But have not actually tried it.
commit b5746753eb9666fb54d540b3dd2aafaf82341921 (HEAD ->
vz10.ksefelftest.conntracks)
Author: Konstantin Khorenko <[email protected]>
Date: Fri Dec 19 16:33:35 2025 +0100
selftests: net: run pmtu.sh in netns to avoid host firewall interference
The pmtu.sh kselftest sets up a multi-namespace test topology where the
host network itself is part of the test setup. Test packets originating
from the created namespace are expected to reach test interface created
in the host. When firewall rules are present on the host, this traffic
may be blocked, causing the test to fail.
Run the test in an isolated network namespace to avoid interference
from host firewall rules. This approach is consistent with the upstream
solution used in fc49b804967e5b1cc1665efd4de112945e1ab4c6 and follows
the pattern already used by reuseport tests.
https://virtuozzo.atlassian.net/browse/VSTOR-120995
Signed-off-by: Konstantin Khorenko <[email protected]>
diff --git a/tools/testing/selftests/net/Makefile
b/tools/testing/selftests/net/Makefile
index 3ecd2c34b3d1f..68ed3ef8e3499 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -8,7 +8,7 @@ CFLAGS += -I../
TEST_PROGS := run_netsocktests run_afpackettests test_bpf.sh netdevice.sh \
rtnetlink.sh xfrm_policy.sh test_blackhole_dev.sh
-TEST_PROGS += fib_tests.sh fib-onlink-tests.sh pmtu.sh udpgso.sh ip_defrag.sh
+TEST_PROGS += fib_tests.sh fib-onlink-tests.sh pmtu_wrapper.sh udpgso.sh
ip_defrag.sh
TEST_PROGS += udpgso_bench.sh fib_rule_tests.sh msg_zerocopy.sh psock_snd.sh
TEST_PROGS += udpgro_bench.sh udpgro.sh test_vxlan_under_vrf.sh
reuseport_addr_any.sh
TEST_PROGS += reuseport_bpf.sh reuseport_bpf_cpu.sh reuseport_bpf_numa.sh
reuseport_dualstack.sh
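Review bot: the `-TEST_PROGS +=` / `+TEST_PROGS +=` pair swaps pmtu.sh for pmtu_wrapper.sh, but the wrapper still executes ./in_netns.sh and ./pmtu.sh, and neither file is added anywhere in this hunk. If they are not already listed in one of the Makefile's installed-file variables (TEST_PROGS_EXTENDED or TEST_FILES), the wrapper works from the source tree but fails with "not found" in an installed kselftest run; please confirm both are installed alongside pmtu_wrapper.sh.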
diff --git a/tools/testing/selftests/net/pmtu_wrapper.sh
b/tools/testing/selftests/net/pmtu_wrapper.sh
new file mode 100755
index 0000000000000..d43c23ba51552
--- /dev/null
+++ b/tools/testing/selftests/net/pmtu_wrapper.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+./in_netns.sh ./pmtu.sh "$@"
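Review bot: the wrapper carries no comment saying why pmtu.sh is no longer invoked directly; add one line above `./in_netns.sh ./pmtu.sh "$@"` (e.g. "run in a fresh netns so host firewall rules cannot block the test topology") so the indirection is not removed as redundant later. Also confirm that in_netns.sh propagates the exit status of pmtu.sh, including the kselftest skip code 4, otherwise a failing or skipped pmtu.sh is reported as a pass by the wrapper.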
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 12/19/25 04:22, Pavel Tikhomirov wrote:
On 12/17/25 05:04, Aleksei Oladko wrote:
The pmtu.sh kselftest sets up a multi-namespace test topology where the
host network itself is part of the test setup. Test packets originating
from the created namespace are expected to reach test interface created
in the host. When firewall rules are present on the host, this traffic
may be blocked, causing the test to fail.
Install temporary firewall rules during the test execution to allow
the test traffic to reach the host interfaces and remove them
afterwards.
https://virtuozzo.atlassian.net/browse/VSTOR-120995
Signed-off-by: Aleksei Oladko <[email protected]>
---
tools/testing/selftests/net/pmtu.sh | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/tools/testing/selftests/net/pmtu.sh
b/tools/testing/selftests/net/pmtu.sh
index 6c651c880fe8..f60581f2bb03 100755
--- a/tools/testing/selftests/net/pmtu.sh
+++ b/tools/testing/selftests/net/pmtu.sh
@@ -1534,8 +1534,26 @@ test_pmtu_ipvX_over_ovs_vxlanY_or_geneveY_exception() {
mtu "" ${type}_a $((${ll_mtu} + 1000)) 2>/dev/null
mtu "${ns_b}" ${type}_b $((${ll_mtu} + 1000))
+ chain=$(nft list table ip filter | awk '/chain/ {name=$2} /hook input/ {print name}')
In nft the table name ("filter" in your example) can be changed arbitrarily, also if one does
"nft flush ruleset", you will also get an error that table does not exist from nft. Can we, maybe,
run this test in netns, so that "host" in terms of the test is not a real host.
+ if [ -n "$chain" ]; then
+ if [ "${type}" = "vxlan" ]; then
+ port="4789"
+ elif [ "${type}" = "geneve" ]; then
+ port="6081"
+ fi
+
+ if [ ${outer_family} -eq 6 ]; then
+ rule_family="6"
+ fi
+ nft_handle=$(nft --echo --json insert rule ip$rule_family
filter $chain \
+ iifname "veth_A-R1" udp dport $port accept | \
+ jq '.nftables[] | .insert.rule.handle')
+ fi
run_cmd ${ns_c} ${ping} -q -M want -i 0.1 -c 20 -s $((${ll_mtu} + 500))
${dst} || return 1
+ if [ -n "$nft_handle" ]; then
+ nft delete rule ip$rule_family filter $chain handle $nft_handle
+ fi
# Check that exceptions were created
pmtu="$(route_get_dst_pmtu_from_exception "${ns_c}" ${dst})"
check_pmtu_value ${exp_mtu} "${pmtu}" "exceeding link layer MTU on Open
vSwitch ${type} interface"
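Review bot: the cleanup on the `+ if [ -n "$nft_handle" ]` line is never reached when the ping fails, because `run_cmd ... || return 1` returns first, so the accept rule inserted into the host input chain stays in place after a failed test; delete the rule before evaluating the ping result (or from the script's cleanup path). Separately, `chain`, `port`, `rule_family` and `nft_handle` are neither declared `local` nor reset: `rule_family` is only ever set to "6" on the `+ if [ ${outer_family} -eq 6 ]` branch, so an IPv4 call of this function after an IPv6 one inserts the rule into `ip6 filter` while the traffic is IPv4, and a stale `nft_handle` from an earlier call would be deleted again; initialise them at the top of the block (`rule_family=""; nft_handle=""`) and add an `else rule_family=""`. The new `jq` dependency is also not checked for before use; if it is missing, `nft_handle` is empty and the inserted rule is silently left behind.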
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel