Message ID | 1595522143-85526-1-git-send-email-u9012063@gmail.com |
---|---|
State | Accepted |
Commit | 5e06e7ac99dcbeb4ce0de94991e1d08f1a3a21b1 |
Series | [ovs-dev] tests: Refactor the iptables accept rule. |
On 7/23/2020 9:35 AM, William Tu wrote: > Certain Linux distributions, like CentOS, have default iptable > rules to reject input traffic from br-underlay. Refactor by > creating a macro 'IPTABLES_ACCEPT([bridge])' for adding the > accept rule to the iptable input chain. > > Signed-off-by: William Tu <u9012063@gmail.com> > --- > tests/ovs-macros.at | 7 +++++++ > tests/system-traffic.at | 12 ++---------- > 2 files changed, 9 insertions(+), 10 deletions(-) > > diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at > index fee50901543e..b1f666f4e83f 100644 > --- a/tests/ovs-macros.at > +++ b/tests/ovs-macros.at > @@ -333,3 +333,10 @@ m4_ifndef([AT_FAIL_IF], > [m4_define([AT_FAIL_IF], > [AT_CHECK([($1) \ > && exit 99 || exit 0], [0], [ignore], [ignore])])]) > + > +dnl Certain Linux distributions, like CentOS, have default iptable rules > +dnl to reject input traffic from bridges such as br-underlay. > +dnl Add a rule to always accept the traffic. > +m4_define([IPTABLES_ACCEPT], > + [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) > + on_exit 'iptables -D INPUT 1 -i $1']) > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 2a0fbadff4a1..02f0e2716320 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -688,11 +688,7 @@ AT_CHECK([ip link set dev br-underlay up]) > dnl Set up tunnel endpoints on OVS outside the namespace. > ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) > > -dnl Certain Linux distributions, like CentOS, have default iptable rules > -dnl to reject input traffic from br-underlay. Here we add a rule to walk > -dnl around it. > -iptables -I INPUT 1 -i br-underlay -j ACCEPT > -on_exit 'iptables -D INPUT 1' > +IPTABLES_ACCEPT([br-underlay]) > > ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap & > sleep 1 
> @@ -739,11 +735,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native > dnl linux device inside the namespace. > ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7]) > > -dnl Certain Linux distributions, like CentOS, have default iptable rules > -dnl to reject input traffic from br-underlay. Here we add a rule to walk > -dnl around it. > -iptables -I INPUT 1 -i br-underlay -j ACCEPT > -on_exit 'iptables -D INPUT 1' > +IPTABLES_ACCEPT([br-underlay]) > > ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap & > sleep 1 > LGTM - I didn't see any regression. Acked-by: Greg Rose <gvrose8192@gmail.com>
On Fri, Jul 24, 2020 at 10:03 AM Gregory Rose <gvrose8192@gmail.com> wrote: > > > On 7/23/2020 9:35 AM, William Tu wrote: > > Certain Linux distributions, like CentOS, have default iptable > > rules to reject input traffic from br-underlay. Refactor by > > creating a macro 'IPTABLES_ACCEPT([bridge])' for adding the > > accept rule to the iptable input chain. > > > > Signed-off-by: William Tu <u9012063@gmail.com> > > --- > > tests/ovs-macros.at | 7 +++++++ > > tests/system-traffic.at | 12 ++---------- > > 2 files changed, 9 insertions(+), 10 deletions(-) > > > > diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at > > index fee50901543e..b1f666f4e83f 100644 > > --- a/tests/ovs-macros.at > > +++ b/tests/ovs-macros.at > > @@ -333,3 +333,10 @@ m4_ifndef([AT_FAIL_IF], > > [m4_define([AT_FAIL_IF], > > [AT_CHECK([($1) \ > > && exit 99 || exit 0], [0], [ignore], [ignore])])]) > > + > > +dnl Certain Linux distributions, like CentOS, have default iptable rules > > +dnl to reject input traffic from bridges such as br-underlay. > > +dnl Add a rule to always accept the traffic. > > +m4_define([IPTABLES_ACCEPT], > > + [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) > > + on_exit 'iptables -D INPUT 1 -i $1']) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > > index 2a0fbadff4a1..02f0e2716320 100644 > > --- a/tests/system-traffic.at > > +++ b/tests/system-traffic.at > > @@ -688,11 +688,7 @@ AT_CHECK([ip link set dev br-underlay up]) > > dnl Set up tunnel endpoints on OVS outside the namespace. > > ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) > > > > -dnl Certain Linux distributions, like CentOS, have default iptable rules > > -dnl to reject input traffic from br-underlay. Here we add a rule to walk > > -dnl around it. > > -iptables -I INPUT 1 -i br-underlay -j ACCEPT > > -on_exit 'iptables -D INPUT 1' > > +IPTABLES_ACCEPT([br-underlay]) > > > > ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap & > > sleep 1 
> > @@ -739,11 +735,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native > > dnl linux device inside the namespace. > > ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7]) > > > > -dnl Certain Linux distributions, like CentOS, have default iptable rules > > -dnl to reject input traffic from br-underlay. Here we add a rule to walk > > -dnl around it. > > -iptables -I INPUT 1 -i br-underlay -j ACCEPT > > -on_exit 'iptables -D INPUT 1' > > +IPTABLES_ACCEPT([br-underlay]) > > > > ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap & > > sleep 1 > > > > LGTM - I didn't see any regression. > > Acked-by: Greg Rose <gvrose8192@gmail.com> Thanks, I applied to master.
diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at index fee50901543e..b1f666f4e83f 100644 --- a/tests/ovs-macros.at +++ b/tests/ovs-macros.at @@ -333,3 +333,10 @@ m4_ifndef([AT_FAIL_IF], [m4_define([AT_FAIL_IF], [AT_CHECK([($1) \ && exit 99 || exit 0], [0], [ignore], [ignore])])]) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl Add a rule to always accept the traffic. +m4_define([IPTABLES_ACCEPT], + [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) + on_exit 'iptables -D INPUT 1 -i $1']) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 2a0fbadff4a1..02f0e2716320 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -688,11 +688,7 @@ AT_CHECK([ip link set dev br-underlay up]) dnl Set up tunnel endpoints on OVS outside the namespace. ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) -dnl Certain Linux distributions, like CentOS, have default iptable rules -dnl to reject input traffic from br-underlay. Here we add a rule to walk -dnl around it. -iptables -I INPUT 1 -i br-underlay -j ACCEPT -on_exit 'iptables -D INPUT 1' +IPTABLES_ACCEPT([br-underlay]) ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap & sleep 1 @@ -739,11 +735,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native dnl linux device inside the namespace. ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7]) -dnl Certain Linux distributions, like CentOS, have default iptable rules -dnl to reject input traffic from br-underlay. Here we add a rule to walk -dnl around it. -iptables -I INPUT 1 -i br-underlay -j ACCEPT -on_exit 'iptables -D INPUT 1' +IPTABLES_ACCEPT([br-underlay]) ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap & sleep 1
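Review bot: In the tests/ovs-macros.at hunk, the cleanup `on_exit 'iptables -D INPUT 1 -i $1'` mixes the two forms of -D: iptables deletes either by rule number or by rule specification, and here a position (1) is followed by a partial match (-i $1) with no target. Deleting by position also removes whatever sits first in INPUT at exit, which is a different rule if anything else was inserted in the meantime, and a failed delete leaves the accept rule for the bridge on the host firewall after the test. Suggest mirroring the insert instead: `on_exit 'iptables -D INPUT -i $1 -j ACCEPT'`.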
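Review bot: In the tests/system-traffic.at hunk at -688 (and the identical one at -739), swapping the bare `iptables -I INPUT 1 -i br-underlay -j ACCEPT` for IPTABLES_ACCEPT([br-underlay]) is not a pure refactor as the commit message describes it: the insert now runs under AT_CHECK, so a host where iptables is missing or fails will fail the gre and erspan tests, where the old line's exit status was ignored. If that stricter behaviour is intended, state it in the commit message; otherwise consider skipping the rule when iptables is unavailable.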
Certain Linux distributions, like CentOS, have default iptable
rules to reject input traffic from br-underlay. Refactor by
creating a macro 'IPTABLES_ACCEPT([bridge])' for adding the
accept rule to the iptable input chain.

Signed-off-by: William Tu <u9012063@gmail.com>
---
 tests/ovs-macros.at     |  7 +++++++
 tests/system-traffic.at | 12 ++----------
 2 files changed, 9 insertions(+), 10 deletions(-)