From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: pablo@netfilter.org
Subject: [RFC nf-next 03/11] tests: netfilter: conntrack_resize: prepare for pernet conntrack table
Date: Wed,  5 Nov 2025 17:47:57 +0100
Message-ID: <20251105164805.3992-4-fw@strlen.de>
In-Reply-To: <20251105164805.3992-1-fw@strlen.de>

The test_conntrack_max_limit subtest will fail once we have pernet
tables: each netns can set its own limit, not bound by the init_net max
setting.

Also, because the ct hashtable is allocated on demand,
net.netfilter.nf_conntrack_buckets will be 0 until the first user enables
conntrack, so don't try to reset this value to 0 when that was the
original value.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 .../net/netfilter/conntrack_resize.sh         | 26 +++++--------------
 1 file changed, 6 insertions(+), 20 deletions(-)

diff --git a/tools/testing/selftests/net/netfilter/conntrack_resize.sh b/tools/testing/selftests/net/netfilter/conntrack_resize.sh
index 615fe3c6f405..c155de936287 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_resize.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_resize.sh
@@ -35,7 +35,7 @@ cleanup() {
 
 	# restore original sysctl setting
 	sysctl -q net.netfilter.nf_conntrack_max=$init_net_max
-	sysctl -q net.netfilter.nf_conntrack_buckets=$ct_buckets
+	[ "$ct_buckets" -gt 0 ] && sysctl -q net.netfilter.nf_conntrack_buckets=$ct_buckets
 }
 trap cleanup EXIT
 
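Review bot: the new guard `[ "$ct_buckets" -gt 0 ] && sysctl -q net.netfilter.nf_conntrack_buckets=$ct_buckets` is the last command in cleanup(), so whenever the saved value was 0 the function, and with it the EXIT trap, ends with status 1; and if the earlier read of the sysctl failed and left $ct_buckets empty, `[ "" -gt 0 ]` aborts with "integer expression expected" instead of quietly skipping the restore. An explicit conditional avoids both: `if [ -n "$ct_buckets" ] && [ "$ct_buckets" -gt 0 ]; then sysctl -q net.netfilter.nf_conntrack_buckets=$ct_buckets; fi`. A short comment next to it would also help: when the saved value is 0 the table had not been allocated yet, there is no way to return to that state, so init_net is left at the size written by the last sysctl in ctresize().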
@@ -90,9 +90,11 @@ ctresize() {
 	local duration="$1"
 	local now=$(date +%s)
 	local end=$((now + duration))
+	local rnd
 
 	while [ $now -lt $end ]; do
-		sysctl -q net.netfilter.nf_conntrack_buckets=$RANDOM
+		rnd=$((RANDOM+1))
+		sysctl -q net.netfilter.nf_conntrack_buckets=$rnd
 		now=$(date +%s)
 	done
 }
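Review bot: `rnd=$((RANDOM+1))` avoids ever writing 0 to net.netfilter.nf_conntrack_buckets, but neither the hunk nor the commit message says why 0 must be excluded; the message only states that the sysctl reads as 0 before the table is allocated. Add a one-line comment above the assignment (for example "0 is the not-yet-allocated value and is not a valid size to write") so the next reader does not simplify it back to `$RANDOM`. Keeping the `local rnd` declaration separate from the assignment is fine, but the comment is what prevents the regression.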
@@ -434,18 +436,6 @@ check_sysctl_immutable()
 	return 1
 }
 
-test_conntrack_max_limit()
-{
-	sysctl -q net.netfilter.nf_conntrack_max=100
-	insert_ctnetlink "$nsclient1" 101
-
-	# check netns is clamped by init_net, i.e., either netns follows
-	# init_net value, or a higher pernet limit (compared to init_net) is ignored.
-	check_ctcount "$nsclient1" 100 "netns conntrack_max is init_net bound"
-
-	sysctl -q net.netfilter.nf_conntrack_max=$init_net_max
-}
-
 test_conntrack_disable()
 {
 	local timeout=2
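Review bot: deleting test_conntrack_max_limit removes the only check of what happens when a netns limit exceeds the init_net one, and nothing replaces it, so after this patch no subtest asserts the new behaviour the commit message describes ("not bound by the init_net max setting"). Rather than dropping the subtest outright, invert it: keep `sysctl -q net.netfilter.nf_conntrack_max=100` in init_net, set a higher value inside "$nsclient1", then `insert_ctnetlink "$nsclient1" 101` and check_ctcount for 101 entries, which documents the decoupling and catches a regression back to clamping. If the decoupled semantics only become true with a later patch in the series, say so in the commit message so the test removal and the kernel change can be matched up.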
@@ -476,15 +466,12 @@ check_max_alias 262000
 setup_ns nsclient1 nsclient2
 
 # check this only works from init_net
-for n in netfilter.nf_conntrack_buckets netfilter.nf_conntrack_expect_max net.nf_conntrack_max;do
-	check_sysctl_immutable "$nsclient1" "net.$n" 1
-done
+check_sysctl_immutable "$nsclient1" "net.$netfilter.nf_conntrack_expect_max" 1
 
 # won't work on older kernels. If it works, check that the netns obeys the limit
 if check_sysctl_immutable "$nsclient1" net.netfilter.nf_conntrack_max 0;then
 	# subtest: if pernet is changeable, check that reducing it in pernet
-	# limits the pernet entries.  Inverse, pernet clamped by a lower init_net
-	# setting, is already checked by "test_conntrack_max_limit" test.
+	# limits the pernet entries.
 
 	ip netns exec "$nsclient1" sysctl -q net.netfilter.nf_conntrack_max=1
 	insert_ctnetlink "$nsclient1" 2
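Review bot: the `+` line `check_sysctl_immutable "$nsclient1" "net.$netfilter.nf_conntrack_expect_max" 1` references an unset shell variable `$netfilter`, so the argument expands to `net..nf_conntrack_expect_max`. Since check_sysctl_immutable with expected result 1 only asserts that the write from inside the netns fails, a nonexistent key satisfies it and the test passes without ever touching nf_conntrack_expect_max. It should be `check_sysctl_immutable "$nsclient1" net.netfilter.nf_conntrack_expect_max 1`. The commit message should also mention why net.netfilter.nf_conntrack_buckets leaves the immutable list here, as the message only talks about nf_conntrack_max; and note that the old loop's `net.nf_conntrack_max` entry expanded to `net.net.nf_conntrack_max`, which is not a real key, so that part of the loop was already passing vacuously before this change.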
@@ -507,7 +494,6 @@ done
 tmpfile=$(mktemp)
 tmpfile_proc=$(mktemp)
 tmpfile_uniq=$(mktemp)
-test_conntrack_max_limit
 test_dump_all
 test_floodresize_all
 test_conntrack_disable
-- 
2.51.0


Thread overview:
2025-11-05 16:47 [RFC nf-next 00/11] netfilter: conntrack: pernet hash tables Florian Westphal
2025-11-05 16:47 ` [RFC nf-next 01/11] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl Florian Westphal
2025-11-05 16:47 ` [RFC nf-next 02/11] netfilter: conntrack: don't schedule gc worker when table is empty Florian Westphal
2025-11-05 16:47 ` Florian Westphal [this message]
2025-11-05 16:47 ` [RFC nf-next 04/11] netfilter: conntrack: pass pointer to buckets instead of index Florian Westphal
2025-11-05 16:47 ` [RFC nf-next 05/11] netfilter: conntrack: split hashtable auto-size to helper function Florian Westphal
2025-11-05 16:48 ` [RFC nf-next 06/11] netfilter: conntrack: move nf_conntrack_hash to struct net Florian Westphal
2025-11-07 14:03   ` kernel test robot
2025-11-05 16:48 ` [RFC nf-next 07/11] netfilter: conntrack: init and start independent gc workers when needed Florian Westphal
2025-11-05 16:48 ` [RFC nf-next 08/11] netfilter: conntrack: make nf_conntrack hash table pernet Florian Westphal
2025-11-07 16:05   ` kernel test robot
2025-11-05 16:48 ` [RFC nf-next 09/11] netfilter: conntrack: delay conntrack hashtable allocation until needed Florian Westphal
2025-11-05 16:48 ` [RFC nf-next 10/11] netfilter: conntrack: allow non-init-net to change table size Florian Westphal
2025-11-05 16:48 ` [RFC nf-next 11/11] netfilter: nf_nat: make bysource hash table pernet Florian Westphal
