linux/tools/testing/selftests/net/netfilter/nft_zones_many.sh

#!/bin/bash

# Test insertion speed for packets with identical addresses/ports
# that are all placed in distinct conntrack zones.

source lib.sh

zones=2000
[ "$KSFT_MACHINE_SLOW" = yes ] && zones=500

have_ct_tool=0
ret=0

cleanup()
{
	cleanup_all_ns
}

checktool "nft --version" "run test without nft tool"
checktool "socat -V" "run test without socat tool"

setup_ns ns1

trap cleanup EXIT

if conntrack -V > /dev/null 2>&1; then
	have_ct_tool=1
fi

test_zones() {
	local max_zones=$1

ip netns exec "$ns1" nft -f /dev/stdin<<EOF
flush ruleset
table inet raw {
	map rndzone {
		typeof numgen inc mod $max_zones : ct zone
	}

	chain output {
		type filter hook output priority -64000; policy accept;
		udp dport 12345  ct zone set numgen inc mod 65536 map @rndzone
	}
}
EOF
if [ "$?" -ne 0 ];then
	echo "SKIP: Cannot add nftables rules"
	exit $ksft_skip
fi

	ip netns exec "$ns1" sysctl -q net.netfilter.nf_conntrack_udp_timeout=3600

	(
		echo "add element inet raw rndzone {"
	for i in $(seq 1 "$max_zones");do
		echo -n "$i : $i"
		if [ "$i" -lt "$max_zones" ]; then
			echo ","
		else
			echo "}"
		fi
	done
	) | ip netns exec "$ns1" nft -f /dev/stdin

	local i=0
	local j=0
	local outerstart
	local stop
	outerstart=$(date +%s%3N)
	stop=$outerstart

	while [ "$i" -lt "$max_zones" ]; do
		local start
		start=$(date +%s%3N)
		i=$((i + 1000))
		j=$((j + 1))
		# nft rule in output places each packet in a different zone.
		dd if=/dev/zero bs=8k count=1000 2>/dev/null | ip netns exec "$ns1" socat -u STDIN UDP:127.0.0.1:12345,sourceport=12345
		if [ $? -ne 0 ] ;then
			ret=1
			break
		fi

		stop=$(date +%s%3N)
		local duration=$((stop-start))
		echo "PASS: added 1000 entries in $duration ms (now $i total, loop $j)"
	done

	if [ "$have_ct_tool" -eq 1 ]; then
		local count duration
		count=$(ip netns exec "$ns1" conntrack -C)
		duration=$((stop-outerstart))

		if [ "$count" -ge "$max_zones" ]; then
			echo "PASS: inserted $count entries from packet path in $duration ms total"
		else
			ip netns exec "$ns1" conntrack -S 1>&2
			echo "FAIL: inserted $count entries from packet path in $duration ms total, expected $max_zones entries"
			ret=1
		fi
	fi

	if [ $ret -ne 0 ];then
		echo "FAIL: insert $max_zones entries from packet path" 1>&2
	fi
}

test_conntrack_tool() {
	local max_zones=$1

	ip netns exec "$ns1" conntrack -F >/dev/null 2>/dev/null

	local outerstart start stop i
	outerstart=$(date +%s%3N)
	start=$(date +%s%3N)
	stop="$start"
	i=0
	while [ "$i" -lt "$max_zones" ]; do
		i=$((i + 1))
		ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
	                 --timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i >/dev/null 2>&1
		if [ $? -ne 0 ];then
			ip netns exec "$ns1" conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \
	                 --timeout 3600 --state ESTABLISHED --sport 12345 --dport 1000 --zone $i > /dev/null
			echo "FAIL: conntrack -I returned an error"
			ret=1
			break
		fi

		if [ $((i%1000)) -eq 0 ];then
			stop=$(date +%s%3N)

			local duration=$((stop-start))
			echo "PASS: added 1000 entries in $duration ms (now $i total)"
			start=$stop
		fi
	done

	local count
	local duration
	count=$(ip netns exec "$ns1" conntrack -C)
	duration=$((stop-outerstart))

	if [ "$count" -eq "$max_zones" ]; then
		echo "PASS: inserted $count entries via ctnetlink in $duration ms"
	else
		ip netns exec "$ns1" conntrack -S 1>&2
		echo "FAIL: inserted $count entries via ctnetlink in $duration ms, expected $max_zones entries ($duration ms)"
		ret=1
	fi
}

test_zones $zones

if [ "$have_ct_tool" -eq 1 ];then
	test_conntrack_tool $zones
else
	echo "SKIP: Could not run ctnetlink insertion test without conntrack tool"
	if [ $ret -eq 0 ];then
		exit $ksft_skip
	fi
fi

exit $ret