From patchwork Mon Oct 14 16:06:36 2024
X-Patchwork-Submitter: Simon Horman
X-Patchwork-Id: 1997057
From: Simon Horman
Date: Mon, 14 Oct 2024 17:06:36 +0100
Message-Id: <20241014-nft-testsuite-v1-1-6cd52bb0ceb5@ovn.org>
References: <20241014-nft-testsuite-v1-0-6cd52bb0ceb5@ovn.org>
In-Reply-To: <20241014-nft-testsuite-v1-0-6cd52bb0ceb5@ovn.org>
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH 1/3] tests: add nft accept support.

Certain Linux distributions, like CentOS, have default iptable rules
to reject input traffic from bridges such as br-underlay. To address
this, IPTABLES_ACCEPT adds an iptables rule to always accept the traffic.

As part of an effort to use nft in place of iptables in the testsuite,
implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. As the
condition where IPTABLES_ACCEPT applies implies the existence of an
INPUT chain, only instantiate an nft rule in that chain if it already
exists.

Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if both
jq and nft are available, and IPTABLES_ACCEPT otherwise.

And provide OVS_CHECK_XT, which can be used to check if the
prerequisites for running XT_ACCEPT are present, and skips the current
test otherwise.

Update the one test where IPTABLES_ACCEPT is used so that it now uses
XT_ACCEPT and OVS_CHECK_XT.

Signed-off-by: Simon Horman
---
 tests/atlocal.in              |  6 ++++++
 tests/ovs-macros.at           | 27 +++++++++++++++++++++++++--
 tests/system-common-macros.at |  5 +++++
 tests/system-traffic.at       |  4 ++--
 4 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/tests/atlocal.in b/tests/atlocal.in
index d6b87f8ec776..37aa6c56a8fd 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -188,6 +188,12 @@ find_command ethtool # Set HAVE_IPTABLES find_command iptables +# Set HAVE_NFT +find_command nft + +# Set HAVE_JQ +find_command jq + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" # Determine whether "diff" supports "normal" diffs. (busybox diff does not.) diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at index f1b8041fbac9..172d78207cfc 100644 --- a/tests/ovs-macros.at +++ b/tests/ovs-macros.at @@ -360,9 +360,32 @@ m4_ifndef([AT_FAIL_IF], [AT_CHECK([($1) \ && exit 99 || exit 0], [0], [ignore], [ignore])])]) -dnl Certain Linux distributions, like CentOS, have default iptable rules -dnl to reject input traffic from bridges such as br-underlay. dnl Add a rule to always accept the traffic. m4_define([IPTABLES_ACCEPT], [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) on_exit 'iptables -D INPUT 1']) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl This implies the existence of a ip filter INPUT chain. +dnl If that chain exists then add a rule to it to always accept all traffic. +m4_define([NFT_ACCEPT], + [if nft list chain ip filter INPUT > /dev/null 2>1; then + AT_CHECK([nft -je \ + "insert rule ip filter INPUT iifname \"$1\" counter accept"], + [0], [stdout-nolog]) + dnl Extract handle, which is used to delete the rule + AT_CHECK([jq '.[["nftables"]].[[0]].insert.rule.handle' < stdout], [0], + [stdout]) + on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\"" + fi]) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl Add a rule to always accept the traffic. +m4_define([XT_ACCEPT], + [if test $HAVE_NFT = yes -a $HAVE_JQ = yes; then + NFT_ACCEPT([$1]) + else + IPTABLES_ACCEPT([$1]) + fi]) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index e9be021f3ffa..7993375d845e 100644 
--- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -382,3 +382,8 @@ m4_define([OVS_CHECK_DROP_ACTION], # OVS_CHECK_PSAMPLE() m4_define([OVS_CHECK_PSAMPLE], [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])]) + +# OVS_CHECK_XT() +m4_define([OVS_CHECK_XT], + [AT_SKIP_IF([test $HAVE_IPTABLES = no && \ + test $HAVE_NFT = no -o $HAVE_JQ = no])]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index a04d9611053e..2b1686e99391 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1186,7 +1186,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while AT_CLEANUP AT_SETUP([datapath - ping over gre tunnel by simulated packets]) -AT_SKIP_IF([test $HAVE_IPTABLES = no]) +OVS_CHECK_XT() OVS_CHECK_MIN_KERNEL(3, 10) OVS_TRAFFIC_VSWITCHD_START() @@ -1206,7 +1206,7 @@ AT_CHECK([ip link set dev br-underlay up]) dnl Set up tunnel endpoints on OVS outside the namespace. ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) -IPTABLES_ACCEPT([br-underlay]) +XT_ACCEPT([br-underlay]) NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) sleep 1
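Review bot: in the NFT_ACCEPT hunk of tests/ovs-macros.at, `nft list chain ip filter INPUT > /dev/null 2>1` redirects stderr to a file literally named `1` in the test directory instead of to stdout; it should read `2>&1`. Two smaller points in the same hunk: the jq path `.[["nftables"]].[[0]].insert.rule.handle` expands to `.["nftables"].[0]...`, and a `.` directly before `[0]` is rejected by older jq releases, so `.nftables[[0]].insert.rule.handle` is shorter and more portable; and the "Certain Linux distributions, like CentOS ..." rationale is dropped from IPTABLES_ACCEPT (leaving "dnl Add a rule to always accept the traffic." standing alone) and then repeated verbatim above both NFT_ACCEPT and XT_ACCEPT, so it would read better stated once above XT_ACCEPT, with each backend's comment limited to what is specific to it (for NFT_ACCEPT, that the rule is only added when the `ip filter INPUT` chain exists). It is also worth spelling out, in the comment or the commit message, that XT_ACCEPT prefers nft whenever nft and jq are installed, so on a host whose reject rules live in iptables-legacy rather than iptables-nft, `nft list chain ip filter INPUT` fails, NFT_ACCEPT silently adds nothing and the reject rule stays in effect.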
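Review bot: in the OVS_CHECK_XT hunk of tests/system-common-macros.at, `test $HAVE_IPTABLES = no && test $HAVE_NFT = no -o $HAVE_JQ = no` relies on the obsolescent `-o` primary of `test`, which shellcheck flags and whose precedence POSIX leaves unspecified; `test "$HAVE_IPTABLES" = no && { test "$HAVE_NFT" = no || test "$HAVE_JQ" = no; }` keeps the meaning (skip only when neither backend is usable) and quotes the variables so an unset HAVE_* value cannot turn into a `test` usage error. The same applies to `test $HAVE_NFT = yes -a $HAVE_JQ = yes` in XT_ACCEPT.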
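The add-then-clean-up flow that this patch wires into the test suite, modelled as a dry-run planner. This is an added example, not code from Open vSwitch or from the patch; it assumes the JSON shape that `nft -je` echoes for an `insert rule` command (the same shape the patch's jq path `.nftables[0].insert.rule.handle` relies on), and its sample echo document is constructed rather than captured from a live system. It also covers two cases the patch does not spell out: an echo that carries no handle, and the positional `iptables -D INPUT 1` cleanup, which removes whichever rule is first in the chain when the test exits.

```python
"""Dry-run model of the XT_ACCEPT / NFT_ACCEPT / OVS_CHECK_XT flow.

Added example, not code from Open vSwitch or the patch. It assumes the
JSON shape that `nft -je` echoes for `insert rule` (the patch's jq path
`.nftables[0].insert.rule.handle` relies on the same shape). The sample
echo below is constructed, not captured from a live system.
"""
import json
import re

# Constructed stand-in for what `nft -je "insert rule ..."` prints.
SAMPLE_NFT_ECHO = json.dumps({"nftables": [{"insert": {"rule": {
    "family": "ip", "table": "filter", "chain": "INPUT", "handle": 42,
    "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                   "right": "br-underlay"}},
        {"counter": {"packets": 0, "bytes": 0}},
        {"accept": None},
    ]}}}]})

# Linux interface names are at most IFNAMSIZ-1 = 15 bytes; the character
# set is restricted too, because the name is spliced into a shell command.
_IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def select_backend(have_nft, have_jq, have_iptables):
    """Mirror OVS_CHECK_XT + XT_ACCEPT: nft is used only together with jq
    (needed to read the echoed handle); iptables is the fallback; with
    neither usable the test is skipped."""
    if have_nft and have_jq:
        return "nft"
    if have_iptables:
        return "iptables"
    return "skip"


def handle_from_nft_echo(echo_text):
    """Rule handle from the nft JSON echo, or None if it cannot be found.
    Returning None (instead of "") keeps a broken echo from turning into
    `delete rule ... handle ` with an empty argument at exit time."""
    try:
        doc = json.loads(echo_text)
        return int(doc["nftables"][0]["insert"]["rule"]["handle"])
    except (ValueError, KeyError, IndexError, TypeError):
        return None


def accept_plan(backend, ifname, chain_exists=True, nft_echo=""):
    """Return {"add": cmd or None, "cleanup": cmd or None, "note": why}.

    nft deletes by handle, so cleanup removes exactly the rule added here.
    iptables (as in IPTABLES_ACCEPT) deletes `INPUT 1` by position, which
    removes whichever rule is first when the test exits.
    """
    if not _IFNAME_RE.fullmatch(ifname):
        raise ValueError(f"unsafe interface name: {ifname!r}")
    if backend == "nft":
        if not chain_exists:
            return {"add": None, "cleanup": None,
                    "note": "no ip filter INPUT chain; nothing to bypass"}
        add = ('nft -je "insert rule ip filter INPUT iifname '
               f'\\"{ifname}\\" counter accept"')
        handle = handle_from_nft_echo(nft_echo)
        if handle is None:
            return {"add": add, "cleanup": None,
                    "note": "handle missing from echo; rule would leak"}
        return {"add": add,
                "cleanup": f'nft "delete rule ip filter INPUT handle {handle}"',
                "note": "cleanup targets the exact rule"}
    if backend == "iptables":
        return {"add": f"iptables -I INPUT 1 -i {ifname} -j ACCEPT",
                "cleanup": "iptables -D INPUT 1",
                "note": "positional cleanup; may remove a different rule"}
    return {"add": None, "cleanup": None, "note": "skip test"}


if __name__ == "__main__":
    for backend in ("nft", "iptables", "skip"):
        print(backend, accept_plan(backend, "br-underlay",
                                   nft_echo=SAMPLE_NFT_ECHO))
```

Running the module prints the plan for each backend; the nft plan ends in a delete by handle, which is the property that makes NFT_ACCEPT's cleanup safe to run after other tests or tools have touched the chain.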