[Devel] [PATCH vz10 10/12] selftests: net: pmtu.sh: allow test traffic despite host firewall rules
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri Dec 19 06:22:44 MSK 2025
On 12/17/25 05:04, Aleksei Oladko wrote:
> The pmtu.sh kselftest sets up a multi-namespace test topology where the
> host network itself is part of the test setup. Test packets originating
> from the created namespace are expected to reach the test interface created
> in the host. When firewall rules are present on the host, this traffic
> may be blocked, causing the test to fail.
>
> Install temporary firewall rules during the test execution to allow
> the test traffic to reach the host interfaces and remove them
> afterwards.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-120995
>
> Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
> ---
> tools/testing/selftests/net/pmtu.sh | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh
> index 6c651c880fe8..f60581f2bb03 100755
> --- a/tools/testing/selftests/net/pmtu.sh
> +++ b/tools/testing/selftests/net/pmtu.sh
> @@ -1534,8 +1534,26 @@ test_pmtu_ipvX_over_ovs_vxlanY_or_geneveY_exception() {
> mtu "" ${type}_a $((${ll_mtu} + 1000)) 2>/dev/null
> mtu "${ns_b}" ${type}_b $((${ll_mtu} + 1000))
>
> + chain=$(nft list table ip filter | awk '/chain/ {name=$2} /hook input/ {print name}')
In nft the table name ("filter" in your example) can be changed arbitrarily; also, if one does "nft flush ruleset", you will get an error from nft that the table does not exist. Can we, maybe, run this test in a netns, so that the "host" in terms of the test is not a real host?
> + if [ -n "$chain" ]; then
> + if [ "${type}" = "vxlan" ]; then
> + port="4789"
> + elif [ "${type}" = "geneve" ]; then
> + port="6081"
> + fi
> +
> + if [ ${outer_family} -eq 6 ]; then
> + rule_family="6"
> + fi
> + nft_handle=$(nft --echo --json insert rule ip$rule_family filter $chain \
> + iifname "veth_A-R1" udp dport $port accept | \
> + jq '.nftables[] | .insert.rule.handle')
> + fi
> run_cmd ${ns_c} ${ping} -q -M want -i 0.1 -c 20 -s $((${ll_mtu} + 500)) ${dst} || return 1
>
> + if [ -n "$nft_handle" ]; then
> + nft delete rule ip$rule_family filter $chain handle $nft_handle
> + fi
> # Check that exceptions were created
> pmtu="$(route_get_dst_pmtu_from_exception "${ns_c}" ${dst})"
> check_pmtu_value ${exp_mtu} "${pmtu}" "exceeding link layer MTU on Open vSwitch ${type} interface"
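Review bot: the temporary accept rule is leaked on the failure path of this hunk: `run_cmd ${ns_c} ${ping} ... || return 1` returns before the `if [ -n "$nft_handle" ]; then nft delete rule ...` block is reached, so a failing test leaves the host input chain permanently accepting UDP to port 4789 or 6081 from "veth_A-R1". Delete the rule before the `return 1` (or hook the removal into the script's existing cleanup path) so the rule's lifetime is bounded by the test in both outcomes. Two smaller points in the same hunk: the chain name is always looked up with `nft list table ip filter`, but when `${outer_family}` is 6 the rule is inserted into `ip6 filter`, so the chain name comes from a different table than the one written to; and `chain`, `rule_family` and `nft_handle` are neither declared local nor reset at the start of the function, so if the function runs more than once in the same shell a value left over from an earlier call (for example `rule_family="6"`) carries into the next one.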
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.