[vzt] ./test/zdtm/static:conntracks: Support nftables

Submitted by Vitaly Ostrosablin on Nov. 1, 2019, 9 a.m.

Details

Message ID 20191101085945.260981-1-vostrosablin@virtuozzo.com
State Accepted
Series "./test/zdtm/static:conntracks: Support nftables"
Commit d338b73f9ec704e1de094dda01062407dc9f5100

Commit Message

Vitaly Ostrosablin Nov. 1, 2019, 9 a.m.
Update test to support both iptables and nft to create conntrack rules.

PSBM-99101

Signed-off-by: Vitaly Ostrosablin <vostrosablin@virtuozzo.com>
---
 test/zdtm/static/conntracks | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

Patch

diff --git a/test/zdtm/static/conntracks b/test/zdtm/static/conntracks
index a30e0e268..26220f97c 100755
--- a/test/zdtm/static/conntracks
+++ b/test/zdtm/static/conntracks
@@ -23,7 +23,7 @@  do_or_fail()
 		fail "$failmsg: $output"
 }
 
-do_start()
+do_start_ipt()
 {
 	[ -f "$statefile" ] && die "state file $statefile aleady exists"
 
@@ -35,7 +35,7 @@  do_start()
 		iptables -L \> "$statefile"
 }
 
-do_stop()
+do_stop_ipt()
 {
 	do_or_fail "can't compare the iptables" \
 		iptables -L \| diff -u "$statefile" -
@@ -45,6 +45,38 @@  do_stop()
 	echo "PASS" > $outfile
 }
 
+do_start_nft()
+{
+	[ -f "$statefile" ] && die "state file $statefile aleady exists"
+
+	do_or_fail "can't install a state match" \
+		nft add rule filter INPUT \
+		ct state related,established accept
+
+	do_or_fail "can't list the loaded nftables" \
+		nft list ruleset \> "$statefile"
+}
+
+do_stop_nft()
+{
+	do_or_fail "can't compare the nftables" \
+		nft list ruleset \| diff -u "$statefile" -
+
+	rm -f "$statefile"
+
+	echo "PASS" > $outfile
+}
+
+do_start()
+{
+	[ -x "$(command -v nft)" ] && do_start_nft || do_start_ipt
+}
+
+do_stop()
+{
+	[ -x "$(command -v nft)" ] && do_stop_nft || do_stop_ipt
+}
+
 tmpargs="$(../lib/parseargs.sh --name=$0 \
 		--flags-req=statefile,outfile \
 		--flags-opt="start,stop" -- "$@")" ||
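
Review bot: do_start_nft runs "nft add rule filter INPUT ..." without first making sure that table filter and chain INPUT exist; nftables ships no built-in tables, so on a host where nft is installed but the ruleset is empty this command fails. Create the table and chain in do_start_nft before adding the rule, or check for them and fall back. In do_start and do_stop, the form "[ -x "$(command -v nft)" ] && do_start_nft || do_start_ipt" also runs the iptables variant whenever the nft variant returns non-zero, so an explicit if/else would keep the two backends exclusive. do_stop also repeats the detection instead of reusing the choice made at start, so if nft availability differs between the two invocations the state file is diffed against the other tool's output; recording the chosen backend next to the state file would avoid that. The "aleady" typo in the die message is copied into the new function and could be fixed in the same change.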

Comments

Andrei Vagin Nov. 3, 2019, 5:06 p.m.
Applied, thanks!

Pavel Tikhomirov Nov. 5, 2019, 8:12 a.m.
JFYI,

>+       do_or_fail "can't install a state match" \
>+               nft add rule filter INPUT \
>+               ct state related,established accept

1) No one can be sure that filter table and INPUT chain are in nft ruleset.
Maybe it is ensured by something outside test/zdtm/static/conntracks, sorry
if I'm missing it. But if not, these would fail.

2) Patch to support nft migration is only in VZ7 criu yet
(https://src.openvz.org/projects/OVZ/repos/criu/commits/256854a9ecfbc0da4b3053a805facfd6c39939e8),
maybe it's a bit early to add a test for nft as it should fail AFAICS. But
the test is "noauto" so maybe we don't care anyway.

Best Regards, Tikhomirov Pavel.