@@ -188,6 +188,9 @@ find_command ethtool
# Set HAVE_IPTABLES
find_command iptables
+# Set HAVE_NFT
+find_command nft
+
CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1"
# Determine whether "diff" supports "normal" diffs. (busybox diff does not.)
@@ -360,9 +360,31 @@ m4_ifndef([AT_FAIL_IF],
[AT_CHECK([($1) \
&& exit 99 || exit 0], [0], [ignore], [ignore])])])
-dnl Certain Linux distributions, like CentOS, have default iptable rules
-dnl to reject input traffic from bridges such as br-underlay.
dnl Add a rule to always accept the traffic.
m4_define([IPTABLES_ACCEPT],
[AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT])
on_exit 'iptables -D INPUT 1'])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl This implies the existence of a ip filter INPUT chain.
+dnl If that chain exists then add a rule to it to always accept all traffic.
+m4_define([NFT_ACCEPT],
+ [if nft list chain ip filter INPUT > /dev/null 2>1; then
+ AT_CHECK([nft -ae \
+ "insert rule ip filter INPUT iifname \"$1\" counter accept"],
+ [0], [stdout-nolog])
+ dnl Extract handle, which is used to delete the rule
+ AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout])
+ on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\""
+ fi])
+
+dnl Certain Linux distributions, like CentOS, have default iptable rules
+dnl to reject input traffic from bridges such as br-underlay.
+dnl Add a rule to always accept the traffic.
+m4_define([XT_ACCEPT],
+ [if test $HAVE_NFT = yes; then
+ NFT_ACCEPT([$1])
+ else
+ IPTABLES_ACCEPT([$1])
+ fi])
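Review bot: The redirection `2>1` in NFT_ACCEPT's chain probe sends nft's stderr to a file literally named `1` in the test directory rather than to stdout; it should read `if nft list chain ip filter INPUT > /dev/null 2>&1; then`, otherwise every test that reaches XT_ACCEPT with HAVE_NFT=yes leaves a stray `1` file behind. If the sed over the `-ae` output yields nothing (no `handle` token in nft's echo), the registered cleanup becomes `nft "delete rule ip filter INPUT handle "`, which fails at exit and leaves the inserted accept rule in the INPUT chain; guarding with `AT_CHECK([test -s stdout])` before the on_exit would make that failure visible at the point it occurs. The sed `T` command is a GNU extension, which may matter since atlocal.in already special-cases busybox tools. After the move of the CentOS explanation to XT_ACCEPT, IPTABLES_ACCEPT is left with only `dnl Add a rule to always accept the traffic.`; a one-line mention that it is the iptables backend used by XT_ACCEPT would keep it self-explanatory. The hunk's trailing context line appears to have been lost in extraction, so the block end could not be checked.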
@@ -379,3 +379,7 @@ m4_define([OVS_CHECK_DROP_ACTION],
# OVS_CHECK_PSAMPLE()
m4_define([OVS_CHECK_PSAMPLE],
[AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])])
+
+# OVS_CHECK_XT()
+m4_define([OVS_CHECK_XT],
+ [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])])
@@ -1186,7 +1186,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while
AT_CLEANUP
AT_SETUP([datapath - ping over gre tunnel by simulated packets])
-AT_SKIP_IF([test $HAVE_IPTABLES = no])
+OVS_CHECK_XT()
OVS_CHECK_MIN_KERNEL(3, 10)
OVS_TRAFFIC_VSWITCHD_START()
@@ -1206,7 +1206,7 @@ AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
-IPTABLES_ACCEPT([br-underlay])
+XT_ACCEPT([br-underlay])
NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid])
sleep 1
Certain Linux distributions, like CentOS, have default iptable rules to reject input traffic from bridges such as br-underlay. To address this, IPTABLES_ACCEPT adds an iptables rule to always accept the traffic. As part of an effort to use nft in place of iptables in the testsuite, implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. As the condition that IPTABLES_ACCEPT addresses implies the existence of an INPUT chain, only instantiate an nft rule in that chain if it already exists. Also provide a wrapper, XT_ACCEPT, which calls NFT_ACCEPT if nft is available, and IPTABLES_ACCEPT otherwise. And provide OVS_CHECK_XT, which can be used to check if the prerequisites for running XT_ACCEPT are present, and skips the current test otherwise. Update the one test where IPTABLES_ACCEPT is used so that it now uses XT_ACCEPT and OVS_CHECK_XT. Signed-off-by: Simon Horman <horms@ovn.org> --- v2: Drop dependency on jq: use sed instead --- tests/atlocal.in | 3 +++ tests/ovs-macros.at | 26 ++++++++++++++++++++++++-- tests/system-common-macros.at | 4 ++++ tests/system-traffic.at | 4 ++-- 4 files changed, 33 insertions(+), 4 deletions(-)