Buildroot Archive on lore.kernel.org
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Julien Olivain <ju.o@free.fr>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] support/testing/tests/package/test_nftables.py: new runtime test
Date: Sun, 20 Aug 2023 16:27:57 +0200
Message-ID: <20230820142757.GN1778688@scaer>
In-Reply-To: <20230820103343.353423-1-ju.o@free.fr>

Julien, All,

On 2023-08-20 12:33 +0200, Julien Olivain spake thusly:
> This runtime test was suggested in discussion [1]. It should detect
> potential runtime failures such as the one fixed in commit eb74998125
> "package/nftables: fix the build of the pyhon bindings".

Note that this runtime test would *not* have caught the issue that was
uncovered in [1], because it implied a hidden dependency that was not
expressed in nftables' dependency chain, but was built before nftables
due to another package selecting it.

Still, a runtime test is very nice to have nonetheless! :-)

> [1] https://lists.buildroot.org/pipermail/buildroot/2023-August/672864.html
> 
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Signed-off-by: Julien Olivain <ju.o@free.fr>

Applied to master, after adding a blurb in the commit log why we need a
special kernel, thanks.

Regards,
Yann E. MORIN.

> ---
> Patch tested on branch master at commit eb74998 with commands:
> 
>     utils/docker-run make check-package
>     ...
>     0 warnings generated
> 
>     support/testing/run-tests \
>         -d dl -o output_folder \
>         tests.package.test_nftables
>     ...
>     OK
> ---
>  DEVELOPERS                                    |   2 +
>  .../testing/tests/package/test_nftables.py    | 110 ++++++++++++++++++
>  .../test_nftables/rootfs-overlay/root/nft.py  |  22 ++++
>  3 files changed, 134 insertions(+)
>  create mode 100644 support/testing/tests/package/test_nftables.py
>  create mode 100755 support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 6ffa3ee693..9b500f3701 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1776,6 +1776,8 @@ F:	support/testing/tests/package/test_lz4.py
>  F:	support/testing/tests/package/test_lzop.py
>  F:	support/testing/tests/package/test_mtools.py
>  F:	support/testing/tests/package/test_ncdu.py
> +F:	support/testing/tests/package/test_nftables.py
> +F:	support/testing/tests/package/test_nftables/
>  F:	support/testing/tests/package/test_octave.py
>  F:	support/testing/tests/package/test_ola.py
>  F:	support/testing/tests/package/test_ola/
> diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py
> new file mode 100644
> index 0000000000..7fcc2902b6
> --- /dev/null
> +++ b/support/testing/tests/package/test_nftables.py
> @@ -0,0 +1,110 @@
> +import os
> +
> +import infra.basetest
> +
> +
> +class TestNftables(infra.basetest.BRTest):
> +    config = \
> +        """
> +        BR2_aarch64=y
> +        BR2_TOOLCHAIN_EXTERNAL=y
> +        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> +        BR2_LINUX_KERNEL=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.46"
> +        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
> +        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
> +        BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
> +        BR2_PACKAGE_NFTABLES=y
> +        BR2_PACKAGE_NFTABLES_PYTHON=y
> +        BR2_PACKAGE_PYTHON3=y
> +        BR2_ROOTFS_OVERLAY="{}"
> +        BR2_TARGET_ROOTFS_CPIO=y
> +        BR2_TARGET_ROOTFS_CPIO_GZIP=y
> +        # BR2_TARGET_ROOTFS_TAR is not set
> +        """.format(
> +                infra.filepath("tests/package/test_nftables/rootfs-overlay"))
> +
> +    def nftables_test(self, prog="nft"):
> +        # Table/Chain names for the test
> +        nft_table = "br_ip_table"
> +        nft_chain = "br_ip_chain_in"
> +
> +        # We flush all nftables rules, to start from a known state.
> +        self.assertRunOk(f"{prog} flush ruleset")
> +
> +        # We create an ip table.
> +        self.assertRunOk(f"{prog} add table ip {nft_table}")
> +
> +        # We should be able to list this table.
> +        list_cmd = f"{prog} list tables ip"
> +        output, exit_code = self.emulator.run(list_cmd)
> +        self.assertEqual(exit_code, 0)
> +        self.assertIn(nft_table, output[0])
> +
> +        # We create an ip input chain in our table.
> +        cmd = f"{prog} add chain ip"
> +        cmd += f" {nft_table} {nft_chain}"
> +        cmd += " { type filter hook input priority 0 \\; }"
> +        self.assertRunOk(cmd)
> +
> +        # We list our chain.
> +        cmd = f"{prog} list chain ip {nft_table} {nft_chain}"
> +        self.assertRunOk(cmd)
> +
> +        # We add a filter rule to drop pings (icmp echo-requests) to
> +        # the 127.0.0.2 destination.
> +        cmd = f"{prog} add rule ip {nft_table} {nft_chain}"
> +        cmd += " ip daddr 127.0.0.2 icmp type echo-request drop"
> +        self.assertRunOk(cmd)
> +
> +        # We list our rule.
> +        self.assertRunOk(f"{prog} list ruleset ip")
> +
> +        # A ping to 127.0.0.1 is expected to work, because it's not
> +        # matching our rule. We expect 3 replies (-c), with 0.5s
> +        # internal (-i), and set a maximum timeout of 2s.
> +        ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 "
> +        self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
> +
> +        # A ping to 127.0.0.2 is expected to fail, because our rule is
> +        # supposed to drop it.
> +        ping_test_cmd = ping_cmd_prefix + "127.0.0.2"
> +        _, exit_code = self.emulator.run(ping_test_cmd)
> +        self.assertNotEqual(exit_code, 0)
> +
> +        # We completely delete the table. This should also delete the
> +        # chain and the rule.
> +        self.assertRunOk(f"{prog} delete table ip {nft_table}")
> +
> +        # We should no longer see the table in the list.
> +        output, exit_code = self.emulator.run(list_cmd)
> +        self.assertEqual(exit_code, 0)
> +        self.assertNotIn(nft_table, "\n".join(output))
> +
> +        # Since we deleted the rule, the ping test command which was
> +        # supposed to fail earlier is now supposed to succeed.
> +        self.assertRunOk(ping_test_cmd)
> +
> +    def test_run(self):
> +        img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
> +        kern = os.path.join(self.builddir, "images", "Image")
> +        self.emulator.boot(arch="aarch64",
> +                           kernel=kern,
> +                           kernel_cmdline=["console=ttyAMA0"],
> +                           options=["-M", "virt",
> +                                    "-cpu", "cortex-a57",
> +                                    "-m", "256M",
> +                                    "-initrd", img])
> +        self.emulator.login()
> +
> +        # We check the program can execute.
> +        self.assertRunOk("nft --version")
> +
> +        # We run the nftables test sequence using the default "nft"
> +        # user space configuration tool.
> +        self.nftables_test()
> +
> +        # We run again the same test sequence using our simple nft
> +        # python implementation, to check the language bindings.
> +        self.nftables_test(prog="/root/nft.py")
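
Review bot: the presence check `self.assertIn(nft_table, output[0])` in `nftables_test()` looks only at the first line of the `list tables ip` output, whereas the absence check after `delete table` searches `"\n".join(output)`; use the joined form in both places so the test does not depend on the table being printed on line one. Separately, the config selects a custom 6.1.46 kernel with `board/qemu/aarch64-virt/linux.config` without a comment saying why a special kernel is needed; a short comment above `config` would keep that reasoning next to the code. Minor: in the ping comment, "0.5s internal (-i)" should read "interval".
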
> diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py b/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py
> new file mode 100755
> index 0000000000..89de8e25d1
> --- /dev/null
> +++ b/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py
> @@ -0,0 +1,22 @@
> +#! /usr/bin/env python3
> +#
> +# This is a simple reimplementation of the "nft" user-space tool in
> +# Python, in order to test language bindings. It does not support any
> +# command line argument supported by the nftables "nft" tool, but
> +# supports all nftables commands used in the Buildroot runtime test.
> +
> +import sys
> +
> +import nftables
> +
> +
> +nft = nftables.nftables.Nftables()
> +cmd = " ".join(sys.argv[1:])
> +ret_code, output, error = nft.cmd(cmd)
> +
> +if len(output) > 0:
> +    print(output.strip())
> +if len(error) > 0:
> +    print(error.strip())
> +
> +sys.exit(ret_code)
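
Review bot: `print(error.strip())` sends the nftables error text to stdout, so a caller that captures the output (as `self.emulator.run()` does in the test) cannot tell diagnostics from results; since this script stands in for `nft`, print errors with `file=sys.stderr`. The header comment could also mention that `" ".join(sys.argv[1:])` flattens all arguments into a single command string, since that is what lets the test pass the same argument list to both programs.
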
> -- 
> 2.41.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'