leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

selftests: add script to stress-test nft packet path vs. control plane

Browse Source 
Start flood ping for each cpu while loading/flushing rulesets to make
sure we do not access already-free'd rules from nf_tables evaluation loop.

Also add this to TARGETS so 'make run_tests' in selftest dir runs it
automatically.

This would have caught the bug fixed in previous change
("netfilter: nf_tables: do not skip inactive chains during generation update")
sooner.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2018-10-31 18:26:21 +01:00 committed by Pablo Neira Ayuso
parent 0fb39bbe43
commit 25d8bcedbf
4 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
tools/testing/selftests/Makefile
View File

@ -24,6 +24,7 @@ TARGETS += memory-hotplug
TARGETS += mount TARGETS += mount
TARGETS += mqueue TARGETS += mqueue
TARGETS += net TARGETS += net
TARGETS += netfilter
TARGETS += nsfs TARGETS += nsfs
TARGETS += powerpc TARGETS += powerpc
TARGETS += proc TARGETS += proc

6
tools/testing/selftests/netfilter/Makefile Normal file
View File

@ -0,0 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
# Makefile for netfilter selftests
TEST_PROGS := nft_trans_stress.sh
include ../lib.mk

2
tools/testing/selftests/netfilter/config Normal file
View File

@ -0,0 +1,2 @@
CONFIG_NET_NS=y
NF_TABLES_INET=y

78
tools/testing/selftests/netfilter/nft_trans_stress.sh Executable file
View File

@ -0,0 +1,78 @@
#!/bin/bash
#
# This test is for stress-testing the nf_tables config plane path vs.
# packet path processing: Make sure we never release rules that are
# still visible to other cpus.
#
# set -e
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
testns=testns1
tables="foo bar baz quux"
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
tmp=$(mktemp)
for table in $tables; do
echo add table inet "$table" >> "$tmp"
echo flush table inet "$table" >> "$tmp"
echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
echo "add chain inet $table $chain" >> "$tmp"
done
for c in $(seq 1 400); do
chain=$(printf "chain%03u" "$c")
for BASE in INPUT OUTPUT; do
echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
done
echo "add rule inet $table $chain counter return" >> "$tmp"
done
done
ip netns add "$testns"
ip -netns "$testns" link set lo up
lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;
cpunum=$((cpunum-1))
for i in $(seq 0 $cpunum);do
mask=$(printf 0x%x $((1<<$i)))
ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
done)
sleep 1
for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
for table in $tables;do
randsleep=$((RANDOM%10))
sleep $randsleep
ip netns exec "$testns" nft delete table inet $table 2>/dev/null
done
randsleep=$((RANDOM%10))
sleep $randsleep
pkill -9 ping
wait
rm -f "$tmp"
ip netns del "$testns"