lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260210153433.0b282662@kernel.org>
Date: Tue, 10 Feb 2026 15:34:33 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Aleksei Oladko <aleksey.oladko@...tuozzo.com>
Cc: "David S . Miller" <davem@...emloft.net>, Eric Dumazet
 <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon Horman
 <horms@...nel.org>, Shuah Khan <shuah@...nel.org>, Petr Machata
 <petrm@...dia.com>, Ido Schimmel <idosch@...dia.com>, Amit Cohen
 <amcohen@...dia.com>, netdev@...r.kernel.org,
 linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/3] selftests: forwarding: fix pedit tests failure with
 br_netfilter enabled

On Tue, 10 Feb 2026 18:51:29 +0000 Aleksei Oladko wrote:
> The tests use the tc pedit action to modify the IPv4 source address
> ("pedit ex munge ip src set"), but the IP header checksum is not
> recalculated after the modification. As a result, the modified packet
> fails sanity checks in br_netfilter after bridging and is dropped,
> which causes the test to fail.
> 
> Fix this by adding an explicit checksum recalculation using the
> "csum ip" action, so the modified packet contains a valid IPv4
> checksum.
> 
> Note on IPv6:
>   The tests in pedit_ip.sh also cover IPv6 (test_ip6_src, test_ip6_dst).
>   The csum ip action is harmless for IPv6 packets since IPv6 has no
>   header checksum — it will be a no-op.

I think this makes the test fail for us:

make: Entering directory '/srv/vmksft/testing/wt-3/tools/testing/selftests'
make[1]: Nothing to be done for 'all'.
TAP version 13
1..1
# timeout set to 10800
# selftests: net/forwarding: pedit_ip.sh
# 6.13 [+6.13] TEST: ping                                                          [ OK ]
# 7.09 [+0.97] TEST: ping6                                                         [ OK ]
# 7.12 [+0.02] Error: Failed to load TC action module.
# 7.12 [+0.00] We have an error talking to the kernel
# 8.36 [+1.24] TEST: dev veth1 ingress pedit ip src set 198.51.100.1               [FAIL]
# 8.36 [+0.01] Expected to get 10 packets, but got 0.
# 8.37 [+0.01] Error: Cannot find specified filter chain.
# 8.38 [+0.00] We have an error talking to the kernel
# 8.39 [+0.01] Error: Failed to load TC action module.
# 8.39 [+0.00] We have an error talking to the kernel
# 9.63 [+1.24] TEST: dev veth2 egress pedit ip src set 198.51.100.1                [FAIL]
# 9.63 [+0.01] Expected to get 10 packets, but got 0.
# 9.64 [+0.00] Error: Cannot find specified filter chain.
# 9.64 [+0.00] We have an error talking to the kernel
# 9.65 [+0.01] Error: Failed to load TC action module.
# 9.65 [+0.00] We have an error talking to the kernel
# 10.89 [+1.24] TEST: dev veth1 ingress pedit ip dst set 198.51.100.1               [FAIL]
# 10.89 [+0.00] Expected to get 10 packets, but got 0.
# 10.90 [+0.01] Error: Cannot find specified filter chain.
# 10.91 [+0.00] We have an error talking to the kernel
# 10.91 [+0.01] Error: Failed to load TC action module.
# 10.91 [+0.00] We have an error talking to the kernel
# 12.14 [+1.23] TEST: dev veth2 egress pedit ip dst set 198.51.100.1                [FAIL]
# 12.15 [+0.01] Expected to get 10 packets, but got 0.
# 12.15 [+0.00] Error: Cannot find specified filter chain.
# 12.16 [+0.00] We have an error talking to the kernel
# 12.17 [+0.01] Error: Failed to load TC action module.
# 12.17 [+0.00] We have an error talking to the kernel
# 13.42 [+1.24] TEST: dev veth1 ingress pedit ip6 src set 2001:db8:2::1             [FAIL]
# 13.42 [+0.00] Expected to get 10 packets, but got 0.
# 13.43 [+0.01] Error: Cannot find specified filter chain.
# 13.43 [+0.00] We have an error talking to the kernel
# 13.45 [+0.01] Error: Failed to load TC action module.
# 13.45 [+0.00] We have an error talking to the kernel
# 14.69 [+1.24] TEST: dev veth2 egress pedit ip6 src set 2001:db8:2::1              [FAIL]
# 14.69 [+0.00] Expected to get 10 packets, but got 0.
# 14.70 [+0.00] Error: Cannot find specified filter chain.
# 14.70 [+0.00] We have an error talking to the kernel
# 14.71 [+0.01] Error: Failed to load TC action module.
# 14.72 [+0.00] We have an error talking to the kernel
# 15.96 [+1.24] TEST: dev veth1 ingress pedit ip6 dst set 2001:db8:2::1             [FAIL]
# 15.96 [+0.00] Expected to get 10 packets, but got 0.
# 15.97 [+0.01] Error: Cannot find specified filter chain.
# 15.97 [+0.00] We have an error talking to the kernel
# 15.99 [+0.01] Error: Failed to load TC action module.
# 15.99 [+0.00] We have an error talking to the kernel
# 17.23 [+1.24] TEST: dev veth2 egress pedit ip6 dst set 2001:db8:2::1              [FAIL]
# 17.23 [+0.01] Expected to get 10 packets, but got 0.
# 17.24 [+0.00] Error: Cannot find specified filter chain.
# 17.24 [+0.00] We have an error talking to the kernel
not ok 1 selftests: net/forwarding: pedit_ip.sh # exit=1


https://netdev-ctrl.bots.linux.dev/logs/vmksft/forwarding/results/512621/80-pedit-ip-sh/stdout

I could be wrong, kernel.org is having a DNS outage so our CI is a bit
unstable.
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