1. 01 Jul, 2024 9 commits
  2. 29 Jun, 2024 18 commits
  3. 28 Jun, 2024 13 commits
    • netfilter: xt_recent: Lift restrictions on max hitcount value · f4ebd034
      Phil Sutter authored
      Support tracking of up to 65535 packets per table entry instead of just
      255 to better facilitate longer term tracking or higher throughput
      scenarios.
      
      Note how this aligns sizes of struct recent_entry's 'nstamps' and
      'index' fields when 'nstamps' was larger before. This is unnecessary as
      the value of 'nstamps' grows along with that of 'index' after being
      initialized to 1 (see recent_entry_update()). Its value will thus never
      exceed that of 'index' and therefore does not need to provide space for
      larger values.
      Requested-by: Fabio <pedretti.fabio@gmail.com>
      Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1745
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • selftests: netfilter: nft_queue.sh: add test for disappearing listener · 742ad979
      Florian Westphal authored
      If userspace program exits while the queue it's subscribed to has packets,
      those need to be discarded.
      
      commit dc21c6cc ("netfilter: nfnetlink_queue: acquire rcu_read_lock()
      in instance_destroy_rcu()") fixed a (harmless) rcu splat that could be
      triggered in this case.
      
      Add a test case to cover this.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Merge branch 'net-selftests-mirroring-cleanup' into main · 748e3bbf
      David S. Miller authored
      Petr Machata says:
      
      ====================
      selftest: Clean-up and stabilize mirroring tests
      
      The mirroring selftests work by sending ICMP traffic between two hosts.
      Along the way, this traffic is mirrored to a gretap netdevice, and counter
      taps are then installed strategically along the path of the mirrored
      traffic to verify the mirroring took place.
      
      The problem with this is that besides mirroring the primary traffic, any
      other service traffic is mirrored as well. At the same time, because the
      tests need to work in HW-offloaded scenarios, the ability of the device to
      do arbitrary packet inspection should not be taken for granted. Most tests
      therefore simply use matchall, one uses flower to match on IP address.
      As a result, the selftests are noisy.
      
      mirror_test() accommodated this noisiness by giving the counters an
      allowance of several packets. But that only works up to a point, and on
      busy systems won't be always enough.
      
      In this patch set, clean up and stabilize the mirroring selftests. The
      original intention was to port the tests over to UDP, but the logic of
      ICMP ends up being so entangled in the mirroring selftests that the
      changes feel overly invasive. Instead, ICMP is kept, but where possible,
      we match on ICMP message type, thus filtering out hits by other ICMP
      messages.
      
      Where this is not practical (where the counter tap is put on a device
      that carries encapsulated packets), switch the counter condition to _at
      least_ X observed packets. This is less robust, but barely so --
      probably the only scenario that this would not catch is something like
      erroneous packet duplication, which would hopefully get caught by the
      numerous other tests in this extensive suite.
      
      - Patches #1 to #3 clean up parameters at various helpers.
      
      - Patches #4 to #6 stabilize the mirroring selftests as described above.
      
      - Mirroring tests currently allow testing SW datapath even on HW
        netdevices by trapping traffic to the SW datapath. This complicates
        the tests a bit without a good reason: to test SW datapath, just run
        the selftests on the veth topology. Thus in patch #7, drop support for
        this dual SW/HW testing.
      
      - At this point, some cleanups were either made possible by the previous
        patches, or were always possible. In patches #8 to #11, realize these
        cleanups.
      
      - In patch #12, fix mlxsw mirror_gre selftest to respect setting TESTS.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mlxsw: mirror_gre: Obey TESTS · 098ba97d
      Petr Machata authored
      This test is unusual in that overriding TESTS does not change the tests to
      be run. Split the individual tests into several functions and invoke them
      through tests_run() as appropriate.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: libs: Drop unused functions · 06704a0d
      Petr Machata authored
      Nothing calls these.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: libs: Drop slow_path_trap_install()/_uninstall() · 4e9cd3d0
      Petr Machata authored
      These functions are not used anymore.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mirror_gre_lag_lacp: Drop unnecessary code · 95d33989
      Petr Machata authored
      The selftest does not use functions from mirror_gre_lib, ditch the import.
      
