Certain Linux distributions, like CentOS, have default iptables rules to reject input traffic from bridges such as br-underlay.
To address this, IPTABLES_ACCEPT adds an iptables rule to always accept the traffic. As part of an effort to use nft in place of iptables in the testsuite, implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. As the condition where IPTABLES_ACCEPT is needed implies the existence of an INPUT chain, only instantiate an nft rule in that chain if it already exists. Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if nft is available, and IPTABLES_ACCEPT otherwise. And provide OVS_CHECK_XT, which can be used to check if the prerequisites for running XT_ACCEPT are present, and skips the current test otherwise. Update the one test where IPTABLES_ACCEPT is used so that it now uses XT_ACCEPT and OVS_CHECK_XT.

Signed-off-by: Simon Horman <[email protected]>
---
v2: Drop dependency on jq: use sed instead
---
 tests/atlocal.in | 3 +++
 tests/ovs-macros.at | 26 ++++++++++++++++++++++++--
 tests/system-common-macros.at | 4 ++++
 tests/system-traffic.at | 4 ++--
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/tests/atlocal.in b/tests/atlocal.in index d6b87f8ec776..1c3d4891a7fc 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in @@ -188,6 +188,9 @@ find_command ethtool # Set HAVE_IPTABLES find_command iptables +# Set HAVE_NFT +find_command nft + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" # Determine whether "diff" supports "normal" diffs. (busybox diff does not.) diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at index f1b8041fbac9..90258ef07b59 100644 --- a/tests/ovs-macros.at +++ b/tests/ovs-macros.at 
@@ -360,9 +360,31 @@ m4_ifndef([AT_FAIL_IF], [AT_CHECK([($1) \ && exit 99 || exit 0], [0], [ignore], [ignore])])]) -dnl Certain Linux distributions, like CentOS, have default iptable rules -dnl to reject input traffic from bridges such as br-underlay. dnl Add a rule to always accept the traffic. m4_define([IPTABLES_ACCEPT], [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) on_exit 'iptables -D INPUT 1']) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl This implies the existence of a ip filter INPUT chain. +dnl If that chain exists then add a rule to it to always accept all traffic. +m4_define([NFT_ACCEPT], + [if nft list chain ip filter INPUT > /dev/null 2>1; then + AT_CHECK([nft -ae \ + "insert rule ip filter INPUT iifname \"$1\" counter accept"], + [0], [stdout-nolog]) + dnl Extract handle, which is used to delete the rule + AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout]) + on_exit "nft \"delete rule ip filter INPUT handle $(cat stdout)\"" + fi]) + +dnl Certain Linux distributions, like CentOS, have default iptable rules +dnl to reject input traffic from bridges such as br-underlay. +dnl Add a rule to always accept the traffic. +m4_define([XT_ACCEPT], + [if test $HAVE_NFT = yes; then + NFT_ACCEPT([$1]) + else + IPTABLES_ACCEPT([$1]) + fi]) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index ff86d15cdab7..a6be419f60f1 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -379,3 +379,7 @@ m4_define([OVS_CHECK_DROP_ACTION], # OVS_CHECK_PSAMPLE() m4_define([OVS_CHECK_PSAMPLE], [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])]) + +# OVS_CHECK_XT() +m4_define([OVS_CHECK_XT], + [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index a04d9611053e..2b1686e99391 100644 --- a/tests/system-traffic.at 
+++ b/tests/system-traffic.at @@ -1186,7 +1186,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while AT_CLEANUP AT_SETUP([datapath - ping over gre tunnel by simulated packets]) -AT_SKIP_IF([test $HAVE_IPTABLES = no]) +OVS_CHECK_XT() OVS_CHECK_MIN_KERNEL(3, 10) OVS_TRAFFIC_VSWITCHD_START() @@ -1206,7 +1206,7 @@ AT_CHECK([ip link set dev br-underlay up]) dnl Set up tunnel endpoints on OVS outside the namespace. ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) -IPTABLES_ACCEPT([br-underlay]) +XT_ACCEPT([br-underlay]) NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) sleep 1 -- 2.45.2 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
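Review bot: the two `dnl Certain Linux distributions ... br-underlay.` lines removed from above IPTABLES_ACCEPT in the ovs-macros.at hunk reappear verbatim above both NFT_ACCEPT and XT_ACCEPT, so the rationale is now stated twice while IPTABLES_ACCEPT is left with only `dnl Add a rule to always accept the traffic.` Keep the rationale once, above XT_ACCEPT since that is the macro tests now call, and have the two backend macros say only which tool they drive; in the same pass, `dnl This implies the existence of a ip filter INPUT chain.` should read `an ip filter INPUT chain`.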
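Review bot: `2>1` in NFT_ACCEPT's existence test, `nft list chain ip filter INPUT > /dev/null 2>1`, is a typo for `2>&1`: as written it creates a file named `1` in the test's working directory and writes nft's stderr into it, so the diagnostics are neither discarded nor visible in the log. Two smaller points in the same macro: `sed -n 's/.*handle //; T; p'` depends on the `T` command, a GNU extension, whereas `sed -n 's/.*handle //p'` prints only when the substitution matched and is POSIX, which matters in a suite that already works around busybox tools; and when the chain is absent the macro adds nothing and says nothing, so a later ping failure on such a host leaves no clue in the log. An `else echo "no ip filter INPUT chain; not adding accept rule"` branch would make that visible.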
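Review bot: XT_ACCEPT chooses NFT_ACCEPT purely on `test $HAVE_NFT = yes`, i.e. on an nft binary being in PATH, not on nf_tables being the backend that actually holds the distribution's reject rule. On a host where that rule was loaded through iptables-legacy, nft cannot see it, `nft list chain ip filter INPUT` fails, NFT_ACCEPT becomes a no-op and the gre test fails even though `iptables` is installed and IPTABLES_ACCEPT would have worked, while OVS_CHECK_XT still reports the prerequisites as present. Suggest either falling back to IPTABLES_ACCEPT when HAVE_IPTABLES is yes and the nft chain is absent, or keying the choice on whether `iptables -V` reports `(nf_tables)` rather than `(legacy)`.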
