#
dc9dfd8a |
|
14-May-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: fix packetdrill conntrack testcase Some versions of conntrack(8) default to ipv4-only, so this needs to request ipv6 explicitly, like all other spots already do. Fixes: a8a388c2aae4 ("selftests: netfilter: add packetdrill based conntrack tests") Reported-by: Jakub Kicinski <kuba@kernel.org> Closes: https://lore.kernel.org/netdev/20240513114649.6d764307@kernel.org/ Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://lore.kernel.org/r/20240514144415.11433-1-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
a8a388c2 |
|
07-May-2024 |
Florian Westphal <fw@strlen.de> |
selftests: netfilter: add packetdrill based conntrack tests Add a new test script that uses packetdrill tool to exercise conntrack state machine. Needs ip/ip6tables and conntrack tool (to check if we have an entry in the expected state). Test cases added here cover following scenarios: 1. already-acked (retransmitted) packets are not tagged as INVALID 2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT) transitions conntrack to CLOSE even if the RST is not an exact match 3. RST packets with out-of-window sequence numbers are marked as INVALID 4. SYN+Challenge ACK: check that challenge ack is allowed to pass 5. Old SYN/ACK: check conntrack handles the case where SYN is answered with SYN/ACK for an old, previous connection attempt 6. Check SYN reception while in ESTABLISHED state generates a challenge ack, RST response clears 'outdated' state + next SYN retransmit gets us into 'SYN_RECV' conntrack state. Tests get run twice, once with ipv4 and once with ipv6. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|