[Devel] [PATCH vz10 10/12] selftests: net: pmtu.sh: allow test traffic despite host firewall rules

Konstantin Khorenko khorenko at virtuozzo.com
Fri Dec 19 18:34:57 MSK 2025


But I have not actually tried it.

commit b5746753eb9666fb54d540b3dd2aafaf82341921 (HEAD -> vz10.ksefelftest.conntracks)
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Dec 19 16:33:35 2025 +0100

     selftests: net: run pmtu.sh in netns to avoid host firewall interference

     The pmtu.sh kselftest sets up a multi-namespace test topology where the
     host network itself is part of the test setup. Test packets originating
     from the created namespace are expected to reach a test interface created
     on the host. When firewall rules are present on the host, this traffic
     may be blocked, causing the test to fail.

     Run the test in an isolated network namespace to avoid interference
     from host firewall rules. This approach is consistent with the upstream
     solution used in fc49b804967e5b1cc1665efd4de112945e1ab4c6 and follows
     the pattern already used by the reuseport tests.

     https://virtuozzo.atlassian.net/browse/VSTOR-120995


     Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile
index 3ecd2c34b3d1f..68ed3ef8e3499 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -8,7 +8,7 @@ CFLAGS += -I../

  TEST_PROGS := run_netsocktests run_afpackettests test_bpf.sh netdevice.sh \
               rtnetlink.sh xfrm_policy.sh test_blackhole_dev.sh
-TEST_PROGS += fib_tests.sh fib-onlink-tests.sh pmtu.sh udpgso.sh ip_defrag.sh
+TEST_PROGS += fib_tests.sh fib-onlink-tests.sh pmtu_wrapper.sh udpgso.sh ip_defrag.sh
  TEST_PROGS += udpgso_bench.sh fib_rule_tests.sh msg_zerocopy.sh psock_snd.sh
  TEST_PROGS += udpgro_bench.sh udpgro.sh test_vxlan_under_vrf.sh reuseport_addr_any.sh
  TEST_PROGS += reuseport_bpf.sh reuseport_bpf_cpu.sh reuseport_bpf_numa.sh reuseport_dualstack.sh
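Review bot: pmtu.sh is removed from TEST_PROGS here, but the wrapper still runs ./pmtu.sh (and ./in_netns.sh) by relative path, so both files must still be installed; this hunk does not add pmtu.sh to TEST_PROGS_EXTENDED or any other installed list, and from an installed kselftest tree the wrapper would fail with "No such file or directory". Add something like `TEST_PROGS_EXTENDED += pmtu.sh` in the same change and confirm in_netns.sh is already in the installed set in this tree.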
diff --git a/tools/testing/selftests/net/pmtu_wrapper.sh b/tools/testing/selftests/net/pmtu_wrapper.sh
new file mode 100755
index 0000000000000..d43c23ba51552
--- /dev/null
+++ b/tools/testing/selftests/net/pmtu_wrapper.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+./in_netns.sh ./pmtu.sh "$@"
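Review bot: the wrapper only removes the host-firewall dependency if everything the test treats as "host" ends up inside the namespace in_netns.sh creates; the OVS vxlan/geneve cases quoted below (test_pmtu_ipvX_over_ovs_vxlanY_or_geneveY_exception) go through an ovs-vswitchd that keeps running in the real host namespace, so before merging check that those cases still create their bridge and ports where the test expects them instead of failing or being skipped once pmtu.sh is wrapped, especially since the cover note says this has not been tried. Two smaller points: `exec ./in_netns.sh ./pmtu.sh "$@"` would make the wrapper's exit status in_netns.sh's own without an extra shell in between, and both relative paths assume the caller's cwd is tools/testing/selftests/net, which holds for the kselftest runner but is worth a one-line comment in the file.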

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 12/19/25 04:22, Pavel Tikhomirov wrote:
> 
> 
> On 12/17/25 05:04, Aleksei Oladko wrote:
>> The pmtu.sh kselftest sets up a multi-namespace test topology where the
>> host network itself is part of the test setup. Test packets originating
>> from the created namespace are expected to reach a test interface created
>> on the host. When firewall rules are present on the host, this traffic
>> may be blocked, causing the test to fail.
>>
>> Install temporary firewall rules during the test execution to allow
>> the test traffic to reach the host interfaces and remove them
>> afterwards.
>>
>> https://virtuozzo.atlassian.net/browse/VSTOR-120995
>>
>> Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
>> ---
>>   tools/testing/selftests/net/pmtu.sh | 18 ++++++++++++++++++
>>   1 file changed, 18 insertions(+)
>>
>> diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh
>> index 6c651c880fe8..f60581f2bb03 100755
>> --- a/tools/testing/selftests/net/pmtu.sh
>> +++ b/tools/testing/selftests/net/pmtu.sh
>> @@ -1534,8 +1534,26 @@ test_pmtu_ipvX_over_ovs_vxlanY_or_geneveY_exception() {
>>   		mtu ""        ${type}_a  $((${ll_mtu} + 1000)) 2>/dev/null
>>   	mtu "${ns_b}" ${type}_b  $((${ll_mtu} + 1000))
>>   
>> +	chain=$(nft list table ip filter | awk '/chain/ {name=$2} /hook input/ {print name}')
> 
> In nft the table name ("filter" in your example) can be changed arbitrarily; also, if one does "nft flush ruleset", you will get an error from nft that the table does not exist. Can we, maybe, run this test in a netns, so that the "host" in terms of the test is not the real host?
> 
>> +	if [ -n "$chain" ]; then
>> +		if [ "${type}" = "vxlan" ]; then
>> +			port="4789"
>> +		elif [ "${type}" = "geneve" ]; then
>> +			port="6081"
>> +		fi
>> +
>> +		if [ ${outer_family} -eq 6 ]; then
>> +			rule_family="6"
>> +		fi
>> +		nft_handle=$(nft --echo --json insert rule ip$rule_family filter $chain \
>> +			iifname "veth_A-R1" udp dport $port accept | \
>> +			jq '.nftables[] | .insert.rule.handle')
>> +	fi
>>   	run_cmd ${ns_c} ${ping} -q -M want -i 0.1 -c 20 -s $((${ll_mtu} + 500)) ${dst} || return 1
>>   
>> +	if [ -n "$nft_handle" ]; then
>> +		nft delete rule ip$rule_family filter $chain handle $nft_handle
>> +	fi
>>   	# Check that exceptions were created
>>   	pmtu="$(route_get_dst_pmtu_from_exception "${ns_c}" ${dst})"
>>   	check_pmtu_value ${exp_mtu} "${pmtu}" "exceeding link layer MTU on Open vSwitch ${type} interface"
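Review bot: the chain name is looked up in `nft list table ip filter`, but when outer_family is 6 the rule is inserted into and deleted from `ip$rule_family filter`, i.e. the ip6 table, so the accept rule lands in whatever ip6 chain happens to share the ip chain's name, or the insert fails because that chain was never checked in the ip6 table; look the chain up in the same family the rule goes into (or, as Pavel suggests, avoid touching the host ruleset altogether). Independently of that: `rule_family` and `nft_handle` are never reset, so an IPv4 iteration after an IPv6 one inherits rule_family=6, and a later call with an empty `chain` still runs `nft delete rule ... handle $nft_handle` with a stale handle; initialise both at the top of the function. The delete also sits after `run_cmd ${ns_c} ${ping} ... || return 1`, so a failed ping leaves a UDP 4789/6081 accept rule in the host's input chain, matched on iifname "veth_A-R1" only for as long as that veth exists; put the deletion in the cleanup path instead of the success path. Finally, the awk prints one line per input-hooked chain and the `--echo --json | jq` pair adds a jq dependency (and needs an nft built with JSON support) that the selftest does not otherwise have; `nft -a list chain` plus awk would avoid both.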
> 
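Pavel's objection that the table name is arbitrary applies to any variant of the rule-insertion approach, not just the hardcoded "filter". The block below is an added example of my own, not code from either patch or from the kernel tree, showing what a family- and table-agnostic lookup looks like if host rules were to be inserted after all. The `nft list ruleset` text and the `--echo --json` reply are constructed samples (the latter shaped after the `.insert.rule.handle` path the patch feeds to jq); nothing here runs nft or needs root, and the `nft insert rule` commands it produces are printed for review rather than executed. It also covers a point the patch misses: an accept verdict ends evaluation only in the base chain it is in, other base chains on the same hook still see the packet, so every input-hooked chain of a matching family (including `inet` tables) needs its own rule.

```shell
#!/bin/sh
# Added example: family- and table-agnostic lookup of nft input base chains,
# and a jq-free extraction of the handle echoed by `nft --echo --json insert`.
# Nothing here talks to the kernel; the ruleset text and the echo reply are
# constructed samples passed on stdin, so it runs unprivileged.

# Constructed sample of `nft list ruleset` output: a firewalld-style inet table
# with an arbitrary chain name, plus classic ip/ip6 "filter" tables.
SAMPLE_RULESET=$(cat <<'EOF'
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state established,related accept
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
    }
}
EOF
)

# Constructed sample of what `nft --echo --json insert rule ...` replies with,
# shaped after the .insert.rule.handle path the patch feeds to jq.
SAMPLE_ECHO='{"nftables": [{"insert": {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 12, "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "veth_A-R1"}}]}}}]}'

# input_chains FAMILY: read `nft list ruleset` text on stdin and print
# "family table chain" for every base chain hooked to input that applies to
# FAMILY ("ip" or "ip6"). inet tables hook both families, so they are included;
# table and chain names are taken from the text, never assumed.
input_chains() {
    awk -v want="$1" '
        $1 == "table" { family = $2; table = $3; chain = "" }
        $1 == "chain" { chain = $2 }
        $1 == "type" && /hook input/ && (family == want || family == "inet") {
            print family, table, chain
        }
    '
}

# rule_handle: print the numeric handle from an `--echo --json` reply on stdin,
# using only sed, so the selftest gains no jq dependency.
rule_handle() {
    sed -n 's/.*"handle":[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# accept_cmds FAMILY PORT IIFNAME: for a ruleset on stdin, print one
# `nft insert rule` command per input base chain. An accept verdict ends
# evaluation only in the chain it is in; other base chains on the same hook
# still see the packet, so each of them needs its own rule. The commands are
# printed for review, not run.
accept_cmds() {
    input_chains "$1" | while read -r fam tbl chn; do
        printf 'nft --echo --json insert rule %s %s %s iifname "%s" udp dport %s accept\n' \
            "$fam" "$tbl" "$chn" "$3" "$2"
    done
}
```

In a real test the caller would feed `nft list ruleset` into `input_chains`, eval each printed command, pipe every reply through `rule_handle`, and delete the collected handles from a trap-based cleanup path rather than only after a successful ping; the example stops deliberately at producing the commands so it stays inspectable and root-free.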


