linux-toradex.git/tools/testing/selftests/net, branch master Linux kernel for Apalis and Colibri modules selftests: tls: size splice_short pipe by page size 2026-06-25T16:01:58+00:00 Nirmoy Das nirmoyd@nvidia.com 2026-06-24T13:44:16+00:00 3e52f56875c6fafee619b5c2b4ded25f2efbd2ec splice_short grows its pipe with (MAX_FRAGS + 1) * 0x1000 so it can queue one short vmsplice() buffer for each fragment before draining the pipe. That assumes 4K pipe buffers. On 64K-page kernels the request is rounded to 262144 bytes, which provides only four pipe buffers. The fifth one-byte vmsplice() blocks in pipe_wait_writable and the test times out before it reaches the TLS path. Request enough bytes for the same number of pipe buffers using the runtime page size, and assert that the kernel granted at least that much. If an unprivileged run cannot raise the pipe above the system pipe-max-size limit, skip the test because it cannot exercise the intended path. Fixes: 3667e9b442b9 ("selftests: tls: add test for short splice due to full skmsg") Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260624134416.3235403-1-nirmoyd@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
splice_short grows its pipe with (MAX_FRAGS + 1) * 0x1000 so it can
queue one short vmsplice() buffer for each fragment before draining the
pipe. That assumes 4K pipe buffers.

On 64K-page kernels the request is rounded to 262144 bytes, which
provides only four pipe buffers. The fifth one-byte vmsplice() blocks in
pipe_wait_writable and the test times out before it reaches the TLS path.

Request enough bytes for the same number of pipe buffers using the
runtime page size, and assert that the kernel granted at least that much.
If an unprivileged run cannot raise the pipe above the system
pipe-max-size limit, skip the test because it cannot exercise the
intended path.

Fixes: 3667e9b442b9 ("selftests: tls: add test for short splice due to full skmsg")
Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260624134416.3235403-1-nirmoyd@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests: nft_queue.sh: add a bridge queue test 2026-06-23T06:11:22+00:00 Florian Westphal fw@strlen.de 2026-06-02T13:31:06+00:00 8a2cfe7951f679350d39239de4c610448731a68e Add a test queueing from bridge family. This was lacking: we queued from inet for ipv4 and ipv6 but we had no bridge queue test so far. Given kernel MUST validate that in/out port are still part of a bridge device on reinject add a test case for this before adding this check. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add a test queueing from bridge family.
This was lacking: we queued from inet for ipv4 and ipv6 but
we had no bridge queue test so far.

Given kernel MUST validate that in/out port are still part of
a bridge device on reinject add a test case for this before
adding this check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test 2026-06-23T06:11:22+00:00 Yi Chen yiche.cy@gmail.com 2026-06-11T14:50:13+00:00 a49a8e51eebc605d5fd674ba7a451eabf553f5cb The existing test covered a scenario where a delayed INIT_ACK chunk updates the vtag in conntrack after the association has already been established. A similar issue can occur with a delayed SCTP INIT chunk. Add a new simultaneous-open test case where the client's INIT is delayed, allowing conntrack to establish the association based on the server-initiated handshake. When the stale INIT arrives later, it may get recorded and cause a following INIT_ACK from the peer to be accepted instead of dropped. This INIT_ACK overwrites the vtag in conntrack, causing subsequent SCTP DATA chunks to be considered as invalid and then dropped by nft rules matching on ct state invalid. This test verifies such stale INIT chunks do not cause problems. Signed-off-by: Yi Chen <yiche.cy@gmail.com> Acked-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The existing test covered a scenario where a delayed INIT_ACK chunk
updates the vtag in conntrack after the association has already been
established.

A similar issue can occur with a delayed SCTP INIT chunk.

Add a new simultaneous-open test case where the client's INIT is
delayed, allowing conntrack to establish the association based on
the server-initiated handshake.

When the stale INIT arrives later, it may get recorded and cause a
following INIT_ACK from the peer to be accepted instead of dropped.
This INIT_ACK overwrites the vtag in conntrack, causing subsequent
SCTP DATA chunks to be considered as invalid and then dropped by
nft rules matching on ct state invalid.

This test verifies such stale INIT chunks do not cause problems.

