{"id":2229771,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229771/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428174130.14287-1-fw@strlen.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428174130.14287-1-fw@strlen.de>","date":"2026-04-28T17:41:26","name":"[conntrack-tools] tests: nfct: make it suitable for CI pipeline","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"2a510acc7ad2610209bf5f6c114f77e17089b99c","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/1.1/people/1025/?format=json","name":"Florian Westphal","email":"fw@strlen.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428174130.14287-1-fw@strlen.de/mbox/","series":[{"id":501912,"url":"http://patchwork.ozlabs.org/api/1.1/series/501912/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501912","date":"2026-04-28T17:41:26","name":"[conntrack-tools] tests: nfct: make it suitable for CI pipeline","version":1,"mbox":"http://patchwork.ozlabs.org/series/501912/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229771/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229771/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12264-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12264-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4np42PYJz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 03:42:52 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 0F835301C6F2\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 17:41:56 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 1A39644D696;\n\tTue, 28 Apr 2026 17:41:55 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5E2AD44D022\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 17:41:53 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 39F3760420; Tue, 28 Apr 2026 19:41:51 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777398114; cv=none;\n b=qTQfinbYhOCg952lNf+PtETg/tI6Xm4O+Rg2O0V9oH4X86oqKnIEmfXQ3UYdpPInibMm7NDU7ghSqBeWJRPWrGdh0UVCZ6Mke+leOFLNdGX4ynmZFE7OPYeW8IYGhv6C/zDr79f7sy13a7uycpMSv13WiWnFhv9Juaq6HzFJCWA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777398114; c=relaxed/simple;\n\tbh=8mUgn8gYZ7wybOzSRhjEXcennaKpyJGHLCbcD26Pb/M=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=TlbOsAAEACc2JHXQwPop0w+ePQMJjyE059LyhXN64ZZH8ctl0okNYw5GAFqaxNpU1cn8JZ14Z65ZlwESpGaj/P6Jeoo1N3kEfwJ0yD54OoSMpXH4Ykzp9+9zDAbPb0vPqrTDGj5WASp70NQz3sEao2Dqz5XXBn9J38aRMB8zlUs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30","From":"Florian Westphal <fw@strlen.de>","To":"<netfilter-devel@vger.kernel.org>","Cc":"Florian Westphal <fw@strlen.de>","Subject":"[PATCH conntrack-tools] tests: nfct: make it suitable for CI pipeline","Date":"Tue, 28 Apr 2026 19:41:26 +0200","Message-ID":"<20260428174130.14287-1-fw@strlen.de>","X-Mailer":"git-send-email 2.53.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"1. make run-test.sh call test prog via unshare -n.\n2. remove various modprobe calls, these are all built into\n   nf_conntrack.ko.\n3. make test.c exit nonzero when bad tests are detected.\n4. remove dccp+udplite, they fail on modern kernels due to removal of\n   these protocols.\n5. update test-live.sh.  Auto-rexec via unshare. Streamline output:\n\nCheck timeout policy test-generic for protocol 13\n    [NEW] unknown  13 3 src=10.0.0.1 dst=8.8.8.8 [UNREPLIED] src=8.8.8.8 dst=10.0.0.1\nCheck timeout policy test-tcp for protocol tcp\n    [NEW] tcp      6 2 SYN_SENT src=10.0.0.1 dst=8.8.8.8 sport=5050 dport=80 [UNREPLIED] src=8.8.8.8 dst=10.0.0.1 sport=80 dport=5050\nCheck timeout policy test-icmp for protocol icmp\n    [NEW] icmp     1 4 src=10.0.0.1 dst=8.8.8.8 type=8 code=0 id=41473 [UNREPLIED] src=8.8.8.8 dst=10.0.0.1 type=0 code=0 id=41473\n\nThe effective timeout is validated by checking the new timeout reported\nvia ctnetlink.