netfilter.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: netfilter@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-announce@lists.netfilter.org
Subject: [ANNOUNCE] knft testing/fuzzer utility for nftables
Date: Thu, 5 Jun 2025 00:20:21 +0200
Message-ID: <aEDGpWxv26Ac5AAw@calendula>

Hi,

knft is a tool to improve test coverage for the low-level nftables
kernel API by providing a relatively simple way to define a transaction
batch with nftables objects without having to mingle with netlink.
A set of 612 test (.t) files is included.

knft also provides a rudimentary deterministic fuzzer (via -f option)
along with several fuzzing modes that mangle existing tests in different
ways to improve coverage for error unwinding paths:

 deltable     \
 delbasechain  \
 delchain       \
 delrule        | - delete object in this batch
 delset         /
 delelem       /
 delobj       /
 flushset         - flush set
 dup              - duplicate object
 reverse-commit   - turn commit into abort
 reverse-abort    - turn abort into commit
 table-dormant    - inject table dormant flag
 table-wakeup     - inject table wake-up flag
 swap             - swap objects
 bogus            - inject bogus object to make the transaction fail

To inspect how the selected fuzzing mode mangles the test, you can use
the -d option to enable debugging along with -c to run it in dry-run
mode, eg.

 # src/./knft -c -f deltable -d tests/expr/meta/03-mark_ok.t
 tests/expr/meta/03-mark_ok.t...
 [FUZZING] tests/expr/meta/03-mark_ok.t (deltable)
 >>>> fuzz_loop at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ==== still more tries at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ...

knft provides a few more options:

-e to display the error reported by the kernel.
-n to perform test runs without flushing the existing ruleset.

This tool requires libmnl to build and to parse the netlink messages
that are sent and received by the kernel.

This tool is released under the GPLv2 (or any later version) and it is
available under the netfilter git repositories:

    git clone https://git.netfilter.org/knft

This project is funded through the NGI0 Entrust established by NLnet
(https://nlnet.nl) with support from the European Commission's Next
Generation Internet programme.

Happy firewalling.
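The per-index walk visible in the -d trace above (del_table injected after op 0, then after op 1, and so on until a limit stops the loop) can be modelled as a small deterministic mutator. The C program below is an added illustration written for this page, not knft's source: its op set, the struct batch layout, the four modes it models (deltable, dup, swap, reverse-commit) and the stack_limit cap are assumptions made for the demo, and the rule's meta/cmp expressions are folded into a single add_rule op.

```c
/* Added example: a minimal model of how a deterministic, per-index mutator
 * enumerates variants of a transaction batch, in the spirit of the knft
 * fuzzing modes.  This is NOT knft's code; the op set, the struct layout,
 * the mode semantics and the "stack limit" are assumptions for the demo. */
#include <stdio.h>
#include <string.h>

enum op { ADD_TABLE, ADD_CHAIN, ADD_RULE, DEL_TABLE, COMMIT, ABORT };

static const char *op_name[] = {
	"add_table", "add_chain", "add_rule", "del_table", "commit", "abort",
};

#define MAX_OPS 16

struct batch {
	enum op ops[MAX_OPS];
	int len;
};

/* Baseline batch, modelled on the 03-mark_ok.t trace quoted above
 * (the rule's meta/cmp expressions are folded into add_rule). */
static const struct batch base = { { ADD_TABLE, ADD_CHAIN, ADD_RULE, COMMIT }, 4 };

/* Insert op o at position pos, shifting the tail up; 0 on success. */
static int batch_insert(struct batch *b, int pos, enum op o)
{
	if (b->len >= MAX_OPS || pos < 0 || pos > b->len)
		return -1;
	memmove(&b->ops[pos + 1], &b->ops[pos],
		(size_t)(b->len - pos) * sizeof(b->ops[0]));
	b->ops[pos] = o;
	b->len++;
	return 0;
}

/* Produce variant number idx of batch in for the given mode.
 * Returns 1 and fills out if such a variant exists, 0 when the mode is
 * exhausted at this index (the caller then stops, like a backtrack limit). */
int mutate(const struct batch *in, const char *mode, int idx, struct batch *out)
{
	*out = *in;
	/* the trailing commit/abort is never treated as an object to mutate */
	int nobj = in->len - 1;

	if (!strcmp(mode, "deltable")) {
		/* delete the table right after object idx: later ops now dangle */
		if (idx >= nobj)
			return 0;
		return batch_insert(out, idx + 1, DEL_TABLE) == 0;
	}
	if (!strcmp(mode, "dup")) {
		/* duplicate object idx so the kernel sees it twice in one batch */
		if (idx >= nobj)
			return 0;
		return batch_insert(out, idx + 1, in->ops[idx]) == 0;
	}
	if (!strcmp(mode, "swap")) {
		/* swap adjacent objects idx and idx+1 (e.g. chain before table) */
		if (idx + 1 >= nobj)
			return 0;
		out->ops[idx] = in->ops[idx + 1];
		out->ops[idx + 1] = in->ops[idx];
		return 1;
	}
	if (!strcmp(mode, "reverse-commit")) {
		/* single variant: turn the final commit into an abort */
		if (idx > 0 || in->ops[in->len - 1] != COMMIT)
			return 0;
		out->ops[out->len - 1] = ABORT;
		return 1;
	}
	return 0; /* unknown mode: nothing to generate */
}

/* Walk the variants of one mode in index order, printing a trace in the
 * style of "knft -d", and return how many were generated (capped by
 * stack_limit, which stands in for the backtrack limit in the trace). */
int fuzz_loop(const struct batch *in, const char *mode, int stack_limit,
	      struct batch *variants)
{
	int n = 0;
	struct batch v;

	for (int idx = 0; n < stack_limit && mutate(in, mode, idx, &v); idx++) {
		printf(">>>> fuzz_loop at index %d (%s)\n", idx, mode);
		for (int i = 0; i < v.len; i++)
			printf(" %s();\n", op_name[v.ops[i]]);
		variants[n++] = v;
	}
	printf("<<<< fuzz_loop done after %d variants\n", n);
	return n;
}

int main(void)
{
	static const char *modes[] = { "deltable", "dup", "swap", "reverse-commit" };
	struct batch variants[MAX_OPS];

	for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++)
		printf("%s: %d variants\n", modes[i],
		       fuzz_loop(&base, modes[i], 8, variants));
	return 0;
}
```

The point of the model is that every variant is a function of (mode, index) only, so a crash found by the fuzzer is reproducible by re-running the same mode at the same index, which is what makes a deterministic mutator more useful than random mangling for chasing error-unwinding bugs.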
