#
a8a388c2 |
|
07-May-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: add packetdrill based conntrack tests

Add a new test script that uses packetdrill tool to exercise conntrack state machine.

Needs ip/ip6tables and conntrack tool (to check if we have an entry in the expected state).

Test cases added here cover following scenarios:

1. already-acked (retransmitted) packets are not tagged as INVALID
2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT) transitions conntrack to CLOSE even if the RST is not an exact match
3. RST packets with out-of-window sequence numbers are marked as INVALID
4. SYN+Challenge ACK: check that challenge ack is allowed to pass
5. Old SYN/ACK: check conntrack handles the case where SYN is answered with SYN/ACK for an old, previous connection attempt
6. Check SYN reception while in ESTABLISHED state generates a challenge ack, RST response clears 'outdated' state + next SYN retransmit gets us into 'SYN_RECV' conntrack state.

Tests get run twice, once with ipv4 and once with ipv6.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
#
496bc586 |
|
30-Apr-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: nft_concat_range.sh: reduce debug kernel run time

Even a 1h timeout isn't enough for nft_concat_range.sh to complete on debug kernels.

Reduce test complexity and only match on single entry if KSFT_MACHINE_SLOW is set.

To spot 'slow' tests, print the subtest duration (in seconds) in addition to the status.

Add new nft_concat_range_perf.sh script, not executed via kselftest, to run the performance (pps match rate) tests. Those need about 25m to complete which seems too much to run this via 'make run_tests'.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240430145810.23447-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
a9e59f71 |
|
24-Apr-2024 |
Florian Westphal <fw@strlen.de> |
tools: testing: selftests: prefer TEST_PROGS for conntrack_dump_flush

Currently conntrack_dump_flush test program always runs when passing TEST_PROGS argument:

    % make -C tools/testing/selftests TARGETS=net/netfilter \
        TEST_PROGS=conntrack_ipip_mtu.sh run_tests
    make: Entering [..]
    TAP version 13
    1..2 [..]
    selftests: net/netfilter: conntrack_dump_flush [..]

Move away from TEST_CUSTOM_PROGS to avoid this. After this, above command will only run the program specified in TEST_PROGS.

Link: https://lore.kernel.org/netdev/20240423191609.70c14c42@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240424095824.5555-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
0b2e1db9 |
|
18-Apr-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: update makefiles and kernel config

Jakub reports the Makefile missed a few updates to make kselftest-install work for the netfilter tests and points out that config file lacks many dependencies such as VETH support.

The settings file (timeout 8m) is added for nft_concat_range.sh script which can take several minutes to complete.

Fixes: 3f189349e52a ("selftests: netfilter: move to net subdir")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20240412175413.04e5e616@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240418152744.15105-13-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
3f189349 |
|
11-Apr-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: move to net subdir

.. so this can start re-using existing lib.sh infra in next patches.

Several of these scripts will not work, e.g. because they assume rp_filter is disabled, or reliance on a particular version/flavor of "netcat" tool.

Add config settings for them.

nft_trans_stress.sh script is removed, it also exists in the nftables userspace selftests. I do not see a reason to keep two versions in different repositories/projects.

The settings file is removed for now: It was used to increase the timeout to avoid slow scripts from getting zapped by the 45s timeout, but some of the slow scripts can be sped up. Re-add it later for scripts that cannot be sped up easily.

Update MAINTAINERS to reflect that future updates to netfilter scripts should go through netfilter-devel@.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240411233624.8129-2-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|