<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/tools/testing/selftests/net/ovpn, branch master</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>selftests: ovpn: reduce remaining ping flood counts</title>
<updated>2026-05-14T14:24:45+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-05-13T11:10:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7f114497784661b887f1097c440221b18e2914e9'/>
<id>7f114497784661b887f1097c440221b18e2914e9</id>
<content type='text'>
Commit 201ba706318d ("selftests: ovpn: reduce ping count in test.sh")
lowered the baseline traffic flood ping count to avoid flakes on slower
CI instances; however, some instances were left out.

Apply the same limit to the remaining ovpn selftest flood pings that
still request 500 packets.

Fixes: 201ba706318d ("selftests: ovpn: reduce ping count in test.sh")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 201ba706318d ("selftests: ovpn: reduce ping count in test.sh")
lowered the baseline traffic flood ping count to avoid flakes on slower
CI instances; however, some instances were left out.

Apply the same limit to the remaining ovpn selftest flood pings that
still request 500 packets.

Fixes: 201ba706318d ("selftests: ovpn: reduce ping count in test.sh")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: reduce ping count in test.sh</title>
<updated>2026-05-04T22:31:11+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-04-29T08:00:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=201ba706318d460a2ea660e3652610be62532a70'/>
<id>201ba706318d460a2ea660e3652610be62532a70</id>
<content type='text'>
The second stage of test.sh ("run baseline data traffic") performs a
basic connectivity check with ping -qfc 500 -w 3.  On slower CI
instances this is too strict for TCP: the RTT is high enough that 500
echo requests do not reliably complete within 3 seconds, so the stage
flakes and the test fails even though the ovpn setup is healthy.

Reduce the packet count to 100 for both the plain and 3000-byte pings in
that stage.  This still verifies peer setup, key exchange, routing, and
data-path traffic, without making the basic connectivity check depend on
timing out under load.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The second stage of test.sh ("run baseline data traffic") performs a
basic connectivity check with ping -qfc 500 -w 3.  On slower CI
instances this is too strict for TCP: the RTT is high enough that 500
echo requests do not reliably complete within 3 seconds, so the stage
flakes and the test fails even though the ovpn setup is healthy.

Reduce the packet count to 100 for both the plain and 3000-byte pings in
that stage.  This still verifies peer setup, key exchange, routing, and
data-path traffic, without making the basic connectivity check depend on
timing out under load.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: serialize YNL listener startup</title>
<updated>2026-04-17T08:54:04+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-04-16T07:19:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6c9b1dc218fea8b15893953f5299b209f11fa0a8'/>
<id>6c9b1dc218fea8b15893953f5299b209f11fa0a8</id>
<content type='text'>
Starting one background YNL notification listener per peer back-to-back
can intermittently stall the test setup before the listeners even reach
the Python main function.

This was reproducible in a reduced test.sh setup-only loop: a single
listener stayed stable across repeated runs, while starting listeners
for all peers could hang early in the listener launch phase. Adding a
short delay between listener launches makes the listeners start cleanly
and eliminates the reproduced hangs in repeated normal and slow-runner
tests.

Serialize listener startup with a small sleep between setup_listener
calls.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Starting one background YNL notification listener per peer back-to-back
can intermittently stall the test setup before the listeners even reach
the Python main function.

This was reproducible in a reduced test.sh setup-only loop: a single
listener stayed stable across repeated runs, while starting listeners
for all peers could hang early in the listener launch phase. Adding a
short delay between listener launches makes the listeners start cleanly
and eliminates the reproduced hangs in repeated normal and slow-runner
tests.

Serialize listener startup with a small sleep between setup_listener
calls.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: align command flow with TAP</title>
<updated>2026-04-17T08:54:03+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-23T14:12:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1be93bb979ab02554541b04406e9e3a6a8e0ce9e'/>
<id>1be93bb979ab02554541b04406e9e3a6a8e0ce9e</id>
<content type='text'>
Current tests do not properly adhere to the TAP infrastructure;
therefore they do not properly report failures, leading to hangs of
the CI machinery.

Restructure ovpn selftests into using the TAP infrastructure: split each
test into stages, execute stage bodies with fail-fast semantics, and emit
KTAP pass/fail for each stage.

