[PATCH] selftests: netfilter: ensure conntrack is enabled for helper test

Aleksei Oladko posted 1 patch 2 weeks, 3 days ago
.../testing/selftests/net/netfilter/nft_conntrack_helper.sh | 6 ++++++
1 file changed, 6 insertions(+)
[PATCH] selftests: netfilter: ensure conntrack is enabled for helper test
Posted by Aleksei Oladko 2 weeks, 3 days ago
The nft_conntrack_helper.sh assumes that conntrack entries are created
for the generated test traffic. This is not the case when only raw table
rules are installed, as conntrack is not required and remains disabled.

Add a stateful rule to force conntrack to be enabled, ensuring that
conntrack entries are created and the helper assignment can be verified.

Signed-off-by: Aleksei Oladko <aleksey.oladko@virtuozzo.com>
---
 .../testing/selftests/net/netfilter/nft_conntrack_helper.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh b/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
index abcaa7337197..43761f2eb3ec 100755
--- a/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
+++ b/tools/testing/selftests/net/netfilter/nft_conntrack_helper.sh
@@ -60,6 +60,12 @@ table $family raw {
 		tcp dport 2121 ct helper set "ftp"
 	}
 }
+table $family filter {
+	chain forward {
+		type filter hook forward priority 0; policy accept;
+		ct state new,established,related accept
+	}
+}
 EOF
 	return $?
 }
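
Review bot: the added 'filter' table's forward chain pairs 'policy accept' with a single rule that also accepts, so it filters nothing and reads as redundant; nothing in the ruleset says it is there only to make conntrack active. Put a short comment above 'ct state new,established,related accept' stating that purpose so the rule is not dropped in a later cleanup. The commit message would also be stronger if it named the setup in which the test was seen to fail without this table, since the description reports no observed failure.
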
-- 
2.43.0
Re: [PATCH] selftests: netfilter: ensure conntrack is enabled for helper test
Posted by Florian Westphal 2 weeks, 3 days ago
Aleksei Oladko <aleksey.oladko@virtuozzo.com> wrote:
> The nft_conntrack_helper.sh assumes that conntrack entries are created
> for the generated test traffic. This is not the case when only raw table
> rules are installed, as conntrack is not required and remains disabled.

If that were true, the test should fail; it calls 'conntrack -L' to check for helper
presence.