From patchwork Fri Sep 1 15:05:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Haller X-Patchwork-Id: 1828882 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=O1GUpkso; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RchKj04jhz1ygF for ; Sat, 2 Sep 2023 01:10:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240715AbjIAPKR (ORCPT ); Fri, 1 Sep 2023 11:10:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237546AbjIAPKR (ORCPT ); Fri, 1 Sep 2023 11:10:17 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E66510CF for ; Fri, 1 Sep 2023 08:09:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1693580970; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=t6hbqSZnGNl4qzYYKq8nZ+4WRXmAfCj9DrY5N+aBvjE=; b=O1GUpksoRUmuYP+R/zENYg1cOIPn4gPhjVBE/veLp5J9yV+e2xoKgihoU9HKqYzz9ayCot n6uIv1hPvxpM6USXpeqmka+++ICjTR6qmQaNuNpyN0ACGy6MFybPM0LYbyypiBFIDOmwU+ LsBMi9Y3pqXq3Dw3lk7OZIC52tEoDs4= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-572-DPF3Rd-XMFOArPT2Ip_9Yg-1; Fri, 01 Sep 2023 11:09:29 -0400 X-MC-Unique: DPF3Rd-XMFOArPT2Ip_9Yg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 86F67381DC82 for ; Fri, 1 Sep 2023 15:09:28 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.26]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0743B40C84A5; Fri, 1 Sep 2023 15:09:27 +0000 (UTC) From: Thomas Haller To: NetFilter Cc: Thomas Haller Subject: [PATCH nft v2 1/3] tests/shell: rework command line parsing in "run-tests.sh" Date: Fri, 1 Sep 2023 17:05:57 +0200 Message-ID: <20230901150916.183949-2-thaller@redhat.com> In-Reply-To: <20230901150916.183949-1-thaller@redhat.com> References: <20230901150916.183949-1-thaller@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Parse the arguments in a loop, so that their order does not matter. Also, it would be easier to parse flags with parameters. Currently this is after the is-root check and after unshare. That makes no sense with the "--help" option. That will be addressed next. Signed-off-by: Thomas Haller --- tests/shell/run-tests.sh | 94 +++++++++++++++++++++++++++------------- 1 file changed, 64 insertions(+), 30 deletions(-) diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index b66ef4fa4d1f..2ece280a2408 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -1,10 +1,5 @@ #!/bin/bash -# Configuration -TESTDIR="./$(dirname $0)/testcases" -SRC_NFT="$(dirname $0)/../../src/nft" -DIFF=$(which diff) - msg_error() { echo "E: $1 ..." >&2 exit 1 @@ -18,6 +13,28 @@ msg_info() { echo "I: $1" } +usage() { + echo " $0 [OPTIONS]" + echo + echo "OPTIONS:" + echo " \"-v\" : also VERBOSE=y" + echo " \"-g\" : also DUMPGEN=y" + echo " \"-V\" : also VALGRIND=y" + echo " \"-K\" : also KMEMLEAK=y" + echo + echo "VARIABLES:" + echo " NFT= : Path to nft executable" + echo " VERBOSE=*|y : See also \"-v\" option" + echo " DUMPGEN=*|y : See also \"-g\" option" + echo " VALGRIND=*|y : See also \"-V\" option" + echo " KMEMLEAK=*|y : See also \"-y\" option" +} + +# Configuration +TESTDIR="./$(dirname $0)/testcases" +SRC_NFT="$(dirname $0)/../../src/nft" +DIFF=$(which diff) + if [ "$(id -u)" != "0" ] ; then msg_error "this requires root!" fi @@ -31,6 +48,48 @@ if [ "${1}" != "run" ]; then fi shift +VERBOSE="$VERBOSE" +DUMPGEN="$DUMPGEN" +VALGRIND="$VALGRIND" +KMEMLEAK="$KMEMLEAK" + +TESTS=() + +while [ $# -gt 0 ] ; do + A="$1" + shift + case "$A" in + -v) + VERBOSE=y + ;; + -g) + DUMPGEN=y + ;; + -V) + VALGRIND=y + ;; + -K) + KMEMLEAK=y + ;; + -h|--help) + usage + exit 0 + ;; + --) + TESTS=("$@") + VERBOSE=y + shift $# + ;; + *) + TESTS=("$A" "$@") + VERBOSE=y + shift $# + ;; + esac +done + +SINGLE="${TESTS[*]}" + [ -z "$NFT" ] && NFT=$SRC_NFT ${NFT} > /dev/null 2>&1 ret=$? @@ -59,31 +118,6 @@ if [ ! -x "$DIFF" ] ; then DIFF=true fi -if [ "$1" == "-v" ] ; then - VERBOSE=y - shift -fi - -if [ "$1" == "-g" ] ; then - DUMPGEN=y - shift -fi - -if [ "$1" == "-V" ] ; then - VALGRIND=y - shift -fi - -if [ "$1" == "-K" ]; then - KMEMLEAK=y - shift -fi - -for arg in "$@"; do - SINGLE+=" $arg" - VERBOSE=y -done - kernel_cleanup() { $NFT flush ruleset $MODPROBE -raq \ From patchwork Fri Sep 1 15:05:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Haller X-Patchwork-Id: 1828883 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=fs0Bfclb; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RchKj2S9Gz1ygY for ; Sat, 2 Sep 2023 01:10:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233593AbjIAPKQ (ORCPT ); Fri, 1 Sep 2023 11:10:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43246 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237546AbjIAPKQ (ORCPT ); Fri, 1 Sep 2023 11:10:16 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3E9A10F3 for ; Fri, 1 Sep 2023 08:09:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1693580971; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EHE/6OLGs2HQOunBKziawwPeR5/uWNr8lB/o48s935U=; b=fs0BfclbBuNViQU4iZTxI+sj/Sn70hHjPLlZwdcf4/qz7tVCfspVlIzA3L64+bxHIcB8bV 6E6W1+xZSeR8wF8/HlDJY2g8M/uwx8xvph+xsZ3muV9uKouQl7dI0HCabBRs2A8cCXjP9H obWVy28/ioKv+36h4DCLbGmFteINW3I= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-77-5d47vrhtOKysJsi4da_5-Q-1; Fri, 01 Sep 2023 11:09:29 -0400 X-MC-Unique: 5d47vrhtOKysJsi4da_5-Q-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4E081944E81 for ; Fri, 1 Sep 2023 15:09:29 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.26]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C325840C84A5; Fri, 1 Sep 2023 15:09:28 +0000 (UTC) From: Thomas Haller To: NetFilter Cc: Thomas Haller Subject: [PATCH nft v2 2/3] tests/shell: rework finding tests and add "--list-tests" option Date: Fri, 1 Sep 2023 17:05:58 +0200 Message-ID: <20230901150916.183949-3-thaller@redhat.com> In-Reply-To: <20230901150916.183949-1-thaller@redhat.com> References: <20230901150916.183949-1-thaller@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Cleanup finding the test files. Also add a "--list-tests" option to see which tests are found and would run. Also get rid of the FIND="$(which find)" detection. It's not that the user could set the used find program via an environment variable. Also, which system doesn't have "find"? Just fail when our call to "find" fails. This is still after "unshare", which makes no sense and will be addressed next. Signed-off-by: Thomas Haller --- tests/shell/run-tests.sh | 52 ++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 2ece280a2408..147185cb548a 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -17,10 +17,11 @@ usage() { echo " $0 [OPTIONS]" echo