* [PATCH] tests: shell: Update packetpath/flowtables
@ 2025-04-16 15:53 Yi Chen
  2025-04-16 17:44 ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Yi Chen @ 2025-04-16 15:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

1. The socat receiver should not write its output to the pipefile that the
   sender reads from; this could create an infinite data loop.
2. Sending a packet right after establishing the connection helped uncover
   a new bug.
3. Optimize test log output

Signed-off-by: Yi Chen <yiche@redhat.com>
---
 tests/shell/testcases/packetpath/flowtables | 77 +++++++++++++--------
 1 file changed, 50 insertions(+), 27 deletions(-)

diff --git a/tests/shell/testcases/packetpath/flowtables b/tests/shell/testcases/packetpath/flowtables
index d4e0a5bd..b68c5dd4 100755
--- a/tests/shell/testcases/packetpath/flowtables
+++ b/tests/shell/testcases/packetpath/flowtables
@@ -3,8 +3,6 @@
 # NFT_TEST_REQUIRES(NFT_TEST_HAVE_socat)
 # NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
 
-set -x
-
 rnd=$(mktemp -u XXXXXXXX)
 R="flowtable-router-$rnd"
 C="flowtable-client-$rnd"
@@ -17,9 +15,33 @@ cleanup()
 		ip netns del $i
 	done
 }
-
 trap cleanup EXIT
 
+assert_pass()
+{
+	local ret=$?
+	if [ $ret != 0 ]
+	then
+		echo "FAIL: ${@}"
+		ip netns exec $R cat /proc/net/nf_conntrack
+		exit 1
+	else
+		echo "PASS: ${@}"
+	fi
+}
+assert_fail()
+{
+	local ret=$?
+	if [ $ret == 0 ]
+	then
+		echo "FAIL: ${@}"
+		ip netns exec $R cat /proc/net/nf_conntrack
+		exit 1
+	else
+		echo "PASS: ${@}"
+	fi
+}
+
 ip netns add $R
 ip netns add $S
 ip netns add $C
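Review bot: assert_pass and assert_fail read the status they judge from `$?` on their first line, so they are only correct when called directly after the command under test, and the hunk adds no comment saying so. A header such as `# Must directly follow the command being checked; judges the exit status left in $?.` above `assert_pass()` would keep a later edit from inserting a command in between and silently testing the wrong status. The two functions differ only in the comparison, and `[ $ret == 0 ]` relies on `==` inside `[`, which is a bash extension; `[ "$ret" -eq 0 ]` is the portable spelling if the shebang, which is outside this hunk, is not bash.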
@@ -35,14 +57,15 @@ ip netns exec $S ip -6 addr add 2001:db8:ffff:22::1/64 dev s_r
 ip netns exec $C ip -6 addr add 2001:db8:ffff:21::2/64 dev c_r
 ip netns exec $R ip -6 addr add 2001:db8:ffff:22::fffe/64 dev r_s
 ip netns exec $R ip -6 addr add 2001:db8:ffff:21::fffe/64 dev r_c
-ip netns exec $R sysctl -w net.ipv6.conf.all.forwarding=1
+ip netns exec $R sysctl -wq net.ipv6.conf.all.forwarding=1
 ip netns exec $C ip route add 2001:db8:ffff:22::/64 via 2001:db8:ffff:21::fffe dev c_r
 ip netns exec $S ip route add 2001:db8:ffff:21::/64 via 2001:db8:ffff:22::fffe dev s_r
 ip netns exec $S ethtool -K s_r tso off
 ip netns exec $C ethtool -K c_r tso off
-
 sleep 3
-ip netns exec $C ping -6 2001:db8:ffff:22::1 -c1 || exit 1
+
+ip netns exec $C ping -q -6 2001:db8:ffff:22::1 -c1
+assert_pass "topo initialization"
 
 ip netns exec $R nft -f - <<EOF
 table ip6 filter {
@@ -61,6 +84,7 @@ table ip6 filter {
         }
 }
 EOF
+assert_pass "apply nft ruleset"
 
 if [ ! -r /proc/net/nf_conntrack ]
 then
@@ -68,32 +92,31 @@ then
 	exit 77
 fi
 
-ip netns exec $R nft list ruleset
-ip netns exec $R sysctl -w net.netfilter.nf_flowtable_tcp_timeout=5 || {
-	echo "E: set net.netfilter.nf_flowtable_tcp_timeout fail, skipping" >&2
-        exit 77
-}
-ip netns exec $R sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400 || {
-        echo "E: set net.netfilter.nf_conntrack_tcp_timeout_established fail, skipping" >&2
-        exit 77
+ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5
+assert_pass "set net.netfilter.nf_flowtable_tcp_timeout=5"
 
-}
+ip netns exec $R sysctl -wq net.netfilter.nf_conntrack_tcp_timeout_established=86400
+assert_pass "set net.netfilter.nf_conntrack_tcp_timeout_established=86400"
 
 # A trick to control the timing to send a packet
-ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/pipefile-$rnd,ignoreeof &
+ip netns exec $S socat TCP6-LISTEN:10001 GOPEN:/tmp/socat-$rnd,ignoreeof &
 sleep 1
 ip netns exec $C socat -b 2048 PIPE:/tmp/pipefile-$rnd 'TCP:[2001:db8:ffff:22::1]:10001' &
 sleep 1
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "check [OFFLOAD] tag (failed)"; exit 1; }
-ip netns exec $R cat /proc/net/nf_conntrack
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd        ; assert_pass "send a packet"
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack     ; assert_pass "check [OFFLOAD] tag"
 sleep 6
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   && { echo "CT OFFLOAD timeout, fail back to classical path (failed)"; exit 1; }
-ip netns exec $R grep '8639[0-9]' /proc/net/nf_conntrack || { echo "check nf_conntrack_tcp_timeout_established (failed)"; exit 1; }
-ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "traffic seen, back to OFFLOAD path (failed)"; exit 1; }
-ip netns exec $C sleep 3
-ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd
-ip netns exec $C sleep 3
-ip netns exec $R grep 'OFFLOAD' /proc/net/nf_conntrack   || { echo "Traffic seen in 5s (nf_flowtable_tcp_timeout), so stay in OFFLOAD (failed)"; exit 1; }
-
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack     ; assert_fail "CT OFFLOAD timeout, back to the classical path"
+ip netns exec $R grep -q '863[89][0-9]' /proc/net/nf_conntrack; assert_pass "check timeout adopt nf_conntrack_tcp_timeout_established"
+ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd        ; assert_pass "send a packet"
+ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack     ; assert_pass "packet detected, back to the OFFLOAD path"
+
+i=3; while ((i--))
+do
+	sleep 3
+	ip netns exec $C echo "send sth" >> /tmp/pipefile-$rnd; assert_pass "send a packet"
+	sleep 3
+	ip netns exec $R grep -q 'OFFLOAD' /proc/net/nf_conntrack
+	assert_pass "Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD"
+done
 exit 0
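Review bot: The two sysctl writes used to end in `exit 77` when they failed and now go through assert_pass, which exits 1, so a kernel that lacks `net.netfilter.nf_flowtable_tcp_timeout` is reported as a failure instead of a skip. If the skip was intentional, keep it for that step, e.g. `ip netns exec $R sysctl -wq net.netfilter.nf_flowtable_tcp_timeout=5 || { echo "E: cannot set nf_flowtable_tcp_timeout, skipping" >&2; exit 77; }`. The new receiver file `/tmp/socat-$rnd` also takes its name from `mktemp -u`, which only prints a name without creating anything, and this test is presumably run as root. Creating a private directory with `mktemp -d` and removing it in cleanup() would avoid both the shared /tmp path and the leftover file, since no hunk in this patch extends cleanup().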
-- 
2.49.0



* Re: [PATCH] tests: shell: Update packetpath/flowtables
  2025-04-16 15:53 [PATCH] tests: shell: Update packetpath/flowtables Yi Chen
@ 2025-04-16 17:44 ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2025-04-16 17:44 UTC (permalink / raw)
  To: Yi Chen; +Cc: netfilter-devel, Florian Westphal

Yi Chen <yiche@redhat.com> wrote:
> 1. The socat receiver should not use the pipfile as output where the sender
>    reads data from, this could create an infinite data loop.
> 2. Sending a packet right after establishing the connection helped uncover
>    a new bug.

This refers to
'[nf] netfilter: conntrack: fix erronous removal of offload bit'
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20250415135355.11427-1-fw@strlen.de/

The updated test passes with that patch applied and fails without it:

PASS: Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD
PASS: send a packet
FAIL: Traffic seen in 5s (nf_flowtable_tcp_timeout), should stay in OFFLOAD
ipv6     10 tcp      6 86392 ESTABLISHED src=2001:0db8:ffff:0021:0000:0000:0000:0002 dst=2001:0db8:ffff:0022:0000:0000:0000:0001 sport=59488 dport=10001 src=2001:0db8:ffff:0022:0000:0000:0000:0001 dst=2001:0db8:ffff:0021:0000:0000:0000:0002 sport=10001 dport=59488 [ASSURED] mark=0 zone=0 use=3

Update LGTM, I'll apply it after the fix is in nf.git.

