On Thu, Jul 05, 2018 at 01:56:23AM +0800, Xin Long wrote: > On Wed, Jul 4, 2018 at 3:23 AM, David Ahern <dsah...@gmail.com> wrote: > > your commands are not a proper test. The test should succeed and fail > > based on the routing lookup, not iptables rules. > A proper test can be done easily with netns, as vrf can't isolate much. > I don't want to bother forwarding/ directory with netns, so I will probably > just drop this selftest, and let the feature patch go first. > > What do you think?
You can add a tc rule on the ingress of h2 and make sure that in the first case ping succeeds and the tc rule wasn't hit. In the second case ping should also succeed, but the tc rule should be hit. This is similar to your original netns test. You can look at tc_flower.sh for reference and in particular at tc_check_packets().
