<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/tools/testing/selftests/netfilter, branch v5.1</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v5.1</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v5.1'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2019-04-15T05:31:50Z</updated>
<entry>
<title>netfilter: nat: fix icmp id randomization</title>
<updated>2019-04-15T05:31:50Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-04-09T12:45:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=5bdac418f33f60b07a34e01e722889140ee8fac9'/>
<id>urn:sha1:5bdac418f33f60b07a34e01e722889140ee8fac9</id>
<content type='text'>
Sven Auhagen reported that a 2nd ping request will fail if 'fully-random'
mode is used.

Reason is that if no proto information is given, min/max are both 0,
so we set the icmp id to 0 instead of choosing a random value between
0 and 65535.

Update test case as well to catch this, without fix this yields:
[..]
ERROR: cannot ping ns1 from ns2 with ip masquerade fully-random (attempt 2)
ERROR: cannot ping ns1 from ns2 with ipv6 masquerade fully-random (attempt 2)

... because 2nd ping clashes with existing 'id 0' icmp conntrack and gets
dropped.

Fixes: 203f2e78200c27e ("netfilter: nat: remove l4proto-&gt;unique_tuple")
Reported-by: Sven Auhagen &lt;sven.auhagen@voleatech.de&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: check icmp pkttoobig errors are set as related</title>
<updated>2019-04-13T12:52:57Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-03-25T22:11:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=becf2319f320cae43e20cf179cc51a355a0deb5f'/>
<id>urn:sha1:becf2319f320cae43e20cf179cc51a355a0deb5f</id>
<content type='text'>
When an icmp error such as pkttoobig is received, conntrack checks
if the "inner" header (header of packet that did not fit link mtu)
matches an existing connection, and, if so, sets that packet as
being related to the conntrack entry it found.

It was recently reported that this "related" setting also works
if the inner header is from another, different connection (i.e.,
artificial/forged icmp error).

Add a test, followup patch will add additional "inner dst matches
outer dst in reverse direction" check before setting related state.

Link: https://www.synacktiv.com/posts/systems/icmp-reachable.html
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add simple masq/redirect test cases</title>
<updated>2019-02-04T13:21:27Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-01-29T14:16:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=98bfc3414bda335dbd7fec58bde6266f991801d7'/>
<id>urn:sha1:98bfc3414bda335dbd7fec58bde6266f991801d7</id>
<content type='text'>
Check basic nat/redirect/masquerade for ipv4 and ipv6.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET</title>
<updated>2019-02-04T13:21:02Z</updated>
<author>
<name>Naresh Kamboju</name>
<email>naresh.kamboju@linaro.org</email>
</author>
<published>2019-01-29T06:28:35Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=952b72f89ae23b316da8c1021b18d0c388ad6cc4'/>
<id>urn:sha1:952b72f89ae23b316da8c1021b18d0c388ad6cc4</id>
<content type='text'>
In selftests the config fragment for netfilter was added as
NF_TABLES_INET=y and this patch corrects it to CONFIG_NF_TABLES_INET=y.

Signed-off-by: Naresh Kamboju &lt;naresh.kamboju@linaro.org&gt;
Acked-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: add script to stress-test nft packet path vs. control plane</title>
<updated>2018-11-12T15:13:35Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2018-10-31T17:26:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=25d8bcedbf4329895dbaf9dd67baa6f18dad918c'/>
<id>urn:sha1:25d8bcedbf4329895dbaf9dd67baa6f18dad918c</id>
<content type='text'>
Start flood ping for each cpu while loading/flushing rulesets to make
sure we do not access already-freed rules from nf_tables evaluation loop.

Also add this to TARGETS so 'make run_tests' in selftest dir runs it
automatically.

This would have caught the bug fixed in previous change
("netfilter: nf_tables: do not skip inactive chains during generation update")
sooner.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