Centralize behavior control in common.sh and make the scripts use
dedicated wrappers for required-success, expected-failure, and non-fatal
commands. Also add the OVPN_VERBOSE mode that exposes captured command
output for debugging.
This way tests won't hang anymore in case of failure when executed
within the CI machinery.

This change also makes default OVPN_CLI and YNL resolution
independent from the caller CWD by anchoring both to COMMON_DIR, so
behavior is stable across direct execution and run_tests-style
execution.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Current tests do not properly adhere to the TAP infrastructure;
therefore they do not properly report failures, leading to hangs of
the CI machinery.

Restructure ovpn selftests into using the TAP infrastructure: split each
test into stages, execute stage bodies with fail-fast semantics, and emit
KTAP pass/fail for each stage.

Centralize behavior control in common.sh and make the scripts use
dedicated wrappers for required-success, expected-failure, and non-fatal
commands. Also add the OVPN_VERBOSE mode that exposes captured command
output for debugging.
This way tests won't hang anymore in case of failure when executed
within the CI machinery.

This change also makes default OVPN_CLI and YNL resolution
independent from the caller CWD by anchoring both to COMMON_DIR, so
behavior is stable across direct execution and run_tests-style
execution.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: add prefix to helpers and shared variables</title>
<updated>2026-04-17T08:54:03+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-20T16:29:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7c29665a3a3cce1b0e9d6b96054eef64bfc4cebd'/>
<id>7c29665a3a3cce1b0e9d6b96054eef64bfc4cebd</id>
<content type='text'>
Current naming for shared variables, helpers and netnamespaces is
a bit unfortunate as it doesn't come with a clean prefix.
This proved to be problematic in case of name clashes with external
scripts or in case of abrupt test termination (hanging netns weren't
easily traceable to ovpn).

Rename common helper entry points and all shared globals in the ovpn
selftests to ovpn_ or OVPN_ names so test scripts and wrappers use a
single explicit prefix. Also rename the temporary network namespaces
created by the tests from peerN to ovpn_peerN. This makes leaked
namespaces easier to identify.

This is a mechanical refactor only; behavior is unchanged.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Current naming for shared variables, helpers and netnamespaces is
a bit unfortunate as it doesn't come with a clean prefix.
This proved to be problematic in case of name clashes with external
scripts or in case of abrupt test termination (hanging netns weren't
easily traceable to ovpn).

Rename common helper entry points and all shared globals in the ovpn
selftests to ovpn_ or OVPN_ names so test scripts and wrappers use a
single explicit prefix. Also rename the temporary network namespaces
created by the tests from peerN to ovpn_peerN. This makes leaked
namespaces easier to identify.

This is a mechanical refactor only; behavior is unchanged.

Fixes: 959bc330a439 ("testing/selftests: add test tool and scripts for ovpn module")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: flatten slurped notification JSON before filtering</title>
<updated>2026-04-17T08:54:03+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-24T14:54:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=222e7f8d1ca3aaebe7588a79bf64d9820813785c'/>
<id>222e7f8d1ca3aaebe7588a79bf64d9820813785c</id>
<content type='text'>
Notification comparison uses jq -s, which slurps all inputs into an
array. Some inputs can be arrays themselves, and applying the .msg.peer
filter directly on those entries triggers jq type errors.

Expand any array-valued JSON items returned by jq -s before selecting
.msg.peer, so the filter handles both normal notification objects and []
entries without type errors.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Notification comparison uses jq -s, which slurps all inputs into an
array. Some inputs can be arrays themselves, and applying the .msg.peer
filter directly on those entries triggers jq type errors.

Expand any array-valued JSON items returned by jq -s before selecting
.msg.peer, so the filter handles both normal notification objects and []
entries without type errors.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: fail notification check on mismatch</title>
<updated>2026-04-17T08:54:03+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-23T14:32:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c409da0fe15e2b2aae7f93edbab977e23117ce4d'/>
<id>c409da0fe15e2b2aae7f93edbab977e23117ce4d</id>
<content type='text'>
compare_ntfs doesn't fail when expected and received notification
streams diverge.

