On Tue, 6 May 2025 01:41:46 +0200 Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
>
> Add a new test case to check:
> - conntrack_max limit is effective
> - conntrack_max limit cannot be exceeded from within a netns
> - resizing the hash table while packets are inflight works
> - removal of all conntrack rules disables conntrack in netns
> - conntrack tool dump (conntrack -L) returns expected number
>   of (unique) entries
> - procfs interface - if available - has same number of entries
>   as conntrack -L dump
>
> Expected output with selftest framework:
> selftests: net/netfilter: conntrack_resize.sh
> PASS: got 1 connections: netns conntrack_max is pernet bound
> PASS: got 100 connections: netns conntrack_max is init_net bound
> PASS: dump in netns had same entry count (-C 1778, -L 1778, -p 1778, /proc 0)
> PASS: dump in netns had same entry count (-C 2000, -L 2000, -p 2000, /proc 0)
> PASS: test parallel conntrack dumps
> PASS: resize+flood
> PASS: got 0 connections: conntrack disabled
> PASS: got 1 connections: conntrack enabled
> ok 1 selftests: net/netfilter: conntrack_resize.sh

This test seems quite flaky on debug kernels:

https://netdev.bots.linux.dev/contest.html?test=conntrack-resize-sh&executor=vmksft-nf-dbg

# FAIL: proc inconsistency after uniq filter for nsclient2-whtRtS: 1968 != 1945