1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
#!/bin/bash
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
set -e
read taint < /proc/sys/kernel/tainted
if [ "$taint" -ne 0 ]; then
echo "Kernel already tainted up front."
exit 77
fi
iface_cleanup() {
ip link del d0 &>/dev/null || :
}
trap 'iface_cleanup' EXIT
load_rules()
{
if [ "$NFT_TEST_HAVE_netdev_egress" != n ]; then
EGRESS="add chain netdev nm-mlag-dummy0 tx-snoop-source-mac { type filter hook egress devices = { dummy0 } priority filter; policy accept; }
add rule netdev nm-mlag-dummy0 tx-snoop-source-mac update @macset-tagged { ether saddr . vlan id timeout 5s } return
add rule netdev nm-mlag-dummy0 tx-snoop-source-mac update @macset-untagged { ether saddr timeout 5s }"
fi
RULESET="add table netdev nm-mlag-dummy0
add set netdev nm-mlag-dummy0 macset-tagged { typeof ether saddr . vlan id; size 65535; flags dynamic,timeout; }
add set netdev nm-mlag-dummy0 macset-untagged { typeof ether saddr; size 65535; flags dynamic,timeout; }
$EGRESS
add chain netdev nm-mlag-dummy0 rx-drop-looped-packets { type filter hook ingress devices = { dummy0 } priority filter; policy accept; }
add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop
add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether type 8021q return
add rule netdev nm-mlag-dummy0 rx-drop-looped-packets ether saddr @macset-untagged drop"
$NFT -f - <<< $RULESET
}
for i in $(seq 1 500);do
ip link add dummy0 type dummy
load_rules
# zap ruleset and down device at same time
$NFT flush ruleset &
ip link del dummy0 &
wait
read taint < /proc/sys/kernel/tainted
if [ "$taint" -ne 0 ]; then
exit 1
fi
done
exit 0
|
