Antonio Ojea <aojea@xxxxxxxxxx> wrote:
> This test ensures that conntrack correctly applies reject rules to
> established connections after DNAT, even when those connections are
> persistent.
>
> The test sets up three network namespaces: ns1, ns2, and nsrouter.
> nsrouter acts as a router with DNAT, exposing a service running in ns2
> via a virtual IP.
>
> The test validates that it is possible to filter and reject new and
> established connections to the DNATed IP in the prerouting and forward
> filters.
>
> Signed-off-by: Antonio Ojea <aojea@xxxxxxxxxx>
> ---
> V1 -> V2:
> * Modified the test function to accept a third argument which contains
>   the nftables rules to be applied.
> * Add a new test case to filter and reject in the prerouting hook.
> V2 -> V3:
> * Add helper functions to remove code duplication
> * Use busywait instead of hardcoded sleeps

You will need to apply the busywait logic to the 'kill -0' too:

# PASS: frontend filter-ip6: fail to connect over the established connection to [dead:4::a]:8080
# [<0>] do_select+0x68e/0x950
# [<0>] core_sys_select+0x1ef/0x4b0
# [<0>] do_pselect.constprop.0+0xe7/0x180
# [<0>] __x64_sys_pselect6+0x58/0x70
# [<0>] do_syscall_64+0x9e/0x1a0
# [<0>] entry_SYSCALL_64_after_hwframe+0x77/0x7f
# ERROR: frontend filter-ip6: persistent connection is not closed as intended
# cat: /proc/756/stack: No such file or directory

The <0> lines come from cat: /proc/$pid/stack which I added here locally,
i.e. the kill -0 works, enters failure, but a retry after sleep 2 and the
process is gone.

So, I think you need to give the process a bit more time to wake up,
process the rst/eof and exit.

I think you can simply use the busywait helper for this too, pick a short
timeout such as 3000ms as upper limit, that should do the trick and still
allow to detect a hanging process.
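The change suggested above, as an added stand-alone example rather than code from the patch or the kernel tree: a busywait-style helper (modelled on the kselftest convention of "timeout in ms, then command"; the helper and function names here are assumed) that polls 'kill -0' until the client process is gone, so a process that is still draining the RST/EOF is not reported as hung, while a genuinely stuck process is still caught at the timeout.

```shell
#!/bin/bash
# Added example, not the kselftest net/lib.sh code: names are assumed.

# busywait TIMEOUT_MS CMD [ARGS...]: poll CMD until it succeeds or
# TIMEOUT_MS elapses (50 ms polling step). 0 on success, 1 on timeout.
busywait() {
	local timeout_ms=$1; shift
	local waited=0
	while ! "$@"; do
		if [ "$waited" -ge "$timeout_ms" ]; then
			return 1
		fi
		sleep 0.05
		waited=$((waited + 50))
	done
	return 0
}

# proc_gone PID: succeed once the PID no longer exists (kill -0 fails).
proc_gone() {
	! kill -0 "$1" 2>/dev/null
}

# wait_for_exit PID TIMEOUT_MS: give the process time to wake up, see the
# RST/EOF and exit. 0 if it went away, 1 if it is still alive (hung).
wait_for_exit() {
	busywait "$2" proc_gone "$1"
}

# Demo: stand-in for the persistent client, exits shortly after the check
# starts; a single 'kill -0' right away would still see it alive.
demo_exits_in_time() {
	sleep 0.3 &
	local pid=$!
	wait_for_exit "$pid" 3000
}

# Demo: a process that never exits is still reported as hung after the
# upper limit (500 ms here, 3000 ms as suggested in the review).
demo_detects_hang() {
	sleep 30 &
	local pid=$!
	if wait_for_exit "$pid" 500; then
		kill "$pid" 2>/dev/null
		return 1
	fi
	kill "$pid" 2>/dev/null
	return 0
}
```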