From: Jakub Kicinski <kuba@kernel.org>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org, pabeni@redhat.com, edumazet@google.com,
fw@strlen.de, horms@kernel.org
Subject: Re: [PATCH nf-next 2/7] selftests: netfilter: add conntrack stress test
Date: Tue, 6 May 2025 06:11:25 -0700 [thread overview]
Message-ID: <20250506061125.1a244d12@kernel.org> (raw)
In-Reply-To: <20250505234151.228057-3-pablo@netfilter.org>
On Tue, 6 May 2025 01:41:46 +0200 Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@strlen.de>
>
> Add a new test case to check:
> - conntrack_max limit is effective
> - conntrack_max limit cannot be exceeded from within a netns
> - resizing the hash table while packets are inflight works
> - removal of all conntrack rules disables conntrack in netns
> - conntrack tool dump (conntrack -L) returns expected number
> of (unique) entries
> - procfs interface - if available - has same number of entries
> as conntrack -L dump
>
> Expected output with selftest framework:
> selftests: net/netfilter: conntrack_resize.sh
> PASS: got 1 connections: netns conntrack_max is pernet bound
> PASS: got 100 connections: netns conntrack_max is init_net bound
> PASS: dump in netns had same entry count (-C 1778, -L 1778, -p 1778, /proc 0)
> PASS: dump in netns had same entry count (-C 2000, -L 2000, -p 2000, /proc 0)
> PASS: test parallel conntrack dumps
> PASS: resize+flood
> PASS: got 0 connections: conntrack disabled
> PASS: got 1 connections: conntrack enabled
> ok 1 selftests: net/netfilter: conntrack_resize.sh
This test seems quite flaky on debug kernels:
https://netdev.bots.linux.dev/contest.html?test=conntrack-resize-sh&executor=vmksft-nf-dbg
# FAIL: proc inconsistency after uniq filter for nsclient2-whtRtS: 1968 != 1945
next prev parent reply other threads:[~2025-05-06 13:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-05 23:41 [PATCH nf-next 0/7] Netfilter updates for net-next Pablo Neira Ayuso
2025-05-05 23:41 ` [PATCH nf-next 1/7] netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Pablo Neira Ayuso
2025-05-06 11:30 ` patchwork-bot+netdevbpf
2025-05-05 23:41 ` [PATCH nf-next 2/7] selftests: netfilter: add conntrack stress test Pablo Neira Ayuso
2025-05-06 13:11 ` Jakub Kicinski [this message]
2025-05-06 13:36 ` Florian Westphal
2025-05-05 23:41 ` [PATCH nf-next 3/7] netfilter: nft_quota: match correctly when the quota just depleted Pablo Neira Ayuso
2025-05-05 23:41 ` [PATCH nf-next 4/7] netfilter: nf_conntrack: speed up reads from nf_conntrack proc file Pablo Neira Ayuso
2025-05-05 23:41 ` [PATCH nf-next 5/7] netfilter: nft_set_pipapo: prevent overflow in lookup table allocation Pablo Neira Ayuso
2025-05-05 23:41 ` [PATCH nf-next 6/7] netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Pablo Neira Ayuso
2025-05-05 23:41 ` [PATCH nf-next 7/7] selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250506061125.1a244d12@kernel.org \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.