Signed-off-by: Yi Chen <yiche.cy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: fix and simplify IP6IP6 tunnel handling 2026-06-19T10:22:29+00:00 Lorenzo Bianconi lorenzo@kernel.org 2026-06-15T09:18:25+00:00 f4c2d8668d85ed125985da663c824a9c25498257 Fix nf_flow_ip6_tunnel_proto() to use pskb_may_pull() instead of skb_header_pointer() to ensure the outer IPv6 header is in the skb headroom, which is required for subsequent packet processing. Move ctx->offset update inside the IPPROTO_IPV6 conditional block since it should only be adjusted when an IP6IP6 tunnel is actually detected. Simplify the rx path by removing ipv6_skip_exthdr() and checking ip6h->nexthdr directly, as the flowtable fast path only handles simple IP6IP6 encapsulation without extension headers. Drop the tunnel encapsulation limit destination option support from the tx path to match, since the rx path no longer handles extension headers. Remove the encap_limit parameter from nf_flow_offload_ipv6_forward(), nf_flow_tunnel_ip6ip6_push() and nf_flow_tunnel_v6_push(), along with the ipv6_tel_txoption struct and related headroom/MTU adjustments. Fixes: d98103575dcdd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Fix nf_flow_ip6_tunnel_proto() to use pskb_may_pull() instead of
skb_header_pointer() to ensure the outer IPv6 header is in the skb
headroom, which is required for subsequent packet processing. Move
ctx->offset update inside the IPPROTO_IPV6 conditional block since it
should only be adjusted when an IP6IP6 tunnel is actually detected.
Simplify the rx path by removing ipv6_skip_exthdr() and checking
ip6h->nexthdr directly, as the flowtable fast path only handles simple
IP6IP6 encapsulation without extension headers.
Drop the tunnel encapsulation limit destination option support from the
tx path to match, since the rx path no longer handles extension headers.
Remove the encap_limit parameter from nf_flow_offload_ipv6_forward(),
nf_flow_tunnel_ip6ip6_push() and nf_flow_tunnel_v6_push(), along with
the ipv6_tel_txoption struct and related headroom/MTU adjustments.

Fixes: d98103575dcdd ("netfilter: flowtable: Add IP6IP6 rx sw acceleration")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
selftests: net: fix file owner for broadcast_ether_dst test 2026-06-19T01:22:30+00:00 Ross Porter ross.porter@canonical.com 2026-06-17T06:10:39+00:00 b8613e9792002add3bf77122868cc06ce142e953 Ensure the output file is always owned by root (even if tcpdump was compiled with `--with-user`), by passing the `-Z root` argument when invoking it. Cc: stable@vger.kernel.org Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com> Closes: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2129815 Fixes: bf59028ea8d4 ("selftests: net: add test for destination in broadcast packets") Suggested-by: Edoardo Canepa <edoardo.canepa@canonical.com> Tested-by: Ross Porter <ross.porter@canonical.com> Signed-off-by: Ross Porter <ross.porter@canonical.com> Link: https://patch.msgid.link/20260617061039.79717-2-ross.porter@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
Ensure the output file is always owned by root (even if tcpdump was
compiled with `--with-user`), by passing the `-Z root` argument when
invoking it.

Cc: stable@vger.kernel.org
Reported-by: Edoardo Canepa <edoardo.canepa@canonical.com>
Closes: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2129815
Fixes: bf59028ea8d4 ("selftests: net: add test for destination in broadcast packets")
Suggested-by: Edoardo Canepa <edoardo.canepa@canonical.com>
Tested-by: Ross Porter <ross.porter@canonical.com>
Signed-off-by: Ross Porter <ross.porter@canonical.com>
Link: https://patch.msgid.link/20260617061039.79717-2-ross.porter@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests: vlan_bridge_binding: Fix flaky operational state check 2026-06-19T01:15:34+00:00 Ido Schimmel idosch@nvidia.com 2026-06-17T10:43:23+00:00 4045f1c3d68ef4b589ae2587e6ff66ce8017daf2 check_operstate() busy waits for up to one second for the operational state to change to the expected state. This is not enough since carrier loss events can be delayed by the kernel for up to one second (see __linkwatch_run_queue()), leading to sporadic failures. Fix by increasing the busy wait period to two seconds. Fixes: dca12e9ab760 ("selftests: net: Add a VLAN bridge binding selftest") Reported-by: Jakub Kicinski <kuba@kernel.org> Closes: https://lore.kernel.org/netdev/20260616092733.3a31be4d@kernel.org/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Petr Machata <petrm@nvidia.com> Link: https://patch.msgid.link/20260617104323.1069457-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
check_operstate() busy waits for up to one second for the operational
state to change to the expected state. This is not enough since carrier
loss events can be delayed by the kernel for up to one second (see
__linkwatch_run_queue()), leading to sporadic failures.

