
[ovs-dev,v2,1/3] tests: add nft accept support.

Message ID 20241105-nft-testsuite-v2-1-e356adf75e81@ovn.org
State Accepted
Commit d595473ccaae81c99ff966ce889ccbdc4c88150a
Delegated to: aaron conole
Series tests: use nft when available | expand

Checks

Context Check Description
ovsrobot/apply-robot warning apply and check: warning
ovsrobot/github-robot-_Build_and_Test success github build: passed

Commit Message

Simon Horman Nov. 5, 2024, 8:27 a.m. UTC
Certain Linux distributions, like CentOS, have default iptable rules
to reject input traffic from bridges such as br-underlay.

To address this, IPTABLES_ACCEPT adds an iptables rule to always accept
the traffic.

As part of an effort to use nft in place of iptables in the testsuite,
implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. As the
condition that IPTABLES_ACCEPT addresses implies the existence of an INPUT
chain, only instantiate an nft rule in that chain if it already exists.

Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if
nft is available, and IPTABLES_ACCEPT otherwise

And provide OVS_CHECK_XT, which can be used to check if the
prerequisites for running XT_ACCEPT are present, and skips the current
test otherwise.

Update the one test where IPTABLES_ACCEPT is used so that it
now uses XT_ACCEPT and OVS_CHECK_XT.

Signed-off-by: Simon Horman <horms@ovn.org>
---
v2: Drop dependency on jq: use sed instead
---
 tests/atlocal.in              |  3 +++
 tests/ovs-macros.at           | 26 ++++++++++++++++++++++++--
 tests/system-common-macros.at |  4 ++++
 tests/system-traffic.at       |  4 ++--
 4 files changed, 33 insertions(+), 4 deletions(-)

Comments

0-day Robot Nov. 5, 2024, 8:40 a.m. UTC | #1
Bleep bloop.  Greetings Simon Horman, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
WARNING: The subject summary should start with a capital.
Subject: tests: add nft accept support.


Please check this out.  If you feel there has been an error, please email aconole@redhat.com

Thanks,
0-day Robot
Aaron Conole Nov. 11, 2024, 11:08 p.m. UTC | #2
0-day Robot <robot@bytheb.org> writes:

> Bleep bloop.  Greetings Simon Horman, I am a robot and I have tried
> out your patch.
> Thanks for your contribution.
>
> I encountered some error that I wasn't expecting.  See the details below.
>
>
> checkpatch:
> WARNING: The subject summary should start with a capital.
> Subject: tests: add nft accept support.

I fixed this up while applying.

> Please check this out.  If you feel there has been an error, please
> email aconole@redhat.com
>
> Thanks,
> 0-day Robot
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Patch

diff --git a/tests/atlocal.in b/tests/atlocal.in
index d6b87f8ec776..1c3d4891a7fc 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -188,6 +188,9 @@  find_command ethtool
 # Set HAVE_IPTABLES
 find_command iptables
 
+# Set HAVE_NFT
+find_command nft
+
 CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1"
 
 # Determine whether "diff" supports "normal" diffs.  (busybox diff does not.)
diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at
index f1b8041fbac9..90258ef07b59 100644
--- a/tests/ovs-macros.at
+++ b/tests/ovs-macros.at
@@ -360,9 +360,31 @@  m4_ifndef([AT_FAIL_IF],
     [AT_CHECK([($1) \
     && exit 99 || exit 0], [0], [ignore], [ignore])])])
 
-dnl Certain Linux distributions, like CentOS, have default iptable rules
-dnl to reject input traffic from bridges such as br-underlay.
 dnl Add a rule to always accept the traffic.
 m4_define([IPTABLES_ACCEPT],
   [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT])
    on_exit 'iptables -D INPUT 1'])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl This implies the existence of a ip filter INPUT chain.
+dnl If that chain exists then add a rule to it to always accept all traffic.
+m4_define([NFT_ACCEPT],
+  [if nft list chain ip filter INPUT > /dev/null 2>1; then
+     AT_CHECK([nft -ae \
+               "insert rule ip filter INPUT iifname \"$1\" counter accept"],
+               [0], [stdout-nolog])
+     dnl Extract handle, which is used to delete the rule
+     AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout])
+     on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\""
+   fi])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl Add a rule to always accept the traffic.
+m4_define([XT_ACCEPT],
+  [if test $HAVE_NFT = yes; then
+       NFT_ACCEPT([$1])
+   else
+       IPTABLES_ACCEPT([$1])
+   fi])
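Review bot: The chain-existence probe in NFT_ACCEPT redirects stderr to a file literally named `1` instead of to stdout; `if nft list chain ip filter INPUT > /dev/null 2>&1; then` is what was intended, and as written every run of the macro leaves a stray `1` file in the test directory while nft's diagnostics are lost. The `T` command in the handle-extracting sed expression is a GNU extension, so this will fail under a non-GNU sed unless the testsuite already requires GNU sed elsewhere. Because on_exit receives a double-quoted string, `$(cat stdout)` is expanded when the hook is registered rather than when it runs, which is what keeps the later reuse of `stdout` by other AT_CHECKs from corrupting the delete command; that is not obvious to a reader, so a line such as `dnl $(cat stdout) is expanded now, before stdout is overwritten by later checks.` above the on_exit would help.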
diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index ff86d15cdab7..a6be419f60f1 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -379,3 +379,7 @@  m4_define([OVS_CHECK_DROP_ACTION],
 # OVS_CHECK_PSAMPLE()
 m4_define([OVS_CHECK_PSAMPLE],
     [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])])
+
+# OVS_CHECK_XT()
+m4_define([OVS_CHECK_XT],
+    [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])])
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index a04d9611053e..2b1686e99391 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1186,7 +1186,7 @@  OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while
 AT_CLEANUP
 
 AT_SETUP([datapath - ping over gre tunnel by simulated packets])
-AT_SKIP_IF([test $HAVE_IPTABLES = no])
+OVS_CHECK_XT()
 OVS_CHECK_MIN_KERNEL(3, 10)
 
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1206,7 +1206,7 @@  AT_CHECK([ip link set dev br-underlay up])
 dnl Set up tunnel endpoints on OVS outside the namespace.
 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
 
-IPTABLES_ACCEPT([br-underlay])
+XT_ACCEPT([br-underlay])
 
 NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid])
 sleep 1