Hi,

On Wed, Jun 05, 2024 at 07:23:09PM -0700, Jakub Kicinski wrote:
> On Thu, 6 Jun 2024 10:10:44 +0800 Hangbin Liu wrote:
> > > Please follow the instructions from here:
> > > https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style
> > > the kernel we build for testing is minimal.
> > >
> > > We see this output:
> > >
> > > # ################################################################################
> > > # TEST SECTION: SRv6 VPN connectivity test with netfilter enabled in routers
> > > # ################################################################################
> >
> > If I run the test specifically, I also got an error:
> > sysctl: cannot stat /proc/sys/net/netfilter/nf_hooks_lwtunnel: No such file or directory
> >
> > This is because CONFIG_NF_CONNTRACK is built as a module. The test needs to load
> > nf_conntrack specifically. I guess the reason you don't have this error is
> > because you have run the netfilter tests first? Which has loaded this module.

Hm, this dependency with conntrack does not look good. This sysctl
nf_hooks_lwtunnel should be in the netfilter core. The connection
tracking gets loaded on demand; the availability of this sysctl is
fragile.

> Ah, quite possibly, good catch! We don't reboot between tests,
> and the VM must have run 10 or so other tests before.
>
> > > # Warning: Extension rpfilter revision 0 not supported, missing kernel module?
> > > # iptables v1.8.8 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain PREROUTING
> > > # Warning: Extension rpfilter revision 0 not supported, missing kernel module?
> > > # iptables v1.8.8 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain PREROUTING
> >
> > Just checked, we need CONFIG_IP_NF_MATCH_RPFILTER=m in config file.
>
> :( Must be lack of compat support then? I CCed netfilter, perhaps they
> can advise. I wonder if there is an iptables-nftables compatibility list
> somewhere.

iptables-nft potentially requires all CONFIG_IP_NF_MATCH_* and
CONFIG_IP_NF_TARGET_* extensions. This new testcase uses rpfilter,
which seems not to be used in any of the existing tests so far; that is
why CONFIG_IP_NF_MATCH_RPFILTER=m is required.