| #
dc9dfd8a |
|
14-May-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: fix packetdrill conntrack testcase
Some versions of conntrack(8) default to ipv4-only, so this needs to request
ipv6 explicitly, like all other spots already do.
Fixes: a8a388c2aae4 ("selftests: netfilter: add packetdrill based conntrack tests")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20240513114649.6d764307@kernel.org/
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240514144415.11433-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
| #
a8a388c2 |
|
07-May-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: add packetdrill based conntrack tests
Add a new test script that uses packetdrill tool to exercise conntrack
state machine.
Needs ip/ip6tables and conntrack tool (to check if we have an entry in
the expected state).
Test cases added here cover following scenarios:
1. already-acked (retransmitted) packets are not tagged as INVALID
2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT)
transitions conntrack to CLOSE even if the RST is not an exact match
3. RST packets with out-of-window sequence numbers are marked as INVALID
4. SYN+Challenge ACK: check that challenge ack is allowed to pass
5. Old SYN/ACK: check conntrack handles the case where SYN is answered
with SYN/ACK for an old, previous connection attempt
6. Check SYN reception while in ESTABLISHED state generates a challenge
ack, RST response clears 'outdated' state + next SYN retransmit gets
us into 'SYN_RECV' conntrack state.
Tests get run twice, once with ipv4 and once with ipv6.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|