* [nft PATCH 0/4] Inspect and improve test suite code coverage
From: Phil Sutter @ 2026-01-27 22:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
While inspecting the test suites' code coverage using --coverage gcc
option and gcov(r) for analysis, I noticed that 'nft monitor' processes
did not influence the stats at all. It appears that a process receiving
SIGTERM or SIGINT (via kill or ctrl-c) does not dump profiling data at
exit. Installing a signal handler for those signals which calls exit()
resolves this, so patch 1 of this series implements --enable-profiling
into configure which also conditionally enables said signal handler.
Patches 2 and 4 fix for zero test coverage of src/nftrace.c and
src/xt.c, bumping stats to ~90% for both.
Patch 3 fixes for ignored comment matches in translated iptables-nft
rules. This is required for patch 4 which uses a comment match to check
whether nft is built with translation support.
Phil Sutter (4):
configure: Implement --enable-profiling option
tests: shell: Add a simple test for nftrace
xt: Print comment match data as well
tests: shell: Add a basic test for src/xt.c
.gitignore | 5 +
Makefile.am | 16 +++
configure.ac | 7 ++
src/main.c | 30 +++++
src/xt.c | 6 +-
tests/shell/features/xtables_xlate.sh | 21 ++++
tests/shell/testcases/parsing/compat_xlate | 135 +++++++++++++++++++++
tests/shell/testcases/trace/0001simple | 85 +++++++++++++
8 files changed, 304 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/features/xtables_xlate.sh
create mode 100755 tests/shell/testcases/parsing/compat_xlate
create mode 100755 tests/shell/testcases/trace/0001simple
--
2.51.0
* [nft PATCH 1/4] configure: Implement --enable-profiling option
From: Phil Sutter @ 2026-01-27 22:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This will set compiler flag --coverage so code coverage may be inspected
using gcov.
In order to successfully profile processes which are killed or
interrupted as well, add a signal handler for those cases which calls
exit(). This is relevant for test cases invoking nft monitor.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.gitignore | 5 +++++
Makefile.am | 16 ++++++++++++++++
configure.ac | 7 +++++++
src/main.c | 30 ++++++++++++++++++++++++++++++
4 files changed, 58 insertions(+)
diff --git a/.gitignore b/.gitignore
index 719829b65d212..8673393fac397 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,11 @@ nftversion.h
# cscope files
/cscope.*
+# gcov-related
+*.gcda
+*.gcno
+*.gcov
+
# Generated by tests
*.payload.got
tests/build/tests.log
diff --git a/Makefile.am b/Makefile.am
index 18af82a927dc0..24ffa07cf0c4a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -165,6 +165,10 @@ AM_CFLAGS = \
AM_YFLAGS = -d -Wno-yacc
+if BUILD_PROFILING
+AM_CFLAGS += --coverage
+endif
+
###############################################################################
BUILT_SOURCES += src/parser_bison.h
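Review bot: --coverage is added to AM_CFLAGS only, which is sufficient here because automake's link rule passes $(AM_CFLAGS) on the link line as well, so libgcov ends up linked into nft and the libtool libraries; if the link flags are ever split out, the same flag has to land in AM_LDFLAGS too, and a one-line comment next to the conditional stating that dependency would save the next person a confusing undefined-reference to __gcov_* symbols.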
@@ -457,3 +461,15 @@ TESTS = tests/build/run-tests.sh \
tests/py/nft-test.py \
tests/shell/run-tests.sh
endif
+
+all_c_sources = $(filter %.c,$(src_libnftables_la_SOURCES)) $(src_nft_SOURCES)
+if BUILD_MINIGMP
+all_c_sources += $(src_libminigmp_la_SOURCES)
+endif
+if BUILD_AFL
+all_c_sources += $(tools_nft_afl_SOURCES)
+endif
+CLEANFILES += src/libparser_la-parser_bison.gcno
+CLEANFILES += src/libparser_la-scanner.gcno
+CLEANFILES += $(all_c_sources:.c=.gcno)
+CLEANFILES += $(src_nft_SOURCES:.c=.gcda)
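Review bot: the .gcda clean list covers only $(src_nft_SOURCES) while the .gcno list covers $(all_c_sources), so the asymmetry deserves a comment; presumably the libtool-built objects (libnftables, libminigmp, libparser) write their .gcda under src/.libs/, which clean-libtool removes anyway, but a reader of this block cannot tell that from the two hard-coded libparser_la-*.gcno entries, which likewise have no .gcda counterpart. If the omission is not deliberate, `CLEANFILES += $(all_c_sources:.c=.gcda)` would mirror the .gcno line.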
diff --git a/configure.ac b/configure.ac
index dd172e88ca581..506f3f78fc460 100644
--- a/configure.ac
+++ b/configure.ac
@@ -172,6 +172,13 @@ AC_ARG_ENABLE([distcheck],
[enable_distcheck=yes], [])
AM_CONDITIONAL([BUILD_DISTCHECK], [test "x$enable_distcheck" = "xyes"])
+AC_ARG_ENABLE([profiling],
+ AS_HELP_STRING([--enable-profiling], [build for use of gcov/gprof]),
+ [enable_profiling="$enableval"], [enable_profiling="no"])
+AM_CONDITIONAL([BUILD_PROFILING], [test "x$enable_profiling" = xyes])
+AM_COND_IF([BUILD_PROFILING],
+ [AC_DEFINE([BUILD_PROFILING], [1], [Define for profiling])])
+
AC_CONFIG_FILES([ \
Makefile \
libnftables.pc \
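Review bot: the help string promises "build for use of gcov/gprof", but the Makefile.am change in this patch only adds --coverage, which instruments for gcov; gprof would additionally need -pg, so either narrow the text to gcov or add the flag. Minor: the preceding BUILD_DISTCHECK conditional quotes "xyes" while the new BUILD_PROFINLING line uses bare xyes; keeping one style in the file is a small readability win.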
diff --git a/src/main.c b/src/main.c
index 29b0533dee7c9..bdcf8ab3c304b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -16,6 +16,7 @@
#include <errno.h>
#include <getopt.h>
#include <fcntl.h>
+#include <signal.h>
#include <sys/types.h>
#include <nftables/libnftables.h>
@@ -360,6 +361,33 @@ static bool nft_options_check(int argc, char * const argv[])
return true;
}
+#ifdef BUILD_PROFILING
+static void termhandler(int signo)
+{
+ switch (signo) {
+ case SIGTERM:
+ exit(143);
+ case SIGINT:
+ exit(130);
+ }
+}
+
+static void setup_sighandler(void)
+{
+ struct sigaction act = {
+ .sa_handler = termhandler,
+ };
+
+ if (sigaction(SIGTERM, &act, NULL) == -1 ||
+ sigaction(SIGINT, &act, NULL) == -1) {
+ perror("sigaction");
+ exit(1);
+ }
+}
+#else
+static void setup_sighandler(void) { /* empty */ }
+#endif
+
int main(int argc, char * const *argv)
{
const struct option *options = get_options();
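Review bot: exit() is not async-signal-safe (it runs atexit handlers and flushes stdio, and a signal landing inside malloc or a stdio call can deadlock), and calling it from termhandler() is exactly the point, because gcov's exit-time dump is what was missing; since this only compiles under BUILD_PROFILING the risk is confined to test builds, but a comment stating that trade-off would stop a later reader from "fixing" it to _exit() and silently losing the coverage data again. The switch has no default case, which is fine as only SIGTERM and SIGINT are installed, and 143/130 follow the shell's 128+signo convention; a short comment on those two numbers would not hurt.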
@@ -375,6 +403,8 @@ int main(int argc, char * const *argv)
if (getuid() != geteuid())
_exit(111);
+ setup_sighandler();
+
if (!nft_options_check(argc, argv))
exit(EXIT_FAILURE);
--
2.51.0
* [nft PATCH 2/4] tests: shell: Add a simple test for nftrace
From: Phil Sutter @ 2026-01-27 22:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The test suites did not cover src/trace.c at all. This test touches over
90% of its lines.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/testcases/trace/0001simple | 85 ++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100755 tests/shell/testcases/trace/0001simple
diff --git a/tests/shell/testcases/trace/0001simple b/tests/shell/testcases/trace/0001simple
new file mode 100755
index 0000000000000..a1bf4dd1318b2
--- /dev/null
+++ b/tests/shell/testcases/trace/0001simple
@@ -0,0 +1,85 @@
+#!/bin/bash -x
+
+set -e
+
+ns1=$(mktemp -u ns1-XXXXXX)
+ns2=$(mktemp -u ns2-XXXXXX)
+tracelog=$(mktemp)
+tracepid=0
+cleanup() {
+ ip netns del $ns1
+ ip netns del $ns2
+ [ $tracepid -eq 0 ] || {
+ kill $tracepid
+ wait
+ }
+ rm -f $tracelog
+}
+trap "cleanup" EXIT
+ip netns add $ns1
+ip netns add $ns2
+ip -net $ns1 link add eth0 type veth peer name eth0 netns $ns2
+ip -net $ns1 link set eth0 up
+ip -net $ns1 addr add 10.23.42.1/24 dev eth0
+ip -net $ns2 link set eth0 up
+ip -net $ns2 addr add 10.23.42.2/24 dev eth0
+ns1mac=$(ip -net $ns1 link show dev eth0 | awk '/link\/ether/{ print $2 }')
+ns2mac=$(ip -net $ns2 link show dev eth0 | awk '/link\/ether/{ print $2 }')
+ip netns exec $ns1 ping -c 1 10.23.42.2
+ip netns exec $ns2 ping -c 1 10.23.42.1
+
+ip netns exec $ns1 $NFT -f - <<EOF
+table inet t {
+ chain pre {
+ type filter hook prerouting priority 0
+
+ icmp type { echo-request, echo-reply } meta mark set 0x42 ct state new,established meta nftrace set 1
+ }
+ chain foo {
+ tcp dport 456 accept
+ ct status != dying return
+ tcp dport 23 drop
+ }
+ chain input {
+ type filter hook input priority 0
+
+ meta mark 0x42 jump foo
+ meta mark 0x42 tcp dport 789 accept
+ }
+ chain output {
+ type filter hook output priority 0
+
+ icmp type echo-reply meta nftrace set 1
+ }
+}
+EOF
+
+ip netns exec $ns1 $NFT monitor trace >$tracelog &
+tracepid=$!
+sleep 0.5
+ip netns exec $ns2 ping -c 1 10.23.42.1
+sleep 0.5
+kill $tracepid
+wait
+tracepid=0
+
+EXPECT="trace id 0 inet t pre conntrack: ct direction original ct state new ct id 0
+trace id 0 inet t pre packet: iif \"eth0\" ether saddr $ns2mac ether daddr $ns1mac ip saddr 10.23.42.2 ip daddr 10.23.42.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 0 icmp sequence 1
+trace id 0 inet t pre rule icmp type { echo-reply, echo-request } meta mark set 0x00000042 ct state established,new meta nftrace set 1 (verdict continue)
+trace id 0 inet t pre policy accept meta mark 0x00000042
+trace id 0 inet t input conntrack: ct direction original ct state new ct id 0
+trace id 0 inet t input packet: iif \"eth0\" ether saddr $ns2mac ether daddr $ns1mac ip saddr 10.23.42.2 ip daddr 10.23.42.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 0 icmp sequence 1
+trace id 0 inet t input rule meta mark 0x00000042 jump foo (verdict jump foo)
+trace id 0 inet t foo rule ct status != dying return (verdict return)
+trace id 0 inet t input policy accept meta mark 0x00000042
+trace id 0 inet t output conntrack: ct direction reply ct state established ct status seen-reply,confirmed ct id 0
+trace id 0 inet t output packet: oif \"eth0\" ip saddr 10.23.42.1 ip daddr 10.23.42.2 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code 0 icmp id 0 icmp sequence 1
+trace id 0 inet t output rule icmp type echo-reply meta nftrace set 1 (verdict continue)
+trace id 0 inet t output policy accept "
+
+
+tracefilter() {
+ sed -e 's/\(trace\|ip\|icmp\|ct\) id [^ ]\+/\1 id 0/g'
+}
+diff -u <(echo "$EXPECT") <(cat $tracelog | tracefilter)
+exit 0
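Review bot: the two `sleep 0.5` calls are the only synchronisation between `nft monitor trace` starting, the ping, and the kill, so on a loaded CI host the monitor may not yet be subscribed when the echo request arrives (empty log, diff fails) or may be killed before it has written the last lines; polling $tracelog for the expected number of "trace id" lines with a bounded timeout would make the test robust. Two smaller points: `cat $tracelog | tracefilter` can be `tracefilter <$tracelog`, and patch 4 uses $DIFF for the same purpose while this script hard-codes diff -u. The EXPECT block also ends with a trailing space after "output policy accept", which is presumably what nft prints but is easy to lose in an editor; a comment, or stripping trailing whitespace on both sides of the diff, would protect it.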
--
2.51.0
* [nft PATCH 3/4] xt: Print comment match data as well
From: Phil Sutter @ 2026-01-27 22:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In order to translate comment matches into the single nftables rule
comment, libxtables does not immediately (maybe mid-rule) print a
comment match's string but instead stores it into struct
xt_xlate::comment array for later.
Since xt_stmt_xlate() is called by a statement's .print callback which
can't communicate data back to caller, nftables has to print it right
away.
Since parser_bison accepts rule comments only at end of line though, the
output from above can't be restored anymore. That is a bad idea to
begin with, so accept this quirk and avoid refactoring the statement
printing API.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/xt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/xt.c b/src/xt.c
index f7bee21618030..c3a8c47621cbb 100644
--- a/src/xt.c
+++ b/src/xt.c
@@ -112,8 +112,12 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
break;
}
- if (rc == 1)
+ if (rc == 1) {
nft_print(octx, "%s", xt_xlate_get(xl));
+ if (xt_xlate_get_comment(xl))
+ nft_print(octx, "comment %s",
+ xt_xlate_get_comment(xl));
+ }
xt_xlate_free(xl);
free(entry);
#endif
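Review bot: xt_xlate_get_comment(xl) is evaluated twice; a local `const char *comment = xt_xlate_get_comment(xl);` reads better and avoids the second call. More importantly, the comment is printed directly after the "%s" buffer from xt_xlate_get() with no separator of its own, so for a rule that combines a comment match with another translatable match it is worth checking that the xlate buffer already ends in a space; the compat_xlate test in patch 4 only exercises a comment match on its own, so such a combined rule would be a useful addition there. Given the commit message's own caveat that the resulting output cannot be fed back into nft because the parser only takes comments at end of line, a short remark next to the nft_print() would help the next reader.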
--
2.51.0
* [nft PATCH 4/4] tests: shell: Add a basic test for src/xt.c
From: Phil Sutter @ 2026-01-27 22:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The feature test introduced in this patch checks iptables-nft presence
and usability as well as translation support presence in nft (as it may
not be compiled in).
The actual test case will optionally call ip6tables-nft and ebtables-nft
as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/features/xtables_xlate.sh | 21 ++++
tests/shell/testcases/parsing/compat_xlate | 135 +++++++++++++++++++++
2 files changed, 156 insertions(+)
create mode 100755 tests/shell/features/xtables_xlate.sh
create mode 100755 tests/shell/testcases/parsing/compat_xlate
diff --git a/tests/shell/features/xtables_xlate.sh b/tests/shell/features/xtables_xlate.sh
new file mode 100755
index 0000000000000..9c1f7d84c7640
--- /dev/null
+++ b/tests/shell/features/xtables_xlate.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Does nft support translating compat extensions using libxtables?
+# Answer a related question first: Do we have a usable iptables-nft available?
+
+iptables-nft --version | grep -q nf_tables || {
+ echo "iptables-nft not available or not nft-variant"
+ exit 1
+}
+
+ns=$(mktemp -u ns-XXXXXX)
+trap "ip netns del $ns" EXIT
+ip netns add $ns || exit 1
+
+ext_arg="-m comment --comment foobar"
+ip netns exec $ns iptables-nft -vv -A FORWARD $ext_arg | \
+ grep -q "match name comment" || {
+ echo "comment match does not use compat extension?!"
+ exit 1
+}
+ip netns exec $ns $NFT list chain ip filter FORWARD 2>/dev/null | grep -q "foobar"
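Review bot: the EXIT trap is installed before `ip netns add $ns`, so when the add fails the trap still runs `ip netns del` on a namespace that never existed and the failure is preceded by a spurious error; swapping the two lines fixes that. The script's result is the exit status of the final grep, which is the intended feature check (nft prints the comment from a compat rule) but implicit; a comment on that last line, or an explicit `exit $?`, makes it obvious to whoever reads the features directory next.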
diff --git a/tests/shell/testcases/parsing/compat_xlate b/tests/shell/testcases/parsing/compat_xlate
new file mode 100755
index 0000000000000..bc774311ffdc2
--- /dev/null
+++ b/tests/shell/testcases/parsing/compat_xlate
@@ -0,0 +1,135 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_xtables_xlate)
+
+set -e
+
+IPTABLES_RULESET='*filter
+-A FORWARD -m comment --comment "this is a comment"
+-A FORWARD -m iprange --src-range 10.0.0.1-10.0.0.23 --dst-range 10.1.0.5-10.2.0.1
+-A FORWARD -p tcp -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -p udp --dport 1
+-A FORWARD -p sctp --dport 3
+-A FORWARD -p dccp --dport 4
+-A FORWARD -p esp
+-A FORWARD -p ah
+COMMIT'
+IPTABLES_EXPECT='# Warning: table ip filter is managed by iptables-nft, do not touch!
+table ip filter {
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ comment "this is a comment" counter packets 0 bytes 0
+ ip saddr 10.0.0.1-10.0.0.23 ip daddr 10.1.0.5-10.2.0.1 counter packets 0 bytes 0
+ ip protocol tcp counter packets 0 bytes 0 tcp option maxseg size set rt mtu
+ udp dport 1 counter packets 0 bytes 0
+ ip protocol sctp sctp dport 3 counter packets 0 bytes 0
+ ip protocol dccp dccp dport 4 counter packets 0 bytes 0
+ ip protocol esp counter packets 0 bytes 0
+ ip protocol ah counter packets 0 bytes 0
+ }
+}'
+
+IP6TABLES_RULESET='*filter
+-A FORWARD -m comment --comment "this is a comment"
+-A FORWARD -m iprange --src-range fec0::1-fec0::23 --dst-range fec0:1::5-fec0:2::1
+-A FORWARD -p tcp -j TCPMSS --clamp-mss-to-pmtu
+COMMIT'
+IP6TABLES_EXPECT='
+# Warning: table ip6 filter is managed by iptables-nft, do not touch!
+table ip6 filter {
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ comment "this is a comment" counter packets 0 bytes 0
+ ip6 saddr fec0::1-fec0::23 ip6 daddr fec0:1::5-fec0:2::1 counter packets 0 bytes 0
+ meta l4proto tcp counter packets 0 bytes 0 tcp option maxseg size set rt mtu
+ }
+}'
+
+ARPTABLES_RULESET='*filter
+-A INPUT -s 10.0.0.0/8 -j ACCEPT
+-A INPUT -d 192.168.123.1 -j ACCEPT
+-A INPUT --source-mac fe:ed:ba:be:00:01 -j ACCEPT
+-A INPUT --destination-mac fe:ed:ba:be:00:01 -j ACCEPT
+-N foo
+-A foo -i lo -j ACCEPT
+-A foo -l 6 -j ACCEPT
+-A foo -j MARK --set-mark 12345
+-A foo --opcode Request -j ACCEPT
+-A foo --h-type 1 --proto-type 0x800 -j ACCEPT
+-A foo -l 6 --h-type 1 --proto-type 0x800 -i lo --opcode Request -j ACCEPT
+-A INPUT -j foo
+-A INPUT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -o eth134 -j mangle --mangle-ip-s 10.0.0.1
+-A OUTPUT -o eth432 -j CLASSIFY --set-class feed:babe
+-A OUTPUT -o eth432 --opcode Request -j CLASSIFY --set-class feed:babe
+-P OUTPUT DROP
+COMMIT'
+ARPTABLES_EXPECT='
+# Warning: table arp filter is managed by iptables-nft, do not touch!
+table arp filter {
+ chain INPUT {
+ type filter hook input priority filter; policy accept;
+ arp htype 1 arp hlen 6 arp plen 4 arp saddr ip 10.0.0.0/8 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 arp daddr ip 192.168.123.1 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 arp saddr ether fe:ed:ba:be:00:01 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 arp daddr ether fe:ed:ba:be:00:01 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 jump foo
+ arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0
+ }
+
+ chain foo {
+ iifname "lo" arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 accept
+ arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 meta mark set 0x12345
+ arp htype 1 arp hlen 6 arp plen 4 arp operation request counter packets 0 bytes 0 accept
+ arp htype 1 arp ptype ip arp hlen 6 arp plen 4 counter packets 0 bytes 0 accept
+ iifname "lo" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 arp operation request counter packets 0 bytes 0 accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy drop;
+ oifname "lo" arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 accept
+ oifname "eth134" arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 arp saddr ip set 10.0.0.1 accept
+ oifname "eth432" arp htype 1 arp hlen 6 arp plen 4 counter packets 0 bytes 0 meta priority set feed:babe
+ oifname "eth432" arp htype 1 arp hlen 6 arp plen 4 arp operation request counter packets 0 bytes 0 meta priority set feed:babe
+ }
+}'
+
+EBTABLES_RULESET='*filter
+-A FORWARD -p IPv4 -j mark --mark-set 1
+-A FORWARD -p IPv6 -j mark --mark-set 2
+COMMIT'
+EBTABLES_EXPECT='
+# Warning: table bridge filter is managed by iptables-nft, do not touch!
+table bridge filter {
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ ether type ip counter packets 0 bytes 0 meta mark set 0x1 accept
+ ether type ip6 counter packets 0 bytes 0 meta mark set 0x2 accept
+ }
+}'
+
+iptables-nft-restore <<< "$IPTABLES_RULESET"
+EXPECT="$IPTABLES_EXPECT"
+
+if ip6tables-nft --version | grep -q 'nf_tables'; then
+ echo "testing ip6tables, too"
+ ip6tables-nft-restore <<< "$IP6TABLES_RULESET"
+ EXPECT+="$IP6TABLES_EXPECT"
+fi
+if arptables-nft --version | grep -q 'nf_tables'; then
+ echo "testing arptables, too"
+ arptables-nft-restore <<< "$ARPTABLES_RULESET"
+ EXPECT+="$ARPTABLES_EXPECT"
+fi
+if ebtables-nft --version | grep -q 'nf_tables'; then
+ echo "testing ebtables, too"
+ ebtables-nft-restore <<< "$EBTABLES_RULESET"
+ EXPECT+="$EBTABLES_EXPECT"
+fi
+
+$DIFF -u <(echo "$EXPECT") <($NFT list ruleset 2>&1)
+
+# avoid attempts at replaying the ruleset
+$NFT flush ruleset
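Review bot: IP6TABLES_EXPECT, ARPTABLES_EXPECT and EBTABLES_EXPECT deliberately begin with a newline so that `EXPECT+=` reproduces the blank line `nft list ruleset` prints between tables, while IPTABLES_EXPECT does not; that is correct but non-obvious and deserves a comment above the first `EXPECT+=`. The `# Warning: table ... is managed by iptables-nft` lines are compared literally, so the test is coupled to that exact text, and because `$NFT list ruleset 2>&1` merges stderr any unrelated warning shows up as a diff, which is probably what you want for a parsing test but worth stating. Lastly, the arptables block uses a bare `-A INPUT` without a match to exercise the `arp htype 1 arp hlen 6 arp plen 4` only line; a short comment would spare readers the guess.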
--
2.51.0
* Re: [nft PATCH 1/4] configure: Implement --enable-profiling option
From: Pablo Neira Ayuso @ 2026-02-05 1:29 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Tue, Jan 27, 2026 at 11:29:13PM +0100, Phil Sutter wrote:
> diff --git a/src/main.c b/src/main.c
> index 29b0533dee7c9..bdcf8ab3c304b 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -16,6 +16,7 @@
> #include <errno.h>
> #include <getopt.h>
> #include <fcntl.h>
> +#include <signal.h>
> #include <sys/types.h>
>
> #include <nftables/libnftables.h>
> @@ -360,6 +361,33 @@ static bool nft_options_check(int argc, char * const argv[])
> return true;
> }
>
> +#ifdef BUILD_PROFILING
> +static void termhandler(int signo)
> +{
> + switch (signo) {
> + case SIGTERM:
> + exit(143);
> + case SIGINT:
> + exit(130);
> + }
> +}
> +
> +static void setup_sighandler(void)
> +{
> + struct sigaction act = {
> + .sa_handler = termhandler,
> + };
> +
> + if (sigaction(SIGTERM, &act, NULL) == -1 ||
> + sigaction(SIGINT, &act, NULL) == -1) {
> + perror("sigaction");
> + exit(1);
> + }
> +}
> +#else
> +static void setup_sighandler(void) { /* empty */ }
> +#endif
Nitpick: this is small, but please add it to src/profile.c, to make
extending it future-proof and reduce ifdef pollution a bit.
With an include/profile.h you can also define the empty stub for
setup_sighandler() when !BUILD_PROFILING.
Thanks
> +
> int main(int argc, char * const *argv)
> {
> const struct option *options = get_options();
> @@ -375,6 +403,8 @@ int main(int argc, char * const *argv)
> if (getuid() != geteuid())
> _exit(111);
>
> + setup_sighandler();
> +
> if (!nft_options_check(argc, argv))
> exit(EXIT_FAILURE);
>
> --
> 2.51.0
>
* Re: [nft PATCH 3/4] xt: Print comment match data as well
From: Pablo Neira Ayuso @ 2026-02-05 1:35 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Tue, Jan 27, 2026 at 11:29:15PM +0100, Phil Sutter wrote:
> In order to translate comment matches into the single nftables rule
> comment, libxtables does not immediately (maybe mid-rule) print a
> comment match's string but instead stores it into struct
> xt_xlate::comment array for later.
>
> Since xt_stmt_xlate() is called by a statement's .print callback which
> can't communicate data back to caller, nftables has to print it right
> away.
This is a bugfix, correct?
> Since parser_bison accepts rule comments only at end of line though, the
> output from above can't be restored anymore. That is a bad idea to
> begin with, so accept this quirk and avoid refactoring the statement
> printing API.
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
> src/xt.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/src/xt.c b/src/xt.c
> index f7bee21618030..c3a8c47621cbb 100644
> --- a/src/xt.c
> +++ b/src/xt.c
> @@ -112,8 +112,12 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
> break;
> }
>
> - if (rc == 1)
> + if (rc == 1) {
> nft_print(octx, "%s", xt_xlate_get(xl));
> + if (xt_xlate_get_comment(xl))
> + nft_print(octx, "comment %s",
> + xt_xlate_get_comment(xl));
> + }
> xt_xlate_free(xl);
> free(entry);
> #endif
> --
> 2.51.0
>
* Re: [nft PATCH 0/4] Inspect and improve test suite code coverage
From: Pablo Neira Ayuso @ 2026-02-05 1:35 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Tue, Jan 27, 2026 at 11:29:12PM +0100, Phil Sutter wrote:
> While inspecting the test suites' code coverage using --coverage gcc
> option and gcov(r) for analysis, I noticed that 'nft monitor' processes
> did not influence the stats at all. It appears that a process receiving
> SIGTERM or SIGINT (via kill or ctrl-c) does not dump profiling data at
> exit. Installing a signal handler for those signals which calls exit()
> resolves this, so patch 1 of this series implements --enable-profiling
> into configure which also conditionally enables said signal handler.
>
> Patches 2 and 4 fix for zero test coverage of src/nftrace.c and
> src/xt.c, bumping stats to ~90% for both.
>
> Patch 3 fixes for ignored comment matches in translated iptables-nft
> rules. This is required for patch 4 which uses a comment match to check
> whether nft is built with translation support.
Apart from the aforementioned nitpick, series LGTM.
> Phil Sutter (4):
> configure: Implement --enable-profiling option
> tests: shell: Add a simple test for nftrace
> xt: Print comment match data as well
> tests: shell: Add a basic test for src/xt.c
>
> .gitignore | 5 +
> Makefile.am | 16 +++
> configure.ac | 7 ++
> src/main.c | 30 +++++
> src/xt.c | 6 +-
> tests/shell/features/xtables_xlate.sh | 21 ++++
> tests/shell/testcases/parsing/compat_xlate | 135 +++++++++++++++++++++
> tests/shell/testcases/trace/0001simple | 85 +++++++++++++
> 8 files changed, 304 insertions(+), 1 deletion(-)
> create mode 100755 tests/shell/features/xtables_xlate.sh
> create mode 100755 tests/shell/testcases/parsing/compat_xlate
> create mode 100755 tests/shell/testcases/trace/0001simple
>
> --
> 2.51.0
>
* Re: [nft PATCH 3/4] xt: Print comment match data as well
From: Phil Sutter @ 2026-02-05 13:29 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Thu, Feb 05, 2026 at 02:35:29AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Jan 27, 2026 at 11:29:15PM +0100, Phil Sutter wrote:
> > In order to translate comment matches into the single nftables rule
> > comment, libxtables does not immediately (maybe mid-rule) print a
> > comment match's string but instead stores it into struct
> > xt_xlate::comment array for later.
> >
> > Since xt_stmt_xlate() is called by a statement's .print callback which
> > can't communicate data back to caller, nftables has to print it right
> > away.
>
> This is a bugfix, correct?
I'd vote for feature. A side-effect of this patch is that translated
rules containing a comment match can't be restored anymore because of:
> > Since parser_bison accepts rule comments only at end of line though, the
> > output from above can't be restored anymore. That is a bad idea to
> > begin with, so accept this quirk and avoid refactoring the statement
> > printing API.
IMHO, bug fixes should not have such side-effects.
Cheers, Phil
* Re: [nft PATCH 0/4] Inspect and improve test suite code coverage
From: Phil Sutter @ 2026-02-05 13:30 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Thu, Feb 05, 2026 at 02:35:57AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Jan 27, 2026 at 11:29:12PM +0100, Phil Sutter wrote:
> > While inspecting the test suites' code coverage using --coverage gcc
> > option and gcov(r) for analysis, I noticed that 'nft monitor' processes
> > did not influence the stats at all. It appears that a process receiving
> > SIGTERM or SIGINT (via kill or ctrl-c) does not dump profiling data at
> > exit. Installing a signal handler for those signals which calls exit()
> > resolves this, so patch 1 of this series implements --enable-profiling
> > into configure which also conditionally enables said signal handler.
> >
> > Patches 2 and 4 fix for zero test coverage of src/nftrace.c and
> > src/xt.c, bumping stats to ~90% for both.
> >
> > Patch 3 fixes for ignored comment matches in translated iptables-nft
> > rules. This is required for patch 4 which uses a comment match to check
> > whether nft is built with translation support.
>
> Apart from the aforementioned nitpick, series LGTM.
Thanks for your review. I'll adjust patch 1 as per your feedback and
resubmit.
* Re: [nft PATCH 0/4] Inspect and improve test suite code coverage
From: Phil Sutter @ 2026-02-05 15:21 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Tue, Jan 27, 2026 at 11:29:12PM +0100, Phil Sutter wrote:
> While inspecting the test suites' code coverage using --coverage gcc
> option and gcov(r) for analysis, I noticed that 'nft monitor' processes
> did not influence the stats at all. It appears that a process receiving
> SIGTERM or SIGINT (via kill or ctrl-c) does not dump profiling data at
> exit. Installing a signal handler for those signals which calls exit()
> resolves this, so patch 1 of this series implements --enable-profiling
> into configure which also conditionally enables said signal handler.
>
> Patches 2 and 4 fix for zero test coverage of src/nftrace.c and
> src/xt.c, bumping stats to ~90% for both.
>
> Patch 3 fixes for ignored comment matches in translated iptables-nft
> rules. This is required for patch 4 which uses a comment match to check
> whether nft is built with translation support.
>
> Phil Sutter (4):
> configure: Implement --enable-profiling option
> tests: shell: Add a simple test for nftrace
> xt: Print comment match data as well
> tests: shell: Add a basic test for src/xt.c
Applied patches 2-4.