From: David Ahern <dsahern@gmail.com>
To: Peilin Ye <yepeilin.cs@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Shuah Khan <shuah@kernel.org>
Cc: Peilin Ye <peilin.ye@bytedance.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Hangbin Liu <liuhangbin@gmail.com>,
netdev@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v3] selftests/fib_tests: Rework fib_rp_filter_test()
Date: Wed, 1 Dec 2021 11:00:26 -0700
Message-ID: <42b5ebde-2a36-3956-d6dd-bd50e18ff6dc@gmail.com>
In-Reply-To: <20211201004720.6357-1-yepeilin.cs@gmail.com>

On 11/30/21 5:47 PM, Peilin Ye wrote:
> From: Peilin Ye <peilin.ye@bytedance.com>
>
> Currently rp_filter tests in fib_tests.sh:fib_rp_filter_test() are
> failing. ping sockets are bound to dummy1 using the "-I" option
> (SO_BINDTODEVICE), but socket lookup is failing when receiving ping
> replies, since the routing table thinks they belong to dummy0.
>
> For example, suppose ping is using a SOCK_RAW socket for ICMP messages.
> When receiving ping replies, in __raw_v4_lookup(), sk->sk_bound_dev_if
> is 3 (dummy1), but dif (skb_rtable(skb)->rt_iif) says 2 (dummy0), so the
> raw_sk_bound_dev_eq() check fails. Similar things happen in
> ping_lookup() for SOCK_DGRAM sockets.
>
> These tests used to pass due to a bug [1] in iputils, where "ping -I"
> actually did not bind ICMP message sockets to device. The bug has been
> fixed by iputils commit f455fee41c07 ("ping: also bind the ICMP socket
> to the specific device") in 2016, which is why our rp_filter tests
> started to fail. See [2].
>
> Fixing the tests while keeping everything in one netns turns out to be
> nontrivial. Rework the tests and build the following topology:
>
> ┌─────────────────────────────┐    ┌─────────────────────────────┐
> │  network namespace 1 (ns1)  │    │  network namespace 2 (ns2)  │
> │                             │    │                             │
> │  ┌────┐     ┌─────┐         │    │  ┌─────┐            ┌────┐  │
> │  │ lo │<───>│veth1│<────────┼────┼─>│veth2│<──────────>│ lo │  │
> │  └────┘     ├─────┴──────┐  │    │  ├─────┴──────┐     └────┘  │
> │             │192.0.2.1/24│  │    │  │192.0.2.1/24│             │
> │             └────────────┘  │    │  └────────────┘             │
> └─────────────────────────────┘    └─────────────────────────────┘
>

If the intention of the tests is to validate that rp_filter = 1 works as
designed, then I suggest a simpler test. 2 namespaces, 2 veth pairs.
Request goes through one interface, and the response comes in the other
via routing in ns2. ns1 would see the response coming in the 'wrong'
interface and drop it.
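
A sketch of the simpler test suggested above, as an added example that is not part of the original message or of fib_tests.sh. Namespace names, interface names and the documentation-range addresses are assumptions; a real run needs root, iproute2 and ping, while DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example: rp_filter=1 drop test with 2 namespaces and 2 veth pairs.
# All names and addresses are assumptions (TEST-NET ranges), not fib_tests.sh code.
# Needs root, iproute2 and ping; with DRY_RUN=1 the commands are printed instead.
NS1=rpf-ns1 NS2=rpf-ns2

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
in1() { run ip netns exec "$NS1" "$@"; }
in2() { run ip netns exec "$NS2" "$@"; }

setup() {
	run ip netns add "$NS1"
	run ip netns add "$NS2"
	# pair 1 carries the request, pair 2 carries the reply
	run ip link add veth1a netns "$NS1" type veth peer name veth1b netns "$NS2"
	run ip link add veth2a netns "$NS1" type veth peer name veth2b netns "$NS2"
	in1 ip addr add 198.51.100.1/24 dev veth1a
	in2 ip addr add 198.51.100.2/24 dev veth1b
	in1 ip addr add 203.0.113.1/24 dev veth2a
	in2 ip addr add 203.0.113.2/24 dev veth2b
	in2 ip addr add 192.0.2.2/32 dev lo	# ping target
	for d in lo veth1a veth2a; do in1 ip link set "$d" up; done
	for d in lo veth1b veth2b; do in2 ip link set "$d" up; done
	# ns1 reaches the target through veth1a only
	in1 ip route add 192.0.2.2/32 via 198.51.100.2 dev veth1a
	# ns2 sends replies back through the other pair (asymmetric return path)
	in2 ip route add 198.51.100.1/32 via 203.0.113.1 dev veth2b
	# ns2 must not filter the request itself; ns1 starts with rp_filter off
	for k in all veth1b veth2b; do in2 sysctl -qw "net.ipv4.conf.$k.rp_filter=0"; done
	for k in all veth1a veth2a; do in1 sysctl -qw "net.ipv4.conf.$k.rp_filter=0"; done
}

set_rpf() { in1 sysctl -qw "net.ipv4.conf.veth2a.rp_filter=$1"; }
ping_target() { in1 ping -c 1 -W 2 192.0.2.2 >/dev/null 2>&1; }
cleanup() { run ip netns del "$NS1"; run ip netns del "$NS2"; }

rp_filter_test() {
	setup; rc=0
	set_rpf 0; ping_target || { echo "FAIL: baseline ping"; rc=1; }
	set_rpf 1; ping_target && { echo "FAIL: reply passed rp_filter=1"; rc=1; }
	cleanup
	return $rc
}

if [ "${1:-}" = run ]; then rp_filter_test; fi
```

The rp_filter=0 baseline matters: it shows the asymmetric path itself delivers the reply, so the later failure is attributable to the strict reverse-path check on veth2a rather than to a broken topology.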