echo "OPTIONS:" - echo " \"-v\" : also VERBOSE=y" - echo " \"-g\" : also DUMPGEN=y" - echo " \"-V\" : also VALGRIND=y" - echo " \"-K\" : also KMEMLEAK=y" + echo " \"-v\" : also VERBOSE=y" + echo " \"-g\" : also DUMPGEN=y" + echo " \"-V\" : also VALGRIND=y" + echo " \"-K\" : also KMEMLEAK=y" + echo " \"-L\"|\"-list-tests\" : list the test name and quit" echo echo "VARIABLES:" echo " NFT= : Path to nft executable" @@ -31,8 +32,9 @@ usage() { } # Configuration -TESTDIR="./$(dirname $0)/testcases" -SRC_NFT="$(dirname $0)/../../src/nft" +BASEDIR="$(dirname "$0")" +TESTDIR="$BASEDIR/testcases" +SRC_NFT="$BASEDIR/../../src/nft" DIFF=$(which diff) if [ "$(id -u)" != "0" ] ; then @@ -52,6 +54,7 @@ VERBOSE="$VERBOSE" DUMPGEN="$DUMPGEN" VALGRIND="$VALGRIND" KMEMLEAK="$KMEMLEAK" +DO_LIST_TESTS= TESTS=() @@ -75,6 +78,9 @@ while [ $# -gt 0 ] ; do usage exit 0 ;; + -L|--list-tests) + DO_LIST_TESTS=y + ;; --) TESTS=("$@") VERBOSE=y @@ -88,7 +94,19 @@ while [ $# -gt 0 ] ; do esac done -SINGLE="${TESTS[*]}" +if [ ! -d "$TESTDIR" ] ; then + msg_error "missing testdir $TESTDIR" +fi + +if [ "${#TESTS[@]}" -eq 0 ]; then + TESTS=( $(find "$TESTDIR" -type f -executable | sort) ) || \ + msg_error "Could not find tests" +fi + +if [ "$DO_LIST_TESTS" = y ] ; then + printf '%s\n' "${TESTS[@]}" + exit 0 +fi [ -z "$NFT" ] && NFT=$SRC_NFT ${NFT} > /dev/null 2>&1 @@ -99,15 +117,6 @@ else msg_info "using nft command: ${NFT}" fi -if [ ! -d "$TESTDIR" ] ; then - msg_error "missing testdir $TESTDIR" -fi - -FIND="$(which find)" -if [ ! -x "$FIND" ] ; then - msg_error "no find binary found" -fi - MODPROBE="$(which modprobe)" if [ ! -x "$MODPROBE" ] ; then msg_error "no modprobe binary found" @@ -142,14 +151,6 @@ kernel_cleanup() { nft_xfrm } -find_tests() { - if [ ! -z "$SINGLE" ] ; then - echo $SINGLE - return - fi - ${FIND} ${TESTDIR} -type f -executable | sort -} - printscript() { # (cmd, tmpd) cat < X-Patchwork-Id: 1828884 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=cZjzMSFA; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4RchKj6Y7Kz1yh7 for ; Sat, 2 Sep 2023 01:10:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241535AbjIAPKT (ORCPT ); Fri, 1 Sep 2023 11:10:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237546AbjIAPKS (ORCPT ); Fri, 1 Sep 2023 11:10:18 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F22210EF for ; Fri, 1 Sep 2023 08:09:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1693580971; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xvgLsgpDP1WTm4gL91qYXo2AQvyFjFAdyOEtAGuxZNQ=; b=cZjzMSFABro+ev5cc/iVa0im8IW8cJRw6xfPzN2vLgWEJ0H1t1NeLGtf6fNv/kOVZMaCNz oCPwfOa7ZDBQ+eyEFhJxXKWxv9UCLaEO7557eccrY9MP8cb6Y/aJ7sw5duUJuFPJk9gNHm 97Z3gYCIsBKwYnWGpvkCbqG8WPqyv1M= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-198-1tfNnNADOwOjra0PgT_lEQ-1; Fri, 01 Sep 2023 11:09:30 -0400 X-MC-Unique: 1tfNnNADOwOjra0PgT_lEQ-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 15049923004 for ; Fri, 1 Sep 2023 15:09:30 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.26]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8A9A440C84A5; Fri, 1 Sep 2023 15:09:29 +0000 (UTC) From: Thomas Haller To: NetFilter Cc: Thomas Haller Subject: [PATCH nft v2 3/3] tests/shell: run each test in separate