From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Shaun Brady <brady.1345@gmail.com>
Cc: netfilter-devel@vger.kernel.org, ppwaskie@kernel.org, fw@strlen.de
Subject: Re: [PATCH v6 2/2] Add test for nft_max_table_jumps_netns sysctl
Date: Tue, 29 Jul 2025 01:48:02 +0200
Message-ID: <aIgMMnl-2WMQlFH-@calendula>
In-Reply-To: <20250728040315.1014454-2-brady.1345@gmail.com>
On Mon, Jul 28, 2025 at 12:03:15AM -0400, Shaun Brady wrote:
> Introduce test for recently added jump limit functionality. Tests
> sysctl behavior with regard to netns, as well as calling user_ns.
Would you rework this into a more elaborate torture test that exercises
both the commit and abort paths?
It would be great to have something similar to
nftables/tests/shell/testcases/transactions/30s-stress
but to exercise loop detection.
Thanks.
> Signed-off-by: Shaun Brady <brady.1345@gmail.com>
> ---
> .../testing/selftests/net/netfilter/Makefile | 1 +
> .../netfilter/nft_max_table_jumps_netns.sh | 227 ++++++++++++++++++
> 2 files changed, 228 insertions(+)
> create mode 100755 tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
>
> diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile
> index a98ed892f55f..62193e0cd8ec 100644
> --- a/tools/testing/selftests/net/netfilter/Makefile
> +++ b/tools/testing/selftests/net/netfilter/Makefile
> @@ -26,6 +26,7 @@ TEST_PROGS += nft_conntrack_helper.sh
> TEST_PROGS += nft_fib.sh
> TEST_PROGS += nft_flowtable.sh
> TEST_PROGS += nft_interface_stress.sh
> +TEST_PROGS += nft_max_table_jumps_netns.sh
> TEST_PROGS += nft_meta.sh
> TEST_PROGS += nft_nat.sh
> TEST_PROGS += nft_nat_zones.sh
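Review bot: the name registered here, nft_max_table_jumps_netns.sh, does not match the sysctl the script exercises, net.netfilter.nf_max_table_jumps_netns (the script header itself calls it "nf_max_table_jumps_netns"); consider naming the test after the sysctl (nf_max_table_jumps_netns.sh, or nft_table_jumps.sh if the nft_ prefix is wanted for consistency with the rest of the list) so a grep for the sysctl name finds its test. The alphabetical order of the TEST_PROGS list is preserved, and the new file is added with mode 100755, which this list requires.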
> diff --git a/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh b/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
> new file mode 100755
> index 000000000000..9dedd45f4fd2
> --- /dev/null
> +++ b/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
> @@ -0,0 +1,227 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# A test script for nf_max_table_jumps_netns limit sysctl
> +#
> +source lib.sh
> +
> +DEFAULT_SYSCTL=65536
> +
> +user_owned_netns="a_user_owned_netns"
> +
> +cleanup() {
> + ip netns del $user_owned_netns 2>/dev/null || true
> +}
> +
> +trap cleanup EXIT
> +
> +init_net_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +
> +# Check that init ns inits to default value
> +if [ "$init_net_value" -ne "$DEFAULT_SYSCTL" ];then
> + echo "Fail: Does not init default value"
> + exit 1
> +fi
> +
> +# Set to extremely small, demonstrate CAN exceed value
> +sysctl -w net.netfilter.nf_max_table_jumps_netns=32 2>&1 >/dev/null
> +new_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "32" ];then
> + echo "Fail: Set value not respected"
> + exit 1
> +fi
> +
> +nft -f - <<EOF
> +table inet loop-test {
> + chain test0 {
> + type filter hook input priority filter; policy accept;
> + jump test1
> + jump test1
> + }
> +
> + chain test1 {
> + jump test2
> + jump test2
> + }
> +
> + chain test2 {
> + jump test3
> + tcp dport 8080 drop
> + tcp dport 8080 drop
> + }
> +
> + chain test3 {
> + jump test4
> + }
> +
> + chain test4 {
> + jump test5
> + }
> +
> + chain test5 {
> + jump test6
> + }
> +
> + chain test6 {
> + jump test7
> + }
> +
> + chain test7 {
> + jump test8
> + }
> +
> + chain test8 {
> + jump test9
> + }
> +
> + chain test9 {
> + jump test10
> + }
> +
> + chain test10 {
> + jump test11
> + }
> +
> + chain test11 {
> + jump test12
> + }
> +
> + chain test12 {
> + jump test13
> + }
> +
> + chain test13 {
> + jump test14
> + }
> +
> + chain test14 {
> + jump test15
> + jump test15
> + }
> +
> + chain test15 {
> + }
> +}
> +EOF
> +
> +if [ $? -ne 0 ];then
> + echo "Fail: limit not exceeded when expected"
> + exit 1
> +fi
> +
> +nft flush ruleset
> +
> +# reset to default
> +sysctl -w net.netfilter.nf_max_table_jumps_netns=$DEFAULT_SYSCTL 2>&1 >/dev/null
> +
> +# Make init_user_ns owned netns, can change value, limit is applied
> +ip netns add $user_owned_netns
> +ip netns exec $user_owned_netns sysctl -qw net.netfilter.nf_max_table_jumps_netns=32 2>&1
> +if [ $? -ne 0 ];then
> + echo "Fail: Can't change value in init_user_ns owned namespace"
> + exit 1
> +fi
> +
> +ip netns exec $user_owned_netns \
> +nft -f - 2>&1 <<EOF
> +table inet loop-test {
> + chain test0 {
> + type filter hook input priority filter; policy accept;
> + jump test1
> + jump test1
> + }
> +
> + chain test1 {
> + jump test2
> + jump test2
> + }
> +
> + chain test2 {
> + jump test3
> + tcp dport 8080 drop
> + tcp dport 8080 drop
> + }
> +
> + chain test3 {
> + jump test4
> + }
> +
> + chain test4 {
> + jump test5
> + }
> +
> + chain test5 {
> + jump test6
> + }
> +
> + chain test6 {
> + jump test7
> + }
> +
> + chain test7 {
> + jump test8
> + }
> +
> + chain test8 {
> + jump test9
> + }
> +
> + chain test9 {
> + jump test10
> + }
> +
> + chain test10 {
> + jump test11
> + }
> +
> + chain test11 {
> + jump test12
> + }
> +
> + chain test12 {
> + jump test13
> + }
> +
> + chain test13 {
> + jump test14
> + }
> +
> + chain test14 {
> + jump test15
> + jump test15
> + }
> +
> + chain test15 {
> + }
> +}
> +EOF
> +
> +if [ $? -eq 0 ];then
> + echo "Fail: Limited incorrectly applied"
> + exit 1
> +fi
> +ip netns del $user_owned_netns
> +
> +# Previously set value does not impact root namespace; check value from before
> +new_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "$DEFAULT_SYSCTL" ];then
> + echo "Fail: Non-init namespace altered init namespace"
> + exit 1
> +fi
> +
> +# Make non-init_user_ns owned netns, can not change value
> +unshare -Un sysctl -w net.netfilter.nf_max_table_jumps_netns=1234 2>&1
> +if [ $? -ne 0 ];then
> + echo "Fail: Error message incorrect when non-user-init"
> + exit 1
> +fi
> +
> +# Double check user namespace can still see limit
> +new_value=(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "$DEFAULT_SYSCTL" ];then
> + echo "Fail: Unexpected failure when non-user-init"
> + exit 1
> +fi
> +
> +
> +exit 0
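Review bot: the last check in the script ("Double check user namespace can still see limit") never fires because `new_value=(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)` is missing the `$` of a command substitution: it assigns a literal bash array ("unshare" "-Un" "sysctl" ...) instead of running anything, and `[ "$new_value" -ne "$DEFAULT_SYSCTL" ]` then compares the word "unshare" with 65536, which makes test print "integer expression expected" and return non-zero, so the failure branch is skipped and the test passes regardless of what the namespace sees. It should read `new_value=$(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)`. A few more points in this file: the comment above `unshare -Un sysctl -w net.netfilter.nf_max_table_jumps_netns=1234` says a non-init_user_ns owned netns "can not change value", yet the check fails the test when the write returns non-zero; if the write is expected to be rejected the condition should be `-eq 0`, and if it is expected to succeed without taking effect the test should read the value back in that namespace afterwards, otherwise it does not verify the claim in the comment. The message "Fail: limit not exceeded when expected" after the first ruleset load is printed when nft fails, while the comment says init_net CAN exceed the limit; wording it as "ruleset rejected in init_net although the limit should not apply" states what is actually being checked. `sysctl -w ... 2>&1 >/dev/null` duplicates stderr onto stdout before stdout is redirected, so stderr still reaches the terminal; use `>/dev/null 2>&1` or `-q` as the later sysctl call already does. The roughly 70-line ruleset is pasted twice; keeping it in one variable or a function that takes the namespace prefix as an argument halves the script and guarantees both loads use the same ruleset. Finally, lib.sh is sourced but none of its helpers are used, and there is no skip path when nft or unshare is unavailable, so on such a system the test reports a failure rather than a skip.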
> --
> 2.49.0
>
Thread overview: 5+ messages
2025-07-28 4:03 [PATCH v6 1/2] netfilter: nf_tables: Implement jump limit for nft_table_validate Shaun Brady
2025-07-28 4:03 ` [PATCH v6 2/2] Add test for nft_max_table_jumps_netns sysctl Shaun Brady
2025-07-28 23:48 ` Pablo Neira Ayuso [this message]
2025-07-29 1:53 ` Shaun Brady
2025-07-28 7:17 ` [PATCH v6 1/2] netfilter: nf_tables: Implement jump limit for nft_table_validate kernel test robot