Linux Test Project
* [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
@ 2026-04-23  2:31 Wei Gao via ltp
  2026-04-23  2:37 ` [LTP] " linuxtestproject.agent
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Wei Gao via ltp @ 2026-04-23  2:31 UTC (permalink / raw)
  To: ltp

When network namespaces are used, the kernel resets network sysctls to
their default values. This makes the global .save_restore for
icmp_msgs_burst ineffective for tests that enter a new network
namespace (e.g. via tst_setup_netns() or manual unshare).

Moving the sysctl configuration into the child namespace ensures the
test always runs with the expected burst value of 50, regardless of the
kernel defaults (which were increased to 10000 in newer versions).

Fixes: 8e919bfb2ab0 ("cve: icmp_rate_limit: Make sure icmp_msgs_burst = 50")
Signed-off-by: Wei Gao <wegao@suse.com>
---
 testcases/cve/icmp_rate_limit01.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/testcases/cve/icmp_rate_limit01.c b/testcases/cve/icmp_rate_limit01.c
index 78480cea6..5193c5dfd 100644
--- a/testcases/cve/icmp_rate_limit01.c
+++ b/testcases/cve/icmp_rate_limit01.c
@@ -62,6 +62,8 @@ static void setup(void)
 	/* Do NOT close this FD, or both interfaces will be destroyed */
 	childns = SAFE_OPEN("/proc/self/ns/net", O_RDONLY);
 
+	SAFE_FILE_PRINTF("/proc/sys/net/ipv4/icmp_msgs_burst", "50");
+
 	/* Configure child namespace */
 	CREATE_VETH_PAIR("ltp_veth1", "ltp_veth2");
 	NETDEV_ADD_ADDRESS_INET("ltp_veth2", htonl(DSTADDR), NETMASK,
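Review bot: the SAFE_FILE_PRINTF() added right after the childns open writes /proc/sys/net/ipv4/icmp_msgs_burst unconditionally, so setup() ends in TBROK on any system where that file is not present inside the new network namespace. Guard the write with an existence check, for example access("/proc/sys/net/ipv4/icmp_msgs_burst", F_OK) == 0, and rely on the global setting otherwise. A one-line comment saying the write sits here because sysctls are reset in a fresh network namespace would also fit, since the neighbouring steps are all commented.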
@@ -255,7 +257,6 @@ static struct tst_test test = {
 	},
 	.save_restore = (const struct tst_path_val[]) {
 		{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
-		{"/proc/sys/net/ipv4/icmp_msgs_burst", "50", TST_SR_TBROK},
 		{}
 	},
 	.tags = (const struct tst_tag[]) {
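Review bot: dropping the icmp_msgs_burst entry from .save_restore removes the only place the value is set in the initial namespace, together with its TST_SR_TBROK handling. If the per-namespace file is unavailable, nothing in the test sets the burst to 50 any more. Consider keeping this entry and adding the in-namespace write on top of it rather than replacing one with the other.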
-- 
2.52.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* Re: [LTP] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
  2026-04-23  2:31 [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace Wei Gao via ltp
@ 2026-04-23  2:37 ` linuxtestproject.agent
  2026-04-28  8:29 ` [LTP] [PATCH v1] " Andrea Cervesato via ltp
  2026-04-28 13:02 ` Andrea Cervesato via ltp
  2 siblings, 0 replies; 6+ messages in thread
From: linuxtestproject.agent @ 2026-04-23  2:37 UTC (permalink / raw)
  To: Wei Gao; +Cc: ltp, LTP AI Reviewer

Hi Wei,

On 2026-04-23, Wei Gao wrote:
> cve: icmp_rate_limit: set icmp_msgs_burst within network namespace

>  	childns = SAFE_OPEN("/proc/self/ns/net", O_RDONLY);
>  
> +	SAFE_FILE_PRINTF("/proc/sys/net/ipv4/icmp_msgs_burst", "50");

Correct fix. The save_restore entry was writing to the initial namespace
before CLONE_NEWNET, making it ineffective inside the child namespace where
the test actually runs.

> -		{"/proc/sys/net/ipv4/icmp_msgs_burst", "50", TST_SR_TBROK},

No explicit restore needed — the sysctl lives in the child namespace, which
is destroyed when the test exits.

Reviewed-by: LTP AI Reviewer <ltp-ai@noreply.github.com>

---
Note:

Our agent completed the review of the patch.

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.

Regards,
LTP AI Reviewer


* Re: [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
  2026-04-23  2:31 [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace Wei Gao via ltp
  2026-04-23  2:37 ` [LTP] " linuxtestproject.agent
@ 2026-04-28  8:29 ` Andrea Cervesato via ltp
  2026-04-28 12:27   ` Cyril Hrubis
  2026-04-28 13:02 ` Andrea Cervesato via ltp
  2 siblings, 1 reply; 6+ messages in thread
From: Andrea Cervesato via ltp @ 2026-04-28  8:29 UTC (permalink / raw)
  To: Wei Gao via ltp; +Cc: ltp

Reviewed-by: Andrea Cervesato <andrea.cervesato@suse.com>

Ping @Cyril

--
Andrea Cervesato
SUSE QE Automation Engineer Linux
andrea.cervesato@suse.com


* Re: [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
  2026-04-28  8:29 ` [LTP] [PATCH v1] " Andrea Cervesato via ltp
@ 2026-04-28 12:27   ` Cyril Hrubis
  2026-04-29 11:45     ` Martin Doucha
  0 siblings, 1 reply; 6+ messages in thread
From: Cyril Hrubis @ 2026-04-28 12:27 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: Wei Gao via ltp

Hi!
> Reviewed-by: Andrea Cervesato <andrea.cervesato@suse.com>
> 
> Ping @Cyril

It took me a while to realize that it's the child namespace that generates
the errors and I also checked that the ratelimiting in kernel is per net
namespace. Anyways:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
  2026-04-23  2:31 [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace Wei Gao via ltp
  2026-04-23  2:37 ` [LTP] " linuxtestproject.agent
  2026-04-28  8:29 ` [LTP] [PATCH v1] " Andrea Cervesato via ltp
@ 2026-04-28 13:02 ` Andrea Cervesato via ltp
  2 siblings, 0 replies; 6+ messages in thread
From: Andrea Cervesato via ltp @ 2026-04-28 13:02 UTC (permalink / raw)
  To: Wei Gao via ltp; +Cc: ltp

Merged, Thanks!

--
Andrea Cervesato
SUSE QE Automation Engineer Linux
andrea.cervesato@suse.com


* Re: [LTP] [PATCH v1] cve: icmp_rate_limit: set icmp_msgs_burst within network namespace
  2026-04-28 12:27   ` Cyril Hrubis
@ 2026-04-29 11:45     ` Martin Doucha
  0 siblings, 0 replies; 6+ messages in thread
From: Martin Doucha @ 2026-04-29 11:45 UTC (permalink / raw)
  To: Cyril Hrubis, Andrea Cervesato; +Cc: Wei Gao via ltp

On 4/28/26 14:27, Cyril Hrubis wrote:
> Hi!
>> Reviewed-by: Andrea Cervesato <andrea.cervesato@suse.com>
>>
>> Ping @Cyril
> 
> It took me a while to realize that it's the child namespace that generates
> the errors and I also checked that the ratelimiting in kernel is per net
> namespace. Anyways:

Hi,
icmp_msgs_burst sysfile was added into non-root namespaces only in 
kernel v6.12. The test now fails in setup() on any older kernel. I'll 
send a patch to override the global value first and then conditionally 
override namespace as well.

-- 
Martin Doucha   mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic

