11-11 4:19 UTC
To: netdev
Cc: Jason A. Donenfeld, Shuah Khan, David S. Miller,
Florian Westphal, Phil Sutter, wireguard, linux-kselftest,
linux-kernel, Hangbin Liu
Use nft by default if it's supported, as nft is the replacement for iptables,
which is used by default in some releases. Additionally, iptables is dropped
in some releases.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
v2: use one nft table for testing (Phil Sutter)
---
tools/testing/selftests/wireguard/netns.sh | 63 ++++++++++++++++++----
1 file changed, 53 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
index 405ff262ca93..be4e3b13ed22 100755
--- a/tools/testing/selftests/wireguard/netns.sh
+++ b/tools/testing/selftests/wireguard/netns.sh
@@ -44,6 +44,7 @@ sleep() { read -t "$1" -N 1 || true; }
waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sport = ${3:-5201}") != *\"iperf3\",pid=$2,fd=* ]]; do sleep 0.1; done; }
waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *\"ncat\",pid=$2,fd=* ]]; do sleep 0.1; done; }
waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") != up ]]; do read -t .1 -N 0 || true; done;"; }
+use_nft() { nft --version &> /dev/null; }
cleanup() {
set +e
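Review bot: use_nft() only checks that the nft binary runs on the host (`nft --version`), not that the kernel the namespaces run on supports nf_tables, so a box with the userspace tool installed but a kernel built without nf_tables takes the nft branch and fails at the first `nft add table`; a probe that actually talks to the kernel, such as `nft list tables` inside one of the namespaces, would be a more reliable gate. It also re-executes the binary on every call; evaluating it once into a variable would be cheaper and just as readable.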
@@ -75,6 +76,12 @@ pp ip netns add $netns1
pp ip netns add $netns2
ip0 link set up dev lo
+if use_nft; then
+ n0 nft add table ip wgtest
+ n1 nft add table ip wgtest
+ n2 nft add table ip wgtest
+fi
+
ip0 link add dev wg0 type wireguard
ip0 link set wg0 netns $netns1
ip0 link add dev wg0 type wireguard
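Review bot: the three `nft add table ip wgtest` lines have no matching `nft delete table` anywhere in the diff; that is fine if cleanup() tears the namespaces down, since a table dies with its netns, but a one-line comment saying so would save the next reader from hunting for the teardown. Creating the table in all three namespaces up front is the right choice, given that later hunks add chains in each of them.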
@@ -196,13 +203,22 @@ ip1 link set wg0 mtu 1300
ip2 link set wg0 mtu 1300
n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
-n0 iptables -A INPUT -m length --length 1360 -j DROP
+if use_nft; then
+ n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
+ n0 nft add rule ip wgtest INPUT meta length 1360 counter drop
+else
+ n0 iptables -A INPUT -m length --length 1360 -j DROP
+fi
n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
n2 ping -c 1 -W 1 -s 1269 192.168.241.1
n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
-n0 iptables -F INPUT
+if use_nft; then
+ n0 nft flush table ip wgtest
+else
+ n0 iptables -F INPUT
+fi
ip1 link set wg0 mtu $orig_mtu
ip2 link set wg0 mtu $orig_mtu
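Review bot: `n0 nft flush table ip wgtest` is broader than the `iptables -F INPUT` it replaces: it flushes every chain in the table rather than just INPUT, and leaves the now-empty INPUT base chain hooked into the input path. That is harmless here because INPUT is the only chain in n0 at this point, but `nft flush chain ip wgtest INPUT` is the exact counterpart and keeps the two branches symmetric. Minor: `priority filter \;` has a space before the escaped semicolon while the nat and mangle hunks write `srcnat\;` and `mangle\;`; pick one spacing.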
@@ -334,7 +350,12 @@ waitiface $netns2 veths
n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
-n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
+if use_nft; then
+ n0 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; }
+ n0 nft add rule ip wgtest POSTROUTING ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter snat to 10.0.0.1
+else
+ n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
+fi
n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
n1 ping -W 1 -c 1 192.168.241.2
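Review bot: `type nat hook postrouting priority srcnat` is the correct base chain for this rule and the translation of `-s`/`-d`/`--to` into `ip saddr`/`ip daddr`/`snat to` is exact. Worth a comment next to the chain declaration, though: once this table is flushed further down the script, the POSTROUTING chain stays registered with the postrouting hook with an empty rule list, because `nft flush` removes rules, not chains; readers coming from the iptables branch, where `-t nat -F` has the same effect on a built-in chain, may otherwise expect the chain to disappear.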
@@ -348,10 +369,19 @@ n1 wg set wg0 peer "$pub2" persistent-keepalive 0
# Test that sk_bound_dev_if works
n1 ping -I wg0 -c 1 -W 1 192.168.241.2
# What about when the mark changes and the packet must be rerouted?
-n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
+if use_nft; then
+ n1 nft add chain ip wgtest OUTPUT { type route hook output priority mangle\; policy accept \; }
+ n1 nft add rule ip wgtest OUTPUT counter meta mark set 0x1
+else
+ n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
+fi
n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
-n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
+if use_nft; then
+ n1 nft flush table ip wgtest
+else
+ n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
+fi
# Test that onion routing works, even when it loops
n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
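Review bot: `iptables -I OUTPUT` inserts at the head of the chain, whereas `nft add rule` appends at the tail; the two are equivalent only because the OUTPUT chain is empty at this point, and `nft insert rule ip wgtest OUTPUT ...` would be the exact counterpart. The `type route hook output priority mangle` chain is the right choice, since only a route-type output chain triggers the re-routing this test checks; a one-line comment saying so would help readers used to iptables, where the mangle table does this implicitly. Also, `nft flush table` here clears every rule in n1's table rather than just the mark rule that `iptables -D` removes; fine today with a single rule, but since `nft delete rule` needs a handle, `nft flush chain ip wgtest OUTPUT` is the closer match.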
@@ -385,16 +415,29 @@ n1 ping -W 1 -c 100 -f 192.168.99.7
n1 ping -W 1 -c 100 -f abab::1111
# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
-n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
-n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+if use_nft; then
+ n2 nft add chain ip wgtest POSTROUTING { type nat hook postrouting priority srcnat\; policy accept \; }
+ n2 nft add rule ip wgtest POSTROUTING ip saddr 10.0.0.0/24 ip daddr 192.168.241.0/24 counter snat to 192.168.241.2
+
+ n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
+ n0 nft add rule ip wgtest INPUT iifname "vethrs" ip saddr != 10.0.0.0/24 counter drop
+else
+ n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
+ n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
+fi
n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
ip0 -4 route add 192.168.241.1 via 10.0.0.100
n2 wg set wg0 peer "$pub1" remove
[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
-n0 iptables -t nat -F
-n0 iptables -t filter -F
-n2 iptables -t nat -F
+if use_nft; then
+ n0 nft flush table ip wgtest
+ n2 nft flush table ip wgtest
+else
+ n0 iptables -t nat -F
+ n0 iptables -t filter -F
+ n2 iptables -t nat -F
+fi
ip0 link del vethrc
ip0 link del vethrs
ip1 link del wg0
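Review bot: `n0 nft add chain ip wgtest INPUT { ... }` re-declares a base chain that already exists from the MTU test earlier in the script, because the intervening `nft flush table` removes rules but keeps chains. `nft add chain` tolerates that only because the type, hook and priority match the first declaration exactly; any drift between the two copies would make this line fail, and since cleanup() has to re-enable errors with `set +e` the script evidently runs with errexit. Either factor the chain declaration into a small helper used by both places or add a comment stating that the re-add is intentional and must stay identical. The rpfilter translation (`iifname "vethrs" ip saddr != 10.0.0.0/24 ... drop`) is correct, and the single `flush table` on n0 does cover both the nat and the filter chain that the two iptables `-F` calls cleared.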
--
2.39.5 (Apple Git-154)
* Re: [PATCHv2 net-next] selftests: wireguards: use nft by default
From: Jason A. Donenfeld @ 2024-11-17 20:09 UTC
To: Hangbin Liu
Cc: netdev, Shuah Khan, David S. Miller, Florian Westphal,
Phil Sutter, wireguard, linux-kselftest, linux-kernel
On Mon, Nov 11, 2024 at 04:19:02AM +0000, Hangbin Liu wrote:
> Use nft by default if it's supported, as nft is the replacement for iptables,
> which is used by default in some releases. Additionally, iptables is dropped
> in some releases.
Rather than having this optionality, I'd rather just do everything in
one way or the other. So if you're adamant that we need to use nft, just
convert the whole thing. And then subsequently, make sure that the qemu
test harness supports it. That should probably be a series.
Jason
* Re: [PATCHv2 net-next] selftests: wireguards: use nft by default
From: Hangbin Liu @ 2024-11-18 10:08 UTC
To: Jason A. Donenfeld
Cc: netdev, Shuah Khan, David S. Miller, Florian Westphal,
Phil Sutter, wireguard, linux-kselftest, linux-kernel
On Sun, Nov 17, 2024 at 09:09:00PM +0100, Jason A. Donenfeld wrote:
> On Mon, Nov 11, 2024 at 04:19:02AM +0000, Hangbin Liu wrote:
> > Use nft by default if it's supported, as nft is the replacement for iptables,
> > which is used by default in some releases. Additionally, iptables is dropped
> > in some releases.
>
> Rather than having this optionality, I'd rather just do everything in
> one way or the other. So if you're adamant that we need to use nft, just
> convert the whole thing. And then subsequently, make sure that the qemu
> test harness supports it. That should probably be a series.
Thanks, I will do an update for the qemu test.
Hangbin
* Re: [PATCHv2 net-next] selftests: wireguards: use nft by default
From: Hangbin Liu @ 2024-11-19 7:22 UTC
To: Jason A. Donenfeld
Cc: netdev, Shuah Khan, David S. Miller, Florian Westphal,
Phil Sutter, wireguard, linux-kselftest, linux-kernel
On Sun, Nov 17, 2024 at 09:09:00PM +0100, Jason A. Donenfeld wrote:
> On Mon, Nov 11, 2024 at 04:19:02AM +0000, Hangbin Liu wrote:
> > Use nft by default if it's supported, as nft is the replacement for iptables,
> > which is used by default in some releases. Additionally, iptables is dropped
> > in some releases.
>
> Rather than having this optionality, I'd rather just do everything in
> one way or the other. So if you're adamant that we need to use nft, just
> convert the whole thing. And then subsequently, make sure that the qemu
> test harness supports it. That should probably be a series.
Hmm, I tried to build nft but got an error:
# make -C tools/testing/selftests/wireguard/qemu/
make: Entering directory '/home/net/tools/testing/selftests/wireguard/qemu'
Building for x86_64-linux-musl using x86_64-redhat-linux
cd /home/net/tools/testing/selftests/wireguard/qemu/build/x86_64/nftables-1.0.9 && ./configure --prefix=/ --build=x86_64-redhat-linux --host=x86_64-linux-musl --enable-static --disable-shared
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
...
checking for pkg-config... /usr/bin/pkg-config
configure: WARNING: using cross tools not prefixed with host triplet
checking pkg-config is at least version 0.9.0... yes
checking for libmnl >= 1.0.4... yes
checking for libnftnl >= 1.2.6... yes
checking for __gmpz_init in -lgmp... no
configure: error: No suitable version of libgmp found
But I can configure it manually like: ./configure --prefix=/ --build=x86_64-redhat-linux --host=x86_64-linux-musl --enable-static
--disable-shared correctly
Do you have any idea?
Thanks
Hangbin
* Re: [PATCHv2 net-next] selftests: wireguards: use nft by default
From: Phil Sutter @ 2024-11-19 14:37 UTC
To: Hangbin Liu
Cc: Jason A. Donenfeld, netdev, Shuah Khan, David S. Miller,
Florian Westphal, wireguard, linux-kselftest, linux-kernel
Hangbin,
On Tue, Nov 19, 2024 at 07:22:21AM +0000, Hangbin Liu wrote:
> On Sun, Nov 17, 2024 at 09:09:00PM +0100, Jason A. Donenfeld wrote:
> > On Mon, Nov 11, 2024 at 04:19:02AM +0000, Hangbin Liu wrote:
> > > Use nft by default if it's supported, as nft is the replacement for iptables,
> > > which is used by default in some releases. Additionally, iptables is dropped
> > > in some releases.
> >
> > Rather than having this optionality, I'd rather just do everything in
> > one way or the other. So if you're adamant that we need to use nft, just
> > convert the whole thing. And then subsequently, make sure that the qemu
> > test harness supports it. That should probably be a series.
>
> Hmm, I tried to build nft but got an error:
>
> # make -C tools/testing/selftests/wireguard/qemu/
> make: Entering directory '/home/net/tools/testing/selftests/wireguard/qemu'
> Building for x86_64-linux-musl using x86_64-redhat-linux
> cd /home/net/tools/testing/selftests/wireguard/qemu/build/x86_64/nftables-1.0.9 && ./configure --prefix=/ --build=x86_64-redhat-linux --host=x86_64-linux-musl --enable-static --disable-shared
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> ...
> checking for pkg-config... /usr/bin/pkg-config
> configure: WARNING: using cross tools not prefixed with host triplet
> checking pkg-config is at least version 0.9.0... yes
> checking for libmnl >= 1.0.4... yes
> checking for libnftnl >= 1.2.6... yes
> checking for __gmpz_init in -lgmp... no
> configure: error: No suitable version of libgmp found
You may find proper details about the failure in config.log. My guess is
the cross build prevents host libraries from being used. (No idea why
your manual call works, though.)
> But I can configure it manually like: ./configure --prefix=/ --build=x86_64-redhat-linux --host=x86_64-linux-musl --enable-static
> --disable-shared correctly
>
> Do you have any idea?
You may just pass '--with-mini-gmp' to nftables' configure call to avoid
the external dependency.
Cheers, Phil