netfilter-devel.vger.kernel.org archive mirror
From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: [nft PATCH] tests: shell: Fix ifname_based_hooks feature check
Date: Wed, 25 Jun 2025 18:53:36 +0200
Message-ID: <20250625165336.26654-1-phil@nwl.cc>

The test was technically incorrect: Instead of detecting whether
interface hooks are name-based or not, it actually tested whether
netdev-family chains are removed along with their last hook.

Since the latter behaviour is established in kernel commit fc0133428e7a
("netfilter: nf_tables: Tolerate chains with no remaining hooks") and
thus independent from the name-based hooks change, treating both as the
same kernel feature is not acceptable.

Fix this by detecting whether a netdev-family chain may be added despite
specifying a non-existent interface to hook into. Keep the old check
around with a better name, although unused for now.

Reported-by: Florian Westphal <fw@strlen.de>
Fixes: f27e5abd81f29 ("tests: shell: Adjust to ifname-based hooks")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 tests/shell/features/empty_netdev_chains.sh | 12 ++++++++++++
 tests/shell/features/ifname_based_hooks.sh  | 18 +++++++++---------
 2 files changed, 21 insertions(+), 9 deletions(-)
 create mode 100755 tests/shell/features/empty_netdev_chains.sh

diff --git a/tests/shell/features/empty_netdev_chains.sh b/tests/shell/features/empty_netdev_chains.sh
new file mode 100755
index 0000000000000..cada6956f165b
--- /dev/null
+++ b/tests/shell/features/empty_netdev_chains.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# check if netdev chains survive without a single device
+
+unshare -n bash -c "ip link add d0 type dummy; \
+	$NFT \"table netdev t { \
+		chain c { \
+			type filter hook ingress priority 0; devices = { d0 }; \
+		}; \
+	}\"; \
+	ip link del d0; \
+	$NFT list chain netdev t c"
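Review bot: The setup steps in the `bash -c` string are chained with `;`, so only the exit status of the final `$NFT list chain netdev t c` decides the result. If `ip link add d0 type dummy` fails (for instance because the dummy driver is unavailable), the script no longer exercises device removal at all: it degenerates into the "chain with a non-existent device" check that ifname_based_hooks.sh now performs, and can report this feature for the wrong reason. Consider chaining the `ip link add` and table creation with `&&`, or running the inner shell with `set -e`, so that a failed setup yields a failure rather than a result that depends on a different kernel feature.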
diff --git a/tests/shell/features/ifname_based_hooks.sh b/tests/shell/features/ifname_based_hooks.sh
index cada6956f165b..1f6af531c8c42 100755
--- a/tests/shell/features/ifname_based_hooks.sh
+++ b/tests/shell/features/ifname_based_hooks.sh
@@ -1,12 +1,12 @@
 #!/bin/bash
 
-# check if netdev chains survive without a single device
+# check if adding a netdev-family chain hooking into a non-existent device is
+# accepted or not
 
-unshare -n bash -c "ip link add d0 type dummy; \
-	$NFT \"table netdev t { \
-		chain c { \
-			type filter hook ingress priority 0; devices = { d0 }; \
-		}; \
-	}\"; \
-	ip link del d0; \
-	$NFT list chain netdev t c"
+RULESET="table netdev t {
+	chain c {
+		type filter hook ingress priority 0
+		devices = { foobar123 }
+	}
+}"
+unshare -n $NFT -f - <<< "$RULESET"
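Review bot: The new comment says "is accepted or not" but does not state which outcome means the feature is present, and the check depends on two things that are not documented: that `unshare -n` provides a fresh namespace in which `foobar123` cannot exist, and that `$NFT` is expanded unquoted in `unshare -n $NFT -f -`. A sentence saying that exit status 0 means name-based hooks are available would help, as would a note on whether word splitting of `$NFT` is intended, since empty_netdev_chains.sh embeds the same variable inside a quoted `bash -c` string instead. Note also that any unrelated failure, such as `unshare` not being permitted, is indistinguishable here from a kernel without the feature.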
-- 
2.49.0


Thread overview: 3+ messages
2025-06-25 16:53 Phil Sutter [this message]
2025-06-26 12:08 ` [nft PATCH] tests: shell: Fix ifname_based_hooks feature check Florian Westphal
2025-06-26 12:29   ` Phil Sutter
