[PATCH nft] tests: py: use `os.unshare` Python function

[PATCH nft] tests: py: use `os.unshare` Python function

[Jeremy Sowden]

Since Python 3.12 the standard library has included an `os.unshare` function.
Use it if it is available.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 tests/py/nft-test.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 53fd3f7ae6fe..64837da36035 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1466,7 +1466,14 @@ def run_test_file(filename, force_all_family_option, specific_file):
     return [tests, passed, total_warning, total_error, total_unit_run]
 
 def spawn_netns():
-    # prefer unshare module
+    # prefer stdlib unshare function ...
+    try:
+        os.unshare(os.CLONE_NEWNET)
+        return True
+    except Exception as e:
+        pass
+
+    # ... or unshare module
     try:
         import unshare
         unshare.unshare(unshare.CLONE_NEWNET)
-- 
2.51.0

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Phil Sutter]

On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote:
> Since Python 3.12 the standard library has included an `os.unshare` function.
> Use it if it is available.
> 
> Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

Patch applied, thanks!

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Phil Sutter]

Hi Jeremy,

On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote:
> Since Python 3.12 the standard library has included an `os.unshare` function.
> Use it if it is available.

This patch breaks py test suite cases involving time-related matches,
e.g. 'meta time "1970-05-23 21:07:14"'. It expects:

| cmp eq reg 1 0x002bd503 0x43f05400

but instead the rule serializes into:

| cmp eq reg 1 0x002bd849 0x74a8f400

Do you see that too?

Cheers, Phil

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 1639 bytes --]

On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote:
>On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote:
> > Since Python 3.12 the standard library has included an `os.unshare` function.
> > Use it if it is available.
> 
> This patch breaks py test suite cases involving time-related matches,
> e.g. 'meta time "1970-05-23 21:07:14"'. It expects:
> 
> | cmp eq reg 1 0x002bd503 0x43f05400

	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400
	1970-05-23 21:07:14

> but instead the rule serializes into:
> 
> | cmp eq reg 1 0x002bd849 0x74a8f400

	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400
	1970-05-23 22:07:14

> Do you see that too?

Yes, e.g.:

	6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'

As with your example, the discrepancy is an hour:

	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000
2022-07-01 11:00:00

	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000
2022-07-01 12:00:00

which suggests it's time-zone related.  Didn't see anything about that
in the doc's.  Will take a closer look.  Apologies.

J.

PS UTC-2 is exotic. :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 931 bytes --]

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Phil Sutter]

Hi Jeremy,

On Fri, Mar 06, 2026 at 06:35:53PM +0000, Jeremy Sowden wrote:
> On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote:
> >On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote:
> > > Since Python 3.12 the standard library has included an `os.unshare` function.
> > > Use it if it is available.
> > 
> > This patch breaks py test suite cases involving time-related matches,
> > e.g. 'meta time "1970-05-23 21:07:14"'. It expects:
> > 
> > | cmp eq reg 1 0x002bd503 0x43f05400
> 
> 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400
> 	1970-05-23 21:07:14
> 
> > but instead the rule serializes into:
> > 
> > | cmp eq reg 1 0x002bd849 0x74a8f400
> 
> 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400
> 	1970-05-23 22:07:14
> 
> > Do you see that too?
> 
> Yes, e.g.:
> 
> 	6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'
> 
> As with your example, the discrepancy is an hour:
> 
> 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000
> 2022-07-01 11:00:00
> 
> 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000
> 2022-07-01 12:00:00
> 
> which suggests it's time-zone related.  Didn't see anything about that
> in the doc's.  Will take a closer look.  Apologies.

Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this,
even though os.unshare is described as doing the same as unshare command
does. It also doesn't mangle os.environ['TZ'] value, no idea why it
messes with this.

> PS UTC-2 is exotic. :)

Maybe it's Ander Juaristi's native timezone, he added the tests in
commit 0518ea3f70d8c ("tests: add meta time test cases"). And then I
did:

commit 7e326d697ecf43ea029de5584e59701eb61ca87e
Author: Phil Sutter <phil@nwl.cc>
Date:   Sat Nov 16 22:32:18 2019 +0100

    tests/py: Set a fixed timezone in nft-test.py
    
    Payload generated for 'meta time' matches depends on host's timezone and
    DST setting. To produce constant output, set a fixed timezone in
    nft-test.py. Choose UTC-2 since most payloads are correct then, adjust
    the remaining two tests.
    
    Fixes: 0518ea3f70d8c ("tests: add meta time test cases")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Ander Juaristi <a@juaristi.eus>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

So that's how UTC-2 became py test suite's native timezone. :D

Cheers, Phil

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> > which suggests it's time-zone related.  Didn't see anything about that
> > in the doc's.  Will take a closer look.  Apologies.
> 
> Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this,
> even though os.unshare is described as doing the same as unshare command
> does. It also doesn't mangle os.environ['TZ'] value, no idea why it
> messes with this.

