lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <aEDGpWxv26Ac5AAw@calendula>
Date: Thu, 5 Jun 2025 00:20:21 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: netfilter@...r.kernel.org, netdev@...r.kernel.org,
	netfilter-announce@...ts.netfilter.org
Subject: [ANNOUNCE] knft testing/fuzzer utility for nftables

Hi,

knft is a tool to improve test coverage for the low-level nftables
kernel API by providing a relatively simple way to define a transaction
batch with nftables objects without having to mingle with netlink.
A set of tests 612 test (.t) files are included.

knft also provides a rudimentary deterministic fuzzer (via -f option)
along with several fuzzing modes that mangle existing tests in different
ways to improve coverage for error unwinding paths:

 deltable     \
 delbasechain  \
 delchain       \
 delrule        | - delete object in this batch
 delset         /
 delelem       /
 delobj       /
 flushset         - flush set
 dup              - duplicate object
 reverse-commit   - turn commit into abort
 reverse-abort    - turn abort into commit
 table-dormant    - inject table dormant flag
 table-wakeup     - inject table wake-up flag
 swap             - swap objects
 bogus            - inject bogus object to make the transaction fail

To inspect how the selected fuzzing mode mangles the test, you can use
the -d option to enable debugging along with -c to run it in dry-run
mode, eg.

 # src/./knft -c -f deltable -d tests/expr/meta/03-mark_ok.t
 tests/expr/meta/03-mark_ok.t...
 [FUZZING] tests/expr/meta/03-mark_ok.t (deltable)
 >>>> fuzz_loop at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ==== still more tries at index 0 in state=0
 add_table(NFPROTO_IPV4, "test", NULL, NULL, NULL);
 add_chain("test", NULL, NULL, NULL, NULL);
 del_table(NFPROTO_IPV4, "test", NULL);
 add_rule("test", "0x1", NULL, NULL, NULL);
 meta(NULL, "NFT_REG32_15", "3");
 cmp("NFT_REG32_15", "0", "ffffffff");
 commit();
 <<<< fuzz_loop backtrack STACK limit reached
 ...

knft provides a few more options:

-e to display the error reported by the kernel.
-n to perform test runs without flushing the existing ruleset.

This tool requires libmnl to build and to parse the netlink messages
that are sent and received by the kernel.

This tool is released under the GPLv2 (or any later) and it is
available under the netfilter git repositories:

    git clone https://git.netfilter.org/knft

This project is funded through the NGI0 Entrust established by NLnet
(https://nlnet.nl) with support from the European Commission's Next
Generation Internet programme.

Happy firewalling.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