From: Shaun Brady <brady.1345@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, ppwaskie@kernel.org, fw@strlen.de
Subject: Re: [PATCH v6 2/2] Add test for nft_max_table_jumps_netns sysctl
Date: Mon, 28 Jul 2025 21:53:03 -0400 [thread overview]
Message-ID: <aIgpf2bkG34lw0V6@fedora> (raw)
In-Reply-To: <aIgMMnl-2WMQlFH-@calendula>
On Tue, Jul 29, 2025 at 01:48:02AM +0200, Pablo Neira Ayuso wrote:
> Would you rework this to a more elaborated torture test that exercises
> both commit and abort path?
>
> It would be great to have something similar to
> nftables/tests/shell/testcases/transactions/30s-stress
> but to exercise loop detection.
I can, but I would see it as an additional stress test, where as the
existing test are more unit like, and test the sysctl for discrete
behavior.
Regarding the commit/abort paths, I ended up (in my testing, not the
final code) temporarily changing:
if (status & NFNL_BATCH_FAILURE)
abort_action = NFNL_ABORT_NONE;
else
abort_action = NFNL_ABORT_VALIDATE;
to
if (status & NFNL_BATCH_FAILURE)
abort_action = NFNL_ABORT_VALIDATE;
else
abort_action = NFNL_ABORT_VALIDATE;
to run over the validate path during an abort (as above, a batch failure
won't do it). Would the else path be caused by an abort message from
the client, as in a Ctrl+C? Is there a prescribed way to inject this
kind of fault as to naturally run over the path?
Further, are you wanting to test/stress the ability of transactions
(both committing and aborting) to intermingle/coexist/coordinate (at a
glance I don't see tests for that in the kernel tree), or specifically
the validation code in those paths?
Assuming it's just the validation code, roughly, would the following be
what you're thinking:
create N random nft input files, one part being valid commits, the
other with aborts injected.
Set the jump sysctl limit
Loop over the randon input files
if valid
we can or can not add jumps as expected by the limit (and included jumps)
else (abort)
we should be able not not add jumps as per the LAST file (we rolled back successfully)
Want to make sure I'm not imagining the wrong thing.
Thanks!
SB
next prev parent reply other threads:[~2025-07-29 1:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-28 4:03 [PATCH v6 1/2] netfilter: nf_tables: Implement jump limit for nft_table_validate Shaun Brady
2025-07-28 4:03 ` [PATCH v6 2/2] Add test for nft_max_table_jumps_netns sysctl Shaun Brady
2025-07-28 23:48 ` Pablo Neira Ayuso
2025-07-29 1:53 ` Shaun Brady [this message]
2025-07-28 7:17 ` [PATCH v6 1/2] netfilter: nf_tables: Implement jump limit for nft_table_validate kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aIgpf2bkG34lw0V6@fedora \
--to=brady.1345@gmail.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=ppwaskie@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.