Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests: netfilter: fix conntrack stress test failures on debug kernels

Jakub reports test failures on debug kernel:
FAIL: proc inconsistency after uniq filter for ...

This is because entries are expiring while validation is happening.

Increase the timeout of ctnetlink injected entries and the
icmp (ping) timeout to 1h to avoid this.

To reduce run-time, add less entries via ctnetlink when KSFT_MACHINE_SLOW
is set.

also log of a failed run had:
PASS: dump in netns had same entry count (-C 0, -L 0, -p 0, /proc 0)

... i.e. all entries already expired: add a check and set failure if
this happens.

While at it, include a diff when there were duplicate entries and add
netns name to error messages (it tells if icmp or ctnetlink failed).

Fixes: d33f889fd80c ("selftests: netfilter: add conntrack stress test")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20250506061125.1a244d12@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20250507075000.5819-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Florian Westphal and committed by
Jakub Kicinski
1f389a64 6b02fd77

+42 -21
+42 -21
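--- a/tools/testing/selftests/net/netfilter/conntrack_resize.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_resize.sh
@@ -9,7 +9,12 @@
 init_net_max=0
 ct_buckets=0
 tmpfile=""
+tmpfile_proc=""
+tmpfile_uniq=""
 ret=0
+
+insert_count=2000
+[ "$KSFT_MACHINE_SLOW" = "yes" ] && insert_count=400
 
 modprobe -q nf_conntrack
 if ! sysctl -q net.netfilter.nf_conntrack_max >/dev/null;then
@@ -23,7 +28,7 @@
 cleanup() {
 cleanup_all_ns
 
-rm -f "$tmpfile"
+rm -f "$tmpfile" "$tmpfile_proc" "$tmpfile_uniq"
 
 # restore original sysctl setting
 sysctl -q net.netfilter.nf_conntrack_max=$init_net_max
@@ -54,7 +59,7 @@
 ip netns exec "$ns" bash -c "for i in \$(seq 1 $bulk); do \
 if ! conntrack -I -s \$((\$RANDOM%256)).\$((\$RANDOM%256)).\$((\$RANDOM%256)).\$((\$RANDOM%255+1)) \
 -d \$((\$RANDOM%256)).\$((\$RANDOM%256)).\$((\$RANDOM%256)).\$((\$RANDOM%255+1)) \
---protonum 17 --timeout 120 --status ASSURED,SEEN_REPLY --sport \$RANDOM --dport 53; then \
+--protonum 17 --timeout 3600 --status ASSURED,SEEN_REPLY --sport \$RANDOM --dport 53; then \
 return;\
 fi & \
 done ; wait" 2>/dev/null
@@ -191,7 +196,7 @@
 local n="$1"
 local r=0
 
-r=$((RANDOM%2000))
+r=$((RANDOM%$insert_count))
 
 ctflood "$n" "$timeout" "floodresize" &
 insert_ctnetlink "$n" "$r" &
@@ -232,49 +237,61 @@
 local proto=0
 local proc=0
 local unique=""
-
-c=$(ip netns exec "$ns" conntrack -C)
+local lret=0
 
 # NOTE: assumes timeouts are large enough to not have
 # expirations in all following tests.
-l=$(ip netns exec "$ns" conntrack -L 2>/dev/null | tee "$tmpfile" | wc -l)
+l=$(ip netns exec "$ns" conntrack -L 2>/dev/null | sort | tee "$tmpfile" | wc -l)
+c=$(ip netns exec "$ns" conntrack -C)
+
+if [ "$c" -eq 0 ]; then
+echo "FAIL: conntrack count for $ns is 0"
+lret=1
+fi
 
 if [ "$c" -ne "$l" ]; then
-echo "FAIL: count inconsistency for $ns: $c != $l"
-ret=1
+echo "FAIL: conntrack count inconsistency for $ns -L: $c != $l"
+lret=1
 fi
 
 # check the dump we retrieved is free of duplicated entries.
-unique=$(sort "$tmpfile" | uniq | wc -l)
+unique=$(uniq "$tmpfile" | tee "$tmpfile_uniq" | wc -l)
 if [ "$l" -ne "$unique" ]; then
-echo "FAIL: count identical but listing contained redundant entries: $l != $unique"
-ret=1
+echo "FAIL: listing contained redundant entries for $ns: $l != $unique"
+diff -u "$tmpfile" "$tmpfile_uniq"
+lret=1
 fi
 
 # we either inserted icmp or only udp, hence, --proto should return same entry count as without filter.
-proto=$(ip netns exec "$ns" conntrack -L --proto $protoname 2>/dev/null | wc -l)
+proto=$(ip netns exec "$ns" conntrack -L --proto $protoname 2>/dev/null | sort | uniq | tee "$tmpfile_uniq" | wc -l)
 if [ "$l" -ne "$proto" ]; then
-echo "FAIL: dump inconsistency for $ns: $l != $proto"
-ret=1
+echo "FAIL: dump inconsistency for $ns -L --proto $protoname: $l != $proto"
+diff -u "$tmpfile" "$tmpfile_uniq"
+lret=1
 fi
 
 if [ -r /proc/self/net/nf_conntrack ] ; then
-proc=$(ip netns exec "$ns" bash -c "wc -l < /proc/self/net/nf_conntrack")
+proc=$(ip netns exec "$ns" bash -c "sort < /proc/self/net/nf_conntrack | tee \"$tmpfile_proc\" | wc -l")
 
 if [ "$l" -ne "$proc" ]; then
 echo "FAIL: proc inconsistency for $ns: $l != $proc"
-ret=1
+lret=1
 fi
 
-proc=$(ip netns exec "$ns" bash -c "sort < /proc/self/net/nf_conntrack | uniq | wc -l")
-
+proc=$(uniq "$tmpfile_proc" | tee "$tmpfile_uniq" | wc -l)
 if [ "$l" -ne "$proc" ]; then
 echo "FAIL: proc inconsistency after uniq filter for $ns: $l != $proc"
-ret=1
+diff -u "$tmpfile_proc" "$tmpfile_uniq"
+lret=1
 fi
 fi
 
-echo "PASS: dump in netns had same entry count (-C $c, -L $l, -p $proto, /proc $proc)"
+if [ $lret -eq 0 ];then
+echo "PASS: dump in netns $ns had same entry count (-C $c, -L $l, -p $proto, /proc $proc)"
+else
+echo "FAIL: dump in netns $ns had different entry count (-C $c, -L $l, -p $proto, /proc $proc)"
+ret=1
+fi
 }
 
 test_dump_all()
@@ -287,8 +304,10 @@
 ct_flush_once "$nsclient1"
 ct_flush_once "$nsclient2"
 
+ip netns exec "$nsclient1" sysctl -q net.netfilter.nf_conntrack_icmp_timeout=3600
+
 ctflood "$nsclient1" $timeout "dumpall" &
-insert_ctnetlink "$nsclient2" 2000
+insert_ctnetlink "$nsclient2" $insert_count
 
 wait
 
@@ -398,6 +417,8 @@
 done
 
 tmpfile=$(mktemp)
+tmpfile_proc=$(mktemp)
+tmpfile_uniq=$(mktemp)
 test_conntrack_max_limit
 test_dump_all
 test_floodresize_all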
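Review bot: In the /proc check, the new `bash -c "sort < /proc/self/net/nf_conntrack | tee \"$tmpfile_proc\" | wc -l"` splices the mktemp path into a command string that the inner shell parses again. The path is expanded by the outer shell, so a TMPDIR containing a quote, `$` or backtick would be interpreted as shell syntax in a test that runs as root. Passing the path as a positional parameter avoids the second parse: `proc=$(ip netns exec "$ns" bash -c 'sort < /proc/self/net/nf_conntrack | tee "$1" | wc -l' _ "$tmpfile_proc")`. Separately, if `conntrack -C` prints nothing, both `[ "$c" -eq 0 ]` and `[ "$c" -ne "$l" ]` error out and evaluate false, so the new zero-count guard would not set `lret`; a `[ -z "$c" ]` test alongside it would close that gap. The enclosing function starts above the hunk, so where `ns` and `protoname` come from is not visible here.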