Fix this bug by tracking the diff exit status explicitly and returning it
to the caller so notification mismatches propagate as test failures.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
compare_ntfs doesn't fail when expected and received notification
streams diverge.

Fix this bug by tracking the diff exit status explicitly and returning it
to the caller so notification mismatches propagate as test failures.

Fixes: 77de28cd7cf1 ("selftests: ovpn: add notification parsing and matching")
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: add nftables config dependencies for test-mark</title>
<updated>2026-04-17T08:54:03+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2026-03-24T07:48:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e5fd34ab8dff6c5bd4f2e9ee4f3945b79e511068'/>
<id>e5fd34ab8dff6c5bd4f2e9ee4f3945b79e511068</id>
<content type='text'>
test-mark.sh installs nftables rules in an inet/filter output chain and
verifies packet drops via nft counters. In vmksft this can fail when the
nftables core is not enabled by the ovpn selftest config.

Add the missing kernel options required by this test:
- CONFIG_NETFILTER
- CONFIG_NF_TABLES
- CONFIG_NF_TABLES_INET

Fixes: 7b80d8a33500 ("selftests: ovpn: add test for the FW mark feature")
Reported-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Closes: https://lore.kernel.org/all/20260319124114.42f91f72@kernel.org/
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
test-mark.sh installs nftables rules in an inet/filter output chain and
verifies packet drops via nft counters. In vmksft this can fail when the
nftables core is not enabled by the ovpn selftest config.

Add the missing kernel options required by this test:
- CONFIG_NETFILTER
- CONFIG_NF_TABLES
- CONFIG_NF_TABLES_INET

Fixes: 7b80d8a33500 ("selftests: ovpn: add test for the FW mark feature")
Reported-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Closes: https://lore.kernel.org/all/20260319124114.42f91f72@kernel.org/
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: add test for the FW mark feature</title>
<updated>2026-03-17T10:09:20+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2025-11-19T10:56:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7b80d8a33500bd8ae5081c053f0447b502581d79'/>
<id>7b80d8a33500bd8ae5081c053f0447b502581d79</id>
<content type='text'>
Add a selftest to verify that the FW mark socket option is correctly
supported and its value propagated by ovpn.

The test adds and removes nftables DROP rules based on the mark value,
and checks that the rule counter aligns with the number of lost ping
packets.

Cc: Shuah Khan &lt;shuah@kernel.org&gt;
Cc: linux-kselftest@vger.kernel.org
Cc: horms@kernel.org
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a selftest to verify that the FW mark socket option is correctly
supported and its value propagated by ovpn.

The test adds and removes nftables DROP rules based on the mark value,
and checks that the rule counter aligns with the number of lost ping
packets.

Cc: Shuah Khan &lt;shuah@kernel.org&gt;
Cc: linux-kselftest@vger.kernel.org
Cc: horms@kernel.org
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>selftests: ovpn: check asymmetric peer-id</title>
<updated>2026-03-17T10:09:05+00:00</updated>
<author>
<name>Ralf Lici</name>
<email>ralf@mandelbit.com</email>
</author>
<published>2025-07-23T12:35:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=367f4b163a8cff20d0cb06eb265a1bf1c6652bd9'/>
<id>367f4b163a8cff20d0cb06eb265a1bf1c6652bd9</id>
<content type='text'>
Extend the base test to verify that the correct peer-id is set in data
packet headers. This is done by capturing ping packets with tcpdump during
the initial exchange and matching the first portion of the header
against the expected sequence for every connection.

Cc: Shuah Khan &lt;shuah@kernel.org&gt;
Cc: linux-kselftest@vger.kernel.org
Cc: horms@kernel.org
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Extend the base test to verify that the correct peer-id is set in data
packet headers. This is done by capturing ping packets with tcpdump during
the initial exchange and matching the first portion of the header
against the expected sequence for every connection.

Cc: Shuah Khan &lt;shuah@kernel.org&gt;
Cc: linux-kselftest@vger.kernel.org
Cc: horms@kernel.org
Signed-off-by: Ralf Lici &lt;ralf@mandelbit.com&gt;
Signed-off-by: Antonio Quartulli &lt;antonio@openvpn.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
