Message-ID: <20250506061125.1a244d12@kernel.org>
Date: Tue, 6 May 2025 06:11:25 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
 netdev@...r.kernel.org, pabeni@...hat.com, edumazet@...gle.com,
 fw@...len.de, horms@...nel.org
Subject: Re: [PATCH nf-next 2/7] selftests: netfilter: add conntrack stress
 test

On Tue,  6 May 2025 01:41:46 +0200 Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@...len.de>
> 
> Add a new test case to check:
>  - conntrack_max limit is effective
>  - conntrack_max limit cannot be exceeded from within a netns
>  - resizing the hash table while packets are inflight works
>  - removal of all conntrack rules disables conntrack in netns
>  - conntrack tool dump (conntrack -L) returns expected number
>    of (unique) entries
>  - procfs interface - if available - has same number of entries
>    as conntrack -L dump
> 
> Expected output with selftest framework:
>  selftests: net/netfilter: conntrack_resize.sh
>  PASS: got 1 connections: netns conntrack_max is pernet bound
>  PASS: got 100 connections: netns conntrack_max is init_net bound
>  PASS: dump in netns had same entry count (-C 1778, -L 1778, -p 1778, /proc 0)
>  PASS: dump in netns had same entry count (-C 2000, -L 2000, -p 2000, /proc 0)
>  PASS: test parallel conntrack dumps
>  PASS: resize+flood
>  PASS: got 0 connections: conntrack disabled
>  PASS: got 1 connections: conntrack enabled
> ok 1 selftests: net/netfilter: conntrack_resize.sh

This test seems quite flaky on debug kernels:

https://netdev.bots.linux.dev/contest.html?test=conntrack-resize-sh&executor=vmksft-nf-dbg

# FAIL: proc inconsistency after uniq filter for nsclient2-whtRtS: 1968 != 1945
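The last two checks in the patch description (unique-entry count of the `conntrack -L` dump versus the procfs entry count) and the failure line above, as an added illustration that is not the selftest's own code: a POSIX shell check that filters duplicate dump lines before comparing counts. The dump and procfs files are constructed inline; the function names and the line formats are assumptions, not taken from the selftest.

```shell
#!/bin/sh
# Added example, not code from the kernel selftest. Compares the number of
# unique entries in a "conntrack -L" style dump with the entry count of a
# "/proc/net/nf_conntrack" style file, as the patch description requires.

# Count unique entries in a -L style dump. Concurrent dumpers can emit the
# same entry more than once, so identical lines are collapsed first.
count_unique_entries() {
    sort -u "$1" | wc -l | tr -d ' '
}

# Count entries in a procfs style dump: one entry per line.
count_proc_entries() {
    wc -l < "$1" | tr -d ' '
}

# Return 0 when both counts agree, 1 otherwise, mirroring a PASS/FAIL line.
# A transient mismatch can also mean entries were created or expired between
# the two reads, which is why a flaky result on slow kernels needs a re-check.
check_consistency() {
    l=$(count_unique_entries "$1")
    p=$(count_proc_entries "$2")
    if [ "$l" -eq "$p" ]; then
        echo "PASS: dump had same entry count (-L $l, /proc $p)"
        return 0
    fi
    echo "FAIL: proc inconsistency after uniq filter: $l != $p"
    return 1
}

# Constructed sample data: the dump repeats one entry, procfs has two entries.
ct_dump=$(mktemp)
proc_dump=$(mktemp)
cat > "$ct_dump" <<'EOF'
udp 17 29 src=10.0.0.1 dst=10.0.0.2 sport=1000 dport=53 [UNREPLIED] use=1
udp 17 29 src=10.0.0.1 dst=10.0.0.2 sport=1001 dport=53 [UNREPLIED] use=1
udp 17 29 src=10.0.0.1 dst=10.0.0.2 sport=1000 dport=53 [UNREPLIED] use=1
EOF
cat > "$proc_dump" <<'EOF'
ipv4 2 udp 17 29 src=10.0.0.1 dst=10.0.0.2 sport=1000 dport=53 [UNREPLIED]
ipv4 2 udp 17 29 src=10.0.0.1 dst=10.0.0.2 sport=1001 dport=53 [UNREPLIED]
EOF

check_consistency "$ct_dump" "$proc_dump"
```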
