From: Florian Westphal <fw@strlen.de>
To: Antonio Ojea <aojea@google.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v3] selftests: netfilter: conntrack respect reject rules
Date: Tue, 18 Mar 2025 14:23:47 +0100
Message-ID: <20250318132347.GA20865@breakpoint.cc>
In-Reply-To: <20250318094138.3328627-1-aojea@google.com>
Antonio Ojea <aojea@google.com> wrote:
> This test ensures that conntrack correctly applies reject rules to
> established connections after DNAT, even when those connections are
> persistent.
>
> The test sets up three network namespaces: ns1, ns2, and nsrouter.
> nsrouter acts as a router with DNAT, exposing a service running in ns2
> via a virtual IP.
>
> The test validates that it is possible to filter and reject new and
> established connections to the DNATed IP in the prerouting and forward
> filters.
>
> Signed-off-by: Antonio Ojea <aojea@google.com>
> ---
> V1 -> V2:
> * Modified the test function to accept a third argument which contains
> the nftables rules to be applied.
> * Add a new test case to filter and reject in the prerouting hook.
> V2 -> V3:
> * Add helper functions to remove code duplication
> * Use busywait instead of hardcoded sleeps
You will need to apply the busywait logic to the 'kill -0' too:
# PASS: frontend filter-ip6: fail to connect over the established connection to [dead:4::a]:8080
# [<0>] do_select+0x68e/0x950
# [<0>] core_sys_select+0x1ef/0x4b0
# [<0>] do_pselect.constprop.0+0xe7/0x180
# [<0>] __x64_sys_pselect6+0x58/0x70
# [<0>] do_syscall_64+0x9e/0x1a0
# [<0>] entry_SYSCALL_64_after_hwframe+0x77/0x7f
# ERROR: frontend filter-ip6: persistent connection is not closed as intended
# cat: /proc/756/stack: No such file or directory
The <0> lines come from cat /proc/$pid/stack, which I added here
locally, i.e. the kill -0 works, enters failure, but on a retry after
sleep 2 the process is gone.
So, I think you need to give the process a bit more time to wake up,
process the rst/eof and exit.
I think you can simply use the busywait helper for this too; pick a short
timeout such as 3000ms as upper limit, that should do the trick and still
allow detecting a hanging process.
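As an added illustration, not part of Florian's mail or of the selftest itself, here is a stand-alone POSIX sh poll loop that does what the reply recommends: check `kill -0` repeatedly under a bounded timeout instead of once, so a client that is still processing the RST/EOF gets time to exit while a genuinely hanging process is still reported. The function names (`pid_gone`, `wait_for_exit`) are assumptions and stand in for the selftests' busywait helper; the zombie check reads /proc and is therefore Linux-specific.

```shell
#!/bin/sh
# Added example (not the selftest's own code): bounded wait for a PID to exit.
# Assumed names: wait_for_exit replaces a one-shot "kill -0 $pid" check.

# A process counts as gone once kill -0 fails or it is a zombie, i.e. it has
# exited but the shell has not reaped it yet (Linux: read /proc/PID/status).
pid_gone() {
    kill -0 "$1" 2>/dev/null || return 0
    state=$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ "$state" = "Z" ]
}

# wait_for_exit PID [TIMEOUT_MS]: poll every 100 ms until the process is gone.
# Returns 0 when it exited in time, 1 when it is still alive after TIMEOUT_MS
# (the "hanging process" case the test must keep detecting).
wait_for_exit() {
    pid=$1
    timeout_ms=${2:-3000}
    step_ms=100
    elapsed=0
    until pid_gone "$pid"; do
        [ "$elapsed" -lt "$timeout_ms" ] || return 1
        sleep 0.1   # fractional sleep: GNU/BSD sleep, fine for a Linux selftest
        elapsed=$((elapsed + step_ms))
    done
    return 0
}

# Demo: a short-lived child exits well inside the 3000 ms budget; a long-lived
# one does not and is reported as hanging.
demo() {
    sleep 1 &
    short=$!
    wait_for_exit "$short" 3000 && echo "short-lived child exited in time"
    sleep 30 &
    long=$!
    wait_for_exit "$long" 300 || echo "long-lived child still alive after 300 ms"
    kill "$long" 2>/dev/null
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the single argument `demo` to see both outcomes; in a test script the 3000 ms budget replaces the fixed `sleep 2` retry.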