
[ovs-dev,v2,2/3] tests: Add nft support to ADD_EXTERNAL_CT.

Message ID 20241105-nft-testsuite-v2-2-e356adf75e81@ovn.org
State Accepted
Commit 91ee0673962595cf2ce6cbcd91c1c9158ce5ca43
Delegated to: aaron conole
Series tests: use nft when available | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed

Commit Message

Simon Horman Nov. 5, 2024, 8:27 a.m. UTC
Add support for using nft, if available, in ADD_EXTERNAL_CT
and the associated check macro, NFT_CHECK_EXTERNAL_CT.

These macros are used to accommodate checks that rely on tracking
packets outside of OvS and were added by commit 60917c822de6
("system-traffic: Do not rely on conncount for already tracked
packets.")

This is part of an effort to use nft, when available, instead of
iptables in the testsuite.

Signed-off-by: Simon Horman <horms@ovn.org>
---
 tests/system-kmod-macros.at | 80 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 75 insertions(+), 5 deletions(-)

Patch

diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index 135892e91278..a48bd532a0b0 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -268,23 +268,93 @@  m4_define([OVS_CHECK_BAREUDP],
     AT_CHECK([ip link del dev ovs_bareudp0])
 ])
 
-# CHECK_EXTERNAL_CT()
+# IPTABLES_CHECK_EXTERNAL_CT()
 #
 # Checks if packets can be tracked outside OvS.
-m4_define([CHECK_EXTERNAL_CT],
+# iptables variant of this macro
+m4_define([IPTABLES_CHECK_EXTERNAL_CT],
 [
     dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT)
     dnl and user space extensions need to be present.
-    AT_SKIP_IF([test $HAVE_IPTABLES = no])
     AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT])
     AT_CHECK([iptables -t raw -D OUTPUT 1])
 ])
 
-# ADD_EXTERNAL_CT()
+# NFT_CHECK_EXTERNAL_CT()
+#
+# Checks if packets can be tracked outside OvS.
+# nft variant of this macro
+m4_define([NFT_CHECK_EXTERNAL_CT],
+[
+    dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT)
+    dnl and user space extensions need to be present.
+    AT_SKIP_IF([! nft -c -f - << EOF
+                table ip raw {
+                    chain output-ovs-testsuite {
+                        type filter hook output priority raw;
+                        ct state new
+                    }
+                }
+EOF
+               ])
+])
+
+# CHECK_EXTERNAL_CT()
+#
+# Checks if packets can be tracked outside OvS.
+m4_define([CHECK_EXTERNAL_CT],
+[
+    dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT)
+    dnl and user space extensions need to be present.
+    if test $HAVE_NFT = yes; then
+         NFT_CHECK_EXTERNAL_CT()
+    elif test $HAVE_IPTABLES = yes; then
+         IPTABLES_CHECK_EXTERNAL_CT()
+    else
+         AT_SKIP_IF([true])
+    fi
+])
+
+# IPTABLES_ADD_EXTERNAL_CT()
 #
 # Let conntrack start tracking the packets outside OvS.
-m4_define([ADD_EXTERNAL_CT],
+# iptables variant of this macro
+m4_define([IPTABLES_ADD_EXTERNAL_CT],
 [
     AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT])
     on_exit 'iptables -t raw -D OUTPUT 1'
 ])
+
+# NFT_ADD_EXTERNAL_CT()
+#
+# Let conntrack start tracking the packets outside OvS.
+# nft variant of this macro
+m4_define([NFT_ADD_EXTERNAL_CT],
+[
+    if ! nft list table ip raw > /dev/null 2>1; then
+        on_exit 'nft "delete table ip raw"'
+    fi
+
+    AT_CHECK([nft -f - << EOF
+                  table ip raw {
+                      chain output-ovs-testsuite {
+                          type filter hook output priority raw;
+                          oifname "$1" ct state new
+                      }
+                  }
+EOF
+               ])
+    on_exit 'nft "delete chain ip raw output-ovs-testsuite"'
+])
+
+# ADD_EXTERNAL_CT()
+#
+# Checks if packets can be tracked outside OvS.
+m4_define([ADD_EXTERNAL_CT],
+[
+    if test $HAVE_NFT = yes; then
+        NFT_ADD_EXTERNAL_CT([$1])
+    else
+        IPTABLES_ADD_EXTERNAL_CT([$1])
+    fi
+])
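Review bot: In NFT_ADD_EXTERNAL_CT the probe `nft list table ip raw > /dev/null 2>1` redirects stderr to a file named `1` instead of to stdout, so the error text is not discarded and a stray file is left in the test's working directory; the line should read `if ! nft list table ip raw > /dev/null 2>&1; then`. The branch still takes the right path because it keys on the exit status, which is probably why the typo went unnoticed. Separately, the header comment on the new ADD_EXTERNAL_CT wrapper repeats the CHECK_EXTERNAL_CT text; `# Let conntrack start tracking the packets outside OvS.` matches what the macro does. Since these macros edit the host's `ip raw` table, a short comment stating that the table is deleted on exit only when the test itself created it would help anyone running the suite on a machine with its own nft ruleset.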