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n tests/nfct/run-test.sh       |  15 +----\n tests/nfct/test-live.sh      | 125 +++++++++++++++++++++++------------\n tests/nfct/test.c            |   4 ++\n tests/nfct/timeout/03udplite |  16 -----\n tests/nfct/timeout/07dccp    |  16 -----\n 5 files changed, 89 insertions(+), 87 deletions(-)\n mode change 100644 => 100755 tests/nfct/run-test.sh\n mode change 100644 => 100755 tests/nfct/test-live.sh\n delete mode 100644 tests/nfct/timeout/03udplite\n delete mode 100644 tests/nfct/timeout/07dccp","diff":"diff --git a/tests/nfct/run-test.sh b/tests/nfct/run-test.sh\nold mode 100644\nnew mode 100755\nindex f5f220baebf1..88999f8c8517\n--- a/tests/nfct/run-test.sh\n+++ b/tests/nfct/run-test.sh\n@@ -7,16 +7,5 @@ then\n \texit 1\n fi\n \n-gcc test.c -o test\n-#\n-# XXX: module auto-load not support by nfnetlink_cttimeout yet :-(\n-#\n-# any or all of these might be built-ins rather than modules, so don't error\n-# out on failure from modprobe\n-modprobe nf_conntrack_ipv4 || true\n-modprobe nf_conntrack_ipv6 || true\n-modprobe nf_conntrack_proto_udplite || true\n-modprobe nf_conntrack_proto_sctp || true\n-modprobe nf_conntrack_proto_dccp || true\n-modprobe nf_conntrack_proto_gre || true\n-./test timeout\n+test -x test || gcc test.c -o test\n+exec unshare -n ./test timeout\ndiff --git a/tests/nfct/test-live.sh b/tests/nfct/test-live.sh\nold mode 100644\nnew mode 100755\nindex 22570875f4e6..6f752ee61f59\n--- a/tests/nfct/test-live.sh\n+++ b/tests/nfct/test-live.sh\n@@ -3,71 +3,112 @@\n # simple testing for cttimeout infrastructure using one single computer\n #\n \n-WAIT_BETWEEN_TESTS=10\n-\n-# flush cttimeout table\n-nfct flush timeout\n-\n-# flush the conntrack table\n-conntrack -F\n+if [ \"$1\" != \"run\" ] ;then\n+\texec unshare -n ./$0 \"run\"\n+fi\n+\n+die() {\n+\techo \"$@\"\n+\texit 1\n+}\n+\n+warn() {\n+\techo \"WARN: $@\"\n+}\n+\n+tmp=$(mktemp)\n+cleanup()\n+{\n+\tip link del eth0\n+\trm -f \"$tmp\"\n+}\n+trap cleanup EXIT\n+\n+ret=0\n+check_timeout() {\n+\tlocal proto=\"$1\"\n+\tlocal timeout=\"$2\"\n+\n+\tif ! grep '[NEW]' \"$tmp\" | grep \"$proto $timeout\";then\n+\t\twarn \"Did not find expected output, got:\"\n+\t\tcat \"$tmp\"\n+\t\techo ----- EOF -----\n+\t\tret=1\n+\tfi\n+}\n+\n+add_rule() {\n+\tlocal proto=\"$1\"\n+\tlocal name=\"$2\"\n+\n+\techo \"Check timeout policy $name for protocol $proto\"\n+\tiptables -I OUTPUT -t raw -p \"$proto\" -j CT --timeout \"$name\" || die \"can't add -p $proto -j CT $name\"\n+}\n+\n+rm_rules() {\n+\tlocal proto=\"$1\"\n+\tlocal name=\"$2\"\n+\n+\tiptables -D OUTPUT -t raw -p $proto -j CT --timeout \"$name\" || warn \"can't remove $proto $name rule\"\n+\tnfct del timeout \"$name\" || warn \"can't remove $name policy\"\n+}\n+\n+ip link add eth0 type dummy\n+ip link set eth0 up\n+ip link set lo up\n+ip addr add 10.0.0.1/8 dev eth0\n+ip route add default via 10.0.0.99 dev eth0\n+\n+WAIT_BETWEEN_TESTS=5\n \n #\n # No.1: test generic timeout policy\n #\n+conntrack -E -p 13 > \"$tmp\" 2>/dev/null &\n+pid=$!\n \n-echo \"---- test no. 1 ----\"\n-\n-conntrack -E -p 13 &\n-\n-nfct add timeout test-generic inet generic timeout 100\n-iptables -I OUTPUT -t raw -p all -j CT --timeout test-generic\n-hping3 -c 1 -V -I eth0 -0 8.8.8.8 -H 13\n-\n-killall -15 conntrack\n-\n-echo \"---- end test no. 1 ----\"\n+nfct add timeout \"test-generic\" inet generic timeout 3 || die \"can't add generic timeout\"\n+add_rule 13 \"test-generic\"\n+hping3 -c 1 -I eth0 -0 8.8.8.8 -H 13 > /dev/null 2>&1\n+check_timeout 13 3\n+kill $pid\n \n sleep $WAIT_BETWEEN_TESTS\n-\n-iptables -D OUTPUT -t raw -p all -j CT --timeout test-generic\n-nfct del timeout test-generic\n+rm_rules 13 \"test-generic\"\n \n #\n # No.2: test TCP timeout policy\n #\n \n-echo \"---- test no. 2 ----\"\n+conntrack -E -p tcp > \"$tmp\" 2>/dev/null &\n+pid=$!