From patchwork Tue Nov 5 08:27:30 2024
X-Patchwork-Submitter: Simon Horman
X-Patchwork-Id: 2006748
X-Patchwork-Delegate: aconole@redhat.com
From: Simon Horman
Date: Tue, 05 Nov 2024 08:27:30 +0000
Message-Id: <20241105-nft-testsuite-v2-2-e356adf75e81@ovn.org>
In-Reply-To: <20241105-nft-testsuite-v2-0-e356adf75e81@ovn.org>
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2 2/3] tests: Add nft support to ADD_EXTERNAL_CT.

Add support for using nft, if available, in ADD_EXTERNAL_CT and the associated check macro, NFT_CHECK_EXTERNAL_CT.

These macros are used to accommodate checks that rely on tracking packets outside of OvS and were added by commit 60917c822de6 ("system-traffic: Do not rely on conncount for already tracked packets.")

This is part of an effort to use nft, when available, instead of iptables in the testsuite.

Signed-off-by: Simon Horman
---
 tests/system-kmod-macros.at | 80 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 75 insertions(+), 5 deletions(-)

diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at index 135892e91278..a48bd532a0b0 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at 
@@ -268,23 +268,93 @@ m4_define([OVS_CHECK_BAREUDP], AT_CHECK([ip link del dev ovs_bareudp0]) ]) -# CHECK_EXTERNAL_CT() +# IPTABLES_CHECK_EXTERNAL_CT() # # Checks if packets can be tracked outside OvS. -m4_define([CHECK_EXTERNAL_CT], +# iptables variant of this macro +m4_define([IPTABLES_CHECK_EXTERNAL_CT], [ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) dnl and user space extensions need to be present. - AT_SKIP_IF([test $HAVE_IPTABLES = no]) AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT]) AT_CHECK([iptables -t raw -D OUTPUT 1]) ]) -# ADD_EXTERNAL_CT() +# NFT_CHECK_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +# nft variant of this macro +m4_define([NFT_CHECK_EXTERNAL_CT], +[ + dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) + dnl and user space extensions need to be present. + AT_SKIP_IF([! nft -c -f - << EOF + table ip raw { + chain output-ovs-testsuite { + type filter hook output priority raw; + ct state new + } + } +EOF + ]) +]) + +# CHECK_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +m4_define([CHECK_EXTERNAL_CT], +[ + dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) + dnl and user space extensions need to be present. + if test $HAVE_NFT = yes; then + NFT_CHECK_EXTERNAL_CT() + elif test $HAVE_IPTABLES = yes; then + IPTABLES_CHECK_EXTERNAL_CT() + else + AT_SKIP_IF([true]) + fi +]) + +# IPTABLES_ADD_EXTERNAL_CT() # # Let conntrack start tracking the packets outside OvS. -m4_define([ADD_EXTERNAL_CT], +# iptables variant of this macro +m4_define([IPTABLES_ADD_EXTERNAL_CT], [ AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) on_exit 'iptables -t raw -D OUTPUT 1' ]) + +# NFT_ADD_EXTERNAL_CT() +# +# Let conntrack start tracking the packets outside OvS. +# nft variant of this macro +m4_define([NFT_ADD_EXTERNAL_CT], +[ + if ! 
nft list table ip raw > /dev/null 2>1; then + on_exit 'nft "delete table ip raw"' + fi + + AT_CHECK([nft -f - << EOF + table ip raw { + chain output-ovs-testsuite { + type filter hook output priority raw; + oifname "$1" ct state new + } + } +EOF + ]) + on_exit 'nft "delete chain ip raw output-ovs-testsuite"' +]) + +# ADD_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +m4_define([ADD_EXTERNAL_CT], +[ + if test $HAVE_NFT = yes; then + NFT_ADD_EXTERNAL_CT([$1]) + else + IPTABLES_ADD_EXTERNAL_CT([$1]) + fi +])
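
Review bot: In NFT_ADD_EXTERNAL_CT, `nft list table ip raw > /dev/null 2>1` sends stderr to a file named `1` in the test's working directory instead of discarding it; this should be `2>&1`. The exit status is unaffected, so the `if !` branch still behaves as intended, but every run leaves a stray file behind. Two comment nits in the same hunk: the header comment above the new ADD_EXTERNAL_CT wrapper reads "Checks if packets can be tracked outside OvS.", which is the CHECK_EXTERNAL_CT description, while the iptables and nft variants both say "Let conntrack start tracking the packets outside OvS."; and NFT_CHECK_EXTERNAL_CT carries over the dnl note about CONFIG_NETFILTER_XT_TARGET_CT, which describes the iptables `-j CT` probe rather than the `ct state new` rule checked here. Finally, ADD_EXTERNAL_CT falls through to the iptables variant whenever HAVE_NFT is not yes, without testing HAVE_IPTABLES the way CHECK_EXTERNAL_CT does; that is safe only if every caller runs CHECK_EXTERNAL_CT first, which is worth stating in the macro comment.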