Re: [PATCH net v2 2/3] selftests: add selftest for the SRv6 End.DX4 behavior with netfilter

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

On Wed, Jun 05, 2024 at 07:23:09PM -0700, Jakub Kicinski wrote:
> On Thu, 6 Jun 2024 10:10:44 +0800 Hangbin Liu wrote:
> > > Please follow the instructions from here:
> > > https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style
> > > the kernel we build for testing is minimal.
> > > 
> > > We see this output:
> > > 
> > > # ################################################################################
> > > # TEST SECTION: SRv6 VPN connectivity test with netfilter enabled in routers
> > > # ################################################################################  
> > 
> > If I run the test specifically, I also got error:
> > sysctl: cannot stat /proc/sys/net/netfilter/nf_hooks_lwtunnel: No such file or directory
> > 
> > This is because CONFIG_NF_CONNTRACK is build as module. The test need to load
> > nf_conntrack specifically. I guest the reason you don't have this error is
> > because you have run the netfilter tests first? Which has loaded this module.

Hm, this dependency with conntrack does not look good. This sysctl
nf_hooks_lwtunnel should be in the netfilter core. The connection
tracking gets loaded on demand, the availability of this sysctl is
fragile.

> Ah, quite possibly, good catch! We don't reboot between tests,
> and the VM must have run 10 or so other tests before.
> 
> > > # Warning: Extension rpfilter revision 0 not supported, missing kernel module?
> > > # iptables v1.8.8 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain PREROUTING
> > > # Warning: Extension rpfilter revision 0 not supported, missing kernel module?
> > > # iptables v1.8.8 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain PREROUTING  
> > 
> > Just checked, we need CONFIG_IP_NF_MATCH_RPFILTER=m in config file.
> 
> :( Must be lack of compat support then? I CCed netfilter, perhaps they
> can advise. I wonder if there is a iptables-nftables compatibility list
> somewhere.

iptables-nft potentially requires all CONFIG_IP_NF_MATCH_* and
CONFIG_IP_NF_TARGET_* extensions, in this new testcase it uses
rpfilter which seems not to be used in any of the existing tests so
far, that is why CONFIG_IP_NF_MATCH_RPFILTER=m is required.




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux