tests: shell: Refactored nat_ftp, added rulesets and testcase functions

Refactored the setup of nft rulesets, now it is possible to set up an SNAT or DNAT-only ruleset for future tests. Presented the testcase function to test passive or active modes. Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io> Signed-off-by: Florian Westphal <fw@strlen.de>
2026-01-26 18:39:03 +00:00 · 2025-10-30 15:57:30 +01:00 · 2025-10-30 15:57:30 +01:00 · bd75ff1478
commit bd75ff1478
parent 95f82543dc
1 changed files with 53 additions and 33 deletions
--- a/tests/shell/testcases/packetpath/nat_ftp
+++ b/tests/shell/testcases/packetpath/nat_ftp
@ -77,7 +77,7 @@ ip -net $S route add ${ip_rc}/64 via ${ip_rs} dev s_r
 ip netns exec $C ping -q -6 ${ip_sr} -c1 > /dev/null
 assert_pass "topo initialization"

-reload_ruleset()
+reload_ruleset_base()
 {
 	ip netns exec $R conntrack -F 2> /dev/null
 	ip netns exec $R $NFT -f - <<-EOF
@ -87,12 +87,6 @@ reload_ruleset()
 			type "ftp" protocol tcp;
 		}

-		chain PRE-dnat {
-			type nat hook prerouting priority dstnat; policy accept;
-			# Dnat the control connection, data connection will be automaticly NATed.
-			ip6 daddr ${ip_rc} counter ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21
-		}
-
 		chain PRE-aftnat {
 			type filter hook prerouting priority 350; policy drop;
 			iifname r_c tcp dport 21 ct state new ct helper set "ftp-standard" counter accept
@ -111,14 +105,43 @@ reload_ruleset()
 			ip6 nexthdr tcp ct state established counter accept
 			ip6 nexthdr tcp ct state related     counter log accept
 		}
+	}
+	EOF
+	assert_pass "apply ftp helper base ruleset"
+}

+load_dnat()
+{
+	ip netns exec $R $NFT -f - <<-EOF
+	table ip6 ftp_helper_nat_test {
+		chain PRE-dnat {
+			type nat hook prerouting priority dstnat; policy accept;
+			# Dnat the control connection, data connection will be automaticly NATed.
+			ip6 daddr ${ip_rc} counter ip6 nexthdr tcp tcp dport 2121 counter dnat ip6 to [${ip_sr}]:21
+		}
+	}
+	EOF
+	assert_pass "apply ftp helper DNAT ruleset"
+}
+
+load_snat()
+{
+	ip netns exec $R $NFT -f - <<-EOF
+	table ip6 ftp_helper_nat_test {
 		chain POST-srcnat {
 			type nat hook postrouting priority srcnat; policy accept;
 			ip6 daddr ${ip_sr} ip6 nexthdr tcp tcp dport 21 counter snat ip6 to [${ip_rs}]:16500
 		}
 	}
 	EOF
-	assert_pass "apply ftp helper ruleset"
+	assert_pass "apply ftp helper SNAT ruleset"
+}
+
+reload_ruleset()
+{
+	reload_ruleset_base
+	load_dnat
+	load_snat
 }

 dd if=/dev/urandom of="$INFILE" bs=4096 count=1 2>/dev/null
@ -141,38 +164,35 @@ wait_local_port_listen $S 21 tcp
 ip netns exec $S ss -6ltnp | grep -q '*:21'
 assert_pass "start vsftpd server"

+test_case()
+{
+	tag=$1
+	ftp_ip_and_port=$2
+	client_ip_to_check=$3
+	additional_curl_options=$4
+
+	ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
+	pid=$!
+	sleep 0.5
+	ip netns exec $C curl ${additional_curl_options} --no-progress-meter --connect-timeout 5 ftp://${ftp_ip_and_port}/$(basename $INFILE) -o $OUTFILE
+	assert_pass "curl ftp "${tag}
+
+	cmp "$INFILE" "$OUTFILE"
+	assert_pass "FTP "${tag}": The input and output files remain the same when traffic passes through NAT."
+
+	kill $pid;
+	tcpdump -nnr ${PCAP} src ${client_ip_to_check} and dst ${ip_sr} 2>&1 |grep -q FTP
+	assert_pass "assert FTP traffic NATed"
+}

 # test passive mode
 reload_ruleset
-ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
-pid=$!
-sleep 0.5
-ip netns exec $C curl --no-progress-meter --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE
-assert_pass "curl ftp passive mode "
-
-cmp "$INFILE" "$OUTFILE"
-assert_pass "FTP Passive mode: The input and output files remain the same when traffic passes through NAT."
-
-kill $pid; sync
-tcpdump -nnr ${PCAP} src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP
-assert_pass "assert FTP traffic NATed"
+test_case "Passive mode" "[${ip_rc}]:2121" ${ip_rs}


 # test active mode
 reload_ruleset
-
-ip netns exec $S tcpdump -q --immediate-mode -Ui s_r -w ${PCAP} 2> /dev/null &
-pid=$!
-sleep 0.5
-ip netns exec $C curl --no-progress-meter -P - --connect-timeout 5 ftp://[${ip_rc}]:2121/$(basename $INFILE) -o $OUTFILE
-assert_pass "curl ftp active mode "
-
-cmp "$INFILE" "$OUTFILE"
-assert_pass "FTP Active mode: in and output files remain the same when FTP traffic passes through NAT."
-
-kill $pid; sync
-tcpdump -nnr ${PCAP} src ${ip_rs} and dst ${ip_sr} 2>&1 |grep -q FTP
-assert_pass "assert FTP traffic NATed"
+test_case "Active mode" "[${ip_rc}]:2121" ${ip_rs} "-P -"

 # trap calls cleanup
 exit 0