* nft_flowtable.sh selftest failures
@ 2025-08-12 7:50 Paolo Abeni
2025-08-12 7:58 ` Paolo Abeni
0 siblings, 1 reply; 6+ messages in thread
From: Paolo Abeni @ 2025-08-12 7:50 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: netdev@vger.kernel.org, netfilter-devel, Jakub Kicinski

Hi,

the mentioned self test failed in the last 2 CI iterations, on both
metal and debug build, with the following output:

# PASS: flow offload for ns1/ns2 with dnat and pmtu discovery ns1 <- ns2
# Error: Requested AUTH algorithm not found.
# Error: Requested AUTH algorithm not found.
# Error: Requested AUTH algorithm not found.
# Error: Requested AUTH algorithm not found.
# FAIL: file mismatch for ns1 -> ns2
# -rw------- 1 root root 2097152 Aug 11 20:23 /tmp/tmp.x1oVr3mu0P
# -rw------- 1 root root 0 Aug 11 20:23 /tmp/tmp.77gElv9oit
# FAIL: file mismatch for ns1 <- ns2
# -rw------- 1 root root 2097152 Aug 11 20:23 /tmp/tmp.x1oVr3mu0P
# -rw------- 1 root root 0 Aug 11 20:23 /tmp/tmp.ogDiTh8ZXf
# FAIL: ipsec tunnel mode for ns1/ns2

see, i.e.:
https://netdev-3.bots.linux.dev/vmksft-nf/results/249461/14-nft-flowtable-sh/

I don't see relevant patches landing in the relevant builds, I suspect
the relevant kernel config knob (CONFIG_CRYPTO_SHA1 ?) was always
missing in the ST config, pulled in by NIPA due to some CI setup tweak
possibly changed recently (Jakub could possibly have a better idea/view
about the latter). Could you please have a look?

NIPA generates the kernel config and the kernel build itself with
something like:

rm -f .config
vng --build --config tools/testing/selftests/net/forwarding/config

/P
* Re: nft_flowtable.sh selftest failures
From: Paolo Abeni @ 2025-08-12 7:58 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: netdev@vger.kernel.org, netfilter-devel, Jakub Kicinski
On 8/12/25 9:50 AM, Paolo Abeni wrote:
> the mentioned self test failed in the last 2 CI iterations, on both
> metal and debug build, with the following output:
>
> # PASS: flow offload for ns1/ns2 with dnat and pmtu discovery ns1 <- ns2
> # Error: Requested AUTH algorithm not found.
> # Error: Requested AUTH algorithm not found.
> # Error: Requested AUTH algorithm not found.
> # Error: Requested AUTH algorithm not found.
> # FAIL: file mismatch for ns1 -> ns2
> # -rw------- 1 root root 2097152 Aug 11 20:23 /tmp/tmp.x1oVr3mu0P
> # -rw------- 1 root root 0 Aug 11 20:23 /tmp/tmp.77gElv9oit
> # FAIL: file mismatch for ns1 <- ns2
> # -rw------- 1 root root 2097152 Aug 11 20:23 /tmp/tmp.x1oVr3mu0P
> # -rw------- 1 root root 0 Aug 11 20:23 /tmp/tmp.ogDiTh8ZXf
> # FAIL: ipsec tunnel mode for ns1/ns2
>
> see, i.e.:
> https://netdev-3.bots.linux.dev/vmksft-nf/results/249461/14-nft-flowtable-sh/
>
> I don't see relevant patches landing in the relevant builds, I suspect
> the relevant kernel config knob (CONFIG_CRYPTO_SHA1 ?) was always
> missing in the ST config, pulled in by NIPA due to some CI setup tweak
> possibly changed recently (Jakub could possibly have a better idea/view
> about the latter). Could you please have a look?
>
> NIPA generates the kernel config and the kernel build itself with
> something like:
>
> rm -f .config
> vng --build --config tools/testing/selftests/net/forwarding/config

Addendum: other (not nft-related) tests (vrf-xfrm-tests.sh,
xfrm_policy.sh) are failing apparently due to the same root cause
(missing sha1 knob), so I guess it's really a NIPA issue.
/P
* Re: nft_flowtable.sh selftest failures
From: Florian Westphal @ 2025-08-12 9:22 UTC (permalink / raw)
To: Paolo Abeni
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, netdev@vger.kernel.org,
netfilter-devel, Jakub Kicinski
Paolo Abeni <pabeni@redhat.com> wrote:
> > I don't see relevant patches landing in the relevant builds, I suspect
> > the relevant kernel config knob (CONFIG_CRYPTO_SHA1 ?) was always
> > missing in the ST config, pulled in by NIPA due to some CI setup tweak
> > possibly changed recently (Jakub could possibly have a better idea/view
> > about the latter). Could you please have a look?

Can't reproduce this here.

Latest net tree:

vng --build --config tools/testing/selftests/net/netfilter/config
grep SHA1 .config
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
CONFIG_CRYPTO_SHA1=m

make -C tools/testing/selftests/ TARGETS=net/netfilter
vng -v --run . --user root --cpus 4 -- \
    make -C tools/testing/selftests TARGETS=net/netfilter run_tests TEST_PROGS=nft_flowtable.sh
[..]
# PASS: ipsec tunnel mode for ns1/ns2
ok 1 selftests: net/netfilter: nft_flowtable.sh

> > NIPA generates the kernel config and the kernel build itself with
> > something like:
> >
> > rm -f .config
> > vng --build --config tools/testing/selftests/net/forwarding/config
>
> Addendum: other (not nft-related) tests (vrf-xfrm-tests.sh,
> xfrm_policy.sh) are failing apparently due to the same root cause
> (missing sha1 knob), so I guess it's really a NIPA issue.
Looks like it, I mean, I can't repro it here.
Let me know if I missed anything or if there is something I can
do to help debugging this.
* Re: nft_flowtable.sh selftest failures
From: Matthieu Baerts @ 2025-08-12 9:45 UTC (permalink / raw)
To: Florian Westphal, Paolo Abeni
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, netdev@vger.kernel.org,
netfilter-devel, Jakub Kicinski, Eric Biggers
Hi Florian,
(+ Eric in Cc)
On 12/08/2025 11:22, Florian Westphal wrote:
> Paolo Abeni <pabeni@redhat.com> wrote:
>>> I don't see relevant patches landing in the relevant builds, I suspect
>>> the relevant kernel config knob (CONFIG_CRYPTO_SHA1 ?) was always
>>> missing in the ST config, pulled in by NIPA due to some CI setup tweak
>>> possibly changed recently (Jakub could possibly have a better idea/view
>>> about the latter). Could you please have a look?
>
> Can't reproduce this here.
>
> Latest net tree:
I don't know if it can help, but did you try to reproduce it on top of
the branch used by the CI?
https://github.com/linux-netdev/testing/tree/net-next-2025-08-12--06-00
This branch is on top of net-next, where 'net' has been merged, all
pending patches listed on Patchwork have been applied, plus a few
additional patches are there to either fix some temp issues or improve
the CI somehow. Maybe one of these patches caused the removal of
CONFIG_CRYPTO_SHA1.
I guess that's the case, because when looking at the diff [1] when the
issue got introduced, I see some patches [2] from Eric Biggers modifying
some sctp's Kconfig file. They probably cause the issue, but the fix
should be to add CONFIG_CRYPTO_SHA1 in the ST config as mentioned by Paolo.
[1]
https://netdev.bots.linux.dev/static/nipa/branch_deltas/net-next-2025-08-12--03-00.html
[2] https://patchwork.kernel.org/project/netdevbpf/list/?series=990201
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
* Re: nft_flowtable.sh selftest failures
From: Florian Westphal @ 2025-08-12 10:43 UTC (permalink / raw)
To: Matthieu Baerts
Cc: Paolo Abeni, Pablo Neira Ayuso, Jozsef Kadlecsik,
netdev@vger.kernel.org, netfilter-devel, Jakub Kicinski,
Eric Biggers
Matthieu Baerts <matttbe@kernel.org> wrote:
> I don't know if it can help, but did you try to reproduce it on top of
> the branch used by the CI?
>
> https://github.com/linux-netdev/testing/tree/net-next-2025-08-12--06-00
>
> This branch is on top of net-next, where 'net' has been merged, all
> pending patches listed on Patchwork have been applied, plus a few
> additional patches are there to either fix some temp issues or improve
> the CI somehow. Maybe one of these patches caused the removal of
> CONFIG_CRYPTO_SHA1.
Yes:
sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication
removes it.
> I guess that's the case, because when looking at the diff [1] when the
> issue got introduced, I see some patches [2] from Eric Biggers modifying
> some sctp's Kconfig file. They probably cause the issue, but the fix
> should be to add CONFIG_CRYPTO_SHA1 in the ST config as mentioned by Paolo.
seems like these two are the only ones that need it. at least
xfrm_policy.sh passes again after this change.
diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config
@@ -115,6 +115,7 @@ CONFIG_VXLAN=m
CONFIG_IP_SCTP=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_CRYPTO_ARIA=y
+CONFIG_CRYPTO_SHA1=y
CONFIG_XFRM_INTERFACE=m
CONFIG_XFRM_USER=m
CONFIG_IP_NF_MATCH_RPFILTER=m
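Review bot: `+CONFIG_CRYPTO_SHA1=y` builds SHA-1 in, while the xfrm options right below it (`CONFIG_XFRM_INTERFACE=m`, `CONFIG_XFRM_USER=m`) are modules and the passing run shown earlier in this thread had `CONFIG_CRYPTO_SHA1=m`. If `=y` is deliberate, the commit message should say why; otherwise `=m` would match the rest of the fragment. The message should also name the tests reported failing in this thread (xfrm_policy.sh, vrf-xfrm-tests.sh) as the reason the symbol is listed, since nothing in the fragment records what depends on it.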
diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config
--- a/tools/testing/selftests/net/netfilter/config
+++ b/tools/testing/selftests/net/netfilter/config
@@ -98,3 +98,4 @@ CONFIG_NET_PKTGEN=m
CONFIG_TUN=m
CONFIG_INET_DIAG=m
CONFIG_INET_SCTP_DIAG=m
+CONFIG_CRYPTO_SHA1=y
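Review bot: the new `+CONFIG_CRYPTO_SHA1=y` is appended after `CONFIG_INET_SCTP_DIAG=m` at the end of the file with nothing tying it to its consumer, and the only re-test reported with this change is xfrm_policy.sh. A run of nft_flowtable.sh, whose "ipsec tunnel mode" case is the failure that started the thread, against a kernel built from this fragment should be confirmed before the patch is sent. The commit message should state that the sctp series named above removed the symbol from the resulting build, which is why it now has to be requested explicitly here.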
* Re: nft_flowtable.sh selftest failures
From: Eric Biggers @ 2025-08-13 4:05 UTC (permalink / raw)
To: Florian Westphal
Cc: Matthieu Baerts, Paolo Abeni, Pablo Neira Ayuso, Jozsef Kadlecsik,
netdev@vger.kernel.org, netfilter-devel, Jakub Kicinski
On Tue, Aug 12, 2025 at 12:43:22PM +0200, Florian Westphal wrote:
> Matthieu Baerts <matttbe@kernel.org> wrote:
> > I don't know if it can help, but did you try to reproduce it on top of
> > the branch used by the CI?
> >
> > https://github.com/linux-netdev/testing/tree/net-next-2025-08-12--06-00
> >
> > This branch is on top of net-next, where 'net' has been merged, all
> > pending patches listed on Patchwork have been applied, plus a few
> > additional patches are there to either fix some temp issues or improve
> > the CI somehow. Maybe one of these patches caused the removal of
> > CONFIG_CRYPTO_SHA1.
>
> Yes:
> sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication
>
> removes it.
>
> > I guess that's the case, because when looking at the diff [1] when the
> > issue got introduced, I see some patches [2] from Eric Biggers modifying
> > some sctp's Kconfig file. They probably cause the issue, but the fix
> > should be to add CONFIG_CRYPTO_SHA1 in the ST config as mentioned by Paolo.
>
> seems like these two are the only ones that need it. at least
> xfrm_policy.sh passes again after this change.
>
> diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
> --- a/tools/testing/selftests/net/config
> +++ b/tools/testing/selftests/net/config
> @@ -115,6 +115,7 @@ CONFIG_VXLAN=m
> CONFIG_IP_SCTP=m
> CONFIG_NETFILTER_XT_MATCH_POLICY=m
> CONFIG_CRYPTO_ARIA=y
> +CONFIG_CRYPTO_SHA1=y
> CONFIG_XFRM_INTERFACE=m
> CONFIG_XFRM_USER=m
> CONFIG_IP_NF_MATCH_RPFILTER=m
> diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config
> --- a/tools/testing/selftests/net/netfilter/config
> +++ b/tools/testing/selftests/net/netfilter/config
> @@ -98,3 +98,4 @@ CONFIG_NET_PKTGEN=m
> CONFIG_TUN=m
> CONFIG_INET_DIAG=m
> CONFIG_INET_SCTP_DIAG=m
> +CONFIG_CRYPTO_SHA1=y
Yes that's correct. I've included a fix for this in v2 of the series
(https://lore.kernel.org/netdev/20250813040121.90609-2-ebiggers@kernel.org/).
Thanks for finding this!
- Eric
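
The root cause found in this thread is that the selftest config fragments never requested CONFIG_CRYPTO_SHA1 and the build only had it through another option, so it vanished when that option changed. As an added example (not code from the thread, from NIPA or from the kernel tree), this shell script classifies each symbol a test needs as explicit, implicit or missing; the function names `config_value`, `classify_symbol` and `audit_config` and the sample files are constructed here.

```shell
#!/bin/sh
# Added example; the function names and the sample files are constructed here.

# Print the value a config file assigns to a symbol (y, m, ...), or nothing
# when the symbol is absent or only appears as "# CONFIG_X is not set".
config_value() {
    sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# explicit: the fragment requests the symbol and the build has it
# implicit: the build has it, but only because something else pulled it in
# missing:  the final .config does not enable it
classify_symbol() {
    built=$(config_value "$2" "$3")
    wanted=$(config_value "$1" "$3")
    if [ -z "$built" ] || [ "$built" = n ]; then
        echo missing
    elif [ -n "$wanted" ]; then
        echo explicit
    else
        echo implicit
    fi
}

# Usage: audit_config FRAGMENT DOTCONFIG SYMBOL...
# Returns non-zero unless every symbol is explicitly requested and enabled.
audit_config() {
    frag=$1; final=$2; shift 2
    rc=0
    for sym in "$@"; do
        state=$(classify_symbol "$frag" "$final" "$sym")
        printf '%-8s %s\n' "$state" "$sym"
        [ "$state" = explicit ] || rc=1
    done
    return "$rc"
}

# Constructed sample: a fragment that never asks for SHA1, and a .config
# like the grep output in the thread, where SHA1 is enabled anyway.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' 'CONFIG_IP_SCTP=m' 'CONFIG_XFRM_USER=m' > "$work/fragment"
printf '%s\n' 'CONFIG_IP_SCTP=m' 'CONFIG_XFRM_USER=m' \
    '# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set' \
    'CONFIG_CRYPTO_SHA1=m' > "$work/dotconfig"

audit_config "$work/fragment" "$work/dotconfig" \
    CONFIG_XFRM_USER CONFIG_CRYPTO_SHA1 || true
```

An `implicit` result is the state the selftests were in before the failures: the test passes today, but only until the option that pulls the symbol in changes.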