[PATCH nft] tests: py: must use input, not output

[PATCH nft] tests: py: must use input, not output

[Florian Westphal]

synproxy must never be used in output rules, doing so results in kernel
crash due to infinite recursive calls back to nf_hook_slow() for the
emitted reply packet.

Up until recently kernel lacked this validation, and now that the kernel
rejects this the test fails.  Use input to make this pass again.

A new test to ensure we reject synproxy in ouput should be added
in the near future.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/py/ip/objects.t         |  4 ++--
 tests/py/ip/objects.t.payload | 22 +++++++++++-----------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
index 4fcde7cc12ea..71d5ffe43275 100644
--- a/tests/py/ip/objects.t
+++ b/tests/py/ip/objects.t
@@ -1,6 +1,6 @@
-:output;type filter hook output priority 0
+:input;type filter hook input priority 0
 
-*ip;test-ip4;output
+*ip;test-ip4;input
 
 # counter
 %cnt1 type counter;ok
diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload
index 5252724ceead..3da4b28512b6 100644
--- a/tests/py/ip/objects.t.payload
+++ b/tests/py/ip/objects.t.payload
@@ -1,5 +1,5 @@
 # ip saddr 192.168.1.3 counter name "cnt2"
-ip test-ip4 output 
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 1 name cnt2 ]
@@ -8,14 +8,14 @@ ip test-ip4 output
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
 	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]	element 00001600  : 0 [end]
-ip test-ip4 output 
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ip saddr 192.168.1.3 quota name "qt1"
-ip test-ip4 output 
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 2 name qt1 ]
@@ -24,28 +24,28 @@ ip test-ip4 output
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
 	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]	element 00001600  : 0 [end]
-ip test-ip4 output 
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ct helper set "cthelp1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 3 name cthelp1 ]
 
 # ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" }
 __objmap%d test-ip4 43
 __objmap%d test-ip4 0
         element 00001500  : 0 [end]     element 00004908  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ip saddr 192.168.1.3 limit name "lim1"
-ip test-ip4 output
+ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x0301a8c0 ]
   [ objref type 4 name lim1 ]
@@ -54,25 +54,25 @@ ip test-ip4 output
 __objmap%d test-ip4 43 size 3
 __objmap%d test-ip4 0
         element 0000bb01  : 0 [end]     element 00005000  : 0 [end]     element 00001600  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ objref sreg 1 set __objmap%d ]
 
 # ct timeout set "cttime1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 7 name cttime1 ]
 
 # ct expectation set "ctexpect1"
-ip test-ip4 output
+ip test-ip4 input
   [ objref type 9 name ctexpect1 ]
 
 # synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}
 __objmap%d test-ip4 43 size 2
 __objmap%d test-ip4 0
 	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]
-ip test-ip4 output
+ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
-- 
2.49.1

Re: [PATCH nft] tests: py: must use input, not output

[Pablo Neira Ayuso]

On Tue, Oct 07, 2025 at 12:48:49PM +0200, Florian Westphal wrote:
> synproxy must never be used in output rules, doing so results in kernel
> crash due to infinite recursive calls back to nf_hook_slow() for the
> emitted reply packet.
> 
> Up until recently kernel lacked this validation, and now that the kernel
> rejects this the test fails.  Use input to make this pass again.
> 
> A new test to ensure we reject synproxy in ouput should be added
> in the near future.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks.

Re: [PATCH nft] tests: py: must use input, not output

[Fernando Fernandez Mancera]

On 10/7/25 12:48 PM, Florian Westphal wrote:
> synproxy must never be used in output rules, doing so results in kernel
> crash due to infinite recursive calls back to nf_hook_slow() for the
> emitted reply packet.
> 
> Up until recently kernel lacked this validation, and now that the kernel
> rejects this the test fails.  Use input to make this pass again.
> 
> A new test to ensure we reject synproxy in ouput should be added
> in the near future.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---

Looks good to me, thanks Florian.

Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>