On 2026-02-02 10:41, Jakub Kicinski wrote:

On Mon, 2 Feb 2026 07:53:34 +0900 David Wei wrote:

quoted

On 2026-02-01 09:38, Jakub Kicinski wrote:

quoted

I'm not a Python expert but the pre-init of variables that are set
later on in __init__() (on all possible paths) seems like a waste of LoC

It's so that exceptions thrown -> __del__() don't complain about
undefined vars.

I see. I guess that's cleaner than hasattr(self, "xyz"), fair.

quoted

quoted

quoted

+
+        ip(f"link add type netkit mode l2 forward peer forward numrxqueues {rxqueues}")

Would we be able to do this with YNL?
no big deal but always nice to avoid the dependency on very latest CLI

Hmm, I tried looking into this already. My understanding is that this
can be done in C but not currently in YNL, not without adding a spec.

I thought the only thing C can do that Python can't is deciding nested
extacks.. Ah, of course.. I missed that patch 10 is not updating the
YAML spec. That needs to be fixed, we want YAML to stay in sync for the
families that are already YAML-ized.

Sorry, my mistake. It is possible with rt-link.yaml:

   ynl = RtnlFamily()
   ynl.newlink(...)

quoted

quoted

quoted

+    def _setup_ns(self):
+        self.netns = NetNS()
+        cmd("ip netns attach init 1")
+        self._init_ns_attached = True
+        ip("netns set init 0", ns=self.netns)

Hm, refactor class NetNSEnter or just use its enter method?

I did consider this but I didn't feel like it fit the very specific
purpose of NetNSEnter. I needed the init ns to have a valid nsid from
within the test netns, which I didn't think many other tests would need.

What about the "ip netns attach init 1" ?
that's the main thing that gave me pause TBH
Why is it needed?

The bind-queue lease attribute takes the ifindex/queue/netns-id of the
source phys netdev to lease a queue from. Once a netlink has been moved
into a netns, it doesn't have access to the source phys netdev in the
init ns anymore. This is why initially I did the bind-queue before
moving one of the netkit peers into a netns.

For me to be able to do a bind-queue op inside a netns, I use ip netns
attach to make the init ns available with a nsid inside of a netns.

quoted

quoted

Don't we need to also add a qdisc if there isn't one already?

Sorry, why would qdisc be needed? The bpf prog attaches to tc. I don't
know anything about qdisc, though.

There's a new way of attaching qdisc-less (TCX) but IIUC here you're
attaching in the old way. So you must have a parent object. The ingress
/ clsact qdisc isn't really for queuing packets, it's just a fake qdisc
that lets you attach TC filters to an interface. Machines at Meta have
a clsact qdisc installed by init, but that's far from normal (try to
run this command in vng, you'll see)

Thanks for the explanation. I'll fix this by adding a qdisc if one
doesn't exist.

quoted

quoted

quoted

+        match = re.search(r'pref (\d+).*nk_forward\.bpf.*id (\d+)', tc_info)

I haven't checked but TC doesn't support enough JSON and YNL doesn't
support enough TC to avoid re hacks? :( :(

Yeah the old TC tool doesn't give me this info programmatically :(

Borkmann mentioned TC is outdated/unmaintained. I did use tcx via a C
loader before, but that was removed in an earlier iteration.

Not sure what you're saying. tc bpf CLI supports JSON output since:

commit 3175bca7182b0867c6e9a3d5d1551fdecf70118c
Author: Davide Caratti [off-list ref]
Date:   Thu Apr 30 20:03:30 2020 +0200

     tc: full JSON support for 'bpf' filter

Yes this works, I'll use it instead of regex.