On Thu, Jun 12, 2025 at 09:33:39PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 12, 2025 at 01:52:17PM +0200, Phil Sutter wrote: > [...] > > diff --git a/tests/shell/testcases/transactions/0050rule_1 b/tests/shell/testcases/transactions/0050rule_1 > > deleted file mode 100755 > > index 89e5f42fc9f4d..0000000000000 > > --- a/tests/shell/testcases/transactions/0050rule_1 > > +++ /dev/null > > @@ -1,19 +0,0 @@ > > -#!/bin/bash > > I would prefer this test does not go away, this is catching for an old > kernel bug if you take a look at the history, i.e. it is an old > bug reproducer so... > > > - > > -set -e > > - > > -RULESET="table inet filter { > > - flowtable ftable { > > - hook ingress priority 0; devices = { eno1, eno0, x }; > > - } > > - > > -chain forward { > > - type filter hook forward priority 0; policy drop; > > - > > - ip protocol { tcp, udp } ct mark and 1 == 1 counter flow add @ftable > > - ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter flow add @ftable > > - ct mark and 30 == 30 ct state established,related log prefix \"nftables accept: \" level info accept > > - } > > -}" > > - > > -$NFT -f - <<< "$RULESET" >/dev/null || exit 0 > > maybe simply add here: > > $NFT flush ruleset > > to get the same behaviour in old and new kernels. Ah, good point. It's better to skip the test if ifname_based_hooks feature is present instead of dropping it. > I did not look at other tests. > > Please have a look at the history of other tests to check if they are > also catching very old kernel bugs. The other two tests I touched merely remove flowtable hooks before returning. Thanks, Phil
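Review bot: Removing tests/shell/testcases/transactions/0050rule_1 as a whole (hunk `@@ -1,19 +0,0 @@`) looks unnecessary given how the script ends: its last line, `$NFT -f - <<< "$RULESET" >/dev/null || exit 0`, already lets the test pass when the load is rejected, so the only case left unhandled is a load that succeeds, where the table with flowtable ftable on devices eno1, eno0 and x stays in place because nothing follows that line. I would keep the file and add an explicit step after the load for that case, either a cleanup of what was loaded or a skip condition at the top of the script, and state in the commit message what the script is kept for so a later cleanup does not delete it again.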