From: Matthieu Baerts <matttbe@kernel.org>
To: Alice Mikityanska <alice.kernel@fastmail.im>
Cc: Shuah Khan <shuah@kernel.org>,
Stanislav Fomichev <stfomichev@gmail.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Simon Horman <horms@kernel.org>, Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, Alice Mikityanska <alice@isovalent.com>,
Paolo Abeni <pabeni@redhat.com>,
Daniel Borkmann <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Xin Long <lucien.xin@gmail.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Willem de Bruijn <willemb@google.com>,
David Ahern <dsahern@kernel.org>,
Nikolay Aleksandrov <razor@blackwall.org>
Subject: Re: [PATCH net-next v8 9/9] selftests: net: Add a test for BIG TCP in UDP tunnels
Date: Tue, 7 Jul 2026 16:12:33 +0200 [thread overview]
Message-ID: <f9aac06f-25ca-40fb-9e47-d12398262c61@kernel.org> (raw)
In-Reply-To: <48f70526-e4f1-472c-86f6-72c105853a21@app.fastmail.com>
Hi Alice,
On 07/07/2026 10:40, Alice Mikityanska wrote:
> On Tue, Jul 7, 2026, at 11:06, Paolo Abeni wrote:
>> On 7/6/26 8:19 PM, Alice Mikityanska wrote:
(...)
>>> +
>>> +cleanup_tunnel() {
>>> + ip -netns "$CLIENT_NS" link del tun0
>>> + ip -netns "$SERVER_NS" link del tun1
>>> +}
>>> +
>>> +cleanup() {
>>> + ip netns pids "$SERVER_NS" | xargs -r kill
>>> + ip netns pids "$CLIENT_NS" | xargs -r kill
>>> + ip netns del "$SERVER_NS"
>>> + ip netns del "$CLIENT_NS"
>>> + rm -rf "$WORKDIR"
>>> +}
>>> +
>>> +do_test() {
>>> + # When tx csum offload is off, software GSO is performed before passing the
>>> + # packet to veth. Check BIG TCP packets inside the VXLAN tunnel to verify
>>> + # the software checksum path: if the checksum code is broken, these packets
>>> + # will be dropped.
>>> + if [ "$2" = on ]; then
>>> + CAPTURE_IFACE='link'
>>> + else
>>> + CAPTURE_IFACE='tun'
>>> + fi
>>> +
>>> + ip netns exec "$SERVER_NS" tcpdump -nn -s 256 -i "${CAPTURE_IFACE}1" greater 65536 -w "$WORKDIR/server.pcap" 2> /dev/null &
>>> + TCPDUMP_SERVER_PID="$!"
>>> + ip netns exec "$CLIENT_NS" tcpdump -nn -s 256 -i "${CAPTURE_IFACE}0" greater 65536 -w "$WORKDIR/client.pcap" 2> /dev/null &
>>> + TCPDUMP_CLIENT_PID="$!"
>>> +
>>> + # This filter doesn't capture all possible variants of SACK, but it's aimed
>>> + # at the typical one where SACK follows after [nop, nop, timestamp, nop,
>>> + # nop] (14 bytes after the 20-byte TCP header). IPv6 needs a separate match,
>>> + # because man tcpdump says:
>>> + # > Arithmetic expression against transport layer headers, like tcp[0], does
>>> + # > not work against IPv6 packets. It only looks at IPv4 packets.
>>> + ip netns exec "$SERVER_NS" tcpdump -nn -s 256 -i "tun1" '(tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-ack and tcp[34:2] & 0xffc3 = 0x0502) or (ip6[6] = 0x06 and ip6[53] & 0x12 = 0x10 and ip6[74:2] & 0xffc3 = 0x0502)' -w "$WORKDIR/sack.pcap" 2> /dev/null &
The tcpdump commands might need to be used with ...
--immediate-mode --packet-buffered
... but that's maybe not needed, see below.
>>> + TCPDUMP_SACK_PID="$!"
>>> +
>>> + if [ "$1" = 4 ]; then
>>> + SERVER_IP="$SERVER_IP4_TUN"
>>> + echo "Running IPv4 traffic in the tunnel"
>>> + else
>>> + SERVER_IP="$SERVER_IP6_TUN"
>>> + echo "Running IPv6 traffic in the tunnel"
>>> + fi
>>> +
>>> + sleep 1 # Give tcpdump a second to spin up.
This is possibly not needed, see below.
>>> + ip netns exec "$CLIENT_NS" netperf -t TCP_STREAM -l 5 -H "$SERVER_IP" -- \
>>> + -m 80000 > /dev/null
>>> + sleep 1 # Give tcpdump a second to process buffered packets.
>>> + kill "$TCPDUMP_SERVER_PID" "$TCPDUMP_CLIENT_PID" "$TCPDUMP_SACK_PID"
>>> + wait "$TCPDUMP_SERVER_PID" "$TCPDUMP_CLIENT_PID" "$TCPDUMP_SACK_PID"
>>> + PACKETS_SERVER=$(tcpdump --count -r "$WORKDIR/server.pcap" 2> /dev/null | cut -d ' ' -f 1)
>>> + PACKETS_CLIENT=$(tcpdump --count -r "$WORKDIR/client.pcap" 2> /dev/null | cut -d ' ' -f 1)
>>> + PACKETS_SACK=$(tcpdump --count -r "$WORKDIR/sack.pcap" 2> /dev/null | cut -d ' ' -f 1)
>>> +
>>> + echo "Captured BIG TCP RX packets: $PACKETS_SERVER"
>>> + echo "Captured BIG TCP TX packets: $PACKETS_CLIENT"
>>> + echo "Captured TCP SACK packets: $PACKETS_SACK"
>>> + [ "$PACKETS_SERVER" -gt "$PACKETS_THRESHOLD" ] || return 1
>>> + [ "$PACKETS_CLIENT" -gt "$PACKETS_THRESHOLD" ] || return 1
>>> + [ "$PACKETS_SACK" -lt "$(( PACKETS_CLIENT / 2 ))" ] || return 1
>>
>> KCI fails here, see:
>>
>> https://netdev-ctrl.bots.linux.dev/logs/vmksft/net/results/722863/156-big-tcp-tunnels-sh/stdout
>>
>> possibly the above parsing is a bit fragile/tcpdump version's dependent?!?
>
> TL/DR: I've seen this when I ran out of space in /tmp before adding -s 256.
>
> Hmm, the changes I made in this iteration were aimed at addressing version-
> dependent behavior of tcpdump... I used to count the lines of its
> output. Newer tcpdump prints two lines per encapsulated packet. Older
> tcpdump can't parse BIG TCP in this test and prints one line per packet.
> To make it more robust, I decided to store the pcap and count the
> packets there (--count doesn't work with live capture when tcpdump is
> interrupted). The pitfall is that now it takes a few hundred megabytes
> in /tmp to store those pcaps.
Wow :)
If you need to keep tcpdump -- see below -- you can probably reduce even
more the packet size (-s 256), I don't know what's the minimum. And
purge the workdir in cleanup_tunnel().
> Now, seeing empty stdout from tcpdump could be if the pcap file is empty
> (doesn't contain the pcap header), because we ran out of space in /tmp
> (first two tcpdumps took all space, the third didn't write the header -
> I observed this behavior before I added -s 256). We don't see the
> corresponding error messages, because tcpdump starts with 2> /dev/null
> (otherwise it floods the screen with statistics). Could this be the
> reason? How much space is allocated for /tmp in the CI runners?
>
> I can probably address it by limiting the overall number of captured
> packets with -c, but then I won't be able to compare $PACKETS_SACK
> relative to $PACKETS_CLIENT.
If you only need to count some packets matching a filter, what about
using Netfilter rules with a counter, instead of using pcap files?
You can have counters not attached to rules altering packets:
https://wiki.nftables.org/wiki-nftables/index.php/Counters
It might even be easier to match the SACK packets, with the 'tcp option
sack' filter from nft [1]. And for the size, I guess you can use "meta
length > 65536" [2], or checking other fields from IP/TCP headers.
If you want to keep your cBPF filter, you can also use nfbpf_compile for
the translation, and use that with 'iptables -m bpf --bytecode <...>',
but it might not be needed.
[1] https://www.mankier.com/8/nft#Payload_Expressions-Extension_Header_Expressions
[2] https://www.mankier.com/8/nft#Primary_Expressions-Meta_Expressions
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
next prev parent reply other threads:[~2026-07-07 14:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 18:19 [PATCH net-next v8 0/9] BIG TCP for UDP tunnels Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 1/9] net: Use helpers to get/set UDP len tree-wide Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 2/9] net: Enable BIG TCP with partial GSO Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 3/9] udp: Support BIG TCP GSO packets where they can occur Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 4/9] udp: Support gro_ipv4_max_size > 65536 Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 5/9] udp: Validate UDP length in udp_gro_receive Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 6/9] udp: Set length in UDP header to 0 for big GSO packets Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 7/9] vxlan: Enable BIG TCP packets Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 8/9] geneve: " Alice Mikityanska
2026-07-06 18:19 ` [PATCH net-next v8 9/9] selftests: net: Add a test for BIG TCP in UDP tunnels Alice Mikityanska
2026-07-07 8:06 ` Paolo Abeni
2026-07-07 8:40 ` Alice Mikityanska
2026-07-07 14:12 ` Matthieu Baerts [this message]
2026-07-07 16:40 ` Alice Mikityanska
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f9aac06f-25ca-40fb-9e47-d12398262c61@kernel.org \
--to=matttbe@kernel.org \
--cc=alice.kernel@fastmail.im \
--cc=alice@isovalent.com \
--cc=andrew+netdev@lunn.ch \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=shuah@kernel.org \
--cc=stfomichev@gmail.com \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.