selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup

JIRA: https://issues.redhat.com/browse/RHEL-88574

commit fc91d5e
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Apr 23 11:57:29 2025 +0200

    selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup

    With reverted fix:
    PASS: fib expression did not cause unwanted packet drops
    [   37.285169] ns1-KK76Kt nft_rpfilter: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32287 DF PROTO=ICMP TYPE=8 CODE=0 ID=1818 SEQ=1
    FAIL: rpfilter did drop packets
    FAIL: ns1-KK76Kt cannot reach 127.0.0.1, ret 0

    Check for this.

    Link: https://lore.kernel.org/netfilter/20250422114352.GA2092@breakpoint.cc/
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Author: CKI Backport Bot

tools/testing/selftests/net/netfilter/nft_fib.sh

@@ -45,6 +45,19 @@ table inet filter {
 EOF
 }
 
+load_input_ruleset() {
+	local netns=$1
+
+ip netns exec "$netns" nft -f /dev/stdin <<EOF
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy accept;
+	        fib saddr . iif oif missing counter log prefix "$netns nft_rpfilter: " drop
+	}
+}
+EOF
+}
+
 load_pbr_ruleset() {
 	local netns=$1
 
@@ -163,6 +176,16 @@ check_drops || exit 1
 
 echo "PASS: fib expression did not cause unwanted packet drops"
 
+load_input_ruleset "$ns1"
+
+test_ping 127.0.0.1 ::1 || exit 1
+check_drops || exit 1
+
+test_ping 10.0.1.99 dead:1::99 || exit 1
+check_drops || exit 1
+
+echo "PASS: fib expression did not discard loopback packets"
+
 ip netns exec "$nsrouter" nft flush table inet filter
 
 ip -net "$ns1" route del default