selftests: netfilter: skip tests on early errors

br_netfilter: If we can't add the needed initial nftables ruleset skip the test, kernel doesn't support a required feature. rpath: run a subset of the tests if possible, but make sure we return the skip return value so they are marked appropriately by the kselftest framework. nft_audit.sh: provide version information when skipping, this should help catching kernel problem (feature not available in kernel) vs. userspace issue (parser doesn't support keyword). Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://lore.kernel.org/r/20240423130604.7013-7-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-05 13:06:59 +02:00 · 2024-04-23 15:05:49 +02:00 · 2024-04-23 15:05:49 +02:00 · bb0ee78f94
commit bb0ee78f94
parent a18f284574
3 changed files with 14 additions and 3 deletions
--- a/tools/testing/selftests/net/netfilter/br_netfilter.sh
+++ b/tools/testing/selftests/net/netfilter/br_netfilter.sh
@ -124,6 +124,10 @@ table bridge filter {
 	}
 }
 EOF
+if [ "$?" -ne 0 ];then
+	echo "SKIP: could not add nftables ruleset"
+	exit $ksft_skip
+fi

 # place 1, 2 & 3 in same subnet, connected via ns0:br0.
 # ns4 is placed in same subnet as well, but its not
--- a/tools/testing/selftests/net/netfilter/nft_audit.sh
+++ b/tools/testing/selftests/net/netfilter/nft_audit.sh
@ -29,7 +29,8 @@ reset rules t c
 EOF

 if [ "$?" -ne 0 ];then
-	echo "SKIP: nft reset feature test failed"
+	echo -n "SKIP: nft reset feature test failed: "
+	nft --version
 	exit $SKIP_RC
 fi

--- a/tools/testing/selftests/net/netfilter/rpath.sh
+++ b/tools/testing/selftests/net/netfilter/rpath.sh
@ -64,12 +64,18 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
 # firewall matches to test
 [ -n "$iptables" ] && {
 	common='-t raw -A PREROUTING -s 192.168.0.0/16'
-	ip netns exec "$ns2" "$iptables" $common -m rpfilter
+	if ! ip netns exec "$ns2" "$iptables" $common -m rpfilter;then
+		echo "Cannot add rpfilter rule"
+		exit $ksft_skip
+	fi
 	ip netns exec "$ns2" "$iptables" $common -m rpfilter --invert
 }
 [ -n "$ip6tables" ] && {
 	common='-t raw -A PREROUTING -s fec0::/16'
-	ip netns exec "$ns2" "$ip6tables" $common -m rpfilter
+	if ! ip netns exec "$ns2" "$ip6tables" $common -m rpfilter;then
+		echo "Cannot add rpfilter rule"
+		exit $ksft_skip
+	fi
 	ip netns exec "$ns2" "$ip6tables" $common -m rpfilter --invert
 }
 [ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF