Paolo Abeni [off-list ref] wrote:

quoted

I don't see relevant patches landing in the relevant builds, I suspect
the relevant kernel config knob (CONFIG_CRYPTO_SHA1 ?) was always
missing in the ST config, pulled in by NIPA due to some CI setup tweak
possibly changed recently (Jakub could possibly have a better idea/view
about the latter). Could you please have a look?

Can't reproduce this here.

Latest net tree:
vng --build  --config tools/testing/selftests/net/netfilter/config
grep SHA1 .config
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
CONFIG_CRYPTO_SHA1=m
make -C tools/testing/selftests/ TARGETS=net/netfilter
vng -v --run . --user root --cpus 4 -- \
   make -C tools/testing/selftests TARGETS=net/netfilter run_tests TEST_PROGS=nft_flowtable.sh
[..]
# PASS: ipsec tunnel mode for ns1/ns2
ok 1 selftests: net/netfilter: nft_flowtable.sh

quoted

NIPA generates the kernel config and the kernel build itself with
something alike:

rm -f .config
vng --build  --config tools/testing/selftests/net/forwarding/config

Addendum: others (not nft-related) tests (vrf-xfrm-tests.sh,
xfrm_policy.sh) are failing apparently due to the same root cause
(missing sha1 knob), so I guess it's really a NIPA issue.

Looks like it, I mean, I can't repro it here.

Let me know if I missed anything or if there is something I can
do to help debugging this.