[ANNOUNCE] knft testing/fuzzer utility for nftables

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 5 Jun 2025 00:20:21 +0200

Hi,

knft is a tool to improve test coverage for the low-level nftables
kernel API by providing a relatively simple way to define a transaction
batch with nftables objects without having to mingle with netlink.
A set of tests 612 test (.t) files are included.

knft also provides a rudimentary deterministic fuzzer (via -f option)
along with several fuzzing modes that mangle existing tests in different
ways to improve coverage for error unwinding paths:

 deltable     \
 delbasechain  \
 delchain       \
 delrule        | - delete object in this batch
 delset         /
 delelem       /
 delobj       /
 flushset         - flush set
 dup              - duplicate object
 reverse-commit   - turn commit into abort
 reverse-abort    - turn abort into commit
 table-dormant    - inject table dormant flag
 table-wakeup     - inject table wake-up flag
 swap             - swap objects
 bogus            - inject bogus object to make the transaction fail

To inspect how the selected fuzzing mode mangles the test, you can use
the -d option to enable debugging along with -c to run it in dry-run
mode, eg.

 # src/./knft -c -f deltable -d tests/expr/meta/03-mark_ok.t
 tests/expr/meta/03-mark_ok.t...
 [FUZZING] tests/expr/meta/03-mark_ok.t (deltable)
 >>>> fuzz_loop at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ==== still more tries at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ...

knft provides a few more options:

-e to display the error reported by the kernel.
-n to perform test runs without flushing the existing ruleset.

This tool requires libmnl to build and to parse the netlink messages
that are sent and received by the kernel.

This tool is released under the GPLv2 (or any later) and it is
available under the netfilter git repositories:

    git clone https://git.netfilter.org/knft

This project is funded through the NGI0 Entrust established by NLnet
(https://nlnet.nl) with support from the European Commission's Next
Generation Internet programme.

Happy firewalling.