Fix by increasing the busy wait period to two seconds.

Fixes: dca12e9ab760 ("selftests: net: Add a VLAN bridge binding selftest")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20260616092733.3a31be4d@kernel.org/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20260617104323.1069457-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests: net: add local ECMP rehash test 2026-06-15T22:58:13+00:00 Neil Spring ntspring@meta.com 2026-06-15T04:21:58+00:00 ae57a55332436ca58d1824d3375478afd51dca6a Add ecmp_rehash.sh with nine scenarios verifying that TCP rehash selects a different local ECMP path for IPv6: - SYN retransmission (forward path blocked during setup) - SYN/ACK retransmission (reverse path blocked during setup) - Midstream RTO (forward path blocked on established connection) - Midstream ACK rehash (reverse path blocked on established connection) - PLB rehash (ECN-driven congestion on established connection) - Hash policy 1 negative test (rehash attempted but path unchanged) - No flowlabel leak (client mp_hash does not alter on-wire flowlabel) - Dst rebuild consistency (dst invalidation does not change path) - Syncookie server path consistency (SYN-ACK and post-cookie ACKs use the same ECMP path) The policy 1 test verifies that fib_multipath_hash_policy=1 computes a deterministic 5-tuple hash, so txhash re-rolls do not change the ECMP path while TcpTimeoutRehash still increments. The flowlabel leak test sets auto_flowlabels=0 on the client and installs tc filters on client egress that drop TCP packets with nonzero flowlabel, confirming that the client's fl6->mp_hash does not leak into the on-wire IPv6 flow label. The PLB test needs DCTCP, a restricted congestion control. Rather than relax the host-global tcp_allowed_congestion_control (no per-netns equivalent), it pins dctcp on the test routes via the congctl route attribute, confined to the test namespaces. The dst rebuild test streams data, invalidates the cached dst by adding and removing a dummy route (bumping the fib6_node sernum), and verifies that traffic stays on the same path. The sernum change causes ip6_dst_check() to fail on the next transmit, triggering a fresh route lookup via inet6_csk_route_socket(). ECMP_REBUILD_ROUNDS=10 repeats the check to reduce the probability of a buggy kernel passing by chance with 2-way ECMP. The syncookie server path consistency test verifies that the server's SYN-ACK and subsequent ACKs use the same ECMP path. With syncookies, the request socket is freed after the SYN-ACK, so cookie_tcp_reqsk_init() must derive the same txhash (from the cookie) that was used for the SYN-ACK's route lookup. The syncookie test forces tcp_syncookies=2; it skips when CONFIG_SYN_COOKIES is not available. selftests/net/config selects it (and CONFIG_TCP_CONG_DCTCP for the PLB test). Signed-off-by: Neil Spring <ntspring@meta.com> Link: https://patch.msgid.link/20260615042158.1600746-3-ntspring@meta.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
Add ecmp_rehash.sh with nine scenarios verifying that TCP rehash
selects a different local ECMP path for IPv6:

  - SYN retransmission (forward path blocked during setup)
  - SYN/ACK retransmission (reverse path blocked during setup)
  - Midstream RTO (forward path blocked on established connection)
  - Midstream ACK rehash (reverse path blocked on established connection)
  - PLB rehash (ECN-driven congestion on established connection)
  - Hash policy 1 negative test (rehash attempted but path unchanged)
  - No flowlabel leak (client mp_hash does not alter on-wire flowlabel)
  - Dst rebuild consistency (dst invalidation does not change path)
  - Syncookie server path consistency (SYN-ACK and post-cookie ACKs
    use the same ECMP path)

The policy 1 test verifies that fib_multipath_hash_policy=1 computes
a deterministic 5-tuple hash, so txhash re-rolls do not change the
ECMP path while TcpTimeoutRehash still increments.

The flowlabel leak test sets auto_flowlabels=0 on the client and
installs tc filters on client egress that drop TCP packets with
nonzero flowlabel, confirming that the client's fl6->mp_hash does
not leak into the on-wire IPv6 flow label.