namespace and allow rootless Date: Fri, 1 Sep 2023 17:05:59 +0200 Message-ID: <20230901150916.183949-4-thaller@redhat.com> In-Reply-To: <20230901150916.183949-1-thaller@redhat.com> References: <20230901150916.183949-1-thaller@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Don't unshare the entire shell script, calling itself again. Instead, call unshare separately for each test invocation. That means, all tests use now a different sandbox. Also, allow to run rootless/unprivileged. The user still can opt-out from unshare via -U/--no-unshare option or NFT_TEST_NO_UNSHARE=y. That might be useful if unshare for some reason doesn't work for the user, or if you want to test on your host system. Also try to also run a separate PID namespace, to get more isolation. If that is not working, then fallback without separate PID namespace. We no longer require [ `id -u` = 0 ] to proceed, so a rootless user can run the tests. We detect whether we have real root and set NFT_TEST_HAVE_REALROOT=y. Some tests won't work rootless. For example, the socket buffers is limited by /proc/sys/net/core/{wmem_max,rmem_max} which real-root can override, but rootless tests cannot. Such tests should check for [ "$NFT_TEST_HAVE_REALROOT" != y ] and skip the test gracefully. Optimally, tests also work in the rootless environment and most tests should pass in both, and not check for have-realroot. Usually, the user doesn't need to tell the script whether they have real root. The script will autodetect it via [ `id -u` = 0 ]. But that won't work if you run inside a rootless container already. In that case, you would want to tell the script that we don't have real-root. Either via -R/--without-root option or NFT_TEST_HAVE_REALROOT=n. If they wish, the test can know whether they run inside "unshare" environment by checking for [ "$NFT_TEST_IS_UNSHARED" = y ]. Signed-off-by: Thomas Haller --- tests/shell/run-tests.sh | 83 +++++++++++++++++++++++++++++----------- 1 file changed, 61 insertions(+), 22 deletions(-) diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 147185cb548a..fda738983ec9 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -17,11 +17,13 @@ usage() { echo " $0 [OPTIONS]" echo echo "OPTIONS:" - echo " \"-v\" : also VERBOSE=y" - echo " \"-g\" : also DUMPGEN=y" - echo " \"-V\" : also VALGRIND=y" - echo " \"-K\" : also KMEMLEAK=y" - echo " \"-L\"|\"-list-tests\" : list the test name and quit" + echo " \"-v\" : also VERBOSE=y" + echo " \"-g\" : also DUMPGEN=y" + echo " \"-V\" : also VALGRIND=y" + echo " \"-K\" : also KMEMLEAK=y" + echo " \"-L\"|\"--list-tests\" : list the test name and quit" + echo " \"-R\"|\"--without-realroot\" : sets NFT_TEST_HAVE_REALROOT=n" + echo " \"-U\"|\"--no-unshare\" : sets NFT_TEST_NO_UNSHARE=y" echo echo "VARIABLES:" echo " NFT= : Path to nft executable" @@ -29,31 +31,28 @@ usage() { echo " DUMPGEN=*|y : See also \"-g\" option" echo " VALGRIND=*|y : See also \"-V\" option" echo " KMEMLEAK=*|y : See also \"-y\" option" + echo " NFT_TEST_HAVE_REALROOT=*|y : To indicate whether the test has real root permissions." + echo " Usually, you don't need this and it gets autodetected." + echo " You might want to set it, if you know better than the" + echo " \`id -u\` check, whether