bats test/100-bridge-iptables.bats fails #984

Open
Mingli-Yu opened this issue May 8, 2024 · 7 comments
Comments


Mingli-Yu commented May 8, 2024

# bats test/100-bridge-iptables.bats
✗ iptables - internal network
   (in test file test/100-bridge-iptables.bats, line 22)
     `assert "$output" == "$before" "make sure tables have not changed"' failed
    nsenter -n -m -w -t 691 ip link set lo up
    nsenter -n -m -w -t 691 iptables -t nat -nvL
   Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
    nsenter -n -m -w -t 691 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.XQo3PG/config --file /usr/lib64/netavark/ptest/test
   {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"32:d0:98:db:24:1d","subnets":[{"gateway":"10.88.0.1","ipn}
    nsenter -n -m -w -t 691 iptables -t nat -nvL
   Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
    pkts bytes target     prot opt in     out     source               destination
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #|     FAIL: make sure tables have not changed
   #| expected: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         '
   #|   actual: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)'
   #|         > ' pkts bytes target     prot opt in     out     source               destination         '
   #|         > 'Chain INPUT (policy ACCEPT 0 packets, 0 bytes)'
   #|         > ' pkts bytes target     prot opt in     out     source               destination         '
   #|         > 'Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)'
   #|         > ' pkts bytes target     prot opt in     out     source               destination         '
   #|         > 'Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)'
   #|         > ' pkts bytes target     prot opt in     out     source               destination         '
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

✗ iptables - port range forwarding dual - udp
   (in test file test/100-bridge-iptables.bats, line 499)
     `test_port_fw ip=dual proto=udp range=3' failed
    nsenter -n -m -w -t 4964 ip link set lo up
   {
     "container_id": "xZFWLlTE9Pfy5eAkZOKXBmRoiKnKTioU25XCLLv9gqUXNxuBCzTCAtt5hyTQQ4NV",
     "container_name": "name-aNR6UljgUg",
     "port_mappings": [
       {
         "host_ip": "",
         "container_port": 15320,
         "host_port": 27963,
         "range": 3,
         "protocol": "udp"
       }
     ],
     "networks": {
       "podman1": {
         "static_ips": [
           "10.47.233.213", "fd88:2da4:7d39:3786::578e"
         ],
         "interface_name": "eth0"
       }
     },
     "network_info": {
       "podman1": {
         "name": "podman1",
         "id": "ed82e3a703682a9c09629d3cf45c1f1e7da5b32aeff3faf82837ef4d005356e6",
         "driver": "bridge",
         "network_interface": "podman1",
         "subnets": [
           {"subnet":"10.47.233.0/24","gateway":"10.47.233.1"},  {"subnet":"fd88:2da4:7d39:3786::/64","gateway":"fd88:2da4:7d39:3786::1"}
         ],
         "ipv6_enabled": true,
         "internal": false,
         "dns_enabled": false,
         "ipam_options": {
           "driver": "host-local"
         }
       }
     }
   }
    nsenter -n -m -w -t 4964 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.yKHKNX/config setup /proc/4966/ns/net
   {"podman1":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"f6:7d:af:c7:dd:ee","subnets":[{"gateway":"10.47.233.1","}
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27963
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27963
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27964
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27964
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27965
    nsenter -n -m -w -t 4964 ncat -4 --udp 10.47.233.1 27965
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #|     FAIL: ncat received data
   #| expected: 'SGNRmbzylW'
   #|   actual: 'SGNRmbzylW'
   #|         > 'timeout: sending signal TERM to command 'ncat''
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

✗ iptables - bridge teardown
   (in test file test/100-bridge-iptables.bats, line 924)
     `assert "${#lines[@]}" == 1 "only loopback adapter"' failed
    nsenter -n -m -w -t 8405 ip link set lo up
    nsenter -n -m -w -t 8405 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.N83fdC/config setup /proc/8407/ns/net
   {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"22:12:8d:be:cf:80","subnets":[{"gateway":"10.88.0.1","ipn}
    nsenter -n -m -w -t 8405 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.N83fdC/config setup /proc/8415/ns/net
   {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"f2:0e:e7:e6:82:61","subnets":[{"gateway":"10.88.0.1","ipn}
    nsenter -n -m -w -t 8405 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.N83fdC/config teardown /proc/8407/ns/net
    nsenter -n -m -w -t 8405 ip link show podman1
   3: podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
       link/ether 1e:06:7e:3a:0d:cb brd ff:ff:ff:ff:ff:ff
    nsenter -n -m -w -t 8405 iptables -S NETAVARK_FORWARD
   -N NETAVARK_FORWARD
   -A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP
   -A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   -A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT
    nsenter -n -m -w -t 8405 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.N83fdC/config teardown /proc/8415/ns/net
    nsenter -n -m -w -t 8405 ip link show podman1
   Device "podman1" does not exist.
   [ rc=1 (expected) ]
    nsenter -n -m -w -t 8405 iptables -S NETAVARK_FORWARD
   -N NETAVARK_FORWARD
   -A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP
    nsenter -n -m -w -t 8405 ip -o link
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00
   2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/sit 0.0.0.0 brd 0.0.0.0
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #|     FAIL: only loopback adapter
   #| expected: '1'
   #|   actual: '2'
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


✗ iptables - test firewalld reload
   (in test file test/100-bridge-iptables.bats, line 1001)
     `run_in_host_netns firewall-cmd --reload' failed
    nsenter -n -m -w -t 9098 ip link set lo up
    nsenter -n -m -w -t 9098 dbus-daemon --address=unix:path=/tmp/netavark_bats.aUZi58/netavark-firewalld --print-pid --config-file=/usr/lib64/netavark/f
   9110
   firewalld pid: 9111
    nsenter -n -m -w -t 9098 firewall-cmd --state
   not running
   [ rc=252 ]
    nsenter -n -m -w -t 9098 firewall-cmd --state
   running
    nsenter -n -m -w -t 9098 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.aUZi58/config --file /usr/lib64/netavark/ptest/tet
   {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"9e:94:9e:42:2d:0f","subnets":[{"gateway":"10.88.0.1","ipn}
    nsenter -n -m -w -t 9098 iptables -S POSTROUTING -t nat
   -P POSTROUTING ACCEPT
   -A POSTROUTING -j NETAVARK-HOSTPORT-MASQ
   -A POSTROUTING -s 10.88.0.0/16 -j NETAVARK-1D8721804F16F
    nsenter -n -m -w -t 9098 iptables -S NETAVARK-1D8721804F16F -t nat
   -N NETAVARK-1D8721804F16F
   -A NETAVARK-1D8721804F16F -d 10.88.0.0/16 -j ACCEPT
   -A NETAVARK-1D8721804F16F ! -d 224.0.0.0/4 -j MASQUERADE
    nsenter -n -m -w -t 9098 iptables -S FORWARD
   -P FORWARD ACCEPT
   -A FORWARD -m comment --comment "netavark firewall rules" -j NETAVARK_FORWARD
    nsenter -n -m -w -t 9098 iptables -S NETAVARK_FORWARD
   -N NETAVARK_FORWARD
   -A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP
   -A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   -A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT
    nsenter -n -m -w -t 9098 firewall-cmd --reload
   timeout: sending signal TERM to command 'nsenter'
   [ rc=124 (** EXPECTED 0 **) ]
   *** TIMED OUT ***
   /usr/lib64/netavark/ptest/test/helpers.bash: line 49:  9111 Killed                  nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-co"


 ✗ iptables - port forwarding ipv4 - tcp with firewalld reload
   (in test file test/100-bridge-iptables.bats, line 1027)
     `test_port_fw firewalld_reload=true' failed
    nsenter -n -m -w -t 9239 ip link set lo up
   {
     "container_id": "FR01hhVccwTLfBXpYKgRsh5QFav1V4hARRL5Le21fYcM8xwuz0DIULGA1S87fOyK",
     "container_name": "name-qkut1KaoxG",
     "port_mappings": [
       {
         "host_ip": "",
         "container_port": 1077,
         "host_port": 22638,
         "range": 1,
         "protocol": "tcp"
       }
     ],
     "networks": {
       "podman1": {
         "static_ips": [
           "10.139.115.53"
         ],
         "interface_name": "eth0"
       }
     },
     "network_info": {
       "podman1": {
         "name": "podman1",
         "id": "ed82e3a703682a9c09629d3cf45c1f1e7da5b32aeff3faf82837ef4d005356e6",
         "driver": "bridge",
         "network_interface": "podman1",
         "subnets": [
           {"subnet":"10.139.115.0/24","gateway":"10.139.115.1"}
         ],
         "ipv6_enabled": true,
         "internal": false,
         "dns_enabled": false,
         "ipam_options": {
           "driver": "host-local"
         }
       }
     }
   }
    nsenter -n -m -w -t 9239 dbus-daemon --address=unix:path=/tmp/netavark_bats.BLSES9/netavark-firewalld --print-pid --config-file=/usr/lib64/netavark/f
   9265
   firewalld pid: 9266
    nsenter -n -m -w -t 9239 firewall-cmd --state
   not running
   [ rc=252 ]
    nsenter -n -m -w -t 9239 firewall-cmd --state
   running
    nsenter -n -m -w -t 9239 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.BLSES9/config setup /proc/9241/ns/net
   {"podman1":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"b2:ec:65:e4:e0:30","subnets":[{"gateway":"10.139.115.1",}
    nsenter -n -m -w -t 9239 firewall-cmd --reload
   timeout: sending signal TERM to command 'nsenter'
   [ rc=124 (** EXPECTED 0 **) ]
   *** TIMED OUT ***
   /usr/lib64/netavark/ptest/test/helpers.bash: line 49:  9266 Killed                  nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-co"
   /usr/lib64/netavark/ptest/test/helpers.bash: line 49:  9301 Killed                  nsenter -n -t $HOST_NS_PID $NETAVARK --config "$NETAVARK_TMPDIR/cd

54 tests, 5 failures

Member

Luap99 commented May 8, 2024

Please provide all the details of your environment: what distro? Which versions of bats, firewalld, ncat, iptables, etc.?

Member

Luap99 commented May 8, 2024

> sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\ link/sit 0.0.0.0 brd 0.0.0.0

Looks like you are using the sit kernel module? If this device is automatically added to all network namespaces then this will break many test assumptions. I recommend disabling that if you want to run the tests.

Author

Mingli-Yu commented May 9, 2024

> sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\ link/sit 0.0.0.0 brd 0.0.0.0

> Looks like you are using the sit kernel module? If this device is automatically added to all network namespaces then this will break many test assumptions. I recommend disabling that if you want to run the tests.

Thanks very much for your response!

BTW, do you mean netavark only works without CONFIG_IPV6_SIT, or only the netavark tests work without CONFIG_IPV6_SIT?

We use an embedded Linux based on https://www.yoctoproject.org. The related package versions are as below:

# rpm -qa | grep bats
bats-1.11.0-r0.core2_64
# rpm -qa | grep firewalld
firewalld-1.3.2-r0.core2_64
# which ncat
/usr/bin/ncat
# rpm -qf /usr/bin/ncat
nmap-7.80-r0.core2_64
# rpm -qa | grep iptables | grep -v iptables-module
iptables-1.8.10-r0.core2_64

Member

Luap99 commented May 13, 2024

I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure.
The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.

I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.

For ncat, maybe the 5 seconds is not enough in your env, so try giving it more here:

nsenter -n -t "${CONTAINER_NS_PIDS[$container_ns]}" timeout --foreground -v --kill=10 5 \
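The teardown check described above counts every link in the namespace and expects only lo, so a kernel with CONFIG_IPV6_SIT built in fails it because sit0 exists before netavark ever runs. The following is an added example, not code from the netavark test suite: a shell helper that separates genuinely leftover interfaces from the kernel's fallback tunnel devices in `ip -o link` output. The sample output is constructed from the teardown failure in this issue, and the list of fallback device names (sit0, tunl0, ip6tnl0, gre0, gretap0, erspan0, ip6gre0) is an assumption about which devices the kernel registers when the corresponding tunnel support is built in.

```shell
# Added example (not from netavark's tests): classify the links in a network
# namespace so that kernel fallback tunnel devices such as sit0 are not
# mistaken for interfaces netavark failed to tear down.

# Constructed sample: the `ip -o link` output from the failing teardown test.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/sit 0.0.0.0 brd 0.0.0.0'

# Assumption: names of the fallback devices the kernel creates in every netns
# when the matching tunnel support is built in (sit0 for CONFIG_IPV6_SIT).
FALLBACK_TUNNELS='sit0|tunl0|ip6tnl0|gre0|gretap0|erspan0|ip6gre0'

# Interface names from `ip -o link` (one record per line); "name@parent" is
# reduced to "name".
link_names() {
    awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Number of links other than lo. The upstream assertion
# `assert "${#lines[@]}" == 1 "only loopback adapter"` expects this to be 0.
count_non_lo() {
    link_names | grep -cvx 'lo' || true
}

# Fallback tunnel devices present, one per line (empty if none).
fallback_tunnels() {
    link_names | grep -Ex "$FALLBACK_TUNNELS" || true
}

# Number of links that are neither lo nor a fallback tunnel: the count a
# teardown check would need to use on a kernel like the reporter's.
count_leftover_links() {
    link_names | grep -vx 'lo' | grep -Evx "$FALLBACK_TUNNELS" | grep -c . || true
}

# Demo when run directly: prints 1, sit0, 0.
printf '%s\n' "$SAMPLE_IP_LINK" | count_non_lo
printf '%s\n' "$SAMPLE_IP_LINK" | fallback_tunnels
printf '%s\n' "$SAMPLE_IP_LINK" | count_leftover_links
```

On a system where sit0 is built in, `count_non_lo` is already 1 before the test starts, which is exactly why the assertion reports expected '1', actual '2'.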

Author

Mingli-Yu commented May 14, 2024

> I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.

For some reason, we can't disable CONFIG_IPV6_SIT as it is built into the kernel, not a module. Could you help provide the cases which may be affected by the sit module?

> I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.

Yes, we do not use firewalld. Are there any options provided to skip those cases? I notice that not only 200-bridge-firewalld.bats includes tests related to firewalld, but 250-bridge-nftables.bats also includes firewalld cases.

> For ncat, maybe the 5 seconds is not enough in your env, so try giving it more here:

> nsenter -n -t "${CONTAINER_NS_PIDS[$container_ns]}" timeout --foreground -v --kill=10 5 \

After a simple search, it seems the timeout is hardcoded. Is it possible to provide an option to configure the timeout?

Thank you very much!

Member

Luap99 commented May 14, 2024

> I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.

> For some reason, we can't disable CONFIG_IPV6_SIT as it is built into the kernel, not a module. Could you help provide the cases which may be affected by the sit module?

Sorry, I don't have time to look into that; my only suggestion is to build the kernel without it, run the tests, and see how the results differ.

> I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.

> Yes, we do not use firewalld. Are there any options provided to skip those cases? I notice that not only 200-bridge-firewalld.bats includes tests related to firewalld, but 250-bridge-nftables.bats also includes firewalld cases.

There are some special cases that need to check that the iptables and nftables integration works with the firewalld reload service. I think it is possible to move them into the firewalld file as well, but it is not a priority.

> For ncat, maybe the 5 seconds is not enough in your env, so try giving it more here:

> nsenter -n -t "${CONTAINER_NS_PIDS[$container_ns]}" timeout --foreground -v --kill=10 5 \

> After a simple search, it seems the timeout is hardcoded. Is it possible to provide an option to configure the timeout?

I would suggest bumping the timeout in our tests; no one should need to configure this. If 5s is not enough everywhere, we can increase it by default.

Author

Mingli-Yu commented May 14, 2024

> I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.

> For some reason, we can't disable CONFIG_IPV6_SIT as it is built into the kernel, not a module. Could you help provide the cases which may be affected by the sit module?

> Sorry, I don't have time to look into that; my only suggestion is to build the kernel without it, run the tests, and see how the results differ.

After disabling CONFIG_IPV6_SIT, some of the above failed cases did pass, but only the two below:
iptables - bridge teardown
iptables - port range forwarding dual - udp

And could you help confirm again whether netavark itself only works with CONFIG_IPV6_SIT disabled, or whether just the netavark tests need CONFIG_IPV6_SIT disabled? If it is just the tests, maybe improving them to work with CONFIG_IPV6_SIT would be helpful.

But there are still some cases failing, such as:
✗ iptables - internal network
(in test file test/100-bridge-iptables.bats, line 22)
`assert "$output" == "$before" "make sure tables have not changed"' failed
nsenter -n -m -w -t 960 ip link set lo up
nsenter -n -m -w -t 960 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
nsenter -n -m -w -t 960 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.KS84Nc/config --file /usr/lib64/netavark/ptest/test
{"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"7a:98:74:21:e2:7d","subnets":[{"gateway":"10.88.0.1","ipn}
nsenter -n -m -w -t 960 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
#| FAIL: make sure tables have not changed
#| expected: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination '
#| actual: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain INPUT (policy ACCEPT 0 packets, 0 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.

> Yes, we do not use firewalld. Are there any options provided to skip those cases? I notice that not only 200-bridge-firewalld.bats includes tests related to firewalld, but 250-bridge-nftables.bats also includes firewalld cases.

> There are some special cases that need to check that the iptables and nftables integration works with the firewalld reload service. I think it is possible to move them into the firewalld file as well, but it is not a priority.

Thanks for your feedback! It's more helpful to move the firewalld related tests into one file, and I sent a PR as #994.

> For ncat, maybe the 5 seconds is not enough in your env, so try giving it more here:

> nsenter -n -t "${CONTAINER_NS_PIDS[$container_ns]}" timeout --foreground -v --kill=10 5 \

> After a simple search, it seems the timeout is hardcoded. Is it possible to provide an option to configure the timeout?

> I would suggest bumping the timeout in our tests; no one should need to configure this. If 5s is not enough everywhere, we can increase it by default.

After a quick search for the line

nsenter -n -t "${CONTAINER_NS_PIDS[$container_ns]}" timeout --foreground -v --kill=10 5 \

do you mean to change the hardcoded timeout value?

BTW, is it possible to print the test results to a file? That is to say, gather the output below into a file.
100-bridge-iptables.bats
✓ check iptables driver is in use
✗ iptables - internal network
(in test file test/100-bridge-iptables.bats, line 22)
`assert "$output" == "$before" "make sure tables have not changed"' failed
nsenter -n -m -w -t 10844 ip link set lo up
nsenter -n -m -w -t 10844 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
nsenter -n -m -w -t 10844 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.PHBxtg/config --file /usr/lib64/netavark/ptest/tt
{"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"4e:96:5c:d1:2e:eb","subnets":[{"gateway":"10.88.0.1","ipn}
nsenter -n -m -w -t 10844 iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
#| FAIL: make sure tables have not changed
#| expected: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination '
#| actual: 'Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain INPUT (policy ACCEPT 0 packets, 0 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#| > 'Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)'
#| > ' pkts bytes target prot opt in out source destination '
#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[snip]

Thanks!
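In the "iptables - internal network" failure quoted above (and in the original report), the expected and actual nat tables have identical, empty chains and differ only in the policy packet/byte counters of OUTPUT and POSTROUTING. The following is an added example, not code from the netavark test suite: a shell normaliser that strips those volatile counters from `iptables -nvL` output so a before/after comparison reports rule changes but not traffic counters. The sample tables are constructed from the issue's output; the MASQUERADE row in the third sample is invented to show that a real change is still caught.

```shell
# Added example (not from netavark's tests): compare two `iptables -nvL` dumps
# by rule content, ignoring the packet/byte counters that change whenever any
# traffic passes through the namespace.

# Constructed sample: two chains of the "before" table from the failing
# "iptables - internal network" assertion.
BEFORE='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: the same chains afterwards; only the counters moved.
AFTER='Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample (invented rule): a genuine change that must still be
# reported even though counters are ignored.
AFTER_CHANGED='Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 MASQUERADE  all  --  *      *       10.88.0.0/16         0.0.0.0/0'

# Strip volatile counters from `iptables -nvL` output:
#   1. "(policy ACCEPT 1 packets, 40 bytes)" -> "(policy ACCEPT)"
#   2. drop the leading pkts and bytes columns of rule rows (digits, optionally
#      with a K/M/G/T suffix when -x is not used)
#   3. collapse whitespace so column alignment is irrelevant
normalize_nvl() {
    sed -E -e 's/\(policy ([A-Z]+) [0-9]+ packets, [0-9]+ bytes\)/(policy \1)/' \
           -e 's/^ *[0-9]+[KMGT]? +[0-9]+[KMGT]? +//' \
           -e 's/[[:space:]]+/ /g' -e 's/ $//'
}

# Report whether the rule content of two dumps is identical.
# Prints "unchanged" (exit 0) or "changed" (exit 1).
rules_unchanged() {
    before=$(printf '%s\n' "$1" | normalize_nvl)
    after=$(printf '%s\n' "$2" | normalize_nvl)
    if [ "$before" = "$after" ]; then
        echo unchanged
        return 0
    fi
    echo changed
    return 1
}

# Demo when run directly: prints "unchanged" then "changed".
rules_unchanged "$BEFORE" "$AFTER"
rules_unchanged "$BEFORE" "$AFTER_CHANGED" || true
```

A comparison based on `iptables -S` (which prints no counters) is another way to get the same insensitivity; the normaliser above is for the `-nvL` form the test already captures.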
