<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/tools/testing/selftests/netfilter, branch v5.19</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v5.19</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v5.19'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2022-06-21T08:50:40Z</updated>
<entry>
<title>selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh</title>
<updated>2022-06-21T08:50:40Z</updated>
<author>
<name>Jie2x Zhou</name>
<email>jie2x.zhou@intel.com</email>
</author>
<published>2022-06-16T07:40:46Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=5d79d8af8dec58bf709b3124d09d9572edd9c617'/>
<id>urn:sha1:5d79d8af8dec58bf709b3124d09d9572edd9c617</id>
<content type='text'>
Before change:
make -C netfilter
 TEST: performance
   net,port                                                      [SKIP]
   perf not supported
   port,net                                                      [SKIP]
   perf not supported
   net6,port                                                     [SKIP]
   perf not supported
   port,proto                                                    [SKIP]
   perf not supported
   net6,port,mac                                                 [SKIP]
   perf not supported
   net6,port,mac,proto                                           [SKIP]
   perf not supported
   net,mac                                                       [SKIP]
   perf not supported

After change:
   net,mac                                                       [ OK ]
     baseline (drop from netdev hook):               2061098pps
     baseline hash (non-ranged entries):             1606741pps
     baseline rbtree (match on first field only):    1191607pps
     set with  1000 full, ranged entries:            1639119pps
ok 8 selftests: netfilter: nft_concat_range.sh

Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Signed-off-by: Jie2x Zhou &lt;jie2x.zhou@intel.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nat: really support inet nat without l3 address</title>
<updated>2022-06-01T13:53:39Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-06-01T08:47:35Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5'/>
<id>urn:sha1:282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5</id>
<content type='text'>
When no l3 address is given, priv-&gt;family is set to NFPROTO_INET and
the evaluation function isn't called.

Call it too so l4-only rewrite can work.
Also add a test case for this.

Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only")
Reported-by: Yi Chen &lt;yiche@redhat.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add fib expression forward test case</title>
<updated>2022-04-11T10:10:09Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-03-31T13:46:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0c7b27616fbd64b3b86c59ad5441f82a1a0c4176'/>
<id>urn:sha1:0c7b27616fbd64b3b86c59ad5441f82a1a0c4176</id>
<content type='text'>
It's now possible to use the fib expression in the forward chain (where both
the input and output interfaces are known).

Add a simple test case for this.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'linux-kselftest-next-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest</title>
<updated>2022-03-23T19:53:00Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2022-03-23T19:53:00Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=23d1dea55520c5cf89849279cd25de4da8392687'/>
<id>urn:sha1:23d1dea55520c5cf89849279cd25de4da8392687</id>
<content type='text'>
Pull Kselftest updates from Shuah Khan:
 "Several build and cleanup fixes:

   - removing obsolete config options

   - removing dependency on internal kernel macros

   - adding config options

   - several build fixes related to headers and install paths"

* tag 'linux-kselftest-next-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (22 commits)
  selftests: Fix build when $(O) points to a relative path
  selftests: netfilter: fix a build error on openSUSE
  selftests: kvm: add generated file to the .gitignore
  selftests/exec: add generated files to .gitignore
  selftests: add kselftest_install to .gitignore
  selftests/rtc: continuously read RTC in a loop for 30s
  selftests/lkdtm: Add UBSAN config
  selftests/lkdtm: Remove dead config option
  selftests/exec: Rename file binfmt_script to binfmt_script.py
  selftests: Use -isystem instead of -I to include headers
  selftests: vm: remove dependency from internal kernel macros
  selftests: vm: Add the uapi headers include variable
  selftests: mptcp: Add the uapi headers include variable
  selftests: net: Add the uapi headers include variable
  selftests: landlock: Add the uapi headers include variable
  selftests: kvm: Add the uapi headers include variable
  selftests: futex: Add the uapi headers include variable
  selftests: Correct the headers install path
  selftests: Add and export a kernel uapi headers path
  selftests: set the BUILD variable to absolute path
  ...
</content>
</entry>
<entry>
<title>Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"</title>
<updated>2022-03-08T12:52:11Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-03-08T12:52:11Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a82c25c366b0963d33ddf699196e6cf57f6d89b1'/>
<id>urn:sha1:a82c25c366b0963d33ddf699196e6cf57f6d89b1</id>
<content type='text'>
This reverts commit 878aed8db324bec64f3c3f956e64d5ae7375a5de.

This change breaks existing setups where conntrack is used with
asymmetric paths.

In these cases, the NAT transformation occurs on the syn-ack instead of
the syn:

1. SYN    x:12345 -&gt; y -&gt; 443 // sent by initiator, received by responder
2. SYNACK y:443 -&gt; x:12345 // First packet seen by conntrack, as sent by responder
3. tuple_force_port_remap() gets called, sees:
  'tcp from 443 to port 12345 NAT' -&gt; pick a new source port, initiator receives
4. SYNACK y:$RANDOM -&gt; x:12345   // connection is never established

While it's possible to avoid the breakage with NOTRACK rules, a kernel
update should not break working setups.

An alternative to the revert is to augment conntrack to tag
mid-stream connections plus more code in the nat core to skip NAT
for such connections, however, this leads to more interaction/integration
between conntrack and NAT.

