From: Simon Horman
Date: Tue, 05 Nov 2024 08:27:29 +0000
Message-Id: <20241105-nft-testsuite-v2-1-e356adf75e81@ovn.org>
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2 1/3] tests: add nft accept support.

Certain Linux distributions, like CentOS, have default iptable rules to reject input traffic from bridges such as br-underlay. To address this, IPTABLES_ACCEPT adds an iptables rule to always accept the traffic.

As part of an effort to use nft in place of iptables in the testsuite, implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT.

As the condition where IPTABLES_ACCEPT implies the existence of an INPUT chain, only instantiate an nft rule in that chain if it already exists.

Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if nft is available, and IPTABLES_ACCEPT otherwise.

And provide OVS_CHECK_XT, which can be used to check if the prerequisites for running XT_ACCEPT are present, and skips the current test otherwise.

Update the one test where IPTABLES_ACCEPT is used so that it now uses XT_ACCEPT and OVS_CHECK_XT.

Signed-off-by: Simon Horman
---
v2: Drop dependency on jq: use sed instead
---
 tests/atlocal.in | 3 +++
 tests/ovs-macros.at | 26 ++++++++++++++++++++++++--
 tests/system-common-macros.at | 4 ++++
 tests/system-traffic.at | 4 ++--
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/tests/atlocal.in b/tests/atlocal.in index d6b87f8ec776..1c3d4891a7fc 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in
@@ -188,6 +188,9 @@ find_command ethtool # Set HAVE_IPTABLES find_command iptables +# Set HAVE_NFT +find_command nft + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" # Determine whether "diff" supports "normal" diffs. (busybox diff does not.) diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at index f1b8041fbac9..90258ef07b59 100644 --- a/tests/ovs-macros.at +++ b/tests/ovs-macros.at @@ -360,9 +360,31 @@ m4_ifndef([AT_FAIL_IF], [AT_CHECK([($1) \ && exit 99 || exit 0], [0], [ignore], [ignore])])]) -dnl Certain Linux distributions, like CentOS, have default iptable rules -dnl to reject input traffic from bridges such as br-underlay. dnl Add a rule to always accept the traffic. m4_define([IPTABLES_ACCEPT], [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) on_exit 'iptables -D INPUT 1']) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl This implies the existence of a ip filter INPUT chain. +dnl If that chain exists then add a rule to it to always accept all traffic. +m4_define([NFT_ACCEPT], + [if nft list chain ip filter INPUT > /dev/null 2>1; then + AT_CHECK([nft -ae \ + "insert rule ip filter INPUT iifname \"$1\" counter accept"], + [0], [stdout-nolog]) + dnl Extract handle, which is used to delete the rule + AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout]) + on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\"" + fi]) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl Add a rule to always accept the traffic. +m4_define([XT_ACCEPT], + [if test $HAVE_NFT = yes; then + NFT_ACCEPT([$1]) + else + IPTABLES_ACCEPT([$1]) + fi]) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index ff86d15cdab7..a6be419f60f1 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at 
@@ -379,3 +379,7 @@ m4_define([OVS_CHECK_DROP_ACTION], # OVS_CHECK_PSAMPLE() m4_define([OVS_CHECK_PSAMPLE], [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])]) + +# OVS_CHECK_XT() +m4_define([OVS_CHECK_XT], + [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index a04d9611053e..2b1686e99391 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1186,7 +1186,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while AT_CLEANUP AT_SETUP([datapath - ping over gre tunnel by simulated packets]) -AT_SKIP_IF([test $HAVE_IPTABLES = no]) +OVS_CHECK_XT() OVS_CHECK_MIN_KERNEL(3, 10) OVS_TRAFFIC_VSWITCHD_START() 
@@ -1206,7 +1206,7 @@ AT_CHECK([ip link set dev br-underlay up]) dnl Set up tunnel endpoints on OVS outside the namespace. ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) -IPTABLES_ACCEPT([br-underlay]) +XT_ACCEPT([br-underlay]) NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) sleep 1
From: Simon Horman
Date: Tue, 05 Nov 2024 08:27:30 +0000
Message-Id: <20241105-nft-testsuite-v2-2-e356adf75e81@ovn.org>
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2 2/3] tests: Add nft support to ADD_EXTERNAL_CT.

Add support for using nft, if available, in ADD_EXTERNAL_CT and the associated check macro, NFT_CHECK_EXTERNAL_CT.

These macros are used to accommodate checks that rely on tracking packets outside of OvS and were added by commit 60917c822de6 ("system-traffic: Do not rely on conncount for already tracked packets.")

This is part of an effort to use nft, when available, instead of iptables in the testsuite.

Signed-off-by: Simon Horman
---
 tests/system-kmod-macros.at | 80 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 75 insertions(+), 5 deletions(-)

diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at index 135892e91278..a48bd532a0b0 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at
@@ -268,23 +268,93 @@ m4_define([OVS_CHECK_BAREUDP], AT_CHECK([ip link del dev ovs_bareudp0]) ]) -# CHECK_EXTERNAL_CT() +# IPTABLES_CHECK_EXTERNAL_CT() # # Checks if packets can be tracked outside OvS. -m4_define([CHECK_EXTERNAL_CT], +# iptables variant of this macro +m4_define([IPTABLES_CHECK_EXTERNAL_CT], [ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) dnl and user space extensions need to be present. - AT_SKIP_IF([test $HAVE_IPTABLES = no]) AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT]) AT_CHECK([iptables -t raw -D OUTPUT 1]) ]) -# ADD_EXTERNAL_CT() +# NFT_CHECK_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +# nft variant of this macro +m4_define([NFT_CHECK_EXTERNAL_CT], +[ + dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) + dnl and user space extensions need to be present. + AT_SKIP_IF([! nft -c -f - << EOF + table ip raw { + chain output-ovs-testsuite { + type filter hook output priority raw; + ct state new + } + } +EOF + ]) +]) + +# CHECK_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +m4_define([CHECK_EXTERNAL_CT], +[ + dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) + dnl and user space extensions need to be present. + if test $HAVE_NFT = yes; then + NFT_CHECK_EXTERNAL_CT() + elif test $HAVE_IPTABLES = yes; then + IPTABLES_CHECK_EXTERNAL_CT() + else + AT_SKIP_IF([true]) + fi +]) + +# IPTABLES_ADD_EXTERNAL_CT() # # Let conntrack start tracking the packets outside OvS. -m4_define([ADD_EXTERNAL_CT], +# iptables variant of this macro +m4_define([IPTABLES_ADD_EXTERNAL_CT], [ AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) on_exit 'iptables -t raw -D OUTPUT 1' ]) + +# NFT_ADD_EXTERNAL_CT() +# +# Let conntrack start tracking the packets outside OvS. +# nft variant of this macro +m4_define([NFT_ADD_EXTERNAL_CT], +[ + if ! 
nft list table ip raw > /dev/null 2>1; then + on_exit 'nft "delete table ip raw"' + fi + + AT_CHECK([nft -f - << EOF + table ip raw { + chain output-ovs-testsuite { + type filter hook output priority raw; + oifname "$1" ct state new + } + } +EOF + ]) + on_exit 'nft "delete chain ip raw output-ovs-testsuite"' +]) + +# ADD_EXTERNAL_CT() +# +# Checks if packets can be tracked outside OvS. +m4_define([ADD_EXTERNAL_CT], +[ + if test $HAVE_NFT = yes; then + NFT_ADD_EXTERNAL_CT([$1]) + else + IPTABLES_ADD_EXTERNAL_CT([$1]) + fi +])
From: Simon Horman
Date: Tue, 05 Nov 2024 08:27:31 +0000
Message-Id: <20241105-nft-testsuite-v2-3-e356adf75e81@ovn.org>
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2 3/3] tests: Handle marks using nft if available.

Update the "offloads - ping over vxlan tunnel with gbp - offloads enabled" test to use nft, instead of iptables, if available.

This is part of an effort to use nft in place of iptables throughout the testsuite.

Unlike other patches towards this series, simply inline nft support into the test, rather than using macros. This matches the current iptables support in this test.

Signed-off-by: Simon Horman
---
 tests/system-offloads-traffic.at | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at index 6e3b063eee9d..78c6f5d7ec7e 100644 --- a/tests/system-offloads-traffic.at +++ b/tests/system-offloads-traffic.at @@ -812,6 +812,7 @@ OVS_CHECK_VXLAN() OVS_TRAFFIC_VSWITCHD_START([], [], [-- set Open_vSwitch . other_config:hw-offload=true]) AT_SKIP_IF([! grep -q "probe tc: vxlan gbp is supported." ovs-vswitchd.log]) +AT_SKIP_IF([test $HAVE_NFT = no -a $HAVE_IPTABLES = no]) ADD_BR([br-underlay]) AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
@@ -832,8 +833,32 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24], [id 0 dstport 4789 gbp]) -NS_CHECK_EXEC([at_ns0], [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], [0]) -NS_CHECK_EXEC([at_ns0], [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], [0], [ignore]) + +if test $HAVE_NFT = yes; then + NS_CHECK_EXEC([at_ns0], [nft -f - << EOF + table ip filter { + chain OUTPUT { + type filter hook output priority filter; policy accept; + counter meta mark set 512 + } + } + + table ip filter { + chain INPUT { + type filter hook input priority filter; policy accept; + mark 512 counter accept; + } + } +EOF + ]) +else + NS_CHECK_EXEC([at_ns0], + [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], + [0]) + NS_CHECK_EXEC([at_ns0], + [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], + [0], [ignore]) +fi dnl First, check the underlay. NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 172.31.1.100 | FORMAT_PING], [0], [dnl
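Review bot: In NFT_ACCEPT (patch 1/3, tests/ovs-macros.at hunk), `nft list chain ip filter INPUT > /dev/null 2>1` writes stderr to a file named `1` in the test directory rather than discarding it; it should read `2>&1`. In the same macro the handle check accepts empty output: if sed matches nothing, the AT_CHECK still passes and the queued cleanup becomes `delete rule ip filter INPUT handle` with no handle, leaving the accept rule for $1 in the host's INPUT chain after the test. Fail the check when the extracted handle is empty. The `T` command is also a GNU sed extension; `sed -n 's/.*handle //p'` prints the same lines portably.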
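Review bot: The header comment on the new ADD_EXTERNAL_CT wrapper at the end of the tests/system-kmod-macros.at hunk (patch 2/3) reads "Checks if packets can be tracked outside OvS.", which is the CHECK_EXTERNAL_CT description; it should say "Let conntrack start tracking the packets outside OvS." like the two variants it dispatches to. NFT_CHECK_EXTERNAL_CT also keeps the dnl comment naming CONFIG_NETFILTER_XT_TARGET_CT, although its probe is an nft `ct state new` rule and not the iptables CT target, so the comment should state what the nft probe actually requires. NFT_ADD_EXTERNAL_CT repeats the `2>1` redirection in `nft list table ip raw > /dev/null 2>1`, which should be `2>&1`.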
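Review bot: The skip added after the vxlan gbp probe in the first tests/system-offloads-traffic.at hunk (patch 3/3) open-codes `test $HAVE_NFT = no -a $HAVE_IPTABLES = no`, the same condition patch 1/3 wraps as OVS_CHECK_XT(). Use the macro here so the prerequisite is defined once, or at least the `test ... && test ...` form it uses, since `-a` inside test is marked obsolescent by POSIX.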
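Review bot: In the nft branch of the second tests/system-offloads-traffic.at hunk (patch 3/3), the OUTPUT rule writes the mark as `meta mark set 512` while the INPUT rule matches it as bare `mark 512` with a trailing `;`; spell both as `meta mark` and drop the semicolon so the two rules read as a pair. The two `table ip filter` blocks can be declared as one table with both chains. The nft OUTPUT rule also has no counterpart to the `-p ip` match in the iptables branch, and the nft NS_CHECK_EXEC omits the explicit `[0]` status the iptables calls pass; a short comment saying both differences are intentional would help the next reader.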