summaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorPaolo Abeni <pabeni@redhat.com>2025-12-18 13:55:01 +0100
committerPaolo Abeni <pabeni@redhat.com>2025-12-18 13:55:01 +0100
commit3e82accd3e9c35acfc68e44e12b37e5fd350c768 (patch)
tree66df313498771397eb1586bf2a6471e6e8e7adb3 /tools
parent78a47532ab4d0beebb13e67c4ef97b3fe9f56be0 (diff)
parentfec7b0795548b43e2c3c46e3143c34ef6070341c (diff)
Merge tag 'nf-25-12-16' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Florian Westphal says: ==================== netfilter: updates for net The following patchset contains Netfilter fixes for *net*: 1) Jozsef Kadlecsik is retiring. Fortunately Jozsef will still keep an eye on ipset patches. 2) remove a bogus direction check from nat core, this caused spurious flakes in the 'reverse clash' selftest, from myself. 3) nf_tables doesn't need to do chain validation on register store, from Pablo Neira Ayuso. 4) nf_tables shouldn't revisit chains during ruleset (graph) validation if possible. Both 3 and 4 were slated for -next initially but there are now two independent reports of people hitting soft lockup errors during ruleset validation, so it makes no sense anymore to route this via -next given this is -stable material. From myself. 5) call cond_resched() in a more frequently visited place during nf_tables chain validation, this wasn't possible earlier due to rcu read lock, but nowadays its not held anymore during set walks. 6) Don't fail conntrack packetdrill test with HZ=100 kernels. netfilter pull request nf-25-12-16 * tag 'nf-25-12-16' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel netfilter: nf_tables: avoid softlockup warnings in nft_chain_validate netfilter: nf_tables: avoid chain re-validation if possible netfilter: nf_tables: remove redundant chain validation on register store netfilter: nf_nat: remove bogus direction check MAINTAINERS: Remove Jozsef Kadlecsik from MAINTAINERS file ==================== Link: https://patch.msgid.link/20251216190904.14507-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c13
-rwxr-xr-xtools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh2
-rw-r--r--tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt2
3 files changed, 12 insertions, 5 deletions
diff --git a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
index 507930cee8cb..462d628cc3bd 100644
--- a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
+++ b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
@@ -33,9 +33,14 @@ static void die(const char *e)
exit(111);
}
-static void die_port(uint16_t got, uint16_t want)
+static void die_port(const struct sockaddr_in *sin, uint16_t want)
{
- fprintf(stderr, "Port number changed, wanted %d got %d\n", want, ntohs(got));
+ uint16_t got = ntohs(sin->sin_port);
+ char str[INET_ADDRSTRLEN];
+
+ inet_ntop(AF_INET, &sin->sin_addr, str, sizeof(str));
+
+ fprintf(stderr, "Port number changed, wanted %d got %d from %s\n", want, got, str);
exit(1);
}
@@ -100,7 +105,7 @@ int main(int argc, char *argv[])
die("child recvfrom");
if (peer.sin_port != htons(PORT))
- die_port(peer.sin_port, PORT);
+ die_port(&peer, PORT);
} else {
if (sendto(s2, buf, LEN, 0, (struct sockaddr *)&sa1, sizeof(sa1)) != LEN)
continue;
@@ -109,7 +114,7 @@ int main(int argc, char *argv[])
die("parent recvfrom");
if (peer.sin_port != htons((PORT + 1)))
- die_port(peer.sin_port, PORT + 1);
+ die_port(&peer, PORT + 1);
}
}
diff --git a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
index a24c896347a8..dc7e9d6da062 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
@@ -45,6 +45,8 @@ if ip netns exec "$ns0" ./conntrack_reverse_clash; then
echo "PASS: No SNAT performed for null bindings"
else
echo "ERROR: SNAT performed without any matching snat rule"
+ ip netns exec "$ns0" conntrack -L
+ ip netns exec "$ns0" conntrack -S
exit 1
fi
diff --git a/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt b/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
index 3442cd29bc93..cdb3910af95b 100644
--- a/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
+++ b/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
@@ -26,7 +26,7 @@
+0.01 > R 643160523:643160523(0) win 0
-+0.01 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`
++0.1 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`
// Must go through.
+0.01 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>
generated by cgit (git 2.34.1) at 2025-12-30 17:28:23 +0000