From: Antonio Ojea <aojea@google.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4] selftests: netfilter: conntrack respect reject rules
Date: Sun, 23 Mar 2025 12:08:36 +0100
Message-ID: <CAAdXToR2Sf1NsnE-n0ctdm0nVVT7NgMudqJKE5AVVEPNb1Vzng@mail.gmail.com>
In-Reply-To: <Z9_cDLTSaGeXcG5X@calendula>
>
>
> I am testing with different stable kernels to uncover timing issues.
>
> With nf and nf-next kernels with instrumentation, **this works just fine**.
>
> But I triggered a weird issue with Debian's 6.1.0-31-amd64:
>
> # ./nft_conntrack_reject_established.sh
> ...
> ERROR: backend filter-ip6: fail to connect to [dead:2::99]:8080
> ERROR: backend filter-ip6: fail to connect over the established connection to [dead:4::a]:8080
> ERROR: backend filter-ip6: fail to connect to [dead:4::a]:8080
> ERROR: backend filter-ip6: fail to connect over the established connection to [dead:4::a]:8080
> ERROR: backend filter-ip6: fail to connect to [dead:2::99]:8080
>
> interestingly if I reversed the order, ie. I run ipv6 before ipv4
> test, then ipv4 fails:
>
> for testname in "${!testcases[@]}"; do
> - test_conntrack_reject_established "ip" "$testname" "${testcases[$testname]}"
> test_conntrack_reject_established "ip6" "$testname" "${testcases[$testname]}"
> + test_conntrack_reject_established "ip" "$testname" "${testcases[$testname]}"
> done
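Review bot: swapping the two calls inside the loop body still interleaves the families per test case (ip6, ip, ip6, ip, ...), so this reordering does not show whether the failure needs a full pass of the other family first or only a single preceding call. Running two separate loops back to back in the same script invocation, all "ip6" cases and then all "ip" cases, would separate those two possibilities.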
>
> also, running standalone ipv4 test, ie.:
>
> for testname in "${!testcases[@]}"; do
> test_conntrack_reject_established "ip" "$testname" "${testcases[$testname]}"
> done
>
> or ipv6 test, ie.:
>
> for testname in "${!testcases[@]}"; do
> test_conntrack_reject_established "ip6" "$testname" "${testcases[$testname]}"
> done
>
> works perfectly fine.
>
> Hm, where is the issue? I have to double check, maybe -stable 6.1 is
> missing a backport fix.
>
>
Naive question: is the nft client used in the tests the same in all
environments?
Could the fact that they work individually but not together, and that
the test is using "inet" tables, point to something related to
dual-stack support?
Thread overview: 9+ messages
2025-03-13 23:13 [PATCH] selftests: netfilter: conntrack respect reject rules Antonio Ojea
2025-03-14 9:28 ` [PATCH v2] " Antonio Ojea
2025-03-17 13:19 ` Florian Westphal
2025-03-18 9:41 ` [PATCH v3] " Antonio Ojea
2025-03-18 13:23 ` Florian Westphal
2025-03-18 16:35 ` [PATCH v4] " Antonio Ojea
2025-03-18 20:04 ` Florian Westphal
2025-03-23 10:02 ` Pablo Neira Ayuso
2025-03-23 11:08 ` Antonio Ojea [this message]