The PLB test needs DCTCP, a restricted congestion control.  Rather
than relax the host-global tcp_allowed_congestion_control (no
per-netns equivalent), it pins dctcp on the test routes via the
congctl route attribute, confined to the test namespaces.

The dst rebuild test streams data, invalidates the cached dst by
adding and removing a dummy route (bumping the fib6_node sernum),
and verifies that traffic stays on the same path.  The sernum change
causes ip6_dst_check() to fail on the next transmit, triggering a
fresh route lookup via inet6_csk_route_socket().
ECMP_REBUILD_ROUNDS=10 repeats the check to reduce the probability
of a buggy kernel passing by chance with 2-way ECMP.

The syncookie server path consistency test verifies that the
server's SYN-ACK and subsequent ACKs use the same ECMP path.
With syncookies, the request socket is freed after the SYN-ACK,
so cookie_tcp_reqsk_init() must derive the same txhash (from the
cookie) that was used for the SYN-ACK's route lookup.

The syncookie test forces tcp_syncookies=2; it skips when
CONFIG_SYN_COOKIES is not available.  selftests/net/config selects
it (and CONFIG_TCP_CONG_DCTCP for the PLB test).

Signed-off-by: Neil Spring <ntspring@meta.com>
Link: https://patch.msgid.link/20260615042158.1600746-3-ntspring@meta.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests/net/openvswitch: add SET action test 2026-06-15T21:16:06+00:00 Minxi Hou houminxi@gmail.com 2026-06-12T13:05:03+00:00 3b165c2a29cfb6453f26e1ac833ca6afd28d28cf Add test_action_set exercising OVS_ACTION_ATTR_SET with an ipv4 dst rewrite. The test verifies the SET action in three steps: first confirm normal forwarding, then apply set(ipv4(dst=10.0.0.99)) to rewrite the destination to an address nobody owns and verify ping fails, then restore normal forwarding and verify connectivity recovers. Signed-off-by: Minxi Hou <houminxi@gmail.com> Reviewed-by: Aaron Conole <aconole@redhat.com> Link: https://patch.msgid.link/20260612130503.311240-1-houminxi@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
Add test_action_set exercising OVS_ACTION_ATTR_SET with an ipv4 dst
rewrite. The test verifies the SET action in three steps: first
confirm normal forwarding, then apply set(ipv4(dst=10.0.0.99)) to
rewrite the destination to an address nobody owns and verify ping
fails, then restore normal forwarding and verify connectivity
recovers.

Signed-off-by: Minxi Hou <houminxi@gmail.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20260612130503.311240-1-houminxi@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests: net: add test for IPv4 devconf netlink notifications 2026-06-13T21:15:53+00:00 Fernando Fernandez Mancera fmancera@suse.de 2026-06-09T20:45:20+00:00 32229484e381b2c9a0c0f50cf16329ac7ab9478f Introduce a new test, `ipv4_devconf_notify`, to verify that the kernel sends the appropriate netlink notifications when IPv4 devconf parameters are modified. The test depends on the newly introduced iproute2 command: `ip link set dev <ifname> inet` Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Link: https://patch.msgid.link/20260609204520.4670-3-fmancera@suse.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
Introduce a new test, `ipv4_devconf_notify`, to verify that the kernel
sends the appropriate netlink notifications when IPv4 devconf parameters
are modified.

The test depends on the newly introduced iproute2 command:

`ip link set dev <ifname> inet`

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260609204520.4670-3-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
selftests: netfilter: add phony nft_offload test 2026-06-13T17:29:39+00:00 Florian Westphal fw@strlen.de 2026-06-12T09:22:09+00:00 5394aa0bb00da862e8c85c2768cbb12612044d13 ... "phony", because its not testing offloads, it tests the control plane code. Also test error unwind via fault injection framework. For a proper test, real hardware would be required given we'd have check if 'previously handed off to hardware' offload commands are properly removed again on failure or rule flush. Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://patch.msgid.link/20260612092209.11966-3-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
... "phony", because its not testing offloads, it tests the control
plane code.  Also test error unwind via fault injection framework.

For a proper test, real hardware would be required given we'd have
check if 'previously handed off to hardware' offload commands are
properly removed again on failure or rule flush.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20260612092209.11966-3-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>