[Devel] [PATCH vz10 2/2] selftests: forwarding: fix pedit tests failure with br_netfilter enabled
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri Feb 27 13:15:30 MSK 2026
In general, this looks good.
On 2/27/26 10:17, Aleksei Oladko wrote:
> The tests use the tc pedit action to modify the IPv4 source address
> ("pedit ex munge ip src set"), but the IP header checksum is not
> recalculated after the modification. As a result, the modified packet
> fails sanity checks in br_netfilter after bridging and is dropped,
> which causes the test to fail.
>
> Fix this by ensuring net.bridge.bridge-nf-call-iptables is set to 0
> during the test execution. This prevents the bridge from passing
> L2 traffic to netfilter, bypassing the checksum validation that
> causes the test failure.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-123249
>
> Fixes: 92ad3828944e ("selftests: forwarding: Add a test for pedit munge SIP and DIP")
> Fixes: 226657ba2389 ("selftests: forwarding: Add a forwarding test for pedit munge dsfield")
> Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
Reviewed-by: Ido Schimmel <idosch at nvidia.com>
Link: https://patch.msgid.link/20260213131907.43351-4-aleksey.oladko@virtuozzo.com
Signed-off-by: Paolo Abeni <pabeni at redhat.com>
(cherry picked from commit a8c198d16c64cdf57f481a4cd3e769502802369e)
Some missing tags ^.
>
> ---
> tools/testing/selftests/net/forwarding/pedit_dsfield.sh | 8 ++++++++
> tools/testing/selftests/net/forwarding/pedit_ip.sh | 8 ++++++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
> index af008fbf2725..eb2d8034de9c 100755
> --- a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
> +++ b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
> @@ -98,12 +98,20 @@ setup_prepare()
> h1_create
> h2_create
> switch_create
> +
> + if [ -f /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
> + sysctl_set net.bridge.bridge-nf-call-iptables 0
> + fi
> }
>
> cleanup()
> {
> pre_cleanup
>
> + if [ -f /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
> + sysctl_restore net.bridge.bridge-nf-call-iptables
> + fi
> +
> switch_destroy
> h2_destroy
> h1_destroy
> diff --git a/tools/testing/selftests/net/forwarding/pedit_ip.sh b/tools/testing/selftests/net/forwarding/pedit_ip.sh
> index d14efb2d23b2..9235674627ab 100755
> --- a/tools/testing/selftests/net/forwarding/pedit_ip.sh
> +++ b/tools/testing/selftests/net/forwarding/pedit_ip.sh
> @@ -91,12 +91,20 @@ setup_prepare()
> h1_create
> h2_create
> switch_create
> +
> + if [ -f /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
> + sysctl_set net.bridge.bridge-nf-call-iptables 0
> + fi
> }
>
> cleanup()
> {
> pre_cleanup
>
> + if [ -f /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
> + sysctl_restore net.bridge.bridge-nf-call-iptables
> + fi
> +
> switch_destroy
> h2_destroy
> h1_destroy
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
More information about the Devel
mailing list