linux/tools/testing/selftests/netfilter, branch v6.0

selftests: nft_concat_range: add socat support

2022-09-07T13:06:26Z

There are different flavors of 'nc' around, this script fails on my test vm because 'nc' is 'nmap-ncat' which isn't 100% compatible. Add socat support and use it if available. Signed-off-by: Florian Westphal

netfilter: remove nf_conntrack_helper sysctl and modparam toggles

2022-08-31T10:12:32Z

__nf_ct_try_assign_helper() remains in place but it now requires a template to configure the helper. A toggle to disable automatic helper assignment was added by: a9006892643a ("netfilter: nf_ct_helper: allow to disable automatic helper assignment") in 2012 to address the issues described in "Secure use of iptables and connection tracking helpers". Automatic conntrack helper assignment was disabled by: 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper assignment") back in 2016. This patch removes the sysctl and modparam toggles, users now have to rely on explicit conntrack helper configuration via ruleset. Update tools/testing/selftests/netfilter/nft_conntrack_helper.sh to check that auto-assignment does not happen anymore. Acked-by: Aaron Conole Signed-off-by: Pablo Neira Ayuso

testing: selftests: nft_flowtable.sh: rework test to detect offload failure

2022-08-17T13:12:01Z

This test fails on current kernel releases because the flotwable path now calls dst_check from packet path and will then remove the offload. Test script has two purposes: 1. check that file (random content) can be sent to other netns (and vv) 2. check that the flow is offloaded (rather than handled by classic forwarding path). Since dst_check is in place, 2) fails because the nftables ruleset in router namespace 1 intentionally blocks traffic under the assumption that packets are not passed via classic path at all. Rework this: Instead of blocking traffic, create two named counters, one for original and one for reverse direction. The first three test cases are handled by classic forwarding path (path mtu discovery is disabled and packets exceed MTU). But all other tests enable PMTUD, so the originator and responder are expected to lower packet size and flowtable is expected to do the packet forwarding. For those tests, check that the packet counters (which are only incremented for packets that are passed up to classic forward path) are significantly lower than the file size transferred. I've tested that the counter-checks fail as expected when the 'flow add' statement is removed from the ruleset. Signed-off-by: Florian Westphal

testing: selftests: nft_flowtable.sh: use random netns names

2022-08-17T06:47:02Z

"ns1" is a too generic name, use a random suffix to avoid errors when such a netns exists. Also allows to run multiple instances of the script in parallel. Signed-off-by: Florian Westphal

selftests: netfilter: add test case for nf trace infrastructure

2022-08-06T01:50:15Z

Enable/disable tracing infrastructure while packets are in-flight. This triggers KASAN splat after e34b9ed96ce3 ("netfilter: nf_tables: avoid skb access on nf_stolen"). While at it, reduce script run time as well. Signed-off-by: Florian Westphal Signed-off-by: Jakub Kicinski

selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh

2022-06-21T08:50:40Z

Before change: make -C netfilter TEST: performance net,port [SKIP] perf not supported port,net [SKIP] perf not supported net6,port [SKIP] perf not supported port,proto [SKIP] perf not supported net6,port,mac [SKIP] perf not supported net6,port,mac,proto [SKIP] perf not supported net,mac [SKIP] perf not supported After change: net,mac [ OK ] baseline (drop from netdev hook): 2061098pps baseline hash (non-ranged entries): 1606741pps baseline rbtree (match on first field only): 1191607pps set with 1000 full, ranged entries: 1639119pps ok 8 selftests: netfilter: nft_concat_range.sh Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation") Reported-by: kernel test robot Signed-off-by: Jie2x Zhou Signed-off-by: Pablo Neira Ayuso

netfilter: nat: really support inet nat without l3 address

2022-06-01T13:53:39Z

When no l3 address is given, priv->family is set to NFPROTO_INET and the evaluation function isn't called. Call it too so l4-only rewrite can work. Also add a test case for this. Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only") Reported-by: Yi Chen Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: add fib expression forward test case

2022-04-11T10:10:09Z

Its now possible to use fib expression in the forward chain (where both the input and output interfaces are known). Add a simple test case for this. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

Merge tag 'linux-kselftest-next-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

2022-03-23T19:53:00Z

Pull Kselftest updates from Shuah Khan: "Several build and cleanup fixes: - removing obsolete config options - removing dependency on internal kernel macros - adding config options - several build fixes related to headers and install paths" * tag 'linux-kselftest-next-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: (22 commits) selftests: Fix build when $(O) points to a relative path selftests: netfilter: fix a build error on openSUSE selftests: kvm: add generated file to the .gitignore selftests/exec: add generated files to .gitignore selftests: add kselftest_install to .gitignore selftests/rtc: continuously read RTC in a loop for 30s selftests/lkdtm: Add UBSAN config selftests/lkdtm: Remove dead config option selftests/exec: Rename file binfmt_script to binfmt_script.py selftests: Use -isystem instead of -I to include headers selftests: vm: remove dependecy from internal kernel macros selftests: vm: Add the uapi headers include variable selftests: mptcp: Add the uapi headers include variable selftests: net: Add the uapi headers include variable selftests: landlock: Add the uapi headers include variable selftests: kvm: Add the uapi headers include variable selftests: futex: Add the uapi headers include variable selftests: Correct the headers install path selftests: Add and export a kernel uapi headers path selftests: set the BUILD variable to absolute path ...

Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"

2022-03-08T12:52:11Z

This reverts commit 878aed8db324bec64f3c3f956e64d5ae7375a5de. This change breaks existing setups where conntrack is used with asymmetric paths. In these cases, the NAT transformation occurs on the syn-ack instead of the syn: 1. SYN x:12345 -> y -> 443 // sent by initiator, receiverd by responder 2. SYNACK y:443 -> x:12345 // First packet seen by conntrack, as sent by responder 3. tuple_force_port_remap() gets called, sees: 'tcp from 443 to port 12345 NAT' -> pick a new source port, inititor receives 4. SYNACK y:$RANDOM -> x:12345 // connection is never established While its possible to avoid the breakage with NOTRACK rules, a kernel update should not break working setups. An alternative to the revert is to augment conntrack to tag mid-stream connections plus more code in the nat core to skip NAT for such connections, however, this leads to more interaction/integration between conntrack and NAT. Therefore, revert, users will need to add explicit nat rules to avoid port shadowing. Link: https://lore.kernel.org/netfilter-devel/20220302105908.GA5852@breakpoint.cc/#R Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2051413 Signed-off-by: Florian Westphal