lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250717150941.9057-1-fw@strlen.de>
Date: Thu, 17 Jul 2025 17:09:37 +0200
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: pablo@...filter.org,
	pabeni@...hat.com,
	kuba@...nel.org,
	Florian Westphal <fw@...len.de>
Subject: [PATCH net] selftests: netfilter: tone-down conntrack clash test

Stop this test from failing.

This is a stop-gap measure to not keep failing on NIPA CI.

The test is supposed to observe that clash_resolution stat counter
incremented (code path was covered).  This path is only exercised
when multiple packets race: depending on kernel config, number of CPUs,
scheduling policy etc. this might not trigger at all.

Therefore, if the test program did not observe the expected number of
replies, make a note of it but do not flip script retval to 1.

With this change the test should either SKIP or pass.
Hard error can be restored later once its clear whats going on.

Fixes: 78a588363587 ("selftests: netfilter: add conntrack clash resolution test case")
Signed-off-by: Florian Westphal <fw@...len.de>
---
 .../net/netfilter/conntrack_clash.sh          | 40 ++++++++++---------
 .../selftests/net/netfilter/udpclash.c        | 11 +++--
 2 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/tools/testing/selftests/net/netfilter/conntrack_clash.sh b/tools/testing/selftests/net/netfilter/conntrack_clash.sh
index 3712c1b9b38b..1c54505e0d03 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_clash.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_clash.sh
@@ -93,19 +93,20 @@ ping_test()
 run_one_clash_test()
 {
 	local ns="$1"
-	local daddr="$2"
-	local dport="$3"
+	local ctns="$2"
+	local daddr="$3"
+	local dport="$4"
 	local entries
 	local cre
 
-	if ! ip netns exec "$ns" ./udpclash $daddr $dport;then
-		echo "FAIL: did not receive expected number of replies for $daddr:$dport"
-		ret=1
-		return 1
+	if ! ip netns exec "$ns" timeout 10s ./udpclash $daddr $dport;then
+		echo "NOTICE: udpclash did not receive any packets, cpus $(nprocs)"
+		ip netns exec "$ns" ss -niupa
+		# don't fail: check if clash resolution triggered.
 	fi
 
-	entries=$(conntrack -S | wc -l)
-	cre=$(conntrack -S | grep -v "clash_resolve=0" | wc -l)
+	entries=$(ip netns exec "$ctns" conntrack -S | wc -l)
+	cre=$(ip netns exec "$ctns" conntrack -S | grep "clash_resolve=0" | wc -l)
 
 	if [ "$cre" -ne "$entries" ] ;then
 		clash_resolution_active=1
@@ -117,8 +118,8 @@ run_one_clash_test()
 		return 0
 	fi
 
-	# not a failure: clash resolution logic did not trigger, but all replies
-	# were received.  With right timing, xmit completed sequentially and
+	# not a failure: clash resolution logic did not trigger.
+	# With right timing, xmit completed sequentially and
 	# no parallel insertion occurs.
 	return $ksft_skip
 }
@@ -126,20 +127,23 @@ run_one_clash_test()
 run_clash_test()
 {
 	local ns="$1"
-	local daddr="$2"
-	local dport="$3"
+	local ctns="$2"
+	local daddr="$3"
+	local dport="$4"
+	local harderr=0
 
 	for i in $(seq 1 10);do
-		run_one_clash_test "$ns" "$daddr" "$dport"
+		run_one_clash_test "$ns" "$ctns" "$daddr" "$dport"
 		local rv=$?
 		if [ $rv -eq 0 ];then
 			echo "PASS: clash resolution test for $daddr:$dport on attempt $i"
 			return 0
 		elif [ $rv -eq 1 ];then
-			echo "FAIL: clash resolution test for $daddr:$dport on attempt $i"
-			return 1
+			harderr=1
 		fi
 	done
+
+	[ $harderr -eq 1 ] && echo "FAIL: no packets received for $daddr:$dport with $(nproc) cpus"
 }
 
 ip link add veth0 netns "$nsclient1" type veth peer name veth0 netns "$nsrouter"
@@ -161,15 +165,15 @@ spawn_servers "$nsclient2"
 
 # exercise clash resolution with nat:
 # nsrouter is supposed to dnat to 10.0.2.1:900{0,1,2,3}.
-run_clash_test "$nsclient1" 10.0.1.99 "$dport"
+run_clash_test "$nsclient1" "$nsrouter" 10.0.1.99 "$dport"
 
 # exercise clash resolution without nat.
 load_simple_ruleset "$nsclient2"
-run_clash_test "$nsclient2" 127.0.0.1 9001
+run_clash_test "$nsclient2" "$nsclient2" 127.0.0.1 9001
 
 if [ $clash_resolution_active -eq 0 ];then
 	[ "$ret" -eq 0 ] && ret=$ksft_skip
-	echo "SKIP: Clash resolution did not trigger"
+	echo "SKIP: Clash resolution did not trigger with $(nproc) cpus."
 fi
 
 exit $ret
diff --git a/tools/testing/selftests/net/netfilter/udpclash.c b/tools/testing/selftests/net/netfilter/udpclash.c
index 85c7b906ad08..506caf110605 100644
--- a/tools/testing/selftests/net/netfilter/udpclash.c
+++ b/tools/testing/selftests/net/netfilter/udpclash.c
@@ -87,10 +87,8 @@ static int run_test(int fd, const struct sockaddr_in *si_remote)
 		ret = recvfrom(fd, repl, sizeof(repl), MSG_NOSIGNAL,
 			       (struct sockaddr *) &si_repl, &si_repl_len);
 		if (ret < 0) {
-			if (timeout++ > 5000) {
-				fputs("timed out while waiting for reply from thread\n", stderr);
+			if (timeout++ > 10000)
 				break;
-			}
 
 			/* give reply time to pass though the stack */
 			usleep(1000);
@@ -114,11 +112,12 @@ static int run_test(int fd, const struct sockaddr_in *si_remote)
 		repl_count++;
 	}
 
-	printf("got %d of %d replies\n", repl_count, THREAD_COUNT);
-
 	free(tid);
 
-	return repl_count == THREAD_COUNT ? 0 : 1;
+	if (repl_count != THREAD_COUNT)
+		printf("got %d of %d replies\n", repl_count, THREAD_COUNT);
+
+	return repl_count > 0 ? 0 : 1;
 }
 
 int main(int argc, char *argv[])
-- 
2.49.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