Re: [PATCH v6 2/2] Add test for nft_max_table_jumps_netns sysctl

On Mon, Jul 28, 2025 at 12:03:15AM -0400, Shaun Brady wrote:
> Introduce test for recently added jump limit functionality.  Tests
> sysctl behavior with regard to netns, as well as calling user_ns.

Would you rework this into a more elaborate torture test that exercises
both the commit and abort paths?

It would be great to have something similar to
nftables/tests/shell/testcases/transactions/30s-stress
but to exercise loop detection.

Thanks.

> Signed-off-by: Shaun Brady <brady.1345@xxxxxxxxx>
> ---
>  .../testing/selftests/net/netfilter/Makefile  |   1 +
>  .../netfilter/nft_max_table_jumps_netns.sh    | 227 ++++++++++++++++++
>  2 files changed, 228 insertions(+)
>  create mode 100755 tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
> 
> diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile
> index a98ed892f55f..62193e0cd8ec 100644
> --- a/tools/testing/selftests/net/netfilter/Makefile
> +++ b/tools/testing/selftests/net/netfilter/Makefile
> @@ -26,6 +26,7 @@ TEST_PROGS += nft_conntrack_helper.sh
>  TEST_PROGS += nft_fib.sh
>  TEST_PROGS += nft_flowtable.sh
>  TEST_PROGS += nft_interface_stress.sh
> +TEST_PROGS += nft_max_table_jumps_netns.sh
>  TEST_PROGS += nft_meta.sh
>  TEST_PROGS += nft_nat.sh
>  TEST_PROGS += nft_nat_zones.sh
> diff --git a/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh b/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
> new file mode 100755
> index 000000000000..9dedd45f4fd2
> --- /dev/null
> +++ b/tools/testing/selftests/net/netfilter/nft_max_table_jumps_netns.sh
> @@ -0,0 +1,227 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# A test script for nf_max_table_jumps_netns limit sysctl
> +#
> +source lib.sh
> +
> +DEFAULT_SYSCTL=65536
> +
> +user_owned_netns="a_user_owned_netns"
> +
> +cleanup() {
> +        ip netns del $user_owned_netns 2>/dev/null || true
> +}
> +
> +trap cleanup EXIT
> +
> +init_net_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +
> +# Check that init ns inits to default value
> +if [ "$init_net_value" -ne "$DEFAULT_SYSCTL" ];then
> +	echo "Fail: Does not init default value"
> +	exit 1
> +fi
> +
> +# Set to extremely small, demonstrate CAN exceed value
> +sysctl -w net.netfilter.nf_max_table_jumps_netns=32 2>&1 >/dev/null
> +new_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "32" ];then
> +	echo "Fail: Set value not respected"
> +	exit 1
> +fi
> +
> +nft -f - <<EOF
> +table inet loop-test {
> +	chain test0 {
> +		type filter hook input priority filter; policy accept;
> +		jump test1
> +		jump test1
> +	}
> +
> +	chain test1 {
> +		jump test2
> +		jump test2
> +	}
> +
> +	chain test2 {
> +		jump test3
> +		tcp dport 8080 drop
> +		tcp dport 8080 drop
> +	}
> +
> +	chain test3 {
> +		jump test4
> +	}
> +
> +	chain test4 {
> +		jump test5
> +	}
> +
> +	chain test5 {
> +		jump test6
> +	}
> +
> +	chain test6 {
> +		jump test7
> +	}
> +
> +	chain test7 {
> +		jump test8
> +	}
> +
> +	chain test8 {
> +		jump test9
> +	}
> +
> +	chain test9 {
> +		jump test10
> +	}
> +
> +	chain test10 {
> +		jump test11
> +	}
> +
> +	chain test11 {
> +		jump test12
> +	}
> +
> +	chain test12 {
> +		jump test13
> +	}
> +
> +	chain test13 {
> +		jump test14
> +	}
> +
> +	chain test14 {
> +		jump test15
> +		jump test15
> +	}
> +
> +	chain test15 {
> +	}
> +}
> +EOF
> +
> +if [ $? -ne 0 ];then
> +	echo "Fail: limit not exceeded when expected"
> +	exit 1
> +fi
> +
> +nft flush ruleset
> +
> +# reset to default
> +sysctl -w net.netfilter.nf_max_table_jumps_netns=$DEFAULT_SYSCTL 2>&1 >/dev/null
> +
> +# Make init_user_ns owned netns, can change value, limit is applied
> +ip netns add $user_owned_netns
> +ip netns exec $user_owned_netns sysctl -qw net.netfilter.nf_max_table_jumps_netns=32 2>&1
> +if [ $? -ne 0 ];then
> +	echo "Fail: Can't change value in init_user_ns owned namespace"
> +	exit 1
> +fi
> +
> +ip netns exec $user_owned_netns \
> +nft -f - 2>&1 <<EOF
> +table inet loop-test {
> +	chain test0 {
> +		type filter hook input priority filter; policy accept;
> +		jump test1
> +		jump test1
> +	}
> +
> +	chain test1 {
> +		jump test2
> +		jump test2
> +	}
> +
> +	chain test2 {
> +		jump test3
> +		tcp dport 8080 drop
> +		tcp dport 8080 drop
> +	}
> +
> +	chain test3 {
> +		jump test4
> +	}
> +
> +	chain test4 {
> +		jump test5
> +	}
> +
> +	chain test5 {
> +		jump test6
> +	}
> +
> +	chain test6 {
> +		jump test7
> +	}
> +
> +	chain test7 {
> +		jump test8
> +	}
> +
> +	chain test8 {
> +		jump test9
> +	}
> +
> +	chain test9 {
> +		jump test10
> +	}
> +
> +	chain test10 {
> +		jump test11
> +	}
> +
> +	chain test11 {
> +		jump test12
> +	}
> +
> +	chain test12 {
> +		jump test13
> +	}
> +
> +	chain test13 {
> +		jump test14
> +	}
> +
> +	chain test14 {
> +		jump test15
> +		jump test15
> +	}
> +
> +	chain test15 {
> +	}
> +}
> +EOF
> +
> +if [ $? -eq 0 ];then
> +	echo "Fail: Limited incorrectly applied"
> +	exit 1
> +fi
> +ip netns del $user_owned_netns
> +
> +# Previously set value does not impact root namespace; check value from before
> +new_value=$(sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "$DEFAULT_SYSCTL" ];then
> +	echo "Fail: Non-init namespace altered init namespace"
> +	exit 1
> +fi
> +
> +# Make non-init_user_ns owned netns, can not change value
> +unshare -Un sysctl -w net.netfilter.nf_max_table_jumps_netns=1234 2>&1
> +if [ $? -ne 0 ];then
> +	echo "Fail: Error message incorrect when non-user-init"
> +	exit 1
> +fi
> +
> +# Double check user namespace can still see limit
> +new_value=(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)
> +if [ "$new_value" -ne "$DEFAULT_SYSCTL" ];then
> +	echo "Fail: Unexpected failure when non-user-init"
> +	exit 1
> +fi
> +
> +
> +exit 0
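Review bot: the "Double check user namespace can still see limit" block near the end of the script is broken: `new_value=(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)` is missing the `$` before the parenthesis, so it assigns a literal array of words instead of running the command, and the following `[ "$new_value" -ne "$DEFAULT_SYSCTL" ]` then tries to compare the string "unshare" as an integer; it should read `new_value=$(unshare -Un sysctl -n net.netfilter.nf_max_table_jumps_netns)`. Further points in the same hunk: the two `sysctl -w ... 2>&1 >/dev/null` lines redirect in the wrong order (stderr still reaches the terminal, only stdout is discarded), so use `>/dev/null 2>&1` or `-q` as the later `ip netns exec ... sysctl -qw` line already does. The `unshare -Un sysctl -w ...=1234` check contradicts its own comment: the comment says a netns not owned by init_user_ns cannot change the value, yet the test fails when that write returns non-zero; either the condition should be `-eq 0` (a successful write would be the bug) or the comment and the "Error message incorrect" text should state what is actually expected. Similarly, "Fail: limit not exceeded when expected" fires when the first ruleset load fails in init_net, where the preceding comment says the limit must not apply, so the message says the opposite of what it detects. `cleanup()` only deletes the netns; on any failure path after `sysctl -w ...=32`, init_net is left with the reduced limit, so cleanup should also restore `$init_net_value`. Finally, the same 70-line ruleset is pasted twice; putting it in a variable or a function that takes an optional `ip netns exec $user_owned_netns` prefix would halve the script and keep the two loads identical by construction.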
> -- 
> 2.49.0
> 