fix: nftables flaky test

smira · smira · commit 5ca8418049e3 · 2025-10-02T18:41:11.000+04:00
Make sure counters won't increase on the rule, so the test would match
on zero counters.

Signed-off-by: Andrey Smirnov &lt;andrey.smirnov@siderolabs.com&gt;
diff --git a/internal/app/machined/pkg/controllers/network/nftables_chain_test.go b/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
@@ -189,7 +189,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {
 		{
 			MatchConntrackState: &network.NfTablesConntrackStateMatch{
 				States: []nethelpers.ConntrackState{
-					nethelpers.ConntrackStateInvalid,
+					nethelpers.ConntrackStateEstablished, // this rule should never match, as previous rule matches it
 				},
 			},
 			AnonCounter: true,
@@ -203,7 +203,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {
 	chain test1 {
 		type filter hook input priority security; policy accept;
 		ct state { 0x2000000, 0x4000000 } accept
-		ct state invalid counter packets 0 bytes 0 drop
+		ct state established counter packets 0 bytes 0 drop
 	}
 }`)
 }

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {`
`189`	`189`	`{`
`190`	`190`	`MatchConntrackState: &network.NfTablesConntrackStateMatch{`
`191`	`191`	`States: []nethelpers.ConntrackState{`
`192`		`- nethelpers.ConntrackStateInvalid,`
	`192`	`+ nethelpers.ConntrackStateEstablished, // this rule should never match, as previous rule matches it`
`193`	`193`	`},`
`194`	`194`	`},`
`195`	`195`	`AnonCounter: true,`
`@@ -203,7 +203,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {`
`203`	`203`	`chain test1 {`
`204`	`204`	`type filter hook input priority security; policy accept;`
`205`	`205`	`ct state { 0x2000000, 0x4000000 } accept`
`206`		`- ct state invalid counter packets 0 bytes 0 drop`
	`206`	`+ ct state established counter packets 0 bytes 0 drop`
`207`	`207`	`}`
`208`	`208`	}`)
`209`	`209`	`}`