Hi Pablo,

On Sun, Jun 15, 2025 at 11:47:20AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 12, 2025 at 01:52:14PM +0200, Phil Sutter wrote:
> > An update deleting a hook from a flowtable was indistinguishable from a
> > flowtable deletion.
>
> tests/monitor fails:
>
> --- /tmp/tmp.CxT9laP7kj/tmp.qTOOOcfTUY 2025-06-15 11:44:55.690784518 +0200
> +++ /tmp/tmp.CxT9laP7kj/tmp.JdiYcpuAKK 2025-06-15 11:44:56.337658195 +0200
> @@ -1 +1,2 @@
> -delete flowtable ip t ft
> +delete flowtable ip t ft { hook ingress priority 0; devices = { lo }; }
> +# new generation 3 by process 2954068 (nft)

Ah crap, this requires the kernel patch 'netfilter: nf_tables:
Reintroduce shortened deletion notifications'. I don't see how user
space could work around the old kernel behaviour, so monitor testsuite
will fail for old kernels with either this patch applied or as soon as
we add a test for a flowtable update removing a hook spec.

The only way out I see is to accept the extra data unchecked in monitor
testsuite, i.e. practically disabling the tests for flowtable deletion
or updates, which obviously sucks.

No idea how to move forward now.

Sorry, Phil