Message-ID: <20250717062218.380dab89@kernel.org>
Date: Thu, 17 Jul 2025 06:22:18 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: fw@...len.de
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
 netfilter-devel@...r.kernel.org, davem@...emloft.net,
 netdev@...r.kernel.org, pabeni@...hat.com, edumazet@...gle.com,
 horms@...nel.org
Subject: Re: [PATCH net 2/7] selftests: netfilter: add conntrack clash
 resolution test case

On Thu, 17 Jul 2025 11:51:17 +0200 Pablo Neira Ayuso wrote:
> Add a dedicated test to exercise conntrack clash resolution path.
> Test program emits 128 identical udp packets in parallel, then reads
> back replies from socat echo server.
> 
> Also check (via conntrack -S) that the clash path was hit at least once.
> Due to the racy nature of the test it's possible that despite the
> threaded program all packets were processed in-order or on same cpu,
> emit a SKIP warning in this case.
> 
> Two tests are added:
>  - one to test the simpler, non-nat case
>  - one to exercise clash resolution where packets
>    might have different nat transformations attached to them.

This appears to fail for us:

TAP version 13
1..1
# timeout set to 1800
# selftests: net/netfilter: conntrack_clash.sh
# got 128 of 128 replies
# timed out while waiting for reply from thread
# got 127 of 128 replies
# FAIL: did not receive expected number of replies for 10.0.1.99:22111
# FAIL: clash resolution test for 10.0.1.99:22111 on attempt 2
# got 128 of 128 replies
# timed out while waiting for reply from thread
# got 0 of 128 replies
# FAIL: did not receive expected number of replies for 127.0.0.1:9001
# FAIL: clash resolution test for 127.0.0.1:9001 on attempt 2
# SKIP: Clash resolution did not trigger
not ok 1 selftests: net/netfilter: conntrack_clash.sh # exit=1
make[1]: Leaving directory '/home/virtme/testing-15/tools/testing/selftests/net/netfilter'
make: Leaving directory '/home/virtme/testing-15/tools/testing/selftests'
