selftests: netfilter: add test case for nf trace infrastructure

Enable/disable tracing infrastructure while packets are in-flight. This triggers KASAN splat after e34b9ed9 ("netfilter: nf_tables: avoid skb access on nf_stolen"). While at it, reduce script run time as well. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jakub Kicinski <kuba@kernel.org>

selftests: netfilter: add test case for nf trace infrastructure
Enable/disable tracing infrastructure while packets are in-flight. This triggers KASAN splat after e34b9ed9 ("netfilter: nf_tables: avoid skb access on nf_stolen"). While at it, reduce script run time as well. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
fe9e420d · Florian Westphal · Jakub Kicinski · 399a14ec · fe9e420d
Commit fe9e420d authored Aug 04, 2022 by Florian Westphal Committed by Jakub Kicinski Aug 05, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 76 additions and 5 deletions

tools/testing/selftests/netfilter/nft_trans_stress.sh tools/testing/selftests/netfilter/nft_trans_stress.sh +76 -5

No files found.
--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
+++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
@@ -9,8 +9,27 @@
 # Kselftest framework requirement - SKIP code is 4.
 ksft_skip=4
-testns=testns1
+testns=testns-$(mktemp -u "XXXXXXXX")
 tables="foo bar baz quux"
+global_ret=0
+eret=0
+lret=0
+check_result()
+{
+	local r=$1
+	local OK="PASS"
+	if [ $r -ne 0 ] ;then
+		OK="FAIL"
+		global_ret=$r
+	fi
+	echo "$OK: nft $2 test returned $r"
+	eret=0
+}
 nft --version > /dev/null 2>&1
 if [ $? -ne 0 ];then
@@ -59,16 +78,66 @@ done)
 sleep 1
+ip netns exec "$testns" nft -f "$tmp"
 for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
 for table in $tables;do
-	randsleep=$((RANDOM%10))
+	randsleep=$((RANDOM%2))
 	sleep $randsleep
-	ip netns exec "$testns" nft delete table inet $table 2>/dev/null
+	ip netns exec "$testns" nft delete table inet $table
+	lret=$?
+	if [ $lret -ne 0 ]; then
+		eret=$lret
+	fi
 done
-randsleep=$((RANDOM%10))
+check_result $eret "add/delete"
-sleep $randsleep
+for i in $(seq 1 10) ; do
+	(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
+	lret=$?
+	if [ $lret -ne 0 ]; then
+		eret=$lret
+	fi
+done
+check_result $eret "reload"
+for i in $(seq 1 10) ; do
+	(echo "flush ruleset"; cat "$tmp"
+	 echo "insert rule inet foo INPUT meta nftrace set 1"
+	 echo "insert rule inet foo OUTPUT meta nftrace set 1"
+	 ) | ip netns exec "$testns" nft -f /dev/stdin
+	lret=$?
+	if [ $lret -ne 0 ]; then
+		eret=$lret
+	fi
+	(echo "flush ruleset"; cat "$tmp"
+	 ) | ip netns exec "$testns" nft -f /dev/stdin
+	lret=$?
+	if [ $lret -ne 0 ]; then
+		eret=$lret
+	fi
+done
+check_result $eret "add/delete with nftrace enabled"
+echo "insert rule inet foo INPUT meta nftrace set 1" >> $tmp
+echo "insert rule inet foo OUTPUT meta nftrace set 1" >> $tmp
+for i in $(seq 1 10) ; do
+	(echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
+	lret=$?
+	if [ $lret -ne 0 ]; then
+		eret=1
+	fi
+done
+check_result $lret "add/delete with nftrace enabled"
 pkill -9 ping
@@ -76,3 +145,5 @@ wait
 rm -f "$tmp"
 ip netns del "$testns"
+exit $global_ret