nftables/0046-tests-shell-connect-chains-to-hook-point.patch

From a47b862ee07e029f6aa324cb628d4b2ec0d9d6e2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 28 May 2026 14:52:27 +0200
Subject: [PATCH] tests: shell: connect chains to hook point

JIRA: https://issues.redhat.com/browse/RHEL-179874
Upstream Status: nftables commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
Conflicts: Removed changes to non-existent dumps and test cases.

commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jul 10 02:33:37 2024 +0200

    tests: shell: connect chains to hook point

    These tests should fail because they contain a loop or exceed the jump stack.

    But this depends on the kernel validating chains that are not bound to any
    basechain/hook point.

    Wire up the initial chain to filter type.

    Without this tests will start to fail when kernel stops validating
    chains that are not reachable by any base chain.

    Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 tests/shell/testcases/chains/0003jump_loop_1         | 3 ++-
 tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
 tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
 tests/shell/testcases/chains/0018check_jump_loop_1   | 2 +-
 tests/shell/testcases/transactions/0023rule_1        | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index 80e243f..1a8eaf6 100755
--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -5,8 +5,9 @@ set -e
 MAX_JUMPS=16
 
 $NFT add table t
+$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
 
-for i in $(seq 1 $MAX_JUMPS)
+for i in $(seq 2 $MAX_JUMPS)
 do
 	$NFT add chain t c${i}
 done
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index 5d3ef23..6000e5d 100755
--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c
+$NFT add chain "t c { type filter hook input priority 0; }"
 
 # kernel should return ELOOP
 $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index d75932d..66abf8d 100755
--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table t
-$NFT add chain t c1
+$NFT add chain "t c1 { type filter hook forward priority 0; }"
 $NFT add chain t c2
 $NFT add map t m {type inet_service : verdict \;}
 $NFT add element t m {2 : jump c2}
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index b87520f..1e674d3 100755
--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -3,7 +3,7 @@
 set -e
 
 $NFT add table ip filter
-$NFT add chain ip filter ap1
+$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
 $NFT add chain ip filter ap2
 $NFT add rule ip filter ap1 jump ap2
 
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
index e58c088..863bcde 100755
--- a/tests/shell/testcases/transactions/0023rule_1
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 RULESET="add table x
-add chain x y
+add chain x y { type filter hook input priority 0; }
 add rule x y jump y"
 
 # kernel must return ELOOP
-- 
2.53.0