Therefore, revert; users will need to add explicit nat rules to avoid
port shadowing.

Link: https://lore.kernel.org/netfilter-devel/20220302105908.GA5852@breakpoint.cc/#R
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2051413
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: fix a build error on openSUSE</title>
<updated>2022-03-03T22:17:54Z</updated>
<author>
<name>Geliang Tang</name>
<email>geliang.tang@suse.com</email>
</author>
<published>2022-03-02T05:29:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a50a88f026fb28ece512c50e8ef7cd4ef6d0a291'/>
<id>urn:sha1:a50a88f026fb28ece512c50e8ef7cd4ef6d0a291</id>
<content type='text'>
This patch fixes the following build error on openSUSE Leap 15.3:

=======================================================================
 gcc     nf-queue.c -lmnl -o tools/testing/selftests/netfilter/nf-queue
 nf-queue.c:13:10: fatal error: libmnl/libmnl.h: No such file or directory
  #include &lt;libmnl/libmnl.h&gt;
           ^~~~~~~~~~~~~~~~~
 compilation terminated.
=======================================================================

This is because libmnl.h is installed in the directory
"/usr/include/libmnl/libmnl/" on openSUSE, not "/usr/include/libmnl/":

 &gt; rpm -ql libmnl-devel
 /usr/include/libmnl
 /usr/include/libmnl/libmnl
 /usr/include/libmnl/libmnl/libmnl.h
 /usr/lib64/libmnl.so
 /usr/lib64/pkgconfig/libmnl.pc

Suggested-by: Kai Liu &lt;kai.liu@suse.com&gt;
Signed-off-by: Geliang Tang &lt;geliang.tang@suse.com&gt;
Reviewed-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: add nfqueue TCP_NEW_SYN_RECV socket race test</title>
<updated>2022-03-01T10:48:58Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-02-25T11:01:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=2e78855d311c401083df9776aa450d32d716e83e'/>
<id>urn:sha1:2e78855d311c401083df9776aa450d32d716e83e</id>
<content type='text'>
causes:
BUG: KASAN: slab-out-of-bounds in sk_free+0x25/0x80
Write of size 4 at addr ffff888106df0284 by task nf-queue/1459
 sk_free+0x25/0x80
 nf_queue_entry_release_refs+0x143/0x1a0
 nf_reinject+0x233/0x770

... without 'netfilter: nf_queue: don't assume sk is full socket'.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: disable rp_filter on router</title>
<updated>2022-02-10T23:01:04Z</updated>
<author>
<name>Hangbin Liu</name>
<email>liuhangbin@gmail.com</email>
</author>
<published>2022-02-10T09:50:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=bbe4c0896d25009a7c86285d2ab024eed4374eea'/>
<id>urn:sha1:bbe4c0896d25009a7c86285d2ab024eed4374eea</id>
<content type='text'>
Some distros may enable rp_filter by default. After ns1 changes its address to
10.0.2.99 and sets its default router to 10.0.2.1, while the connected router
address is still 10.0.1.1, the router will not reply to the ARP request
from ns1. Fix it by setting the router's veth0 rp_filter to 0.

Before the fix:
  # ./nft_fib.sh
  PASS: fib expression did not cause unwanted packet drops
  Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1
  table inet filter {
          chain prerouting {
                  type filter hook prerouting priority filter; policy accept;
                  ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop
                  ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop
          }
  }

After the fix:
  # ./nft_fib.sh
  PASS: fib expression did not cause unwanted packet drops
  PASS: fib expression did drop packets for 1.1.1.1
  PASS: fib expression did drop packets for 1c3::c01d

Fixes: 82944421243e ("selftests: netfilter: add fib test case")
Signed-off-by: Yi Chen &lt;yiche@redhat.com&gt;
Signed-off-by: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: synproxy test requires nf_conntrack</title>
<updated>2022-02-10T15:34:46Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2022-02-10T09:11:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=249749c88906a00dc937a750406a36dfd11b5701'/>
<id>urn:sha1:249749c88906a00dc937a750406a36dfd11b5701</id>
<content type='text'>
Otherwise, this test does not find the sysctl entry in place:

 sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_loose: No such file or directory
 iperf3: error - unable to send control message: Bad file descriptor
 FAIL: iperf3 returned an error

Fixes: 7152303cbec4 ("selftests: netfilter: add synproxy test")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>selftests: netfilter: fix exit value for nft_concat_range</title>
<updated>2022-02-09T10:07:06Z</updated>
<author>
<name>Hangbin Liu</name>
<email>liuhangbin@gmail.com</email>
</author>
<published>2022-02-09T08:25:51Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=2e71ec1a725a794a16e3862791ed43fe5ba6a06b'/>
<id>urn:sha1:2e71ec1a725a794a16e3862791ed43fe5ba6a06b</id>
<content type='text'>
When the nft_concat_range test fails, it explicitly exits with 1 in the
code.

But when part of, or all of, the test passes, it fails the
[ ${passed} -eq 0 ] check and thus also exits with 1, which is the same
exit value as a failure result. Fix it by exiting 0 when passed is not 0.

Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Signed-off-by: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Reviewed-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
