linux/tools/testing/selftests/netfilter, branch v6.4

selftests: nft_flowtable.sh: check ingress/egress chain too

2023-05-10T07:31:07Z

Make sure flowtable interacts correctly with ingress and egress chains, i.e. those get handled before and after flow table respectively. Adds three more tests: 1. repeat flowtable test, but with 'ip dscp set cs3' done in inet forward chain. Expect that some packets have been mangled (before flowtable offload became effective) while some pass without mangling (after offload succeeds). 2. repeat flowtable test, but with 'ip dscp set cs3' done in veth0:ingress. Expect that all packets pass with cs3 dscp field. 3. same as 2, but use veth1:egress. Expect the same outcome. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

selftests: nft_flowtable.sh: monitor result file sizes

2023-05-10T07:31:07Z

When running nft_flowtable.sh in VM on a busy server we've found that the time of the netcat file transfers vary wildly. Therefore replace hardcoded 3 second sleep with the loop checking for a change in the file sizes. Once no change in detected we test the results. Nice side effect is that we shave 1 second sleep in the fast case (hard-coded 3 second sleep vs two 1 second sleeps). Acked-by: Florian Westphal Signed-off-by: Boris Sukholitko Signed-off-by: Pablo Neira Ayuso

selftests: nft_flowtable.sh: wait for specific nc pids

2023-05-10T07:31:06Z

Doing wait with no parameters may interfere with some of the tests having their own background processes. Although no such test is currently present, the cleanup is useful to rely on the nft_flowtable.sh for local development (e.g. running background tcpdump command during the tests). Signed-off-by: Boris Sukholitko Signed-off-by: Pablo Neira Ayuso

selftests: nft_flowtable.sh: no need for ps -x option

2023-05-10T07:31:05Z

Some ps commands (e.g. busybox derived) have no -x option. For the purposes of hash calculation of the list of processes this option is inessential. Signed-off-by: Boris Sukholitko Signed-off-by: Pablo Neira Ayuso

selftests: nft_flowtable.sh: use /proc for pid checking

2023-05-10T07:30:52Z

Some ps commands (e.g. busybox derived) have no -p option. Use /proc for pid existence check. Signed-off-by: Boris Sukholitko Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: fix libmnl pkg-config usage

2023-05-03T06:24:31Z

1. Don't hard-code pkg-config 2. Remove distro-specific default for CFLAGS 3. Use pkg-config for LDLIBS Fixes: a50a88f026fb ("selftests: netfilter: fix a build error on openSUSE") Suggested-by: Jan Engelhardt Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

selftests: nft_nat: ensuring the listening side is up before starting the client

2023-03-01T16:23:23Z

The test_local_dnat_portonly() function initiates the client-side as soon as it sets the listening side to the background. This could lead to a race condition where the server may not be ready to listen. To ensure that the server-side is up and running before initiating the client-side, a delay is introduced to the test_local_dnat_portonly() function. Before the fix: # ./nft_nat.sh PASS: netns routing/connectivity: ns0-rthlYrBU can reach ns1-rthlYrBU and ns2-rthlYrBU PASS: ping to ns1-rthlYrBU was ip NATted to ns2-rthlYrBU PASS: ping to ns1-rthlYrBU OK after ip nat output chain flush PASS: ipv6 ping to ns1-rthlYrBU was ip6 NATted to ns2-rthlYrBU 2023/02/27 04:11:03 socat[6055] E connect(5, AF=2 10.0.1.99:2000, 16): Connection refused ERROR: inet port rewrite After the fix: # ./nft_nat.sh PASS: netns routing/connectivity: ns0-9sPJV6JJ can reach ns1-9sPJV6JJ and ns2-9sPJV6JJ PASS: ping to ns1-9sPJV6JJ was ip NATted to ns2-9sPJV6JJ PASS: ping to ns1-9sPJV6JJ OK after ip nat output chain flush PASS: ipv6 ping to ns1-9sPJV6JJ was ip6 NATted to ns2-9sPJV6JJ PASS: inet port rewrite without l3 address Fixes: 282e5f8fe907 ("netfilter: nat: really support inet nat without l3 address") Signed-off-by: Hangbin Liu Signed-off-by: Pablo Neira Ayuso

netfilter: ip6t_rpfilter: Fix regression with VRF interfaces

2023-02-21T23:22:20Z

When calling ip6_route_lookup() for the packet arriving on the VRF interface, the result is always the real (slave) interface. Expect this when validating the result. Fixes: acc641ab95b66 ("netfilter: rpfilter/fib: Populate flowic_l3mdev field") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso

selftests: netfilter: fix transaction test script timeout handling

2023-01-11T18:17:40Z

The kselftest framework uses a default timeout of 45 seconds for all test scripts. Increase the timeout to two minutes for the netfilter tests, this should hopefully be enough, Make sure that, should the script be canceled, the net namespace and the spawned ping instances are removed. Fixes: 25d8bcedbf43 ("selftests: add script to stress-test nft packet path vs. control plane") Reported-by: Mirsad Goran Todorovac Signed-off-by: Florian Westphal Tested-by: Mirsad Goran Todorovac Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: set icmpv6 redirects as RELATED

2022-11-30T22:01:20Z

icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not do this. For icmpv6, only icmp errors (code <= 128) are examined for RELATED state. ICMPV6 Redirects are part of neighbour discovery mechanism, those are handled by marking a selected subset (e.g. neighbour solicitations) as UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID. Add minimal support for REDIRECTs. No parsing of neighbour options is added for simplicity, so this will only check that we have the embeeded original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow lookup for this tuple. Also extend the existing test case to cover redirects. Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") Reported-by: Eric Garver Link: https://github.com/firewalld/firewalld/issues/1046 Signed-off-by: Florian Westphal Acked-by: Eric Garver Signed-off-by: Pablo Neira Ayuso