Is there anyone working on a fix?

This breaks my CI pipeline (i.e. I disabled meta.t tests).

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Pablo Neira Ayuso]

On Thu, Mar 12, 2026 at 11:14:20PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > > which suggests it's time-zone related.  Didn't see anything about that
> > > in the doc's.  Will take a closer look.  Apologies.
> > 
> > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this,
> > even though os.unshare is described as doing the same as unshare command
> > does. It also doesn't mangle os.environ['TZ'] value, no idea why it
> > messes with this.
> 
> Is there anyone working on a fix?
> 
> This breaks my CI pipeline (i.e. I disabled meta.t tests).

I suggest to revert by now, as it seems os.unshare is not equivalent
to 'unshare -n'.

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 3942 bytes --]

On 2026-03-11, at 00:08:59 +0100, Phil Sutter wrote:
> On Fri, Mar 06, 2026 at 06:35:53PM +0000, Jeremy Sowden wrote:
> > On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote:
> > > On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote:
> > > > Since Python 3.12 the standard library has included an `os.unshare` function.
> > > > Use it if it is available.
> > >
> > > This patch breaks py test suite cases involving time-related
> > > matches, e.g. 'meta time "1970-05-23 21:07:14"'. It expects:
> > >
> > > | cmp eq reg 1 0x002bd503 0x43f05400
> >
> > 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400
> > 	1970-05-23 21:07:14
> >
> > > but instead the rule serializes into:
> > >
> > > | cmp eq reg 1 0x002bd849 0x74a8f400
> >
> > 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400
> > 	1970-05-23 22:07:14
> >
> > > Do you see that too?
> >
> > Yes, e.g.:
> >
> > 	6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'
> >
> > As with your example, the discrepancy is an hour:
> >
> > 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000
> > 2022-07-01 11:00:00
> >
> > 	$ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000
> > 2022-07-01 12:00:00
> >
> > which suggests it's time-zone related.  Didn't see anything about
> > that in the doc's.  Will take a closer look.  Apologies.
>
> Yes, it's odd. Neither unshare module nor 'unshare -n' behave like
> this, even though os.unshare is described as doing the same as unshare
> command does. It also doesn't mangle os.environ['TZ'] value, no idea
> why it messes with this.

What makes it weirder is that setting the time-zone at the command-line
fixes it:

     $ cat tests/py/any/meta-time-test.t
     :input;type filter hook input priority 0

     *ip;test-ip4;input

     time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept
     $ sudo env TZ=UTC-2 /usr/bin/python3 tests/py/nft-test.py any/meta-time-test.t
     INFO: Log will be available at /tmp/nftables-test.log
     any/meta-time-test.t: 1 unit tests, 0 error, 0 warning
     $ sudo /usr/bin/python3 tests/py/nft-test.py any/meta-time-test.t
     INFO: Log will be available at /tmp/nftables-test.log
     8: WARNING: line 4: 'add rule ip test-ip4 input time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'
     meta-time-test.t.payload.got: WARNING: line 2: Wrote payload for rule t
     8: WARNING: line 4: 'add rule ip test-ip4 input meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'
     6: WARNING: line 4: '{"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"meta": {"key": "time"}}, "op": ">", "right": "2022-07-01 11:00:00"}}, {"accept": null}]}}}]}': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]'
     meta-time-test.t.json.payload.got: WARNING: line 2: Wrote JSON payload for rule t
     any/meta-time-test.t: 1 unit tests, 3 error, 0 warning

This seems to imply that modifying `os.environ` doesn't actually modify
the environment.  I don't know Python very well, and this is the first
time I've had a rummage in the internals, and I have not yet been able
to explain it.  I think the right thing, unfortunately, is to revert the
commit until I can get to the bottom of it.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 931 bytes --]

Re: [PATCH nft] tests: py: use `os.unshare` Python function

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 780 bytes --]

On 2026-03-12, at 23:20:10 +0100, Pablo Neira Ayuso wrote:
> On Thu, Mar 12, 2026 at 11:14:20PM +0100, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > > which suggests it's time-zone related.  Didn't see anything about that
> > > > in the doc's.  Will take a closer look.  Apologies.
> > >
> > > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this,
> > > even though os.unshare is described as doing the same as unshare command
> > > does. It also doesn't mangle os.environ['TZ'] value, no idea why it
> > > messes with this.
> >
> > Is there anyone working on a fix?
> >
> > This breaks my CI pipeline (i.e. I disabled meta.t tests).
>
> I suggest to revert by now, as it seems os.unshare is not equivalent
> to 'unshare -n'.

Agreed.

J.


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 931 bytes --]