authorChristian Poessinger <christian@poessinger.com>2022-06-05 21:04:43 +0200
committerGitHub <noreply@github.com>2022-06-05 21:04:43 +0200
commita28833922ff0c04de34ac3b5cfc4bbc271dbb4ca (patch)
treeeb67ab4fec871473ce2e710a0a976a6be64ae5f6
parent256ad3fc329a846f1a2b7378bbeb8777357b433a (diff)
parent13f8cf1bc70cc6b9c8fa82119e6509aa4465b37a (diff)
Merge pull request #1350 from nicolas-fort/T4387-WLB-smoketest
T4387: add more firewall checks for WLB smoketests.
-rwxr-xr-xsmoketest/scripts/cli/test_load_balancning_wan.py72
1 files changed, 70 insertions, 2 deletions
diff --git a/smoketest/scripts/cli/test_load_balancning_wan.py b/smoketest/scripts/cli/test_load_balancning_wan.py
index 8e54f66a3..303dece86 100755
--- a/smoketest/scripts/cli/test_load_balancning_wan.py
+++ b/smoketest/scripts/cli/test_load_balancning_wan.py
@@ -64,28 +64,39 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
ns1 = 'ns201'
ns2 = 'ns202'
+ ns3 = 'ns203'
iface1 = 'eth201'
iface2 = 'eth202'
+ iface3 = 'eth203'
container_iface1 = 'ceth0'
container_iface2 = 'ceth1'
+ container_iface3 = 'ceth2'
# Create network namespeces
create_netns(ns1)
create_netns(ns2)
+ create_netns(ns3)
create_veth_pair(iface1, container_iface1)
create_veth_pair(iface2, container_iface2)
+ create_veth_pair(iface3, container_iface3)
move_interface_to_netns(container_iface1, ns1)
move_interface_to_netns(container_iface2, ns2)
+ move_interface_to_netns(container_iface3, ns3)
call(f'sudo ip address add 203.0.113.10/24 dev {iface1}')
call(f'sudo ip address add 192.0.2.10/24 dev {iface2}')
+ call(f'sudo ip address add 198.51.100.10/24 dev {iface3}')
call(f'sudo ip link set dev {iface1} up')
call(f'sudo ip link set dev {iface2} up')
+ call(f'sudo ip link set dev {iface3} up')
cmd_in_netns(ns1, f'ip link set {container_iface1} name eth0')
cmd_in_netns(ns2, f'ip link set {container_iface2} name eth0')
+ cmd_in_netns(ns3, f'ip link set {container_iface3} name eth0')
cmd_in_netns(ns1, 'ip address add 203.0.113.1/24 dev eth0')
cmd_in_netns(ns2, 'ip address add 192.0.2.1/24 dev eth0')
+ cmd_in_netns(ns3, 'ip address add 198.51.100.1/24 dev eth0')
cmd_in_netns(ns1, 'ip link set dev eth0 up')
cmd_in_netns(ns2, 'ip link set dev eth0 up')
+ cmd_in_netns(ns3, 'ip link set dev eth0 up')
# Set load-balancing configuration
self.cli_set(base_path + ['wan', 'interface-health', iface1, 'failure-count', '2'])
@@ -95,6 +106,10 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['wan', 'interface-health', iface2, 'nexthop', '192.0.2.1'])
self.cli_set(base_path + ['wan', 'interface-health', iface2, 'success-count', '1'])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', iface3])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'source', 'address', '198.51.100.0/24'])
+
+
# commit changes
self.cli_commit()
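Review bot: Rule 10 in this test gets only `inbound-interface` and `source address`, with no `interface` leaf, whereas the second test (hunk at -164) also sets `['wan', 'rule', '10', 'interface', iface1]` and the same for `iface2`. If the omission is deliberate, a one-line comment such as `# rule 10 intentionally has no outbound interface in this test` would say so; otherwise add the two `interface` lines so both tests commit the same rule. The two blank lines added before `# commit changes` can be dropped. The test method starts and ends outside this hunk.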
@@ -120,10 +135,13 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
ns1 = 'nsA'
ns2 = 'nsB'
+ ns3 = 'nsC'
iface1 = 'veth1'
iface2 = 'veth2'
+ iface3 = 'veth3'
container_iface1 = 'ceth0'
container_iface2 = 'ceth1'
+ container_iface3 = 'ceth2'
mangle_isp1 = """table ip mangle {
chain ISP_veth1 {
counter ct mark set 0xc9
@@ -138,24 +156,57 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
counter accept
}
}"""
+ mangle_prerouting = """table ip mangle {
+ chain PREROUTING {
+ type filter hook prerouting priority mangle; policy accept;
+ counter jump WANLOADBALANCE_PRE
+ }
+}"""
+ mangle_wanloadbalance_pre = """table ip mangle {
+ chain WANLOADBALANCE_PRE {
+ iifname "veth3" ip saddr 198.51.100.0/24 ct state new counter jump ISP_veth1
+ iifname "veth3" ip saddr 198.51.100.0/24 ct state new counter jump ISP_veth2
+ iifname "veth3" ip saddr 198.51.100.0/24 counter meta mark set ct mark
+ }
+}"""
+ nat_wanloadbalance = """table ip nat {
+ chain WANLOADBALANCE {
+ ct mark 0xc9 counter snat to 203.0.113.10
+ ct mark 0xca counter snat to 192.0.2.10
+ }
+}"""
+ nat_vyos_pre_snat_hook = """table ip nat {
+ chain VYOS_PRE_SNAT_HOOK {
+ counter jump WANLOADBALANCE
+ return
+ }
+}"""
# Create network namespeces
create_netns(ns1)
create_netns(ns2)
+ create_netns(ns3)
create_veth_pair(iface1, container_iface1)
create_veth_pair(iface2, container_iface2)
+ create_veth_pair(iface3, container_iface3)
move_interface_to_netns(container_iface1, ns1)
move_interface_to_netns(container_iface2, ns2)
+ move_interface_to_netns(container_iface3, ns3)
call(f'sudo ip address add 203.0.113.10/24 dev {iface1}')
call(f'sudo ip address add 192.0.2.10/24 dev {iface2}')
+ call(f'sudo ip address add 198.51.100.10/24 dev {iface3}')
call(f'sudo ip link set dev {iface1} up')
call(f'sudo ip link set dev {iface2} up')
+ call(f'sudo ip link set dev {iface3} up')
cmd_in_netns(ns1, f'ip link set {container_iface1} name eth0')
cmd_in_netns(ns2, f'ip link set {container_iface2} name eth0')
+ cmd_in_netns(ns3, f'ip link set {container_iface3} name eth0')
cmd_in_netns(ns1, 'ip address add 203.0.113.1/24 dev eth0')
cmd_in_netns(ns2, 'ip address add 192.0.2.1/24 dev eth0')
+ cmd_in_netns(ns3, 'ip address add 198.51.100.1/24 dev eth0')
cmd_in_netns(ns1, 'ip link set dev eth0 up')
cmd_in_netns(ns2, 'ip link set dev eth0 up')
+ cmd_in_netns(ns3, 'ip link set dev eth0 up')
# Set load-balancing configuration
self.cli_set(base_path + ['wan', 'interface-health', iface1, 'failure-count', '2'])
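Review bot: The new expected-output literals `mangle_wanloadbalance_pre` and `nat_wanloadbalance` hard-code `veth3`, `198.51.100.0/24`, `203.0.113.10` and `192.0.2.10`, values that are also set separately through `iface3` and the `ip address add` calls further down, so a later rename has to be made in several places. Building the rule lines from the same variables, e.g. `iifname "{iface3}" ip saddr 198.51.100.0/24 ct state new counter jump ISP_{iface1}` inside an f-string (with the nft braces doubled as `{{`/`}}`), keeps the expectation tied to the configuration. A short comment above `nat_wanloadbalance` noting that `0xc9` is the connection mark set in `ISP_veth1` (and presumably `0xca` in `ISP_veth2`) would explain why each mark maps to its SNAT address. The test method starts and ends outside this hunk.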
@@ -164,19 +215,36 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['wan', 'interface-health', iface2, 'failure-count', '2'])
self.cli_set(base_path + ['wan', 'interface-health', iface2, 'nexthop', '192.0.2.1'])
self.cli_set(base_path + ['wan', 'interface-health', iface2, 'success-count', '1'])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', iface3])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'source', 'address', '198.51.100.0/24'])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'interface', iface1])
+ self.cli_set(base_path + ['wan', 'rule', '10', 'interface', iface2])
# commit changes
self.cli_commit()
time.sleep(5)
- # Check chains
- #call('sudo nft list ruleset')
+
+ # Check mangle chains
tmp = cmd(f'sudo nft -s list chain mangle ISP_{iface1}')
self.assertEqual(tmp, mangle_isp1)
tmp = cmd(f'sudo nft -s list chain mangle ISP_{iface2}')
self.assertEqual(tmp, mangle_isp2)
+ tmp = cmd(f'sudo nft -s list chain mangle PREROUTING')
+ self.assertEqual(tmp, mangle_prerouting)
+
+ tmp = cmd(f'sudo nft -s list chain mangle WANLOADBALANCE_PRE')
+ self.assertEqual(tmp, mangle_wanloadbalance_pre)
+
+ # Check nat chains
+ tmp = cmd(f'sudo nft -s list chain nat WANLOADBALANCE')
+ self.assertEqual(tmp, nat_wanloadbalance)
+
+ tmp = cmd(f'sudo nft -s list chain nat VYOS_PRE_SNAT_HOOK')
+ self.assertEqual(tmp, nat_vyos_pre_snat_hook)
+
# Delete veth interfaces and netns
for iface in [iface1, iface2]:
call(f'sudo ip link del dev {iface}')
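Review bot: The teardown loop at the end of this hunk still iterates `[iface1, iface2]`, so the `veth3` pair created by this change is left behind after the test; it should read `for iface in [iface1, iface2, iface3]:`. The namespace deletion follows outside the hunk and would need `nsC` as well if it lists namespaces explicitly (not visible here). No hunk touches the teardown of the first test either, so `eth203`/`ns203` are probably leaked there in the same way. Leftover interfaces and addresses can make later smoketests on the same host fail, or pass for the wrong reason. Separately, the new `cmd(f'sudo nft -s list chain ...')` calls contain no placeholders and do not need the `f` prefix.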