On 12/17/25 05:04, Aleksei Oladko wrote:
> The pmtu.sh kselftest sets up a multi-namespace test topology where the
> host network itself is part of the test setup. Test packets originating
> from the created namespace are expected to reach the test interface created
> in the host. When firewall rules are present on the host, this traffic
> may be blocked, causing the test to fail.
> 
> Install temporary firewall rules during the test execution to allow
> the test traffic to reach the host interfaces and remove them
> afterwards.
> 
> https://virtuozzo.atlassian.net/browse/VSTOR-120995
> 
> Signed-off-by: Aleksei Oladko <[email protected]>
> ---
>  tools/testing/selftests/net/pmtu.sh | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/tools/testing/selftests/net/pmtu.sh 
> b/tools/testing/selftests/net/pmtu.sh
> index 6c651c880fe8..f60581f2bb03 100755
> --- a/tools/testing/selftests/net/pmtu.sh
> +++ b/tools/testing/selftests/net/pmtu.sh
> @@ -1534,8 +1534,26 @@ test_pmtu_ipvX_over_ovs_vxlanY_or_geneveY_exception() {
>               mtu ""        ${type}_a  $((${ll_mtu} + 1000)) 2>/dev/null
>       mtu "${ns_b}" ${type}_b  $((${ll_mtu} + 1000))
>  
> +     chain=$(nft list table ip filter | awk '/chain/ {name=$2} /hook input/ 
> {print name}')

In nft the table name ("filter" in your example) can be changed arbitrarily. 
Also, if one does "nft flush ruleset", you will get an error from nft that the 
table does not exist. Can we, maybe, run this test in a netns, so that the "host" 
in terms of the test is not a real host?

> +     if [ -n "$chain" ]; then
> +             if [ "${type}" = "vxlan" ]; then
> +                     port="4789"
> +             elif [ "${type}" = "geneve" ]; then
> +                     port="6081"
> +             fi
> +
> +             if [ ${outer_family} -eq 6 ]; then
> +                     rule_family="6"
> +             fi
> +             nft_handle=$(nft --echo --json insert rule ip$rule_family 
> filter $chain \
> +                     iifname "veth_A-R1" udp dport $port accept | \
> +                     jq '.nftables[] | .insert.rule.handle')
> +     fi
>       run_cmd ${ns_c} ${ping} -q -M want -i 0.1 -c 20 -s $((${ll_mtu} + 500)) 
> ${dst} || return 1
>  
> +     if [ -n "$nft_handle" ]; then
> +             nft delete rule ip$rule_family filter $chain handle $nft_handle
> +     fi
>       # Check that exceptions were created
>       pmtu="$(route_get_dst_pmtu_from_exception "${ns_c}" ${dst})"
>       check_pmtu_value ${exp_mtu} "${pmtu}" "exceeding link layer MTU on Open 
> vSwitch ${type} interface"
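Review bot: the accept rule inserted before the ping is leaked on the failure path, because `run_cmd ... || return 1` returns before the `if [ -n "$nft_handle" ]` cleanup block runs, leaving a permanent `iifname "veth_A-R1" udp dport $port accept` rule on the host's input chain. Capture the status first and delete the rule unconditionally before deciding the result, for example `run_cmd ${ns_c} ${ping} ...; ret=$?`, then the `nft delete rule` block, then `[ ${ret} -eq 0 ] || return 1`. Two smaller points in the same hunk: `rule_family` and `nft_handle` are never reset to empty at the top, so in a shell function without `local` a value from an earlier IPv6 invocation persists into a later IPv4 one (inserting into `ip6 filter`, or attempting a `delete` with a stale handle when `$chain` is empty); and the chain lookup always reads `nft list table ip filter` even when the rule is inserted into `ip$rule_family filter` with `rule_family="6"`, so the chain name found in the IPv4 table is assumed to exist in the IPv6 table as well. The dependency on `jq` is also undocumented; the script should skip or fail clearly when it is absent rather than proceed with an empty `nft_handle`.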

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
