selftests: netfilter: add packetdrill based conntrack tests

Add a new test script that uses packetdrill tool to exercise conntrack
state machine.

Needs ip/ip6tables and conntrack tool (to check if we have an entry in
the expected state).

Test cases added here cover following scenarios:
1. already-acked (retransmitted) packets are not tagged as INVALID
2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT)
transitions conntrack to CLOSE even if the RST is not an exact match
3. RST packets with out-of-window sequence numbers are marked as INVALID
4. SYN+Challenge ACK: check that challenge ack is allowed to pass
5. Old SYN/ACK: check conntrack handles the case where SYN is answered
with SYN/ACK for an old, previous connection attempt
6. Check SYN reception while in ESTABLISHED state generates a challenge
ack, RST response clears 'outdated' state + next SYN retransmit gets
us into 'SYN_RECV' conntrack state.

Tests get run twice, once with ipv4 and once with ipv6.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

selftests: netfilter: nft_concat_range.sh: reduce debug kernel run time

Even a 1h timeout isn't enough for nft_concat_range.sh to complete on
debug kernels.

Reduce test complexity and only match on single entry if
KSFT_MACHINE_SLOW is set.

To spot 'slow' tests, print the subtest duration (in seconds) in
addition to the status.

Add new nft_concat_range_perf.sh script, not executed via kselftest,
to run the performance (pps match rate) tests.

Those need about 25m to complete which seems too much to run this
via 'make run_tests'.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240430145810.23447-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

tools: testing: selftests: prefer TEST_PROGS for conntrack_dump_flush

Currently conntrack_dump_flush test program always runs when passing
TEST_PROGS argument:

% make -C tools/testing/selftests TARGETS=net/netfilter \
TEST_PROGS=conntrack_ipip_mtu.sh run_tests
make: Entering [..]
TAP version 13
1..2 [..]
selftests: net/netfilter: conntrack_dump_flush [..]

Move away from TEST_CUSTOM_PROGS to avoid this. After this,
above command will only run the program specified in TEST_PROGS.

Link: https://lore.kernel.org/netdev/20240423191609.70c14c42@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240424095824.5555-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

selftests: netfilter: update makefiles and kernel config

Jakub reports the Makefile missed a few updates to make kselftest-install
work for the netfilter tests and points out that config file lacks many
dependencies such as VETH support.

The settings file (timeout 8m) is added for nft_concat_range.sh script
which can take several minutes to complete.

Fixes: 3f189349e52a ("selftests: netfilter: move to net subdir")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/all/20240412175413.04e5e616@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240418152744.15105-13-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

selftests: netfilter: move to net subdir

.. so this can start re-using existing lib.sh infra in next patches.

Several of these scripts will not work, e.g. because they assume
rp_filter is disabled, or reliance on a particular version/flavor
of "netcat" tool.

Add config settings for them.

nft_trans_stress.sh script is removed, it also exists in the nftables
userspace selftests. I do not see a reason to keep two versions in
different repositories/projects.

The settings file is removed for now:

It was used to increase the timeout to avoid slow scripts from getting
zapped by the 45s timeout, but some of the slow scripts can be sped up.
Re-add it later for scripts that cannot be sped up easily.

Update MAINTAINERS to reflect that future updates to netfilter
scripts should go through netfilter-devel@.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240411233624.8129-2-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>