      It does not use arping either, so drop the require_command as well.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mlxsw: mirror_gre: Simplify · 388b2d98
      Petr Machata authored
      After the previous patch, the function test_span_failable() is always
      called with should_fail=1. Drop the argument and streamline the code.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mirror: Drop dual SW/HW testing · d361d78f
      Petr Machata authored
      The mirroring tests are currently run in a skip_hw and optionally a skip_sw
      mode. The former tests the SW datapath, the latter the HW datapath, if
      available. In order to be able to test SW datapath on HW loopbacks, traps
      are installed on ingress to get traffic from the HW datapath to the SW one.
      This adds an unnecessary complexity when it would be much simpler to just
      use a veth-based topology to test the SW datapath. Thus drop all the code
      that supports this dual testing.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mirror: mirror_test(): Allow exact count of packets · a86e0df9
      Petr Machata authored
      The mirroring selftests work by sending ICMP traffic between two hosts.
      Along the way, this traffic is mirrored to a gretap netdevice, and counter
      taps are then installed strategically along the path of the mirrored
      traffic to verify the mirroring took place.
      
      The problem with this is that besides mirroring the primary traffic, any
      other service traffic is mirrored as well. At the same time, because the
      tests need to work in HW-offloaded scenarios, the ability of the device to
      do arbitrary packet inspection should not be taken for granted. Most tests
      therefore simply use matchall, one uses flower to match on IP address.
      
      As a result, the selftests are noisy, because besides the primary ICMP
      traffic, any amount of other service traffic is mirrored as well.
      
      mirror_test() accommodated this noisiness by giving the counters an
      allowance of several packets. But in the previous patch, where possible,
      counter taps were changed to match only on an exact ICMP message. At least
      in those cases, we can demand an exact number of packets to match.
      
      Where the tap is installed on a connective netdevice, the exact matching is
      not practical (though with u32, anything is possible). In those places,
      there should still be some leeway -- and probably bigger than before,
      because experience shows that these tests are very noisy.
      
      To that end, change mirror_test() so that it can be either called with an
      exact number to expect, or with an expression. Where leeway is needed,
      adjust callers to pass a ">= 10" instead of mere 10.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mirror: do_test_span_dir_ips(): Install accurate taps · 83341535
      Petr Machata authored
      The mirroring selftests work by sending ICMP traffic between two hosts.
      Along the way, this traffic is mirrored to a gretap netdevice, and counter
      taps are then installed strategically along the path of the mirrored
      traffic to verify the mirroring took place.
      
      The problem with this is that besides mirroring the primary traffic, any
      other service traffic is mirrored as well. At the same time, because the
      tests need to work in HW-offloaded scenarios, the ability of the device to
      do arbitrary packet inspection should not be taken for granted. Most tests
      therefore simply use matchall, one uses flower to match on IP address.
      
      As a result, the selftests are noisy, because besides the primary ICMP
      traffic, any amount of other service traffic is mirrored as well.
      
      However, often the counter tap is installed at the remote end of the gretap
      tunnel. Since this is a SW-datapath scenario anyway, we can make the filter
      arbitrarily accurate.
      
      Thus in this patch, add parameters forward_type and backward_type to
      several mirroring test helpers, as some other helpers already have. Then
      change do_test_span_dir_ips() to instead of installing one generic tap and
      using it for test in both directions, install the tap for each direction
      separately, matching on the ICMP type given by these parameters.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: mirror_gre_lag_lacp: Check counters at tunnel · 95e7b860
      Petr Machata authored
      The test works by sending packets through a tunnel, whence they are
      forwarded to a LAG. One of the LAG children is removed from the LAG prior
      to the exercise, and the test then counts how many packets pass through the
      other one. The issue with this is that it counts all packets, not just the
      encapsulated ones.
      
      So instead add a second gretap endpoint to receive the sent packets, and
      check reception counters there.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests: lib: tc_rule_stats_get(): Move default to argument definition · 9b5d5f27
      Petr Machata authored
      The argument $dir has a fallback value of "ingress". Move the fallback from
      the usage site to the argument definition block to make the fact clearer.
      Signed-off-by: Petr Machata <petrm@nvidia.com>
      Reviewed-by: Danielle Ratson <danieller@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>