From adce219a4634be9c1e90160e8709518d784603c7 Mon Sep 17 00:00:00 2001 From: Dmitrii Iurco Date: Sat, 6 Jun 2026 15:35:19 -0400 Subject: [PATCH] fix: clean up stale wg-quick nftables tables in e2e test teardown wg-quick creates an nftables 'preraw' table per interface that drops decrypted ICMP replies arriving on any other interface. If a test run crashes before bring_down(), the table persists and silently kills pings on subsequent runs (handshake succeeds, replies are decrypted, but the stale table drops them before the ping process sees them). Extend cleanup_stale_e2e_interfaces() to also delete any orphaned wg-quick-pic-e2e-* nftables tables found on the host. Co-Authored-By: Claude Sonnet 4.6 --- tests/e2e/helpers/wg_runner.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/e2e/helpers/wg_runner.py b/tests/e2e/helpers/wg_runner.py index 583afdd..f8dd7ca 100644 --- a/tests/e2e/helpers/wg_runner.py +++ b/tests/e2e/helpers/wg_runner.py @@ -52,9 +52,18 @@ def build_wg_config(private_key: str, peer_ip: str, server_pubkey: str, def cleanup_stale_e2e_interfaces(): - """Remove any leftover pic-e2e-* interfaces from previous failed runs.""" + """Remove any leftover pic-e2e-* interfaces and nftables tables from previous failed runs.""" result = subprocess.run(['ip', 'link', 'show'], capture_output=True, text=True) for line in result.stdout.splitlines(): if 'pic-e2e-' in line: iface = line.split(':')[1].strip().split('@')[0] subprocess.run(['sudo', 'ip', 'link', 'delete', iface], capture_output=True) + + # wg-quick creates an nftables table per interface; if the interface was never brought + # down cleanly the table persists and drops decrypted ICMP replies on future runs. + nft_result = subprocess.run(['nft', 'list', 'tables'], capture_output=True, text=True) + for line in nft_result.stdout.splitlines(): + if 'wg-quick-pic-e2e-' in line: + table_name = line.strip().split()[-1] + subprocess.run(['sudo', 'nft', 'delete', 'table', 'ip', table_name], + capture_output=True)