* [PATCH nft] tests: py: use `os.unshare` Python function @ 2026-03-05 17:53 Jeremy Sowden 2026-03-05 22:15 ` Phil Sutter 2026-03-06 17:41 ` Phil Sutter 0 siblings, 2 replies; 9+ messages in thread From: Jeremy Sowden @ 2026-03-05 17:53 UTC (permalink / raw) To: Netfilter Devel Since Python 3.12 the standard library has included an `os.unshare` function. Use it if it is available. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> --- tests/py/nft-test.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 53fd3f7ae6fe..64837da36035 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -1466,7 +1466,14 @@ def run_test_file(filename, force_all_family_option, specific_file): return [tests, passed, total_warning, total_error, total_unit_run] def spawn_netns(): - # prefer unshare module + # prefer stdlib unshare function ... + try: + os.unshare(os.CLONE_NEWNET) + return True + except Exception as e: + pass + + # ... or unshare module try: import unshare unshare.unshare(unshare.CLONE_NEWNET) -- 2.51.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-05 17:53 [PATCH nft] tests: py: use `os.unshare` Python function Jeremy Sowden @ 2026-03-05 22:15 ` Phil Sutter 2026-03-06 17:41 ` Phil Sutter 1 sibling, 0 replies; 9+ messages in thread From: Phil Sutter @ 2026-03-05 22:15 UTC (permalink / raw) To: Jeremy Sowden; +Cc: Netfilter Devel On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote: > Since Python 3.12 the standard library has included an `os.unshare` function. > Use it if it is available. > > Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Patch applied, thanks! ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-05 17:53 [PATCH nft] tests: py: use `os.unshare` Python function Jeremy Sowden 2026-03-05 22:15 ` Phil Sutter @ 2026-03-06 17:41 ` Phil Sutter 2026-03-06 18:35 ` Jeremy Sowden 1 sibling, 1 reply; 9+ messages in thread From: Phil Sutter @ 2026-03-06 17:41 UTC (permalink / raw) To: Jeremy Sowden; +Cc: Netfilter Devel Hi Jeremy, On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote: > Since Python 3.12 the standard library has included an `os.unshare` function. > Use it if it is available. This patch breaks py test suite cases involving time-related matches, e.g. 'meta time "1970-05-23 21:07:14"'. It expects: | cmp eq reg 1 0x002bd503 0x43f05400 but instead the rule serializes into: | cmp eq reg 1 0x002bd849 0x74a8f400 Do you see that too? Cheers, Phil ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-06 17:41 ` Phil Sutter @ 2026-03-06 18:35 ` Jeremy Sowden 2026-03-10 23:08 ` Phil Sutter 0 siblings, 1 reply; 9+ messages in thread From: Jeremy Sowden @ 2026-03-06 18:35 UTC (permalink / raw) To: Phil Sutter, Netfilter Devel [-- Attachment #1: Type: text/plain, Size: 1639 bytes --] On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote: >On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote: > > Since Python 3.12 the standard library has included an `os.unshare` function. > > Use it if it is available. > > This patch breaks py test suite cases involving time-related matches, > e.g. 'meta time "1970-05-23 21:07:14"'. It expects: > > | cmp eq reg 1 0x002bd503 0x43f05400 $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400 1970-05-23 21:07:14 > but instead the rule serializes into: > > | cmp eq reg 1 0x002bd849 0x74a8f400 $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400 1970-05-23 22:07:14 > Do you see that too? Yes, e.g.: 6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' As with your example, the discrepancy is an hour: $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000 2022-07-01 11:00:00 $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000 2022-07-01 12:00:00 which suggests it's time-zone related. Didn't see anything about that in the doc's. Will take a closer look. Apologies. J. PS UTC-2 is exotic. :) [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 931 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-06 18:35 ` Jeremy Sowden @ 2026-03-10 23:08 ` Phil Sutter 2026-03-12 22:14 ` Florian Westphal 2026-03-13 7:56 ` Jeremy Sowden 0 siblings, 2 replies; 9+ messages in thread From: Phil Sutter @ 2026-03-10 23:08 UTC (permalink / raw) To: Jeremy Sowden; +Cc: Netfilter Devel Hi Jeremy, On Fri, Mar 06, 2026 at 06:35:53PM +0000, Jeremy Sowden wrote: > On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote: > >On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote: > > > Since Python 3.12 the standard library has included an `os.unshare` function. > > > Use it if it is available. > > > > This patch breaks py test suite cases involving time-related matches, > > e.g. 