On 12/16/25 21:57, Aleksei Oladko wrote:
The nft_conntrack_helper.sh assumes that conntrack entries are created
for the generated test traffic. This is not the case when only raw table
rules are installed, as conntrack is not required and remains disabled.

Add a stateful rule to force conntrack to be enabled, ensuring that
conntrack entries are created and the helper assignment can be verified.

https://virtuozzo.atlassian.net/browse/VSTOR-120993

Signed-off-by: Aleksei Oladko <[email protected]>
---
  .../testing/selftests/net/netfilter/nft_conntrack_helper.sh | 6 ++++++
  1 file changed, 6 insertions(+)

diff --git a/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh 
b/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
index abcaa7337197..8d01ce85c6a3 100755
--- a/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
+++ b/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
@@ -60,6 +60,12 @@ table $family raw {
                tcp dport 2121 ct helper set "ftp"
        }
  }
+table $family filter {
+       chain forward {
+               type filter hook forward priority 0; policy accept;
+               ct state established,related accept

     ct state new,established,related accept

may be better to add "new" as well here?

+       }
+}
  EOF
        return $?
  }
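Review bot: In the added `chain forward`, the rule `ct state established,related accept` does not change any verdict, because the chain already has `policy accept`, so a later reader can mistake it for dead code and remove it. The commit message says the rule is there only to force conntrack to be enabled. State that in a `#` comment directly above the rule inside the ruleset, for example `# ct match is here only to enable conntrack; the verdict is irrelevant`. For the same reason, whether `new` is in the state list or not makes no difference to which packets this chain accepts.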

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
