author: Florian Westphal <fw@strlen.de> 2024-05-07 14:02:10 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-05-10 12:13:45 +0300
commit: a8a388c2aae490c08d59a6c15d15a968fea5089a (patch)
tree: d254ecac5f74bdaa8c62b95644099365554b69c4 /net/netfilter/nft_connlimit.c
parent: 532aec7e878b527fcee8877350ab5c5341789626 (diff)
selftests: netfilter: add packetdrill based conntrack tests

Add a new test script that uses packetdrill tool to exercise conntrack state machine.

Needs ip/ip6tables and conntrack tool (to check if we have an entry in the expected state).

Test cases added here cover following scenarios:
1. already-acked (retransmitted) packets are not tagged as INVALID
2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT) transitions conntrack to CLOSE even if the RST is not an exact match
3. RST packets with out-of-window sequence numbers are marked as INVALID
4. SYN+Challenge ACK: check that challenge ack is allowed to pass
5. Old SYN/ACK: check conntrack handles the case where SYN is answered with SYN/ACK for an old, previous connection attempt
6. Check SYN reception while in ESTABLISHED state generates a challenge ack, RST response clears 'outdated' state + next SYN retransmit gets us into 'SYN_RECV' conntrack state.

Tests get run twice, once with ipv4 and once with ipv6.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/netfilter/nft_connlimit.c')
0 files changed, 0 insertions, 0 deletions