'meta time "1970-05-23 21:07:14"'. It expects: > > > > | cmp eq reg 1 0x002bd503 0x43f05400 > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400 > 1970-05-23 21:07:14 > > > but instead the rule serializes into: > > > > | cmp eq reg 1 0x002bd849 0x74a8f400 > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400 > 1970-05-23 22:07:14 > > > Do you see that too? > > Yes, e.g.: > > 6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' > > As with your example, the discrepancy is an hour: > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000 > 2022-07-01 11:00:00 > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000 > 2022-07-01 12:00:00 > > which suggests it's time-zone related. Didn't see anything about that > in the doc's. Will take a closer look. Apologies. Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this, even though os.unshare is described as doing the same as unshare command does. It also doesn't mangle os.environ['TZ'] value, no idea why it messes with this. > PS UTC-2 is exotic. :) Maybe it's Ander Juaristi's native timezone, he added the tests in commit 0518ea3f70d8c ("tests: add meta time test cases"). And then I did: commit 7e326d697ecf43ea029de5584e59701eb61ca87e Author: Phil Sutter <phil@nwl.cc> Date: Sat Nov 16 22:32:18 2019 +0100 tests/py: Set a fixed timezone in nft-test.py Payload generated for 'meta time' matches depends on host's timezone and DST setting. To produce constant output, set a fixed timezone in nft-test.py. Choose UTC-2 since most payloads are correct then, adjust the remaining two tests. Fixes: 0518ea3f70d8c ("tests: add meta time test cases") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Ander Juaristi <a@juaristi.eus> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> So that's how UTC-2 became py test suite's native timezone. :D Cheers, Phil ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-10 23:08 ` Phil Sutter @ 2026-03-12 22:14 ` Florian Westphal 2026-03-12 22:20 ` Pablo Neira Ayuso 2026-03-13 7:56 ` Jeremy Sowden 1 sibling, 1 reply; 9+ messages in thread From: Florian Westphal @ 2026-03-12 22:14 UTC (permalink / raw) To: Phil Sutter, Jeremy Sowden, Netfilter Devel Phil Sutter <phil@nwl.cc> wrote: > > which suggests it's time-zone related. Didn't see anything about that > > in the doc's. Will take a closer look. Apologies. > > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this, > even though os.unshare is described as doing the same as unshare command > does. It also doesn't mangle os.environ['TZ'] value, no idea why it > messes with this. Is there anyone working on a fix? This breaks my CI pipeline (i.e. I disabled meta.t tests). ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-12 22:14 ` Florian Westphal @ 2026-03-12 22:20 ` Pablo Neira Ayuso 2026-03-13 7:57 ` Jeremy Sowden 0 siblings, 1 reply; 9+ messages in thread From: Pablo Neira Ayuso @ 2026-03-12 22:20 UTC (permalink / raw) To: Florian Westphal; +Cc: Phil Sutter, Jeremy Sowden, Netfilter Devel On Thu, Mar 12, 2026 at 11:14:20PM +0100, Florian Westphal wrote: > Phil Sutter <phil@nwl.cc> wrote: > > > which suggests it's time-zone related. Didn't see anything about that > > > in the doc's. Will take a closer look. Apologies. > > > > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this, > > even though os.unshare is described as doing the same as unshare command > > does. It also doesn't mangle os.environ['TZ'] value, no idea why it > > messes with this. > > Is there anyone working on a fix? > > This breaks my CI pipeline (i.e. I disabled meta.t tests). I suggest to revert by now, as it seems os.unshare is not equivalent to 'unshare -n'. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-12 22:20 ` Pablo Neira Ayuso @ 2026-03-13 7:57 ` Jeremy Sowden 0 siblings, 0 replies; 9+ messages in thread From: Jeremy Sowden @ 2026-03-13 7:57 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: Florian Westphal, Phil Sutter, Netfilter Devel [-- Attachment #1: Type: text/plain, Size: 780 bytes --] On 2026-03-12, at 23:20:10 +0100, Pablo Neira Ayuso wrote: > On Thu, Mar 12, 2026 at 11:14:20PM +0100, Florian Westphal wrote: > > Phil Sutter <phil@nwl.cc> wrote: > > > > which suggests it's time-zone related. Didn't see anything about that > > > > in the doc's. Will take a closer look. Apologies. > > > > > > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like this, > > > even though os.unshare is described as doing the same as unshare command > > > does. It also doesn't mangle os.environ['TZ'] value, no idea why it > > > messes with this. > > > > Is there anyone working on a fix? > > > > This breaks my CI pipeline (i.e. I disabled meta.t tests). > > I suggest to revert by now, as it seems os.unshare is not equivalent > to 'unshare -n'. Agreed. J. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 931 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH nft] tests: py: use `os.unshare` Python function 2026-03-10 23:08 ` Phil Sutter 2026-03-12 22:14 ` Florian Westphal @ 2026-03-13 7:56 ` Jeremy Sowden 1 sibling, 0 replies; 9+ messages in thread From: Jeremy Sowden @ 2026-03-13 7:56 UTC (permalink / raw) To: Phil Sutter, Netfilter Devel [-- Attachment #1: Type: text/plain, Size: 3942 bytes --] On 2026-03-11, at 00:08:59 +0100, Phil Sutter wrote: > On Fri, Mar 06, 2026 at 06:35:53PM +0000, Jeremy Sowden wrote: > > On 2026-03-06, at 18:41:06 +0100, Phil Sutter wrote: > > > On Thu, Mar 05, 2026 at 05:53:58PM +0000, Jeremy Sowden wrote: > > > > Since Python 3.12 the standard library has included an `os.unshare` function. > > > > Use it if it is available. > > > > > > This patch breaks py test suite cases involving time-related > > > matches, e.g. 'meta time "1970-05-23 21:07:14"'. It expects: > > > > > > | cmp eq reg 1 0x002bd503 0x43f05400 > > > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd50343f05400 > > 1970-05-23 21:07:14 > > > > > but instead the rule serializes into: > > > > > > | cmp eq reg 1 0x002bd849 0x74a8f400 > > > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x002bd84974a8f400 > > 1970-05-23 22:07:14 > > > > > Do you see that too? > > > > Yes, e.g.: > > > > 6: WARNING: line 4: 'add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' > > > > As with your example, the discrepancy is an hour: > > > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fda8f31977a000 > > 2022-07-01 11:00:00 > > > > $ TZ=UTC-2 perl -MPOSIX=strftime -le 'my $ns = hex $ARGV[0]; print strftime "%Y-%m-%d %H:%M:%S", localtime int $ns / 1000000000' 0x16fdac394a304000 > > 2022-07-01 12:00:00 > > > > which suggests it's time-zone related. Didn't see anything about > > that in the doc's. Will take a closer look. Apologies. > > Yes, it's odd. Neither unshare module nor 'unshare -n' behave like > this, even though os.unshare is described as doing the same as unshare > command does. It also doesn't mangle os.environ['TZ'] value, no idea > why it messes with this. What makes it weirder is that setting the time-zone at the command-line fixes it: $ cat tests/py/any/meta-time-test.t :input;type filter hook input priority 0 *ip;test-ip4;input time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept $ sudo env TZ=UTC-2 /usr/bin/python3 tests/py/nft-test.py any/meta-time-test.t INFO: Log will be available at /tmp/nftables-test.log any/meta-time-test.t: 1 unit tests, 0 error, 0 warning $ sudo /usr/bin/python3 tests/py/nft-test.py any/meta-time-test.t INFO: Log will be available at /tmp/nftables-test.log 8: WARNING: line 4: 'add rule ip test-ip4 input time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' meta-time-test.t.payload.got: WARNING: line 2: Wrote payload for rule t 8: WARNING: line 4: 'add rule ip test-ip4 input meta time > "2022-07-01 11:00:00" accept': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' 6: WARNING: line 4: '{"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"meta": {"key": "time"}}, "op": ">", "right": "2022-07-01 11:00:00"}}, {"accept": null}]}}}]}': '[ cmp gt reg 1 0x16fda8f3 0x1977a000 ]' mismatches '[ cmp gt reg 1 0x16fdac39 0x4a304000 ]' meta-time-test.t.json.payload.got: WARNING: line 2: Wrote JSON payload for rule t any/meta-time-test.t: 1 unit tests, 3 error, 0 warning This seems to imply that modifying `os.environ` doesn't actually modify the environment. I don't know Python very well, and this is the first time I've had a rummage in the internals, and I have not yet been able to explain it. I think the right thing, unfortunately, is to revert the commit until I can get to the bottom of it. J. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 931 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-03-13 7:58 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-05 17:53 [PATCH nft] tests: py: use `os.unshare` Python function Jeremy Sowden 2026-03-05 22:15 ` Phil Sutter 2026-03-06 17:41 ` Phil Sutter 2026-03-06 18:35 ` Jeremy Sowden 2026-03-10 23:08 ` Phil Sutter 2026-03-12 22:14 ` Florian Westphal 2026-03-12 22:20 ` Pablo Neira Ayuso 2026-03-13 7:57 ` Jeremy Sowden 2026-03-13 7:56 ` Jeremy Sowden
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.