\n \n-conntrack -E -p tcp &\n+nfct add timeout test-tcp inet tcp syn_sent 2 || die \"can't add tcp timeout policy\"\n+add_rule \"tcp\" \"test-tcp\"\n+hping3 -S -p 80 -s 5050 8.8.8.8 -c 1 > /dev/null 2>&1\n \n-nfct add timeout test-tcp inet tcp syn_sent 100\n-iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp\n-hping3 -V -S -p 80 -s 5050 8.8.8.8 -c 1\n+check_timeout 6 2\n+kill $pid\n \n sleep $WAIT_BETWEEN_TESTS\n-\n-iptables -D OUTPUT -t raw -p tcp -j CT --timeout test-tcp\n-nfct del timeout test-tcp\n-\n-killall -15 conntrack\n-\n-echo \"---- end test no. 2 ----\"\n+rm_rules \"tcp\" \"test-tcp\"\n \n #\n # No. 3: test ICMP timeout policy\n #\n \n-echo \"---- test no. 3 ----\"\n+conntrack -E -p icmp > \"$tmp\" 2>/dev/null &\n+pid=$!\n \n-conntrack -E -p icmp &\n+nfct add timeout test-icmp inet icmp timeout 4 || die \"can't add test-icmp policy\"\n+add_rule \"icmp\" \"test-icmp\"\n \n-nfct add timeout test-icmp inet icmp timeout 50\n-iptables -I OUTPUT -t raw -p icmp -j CT --timeout test-icmp\n-hping3 -1 8.8.8.8 -c 2\n+hping3 -1 8.8.8.8 -c 2 > /dev/null 2>&1\n \n-iptables -D OUTPUT -t raw -p icmp -j CT --timeout test-icmp\n-nfct del timeout test-icmp\n+check_timeout 1 4\n+kill \"$pid\"\n \n-killall -15 conntrack\n+sleep $WAIT_BETWEEN_TESTS\n+rm_rules \"icmp\" \"test-icmp\"\n \n-echo \"---- end test no. 3 ----\"\n+exit $ret\ndiff --git a/tests/nfct/test.c b/tests/nfct/test.c\nindex a833dcc9e99b..bce927829190 100644\n--- a/tests/nfct/test.c\n+++ b/tests/nfct/test.c\n@@ -97,4 +97,8 @@ int main(int argc, char *argv[])\n \tclosedir(d);\n \n \tfprintf(stdout, \"OK: %d BAD: %d\\n\", ok, bad);\n+\tif (bad)\n+\t\treturn 1;\n+\n+\treturn ok > 0 ? 0 : 1;\n }\ndiff --git a/tests/nfct/timeout/03udplite b/tests/nfct/timeout/03udplite\ndeleted file mode 100644\nindex 8ed345901651..000000000000\n--- a/tests/nfct/timeout/03udplite\n+++ /dev/null\n@@ -1,16 +0,0 @@\n-# add policy object `test'\n-nfct add timeout test inet udplite unreplied 10 ; OK\n-# get policy object `test'\n-nfct get timeout test ; OK\n-# delete policy object `test'\n-nfct delete timeout test ; OK\n-# get unexistent policy object `dummy'\n-nfct get timeout test ; BAD\n-# delete policy object `test', however, it does not exists anymore\n-nfct delete timeout test ; BAD\n-# add policy object `test'\n-nfct add timeout test inet udplite unreplied 1 replied 2 ; OK\n-# get policy object `test'\n-nfct get timeout test ; OK\n-# delete policy object `test'\n-nfct delete timeout test ; OK\ndiff --git a/tests/nfct/timeout/07dccp b/tests/nfct/timeout/07dccp\ndeleted file mode 100644\nindex 1d885853f577..000000000000\n--- a/tests/nfct/timeout/07dccp\n+++ /dev/null\n@@ -1,16 +0,0 @@\n-# add policy object `test'\n-nfct add timeout test inet dccp request 100 ; OK\n-# get policy object `test'\n-nfct get timeout test ; OK\n-# delete policy object `test'\n-nfct delete timeout test ; OK\n-# get unexistent policy object `dummy'\n-nfct get timeout test ; BAD\n-# delete policy object `test', however, it does not exists anymore\n-nfct delete timeout test ; BAD\n-# add policy object `test'\n-nfct add timeout test inet dccp request 1 respond 2 partopen 3 open 4 closereq 5 closing 6 timewait 7 ; OK\n-# get policy object `test'\n-nfct get timeout test ; OK\n-# delete policy object `test'\n-nfct delete timeout test ; OK\n","prefixes":["conntrack-tools"]}