the user is root in the main namespace." + echo " Note that without real root, certain tests may not work," + echo " e.g. due to limited /proc/sys/net/core/{wmem_max,rmem_max}." + echo " Checks that cannot pass in such environment should check for" + echo " [ \"$NFT_TEST_HAVE_REALROOT\" != y ] and skip gracefully." + echo " NFT_TEST_NO_UNSHARE=*|y : Usually, each test will run in a separate namespace." + echo " You can opt-out from that by setting NFT_TEST_NO_UNSHARE=y." } -# Configuration BASEDIR="$(dirname "$0")" TESTDIR="$BASEDIR/testcases" SRC_NFT="$BASEDIR/../../src/nft" -DIFF=$(which diff) - -if [ "$(id -u)" != "0" ] ; then - msg_error "this requires root!" -fi - -if [ "${1}" != "run" ]; then - if unshare -f -n true; then - unshare -n "${0}" run $@ - exit $? - fi - msg_warn "cannot run in own namespace, connectivity might break" -fi -shift VERBOSE="$VERBOSE" DUMPGEN="$DUMPGEN" VALGRIND="$VALGRIND" KMEMLEAK="$KMEMLEAK" +NFT_TEST_HAVE_REALROOT="$NFT_TEST_HAVE_REALROOT" +NFT_TEST_NO_UNSHARE="$NFT_TEST_NO_UNSHARE" DO_LIST_TESTS= TESTS=() @@ -81,6 +80,12 @@ while [ $# -gt 0 ] ; do -L|--list-tests) DO_LIST_TESTS=y ;; + -R|--without-realroot) + NFT_TEST_HAVE_REALROOT=n + ;; + -U|--no-unshare) + NFT_TEST_NO_UNSHARE=y + ;; --) TESTS=("$@") VERBOSE=y @@ -108,6 +113,33 @@ if [ "$DO_LIST_TESTS" = y ] ; then exit 0 fi +if [ "$NFT_TEST_HAVE_REALROOT" = "" ] ; then + # The caller didn't set NFT_TEST_HAVE_REALROOT and didn't specify + # -R/--without-root option. Autodetect it based on `id -u`. + export NFT_TEST_HAVE_REALROOT="$(test "$(id -u)" = "0" && echo y || echo n)" +fi + +UNSHARE=() +NFT_TEST_IS_UNSHARED=n +if [ "$NFT_TEST_NO_UNSHARE" != y ]; then + # We unshare both if we NFT_TEST_HAVE_REALROOT and the rootless/unpriv + # case. Without real root, some tests may fail. Tests that don't work + # without real root should check for [ "$NFT_TEST_HAVE_REALROOT" != y ] + # and skip gracefully. + UNSHARE=( unshare -f -p --mount-proc -U --map-root-user -n ) + if ! "${UNSHARE[@]}" true ; then + # Try without PID namespace. + UNSHARE=( unshare -f -U --map-root-user -n ) + if ! "${UNSHARE[@]}" true ; then + msg_error "Unshare does not work. Rerun with -U/--no-unshare or NFT_TEST_NO_UNSHARE=y" + fi + fi + NFT_TEST_IS_UNSHARED=y +fi + +# If they wish, test can check whether they run unshared. +export NFT_TEST_IS_UNSHARED + [ -z "$NFT" ] && NFT=$SRC_NFT ${NFT} > /dev/null 2>&1 ret=$? @@ -128,7 +160,9 @@ if [ ! -x "$DIFF" ] ; then fi kernel_cleanup() { - $NFT flush ruleset + if [ "$NFT_TEST_IS_UNSHARED" != y ] ; then + $NFT flush ruleset + fi $MODPROBE -raq \ nft_reject_ipv4 nft_reject_bridge nft_reject_ipv6 nft_reject \ nft_redir_ipv4 nft_redir_ipv6 nft_redir \ @@ -253,7 +287,7 @@ for testfile in "${TESTS[@]}" ; do kernel_cleanup msg_info "[EXECUTING] $testfile" - test_output=$(NFT="$NFT" DIFF=$DIFF ${testfile} 2>&1) + test_output=$(NFT="$NFT" DIFF=$DIFF "${UNSHARE[@]}" "$testfile" 2>&1) rc_got=$? echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line @@ -312,4 +346,9 @@ check_kmemleak_force msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" kernel_cleanup + +if [ "$failed" -gt 0 -a "$NFT_TEST_HAVE_REALROOT" != y ] ; then + msg_info "test was not running as real root" +fi + [ "$failed" -eq 0 ]