lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241024093716.GK402847@kernel.org>
Date: Thu, 24 Oct 2024 10:37:16 +0100
From: Simon Horman <horms@...nel.org>
To: Florian Westphal <fw@...len.de>
Cc: netdev@...r.kernel.org, Paolo Abeni <pabeni@...hat.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH net] selftests: netfilter: nft_flowtable.sh: make first
 pass deterministic

On Tue, Oct 22, 2024 at 05:23:18PM +0200, Florian Westphal wrote:
> The CI occasionaly encounters a failing test run.  Example:
>  # PASS: ipsec tunnel mode for ns1/ns2
>  # re-run with random mtus: -o 10966 -l 19499 -r 31322
>  # PASS: flow offloaded for ns1/ns2
> [..]
>  # FAIL: ipsec tunnel ... counter 1157059 exceeds expected value 878489
> 
> This script will re-exec itself, on the second run, random MTUs are
> chosen for the involved links.  This is done so we can cover different
> combinations (large mtu on client, small on server, link has lowest
> mtu, etc).
> 
> Furthermore, file size is random, even for the first run.
> 
> Rework this script and always use the same file size on initial run so
> that at least the first round can be expected to have reproducible
> behavior.
> 
> Second round will use random mtu/filesize.
> 
> Raise the failure limit to that of the file size, this should avoid all
> errneous test errors.  Currently, first fin will remove the offload, so if
> one peer is already closing remaining data is handled by classic path,
> which result in larger-than-expected counter and a test failure.
> 
> Given packet path also counts tcp/ip headers, in case offload is
> completely broken this test will still fail (as expected).
> 
> The test counter limit could be made more strict again in the future
> once flowtable can keep a connection in offloaded state until FINs
> in both directions were seen.
> 
> Signed-off-by: Florian Westphal <fw@...len.de>
> ---
>  If you prefer you can also apply this to net-next instead.

Hi Florian,

No preference on my side.
But if it is for net, then we'll need a fixes tag.
Which you can simply add by responding with it to this email.
(I think it has to start at the beginning of the line.)

In any case,

Reviewed-by: Simon Horman <horms@...nel.org>

...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