nf_tables: Add net_fib_* options for greater ptest coverage

Lyu, William via lists.yoctoproject.org Tue, 02 Apr 2024 09:49:23 -0700

From: William Lyu <[email protected]>

Backported from commit on branch "yocto-6.6":
70cabea69443e974db04d6dcbe73031d0d726bc1


Several nftables ptest testcases failed due to missing features. The
following kernel configuration options are added as part of the missing
features:

-   NFT_FIB_INET (tristate "Netfilter nf_tables fib inet support")
    This option allows using the FIB expression from the inet table.
    The lookup will be delegated to the IPv4 or IPv6 FIB depending
    on the protocol of the packet.

-   NFT_FIB_IPV4 (tristate "nf_tables fib / ip route lookup support")
    This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
    It also allows query of the FIB for the route type, e.g. local, unicast,
    multicast or blackhole.

-   NFT_FIB_IPV6 (tristate "nf_tables fib / ipv6 route lookup support")
    This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
    It also allows query of the FIB for the route type, e.g. local, unicast,
    multicast or blackhole.

Adding those three kernel configuration options above pass the following
ptest testcases:

-   tests/shell/testcases/parsing/large_rule_pipe
    Previously failed due to using rule:
        meta nfproto ipv6 fib saddr . iif oif missing drop
-   tests/shell/testcases/nft-f/sample-ruleset
    Previously failed due to using rules:
        fib saddr . iif oif eq 0 counter drop
        fib daddr type { broadcast, multicast, anycast } counter drop
        fib daddr type { broadcast, multicast, anycast } counter drop
        fib daddr type { broadcast, multicast, anycast } counter drop
-   tests/shell/testcases/optimizations/ruleset
    Previously failed due to using rule:
        fib daddr type broadcast  drop

Signed-off-by: William Lyu <[email protected]>
---
 features/nf_tables/nft_test.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/features/nf_tables/nft_test.cfg b/features/nf_tables/nft_test.cfg
index fbebbaba..45ca8e5d 100644
--- a/features/nf_tables/nft_test.cfg
+++ b/features/nf_tables/nft_test.cfg
@@ -1,10 +1,12 @@
 CONFIG_NF_CONNTRACK_TIMEOUT=y
 CONFIG_NF_FLOW_TABLE_INET=m
 CONFIG_NF_FLOW_TABLE=m
+CONFIG_NFT_FIB_INET=y
+CONFIG_NFT_FIB_IPV4=y
+CONFIG_NFT_FIB_IPV6=y
 CONFIG_NFT_FLOW_OFFLOAD=m
 CONFIG_NFT_NUMGEN=m
 CONFIG_NFT_OSF=m
 CONFIG_NFT_QUOTA=m
 CONFIG_NFT_SYNPROXY=m
 CONFIG_NFT_XFRM=m
-
-- 
2.43.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#13762): 
https://lists.yoctoproject.org/g/linux-yocto/message/13762
Mute This Topic: https://lists.yoctoproject.org/mt/105291538/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[linux-yocto] [yocto-kernel-cache yocto-6.5][PATCH 2/2] features/nf_tables: Add net_fib_* options for greater ptest coverage

Reply via email to