
[ovs-dev,1/3] tests: add nft accept support.

Message ID 20241014-nft-testsuite-v1-1-6cd52bb0ceb5@ovn.org


Commit Message

Simon Horman Oct. 14, 2024, 4:06 p.m. UTC
Certain Linux distributions, like CentOS, have default iptable rules
to reject input traffic from bridges such as br-underlay.

To address this, IPTABLES_ACCEPT adds an iptables rule to always accept
the traffic.

As part of an effort to use nft in place of iptables in the testsuite,
implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. Since the
condition under which IPTABLES_ACCEPT is needed implies that an
ip filter INPUT chain exists, only instantiate an nft rule in that
chain if it already exists.

Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if
both jq and nft are available, and IPTABLES_ACCEPT otherwise

And provide OVS_CHECK_XT, which can be used to check if the
prerequisites for running XT_ACCEPT are present, and skips the current
test otherwise.

Update the one test where IPTABLES_ACCEPT is used so that it
now uses XT_ACCEPT and OVS_CHECK_XT.

Signed-off-by: Simon Horman <horms@ovn.org>
---
 tests/atlocal.in              |  6 ++++++
 tests/ovs-macros.at           | 27 +++++++++++++++++++++++++--
 tests/system-common-macros.at |  5 +++++
 tests/system-traffic.at       |  4 ++--
 4 files changed, 38 insertions(+), 4 deletions(-)

Comments

0-day Robot Oct. 14, 2024, 4:25 p.m. UTC | #1
Bleep bloop.  Greetings Simon Horman, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: The subject summary should start with a capital.
Subject: tests: add nft accept support.


Please check this out.  If you feel there has been an error, please email aconole@redhat.com

Thanks,
0-day Robot

Patch

diff --git a/tests/atlocal.in b/tests/atlocal.in
index d6b87f8ec776..37aa6c56a8fd 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -188,6 +188,12 @@  find_command ethtool
 # Set HAVE_IPTABLES
 find_command iptables
 
+# Set HAVE_NFT
+find_command nft
+
+# Set HAVE_JQ
+find_command jq
+
 CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1"
 
 # Determine whether "diff" supports "normal" diffs.  (busybox diff does not.)
diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index f1b8041fbac9..172d78207cfc 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -360,9 +360,32 @@  m4_ifndef([AT_FAIL_IF],
     [AT_CHECK([($1) \
     && exit 99 || exit 0], [0], [ignore], [ignore])])])
 
-dnl Certain Linux distributions, like CentOS, have default iptable rules
-dnl to reject input traffic from bridges such as br-underlay.
 dnl Add a rule to always accept the traffic.
 m4_define([IPTABLES_ACCEPT],
   [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT])
    on_exit 'iptables -D INPUT 1'])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl This implies the existence of a ip filter INPUT chain.
+dnl If that chain exists then add a rule to it to always accept all traffic.
+m4_define([NFT_ACCEPT],
+  [if nft list chain ip filter INPUT > /dev/null 2>1; then
+     AT_CHECK([nft -je \
+               "insert rule ip filter INPUT iifname \"$1\" counter accept"],
+               [0], [stdout-nolog])
+     dnl Extract handle, which is used to delete the rule
+     AT_CHECK([jq '.[["nftables"]].[[0]].insert.rule.handle' < stdout], [0],
+              [stdout])
+     on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\""
+   fi])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl Add a rule to always accept the traffic.
+m4_define([XT_ACCEPT],
+  [if test $HAVE_NFT = yes -a $HAVE_JQ = yes; then
+       NFT_ACCEPT([$1])
+   else
+       IPTABLES_ACCEPT([$1])
+   fi])
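Review bot: The chain-existence probe in NFT_ACCEPT uses `2>1`, which redirects stderr into a regular file named `1` in the test directory instead of discarding it; it should read `if nft list chain ip filter INPUT > /dev/null 2>&1; then`. As written the test leaves a stray `1` file behind and any nft error text still lands there rather than being suppressed, which is presumably not intended. A second concern is the handle extraction: `jq ... < stdout` runs inside an AT_CHECK whose own output is also captured to `stdout`, and if autotest applies its `>stdout` redirection before the command starts (which I believe it does), the file is truncated before jq reads it and the handle would come back empty; saving the nft JSON under a different name (e.g. `cp stdout nft.json` before the jq AT_CHECK, then `jq ... < nft.json`) would avoid relying on that ordering. On the positive side, deleting by handle is more robust than the `iptables -D INPUT 1` cleanup in IPTABLES_ACCEPT, which removes whatever rule is first at exit time rather than the one this macro inserted.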
diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index e9be021f3ffa..7993375d845e 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -382,3 +382,8 @@  m4_define([OVS_CHECK_DROP_ACTION],
 # OVS_CHECK_PSAMPLE()
 m4_define([OVS_CHECK_PSAMPLE],
     [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])])
+
+# OVS_CHECK_XT()
+m4_define([OVS_CHECK_XT],
+    [AT_SKIP_IF([test $HAVE_IPTABLES = no && \
+                 test $HAVE_NFT = no -o $HAVE_JQ = no])])
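Review bot: The skip condition in OVS_CHECK_XT mixes shell `&&` with `test -o`, and `-o` (like the `-a` used in XT_ACCEPT) is marked obsolescent in POSIX, so the precedence between the two is easy to misread even though the intent — skip only when neither iptables nor a usable nft+jq pair is present — is correct here. Spelling it with shell operators only keeps the logic explicit: `AT_SKIP_IF([test $HAVE_IPTABLES = no && { test $HAVE_NFT = no || test $HAVE_JQ = no; }])`. This also mirrors the selection order in XT_ACCEPT, which prefers nft when both nft and jq are found and otherwise falls back to iptables, so the two macros stay in step if either condition is later extended.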
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index a04d9611053e..2b1686e99391 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1186,7 +1186,7 @@  OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while
 AT_CLEANUP
 
 AT_SETUP([datapath - ping over gre tunnel by simulated packets])
-AT_SKIP_IF([test $HAVE_IPTABLES = no])
+OVS_CHECK_XT()
 OVS_CHECK_MIN_KERNEL(3, 10)
 
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1206,7 +1206,7 @@  AT_CHECK([ip link set dev br-underlay up])
 dnl Set up tunnel endpoints on OVS outside the namespace.
 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
 
-IPTABLES_ACCEPT([br-underlay])
+XT_ACCEPT([br-underlay])
 
 NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid])
 sleep 1