* [PATCH nft 0/4] more tests/shell updates to run on 5.4 kernels
@ 2023-11-15 9:42 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-11-15 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw, thaller
Hi,

This patchset contains more updates for tests/shell to support 5.4 kernels:

1) Detect if kernel comes with flowtable counter support.
2) Detect if kernel comes with flowtables that can be defined with no devices.
3) Skip pipapo tests in transactions/30s-stress.
4) Restore pipapo and chain binding tests in transactions/30s-stress
   when it is run standalone.

I am still dealing with 3 tests that fail in 5.4, one of them is:

  sets/sets_with_ifnames

which needs a bit of work to detach pipapo support from it.

The remaining two failing tests are related to the flowtable, I am still
diagnosing these.

Pablo Neira Ayuso (4):
  tests: shell: skip if kernel does not support flowtable counter
  tests: shell: skip if kernel does not support flowtable with no devices
  tests: shell: skip pipapo set backend in transactions/30s-stress
  tests: shell: restore pipapo and chain binding coverage in standalone 30s-stress

tests/shell/features/flowtable_counter.sh | 16 +++++
tests/shell/features/flowtable_no_devices.nft | 8 +++
.../flowtable/0012flowtable_variable_0 | 2 +
tests/shell/testcases/listing/0020flowtable_0 | 2 +
tests/shell/testcases/transactions/30s-stress | 60 ++++++++++++++++---
5 files changed, 81 insertions(+), 7 deletions(-)
create mode 100755 tests/shell/features/flowtable_counter.sh
create mode 100755 tests/shell/features/flowtable_no_devices.nft
--
2.30.2
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH nft 1/4] tests: shell: skip if kernel does not support flowtable counter 2023-11-15 9:42 [PATCH nft 0/4] more tests/shell updates to run on 5.4 kernels Pablo Neira Ayuso @ 2023-11-15 9:42 ` Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 2/4] tests: shell: skip if kernel does not support flowtable with no devices Pablo Neira Ayuso ` (2 subsequent siblings) 3 siblings, 0 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2023-11-15 9:42 UTC (permalink / raw) To: netfilter-devel; +Cc: fw, thaller Check if kernel provides flowtable counter supports which is available since 53c2b2899af7 ("netfilter: flowtable: add counter support"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- tests/shell/features/flowtable_counter.sh | 16 ++++++++++++++++ .../testcases/flowtable/0012flowtable_variable_0 | 2 ++ 2 files changed, 18 insertions(+) create mode 100755 tests/shell/features/flowtable_counter.sh diff --git a/tests/shell/features/flowtable_counter.sh b/tests/shell/features/flowtable_counter.sh new file mode 100755 index 000000000000..a4c4c62124b0 --- /dev/null +++ b/tests/shell/features/flowtable_counter.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# 53c2b2899af7 ("netfilter: flowtable: add counter support") +# v5.7-rc1~146^2~12^2~16 + +EXPECTED="table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + devices = { lo } + counter + } +}" + +$NFT -f - <<< $EXPECTED + +diff -u <($NFT list ruleset) - <<<"$EXPECTED" diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0 index 080059d24935..9c03820f128e 100755 --- a/tests/shell/testcases/flowtable/0012flowtable_variable_0 +++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0 @@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_counter) + set -e iface_cleanup() { -- 2.30.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
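Review bot: in tests/shell/features/flowtable_counter.sh the load step `$NFT -f - <<< $EXPECTED` leaves the expansion unquoted, while the `diff -u` two lines later uses `<<<"$EXPECTED"`. Bash releases before 4.4 word-split an unquoted here-string and rejoin it with single spaces, so the two steps would not see the same text; quote it as `<<< "$EXPECTED"`. The script also has no `set -e`, so the probe result rests entirely on the exit status of the final diff; a one-line comment saying that this is intended would help the next reader.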
* [PATCH nft 2/4] tests: shell: skip if kernel does not support flowtable with no devices 2023-11-15 9:42 [PATCH nft 0/4] more tests/shell updates to run on 5.4 kernels Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 1/4] tests: shell: skip if kernel does not support flowtable counter Pablo Neira Ayuso @ 2023-11-15 9:42 ` Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 3/4] tests: shell: skip pipapo set backend in transactions/30s-stress Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 4/4] tests: shell: restore pipapo and chain binding coverage in standalone 30s-stress Pablo Neira Ayuso 3 siblings, 0 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2023-11-15 9:42 UTC (permalink / raw) To: netfilter-devel; +Cc: fw, thaller Originally, flowtables required devices in place to work, this was later relaxed to allow flowtable with no initial devices, see 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- tests/shell/features/flowtable_no_devices.nft | 8 ++++++++ tests/shell/testcases/listing/0020flowtable_0 | 2 ++ 2 files changed, 10 insertions(+) create mode 100755 tests/shell/features/flowtable_no_devices.nft diff --git a/tests/shell/features/flowtable_no_devices.nft b/tests/shell/features/flowtable_no_devices.nft new file mode 100755 index 000000000000..30dd3db8b8dd --- /dev/null +++ b/tests/shell/features/flowtable_no_devices.nft @@ -0,0 +1,8 @@ +# 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices") +# v5.8-rc1~165^2~27^2~1 +table ip filter2 { + flowtable main_ft2 { + hook ingress priority filter + counter + } +} diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0 index 6eb82cfeabc3..0e89f5dd0139 100755 --- a/tests/shell/testcases/listing/0020flowtable_0 +++ b/tests/shell/testcases/listing/0020flowtable_0 
@@ -1,5 +1,7 @@ #!/bin/bash +# NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_no_devices) + # list only the flowtable asked for with table set -e -- 2.30.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
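Review bot: the probe in tests/shell/features/flowtable_no_devices.nft declares `counter` inside `flowtable main_ft2`, so it checks two features at once. Going by the comments in this series, counter support is 53c2b2899af7 (v5.7-rc1) and device-less flowtables are 05abe4456fa3 (v5.8-rc1); on a kernel that carries the second change but not the first, this probe fails and tests tagged `NFT_TEST_REQUIRES(NFT_TEST_HAVE_flowtable_no_devices)` are skipped for the wrong reason. Dropping the `counter` line keeps the probe tied to the one feature it is named after. The file is also created with mode 100755 although it is an .nft ruleset rather than a script.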
* [PATCH nft 3/4] tests: shell: skip pipapo set backend in transactions/30s-stress 2023-11-15 9:42 [PATCH nft 0/4] more tests/shell updates to run on 5.4 kernels Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 1/4] tests: shell: skip if kernel does not support flowtable counter Pablo Neira Ayuso 2023-11-15 9:42 ` [PATCH nft 2/4] tests: shell: skip if kernel does not support flowtable with no devices Pablo Neira Ayuso @ 2023-11-15 9:42 ` Pablo Neira Ayuso 2023-11-15 10:25 ` Thomas Haller 2023-11-15 9:42 ` [PATCH nft 4/4] tests: shell: restore pipapo and chain binding coverage in standalone 30s-stress Pablo Neira Ayuso 3 siblings, 1 reply; 7+ messages in thread From: Pablo Neira Ayuso @ 2023-11-15 9:42 UTC (permalink / raw) To: netfilter-devel; +Cc: fw, thaller Skip tests with concatenations and intervals if kernel does not support it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- tests/shell/testcases/transactions/30s-stress | 51 ++++++++++++++++--- 1 file changed, 44 insertions(+), 7 deletions(-) diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress index 4c3c6a275941..b6ad06abed32 100755 --- a/tests/shell/testcases/transactions/30s-stress +++ b/tests/shell/testcases/transactions/30s-stress @@ -38,6 +38,10 @@ if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then fi fi +if [ "$NFT_TEST_HAVE_pipapo" != y ] ;then + echo "Skipping pipapo set backend, kernel does not support it" +fi + testns=testns-$(mktemp -u "XXXXXXXX") tmp="" @@ -264,6 +268,19 @@ randdelns() done } +available_flags() +{ + local -n available_flags=$1 + selected_key=$2 + if [ "$selected_key" == "single" ] ;then + available_flags+=("interval") + elif [ "$selected_key" == "concat" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + available_flags+=("interval") + fi + fi +} + random_element_string="" # create a random element. Could cause any of the following: 
@@ -295,7 +312,10 @@ random_elem() fr=$((RANDOM%2)) f=0 - for flags in "" "interval" ; do + + FLAGS=("") + available_flags FLAGS $key + for flags in ${FLAGS[@]} ; do cnt=$((cnt+1)) if [ $f -ne fkr ] ;then f=$((f+1)) @@ -504,8 +524,10 @@ for table in $tables; do # bitmap 2byte echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" - # pipapo (concat + set), with goto anonymous chain. - gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi # add a few anonymous sets. rhashtable is convered by named sets below. c=$((RANDOM%$count)) @@ -518,8 +540,10 @@ for table in $tables; do # bitmap 2byte echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp" echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp" - # pipapo (concat + set), with goto anonymous chain. - gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + # pipapo (concat + set), with goto anonymous chain. + gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp" + fi # add constant/immutable sets size=$((RANDOM%5120000)) 
@@ -533,12 +557,21 @@ for table in $tables; do # add named sets with various combinations (plain value, range, concatenated values, concatenated ranges, with timeouts, with data ...) for key in "ip saddr" "ip saddr . tcp dport"; do - for flags in "" "flags interval;" ; do + FLAGS=("") + if [ "$key" == "ip saddr" ] ;then + FLAGS+=("flags interval;") + elif [ "$key" == "ip saddr . tcp dport" ] ;then + if [ "$NFT_TEST_HAVE_pipapo" = y ] ;then + FLAGS+=("flags interval;") + fi + fi + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do timeout=$((RANDOM%10)) timeout=$((timeout+1)) timeout="timeout ${timeout}s" cnt=$((cnt+1)) + flags=${FLAGS[$i]} echo "add set inet $table set_${cnt} { typeof ${key} ; ${flags} }" >> "$tmp" echo "add set inet $table sett${cnt} { typeof ${key} ; $timeout; ${flags} }" >> "$tmp" echo "add map inet $table dmap_${cnt} { typeof ${key} : meta mark ; ${flags} }" >> "$tmp" @@ -550,7 +583,11 @@ for table in $tables; do cnt=0 for key in "single" "concat"; do - for flags in "" "interval" ; do + FLAGS=("") + available_flags FLAGS $key + + for ((i = 0; i < ${#FLAGS[@]}; i++)) ; do + flags=${FLAGS[$i]} want="${key}${flags}" cnt=$((cnt+1)) maxip=$((RANDOM%256)) -- 2.30.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
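Review bot: in the new available_flags() helper (hunk at @@ -264), `selected_key=$2` is assigned without `local`, so every call overwrites a global of that name, and the nameref `local -n available_flags=$1` reuses the function's own name, which also breaks with a circular reference if a caller ever passes an array called `available_flags`. Suggest `local selected_key=$2` and a distinct nameref name, for example `local -n out=$1`. The helper mixes `==` and `=` inside `[ ]`; picking `=` throughout matches the rest of the patch.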
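Review bot: in the random_elem() hunk (@@ -295), `for flags in ${FLAGS[@]}` expands the array unquoted, so the empty first element from `FLAGS=("")` is dropped and the loop no longer visits the no-flags case that the old `for flags in "" "interval"` covered; for the concat key without pipapo the body does not run at all. Use `for flags in "${FLAGS[@]}"`, or the index loop that the later hunks in this patch use (`for ((i = 0; i < ${#FLAGS[@]}; i++))`), and quote `"$key"` in the `available_flags FLAGS $key` call. The context line `if [ $f -ne fkr ]` in the same hunk compares against the literal word `fkr`; with `fr=$((RANDOM%2))` set just above it, `$fr` looks like what was meant.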
* Re: [PATCH nft 3/4] tests: shell: skip pipapo set backend in transactions/30s-stress
From: Thomas Haller @ 2023-11-15 10:25 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: fw

On Wed, 2023-11-15 at 10:42 +0100, Pablo Neira Ayuso wrote:
>
>
> +if [ "$NFT_TEST_HAVE_pipapo" != y ] ;then
> + echo "Skipping pipapo set backend, kernel does not support
> it"
> +fi

It's good and useful to run a reduced subset of the test, if some
kernel feature is missing.

But in that case, the end of the test should have something like

    if [ "$NFT_TEST_HAVE_pipapo" = n ] ; then
        echo "Ran a partial test only, due to NFT_TEST_HAVE_pipapo=n"
        exit 77
    fi

so that it shows up as skipped. In other words, "partially skipped"
should also show up as skipped.

Btw, I find it better to compare the $NFT_TEST_HAVE_ variables only
against "n", like:

    if [ "$NFT_TEST_HAVE_pipapo" = n ] ; then
    if [ "$NFT_TEST_HAVE_pipapo" != n ] ; then

so that the SKIPPING only happens after an explicit opt-out. Then you
wouldn't need the workaround

    if [ -z "${NFT_TEST_HAVE_pipapo+x}" ]; then
        NFT_TEST_HAVE_pipapo=y
    fi

above.

* Re: [PATCH nft 3/4] tests: shell: skip pipapo set backend in transactions/30s-stress
From: Pablo Neira Ayuso @ 2023-11-15 10:34 UTC (permalink / raw)
To: Thomas Haller; +Cc: netfilter-devel, fw

On Wed, Nov 15, 2023 at 11:25:44AM +0100, Thomas Haller wrote:
> On Wed, 2023-11-15 at 10:42 +0100, Pablo Neira Ayuso wrote:
> >
> >
> > +if [ "$NFT_TEST_HAVE_pipapo" != y ] ;then
> > + echo "Skipping pipapo set backend, kernel does not support
> > it"
> > +fi
>
> It's good and useful to run a reduced subset of the test, if some
> kernel feature is missing.
>
> But in that case, the end of the test should have something like
>
>     if [ "$NFT_TEST_HAVE_pipapo" = n ] ; then
>         echo "Ran a partial test only, due to NFT_TEST_HAVE_pipapo=n"
>         exit 77
>     fi
>
> so that it shows up as skipped. In other words, "partially skipped"
> should also show up as skipped.

I don't want this. This test is very useful in older kernels to catch
bugs, I don't want to see a SKIPPED here. I prefer the test autoadapts
itself to what the kernel provides.

* [PATCH nft 4/4] tests: shell: restore pipapo and chain binding coverage in standalone 30s-stress 2023-11-15 9:42 [PATCH nft 0/4] more tests/shell updates to run on 5.4 kernels Pablo Neira Ayuso ` (2 preceding siblings ...) 2023-11-15 9:42 ` [PATCH nft 3/4] tests: shell: skip pipapo set backend in transactions/30s-stress Pablo Neira Ayuso @ 2023-11-15 9:42 ` Pablo Neira Ayuso 3 siblings, 0 replies; 7+ messages in thread From: Pablo Neira Ayuso @ 2023-11-15 9:42 UTC (permalink / raw) To: netfilter-devel; +Cc: fw, thaller Do not disable pipapo and chain binding coverage for standalone runs by default. Instead, turn them on by default and allow users to disable them through: # export NFT_TEST_HAVE_chain_binding=n; bash tests/shell/testcases/transactions/30s-stress 3600 ... running standalone with: NFT_TEST_HAVE_chain_binding=n NFT_TEST_HAVE_pipapo=y given feature detection is not available in this case, thus, user has to provide an explicit hint on what this kernel supports. Fixes: c5b5b1044fdd ("tests/shell: add feature probing via "features/*.nft" files") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- tests/shell/testcases/transactions/30s-stress | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress index b6ad06abed32..5c0a9465711b 100755 --- a/tests/shell/testcases/transactions/30s-stress +++ b/tests/shell/testcases/transactions/30s-stress 
@@ -6,6 +6,15 @@ runtime=30 # allow stand-alone execution as well, e.g. '$0 3600' if [ x"$1" != "x" ] ;then + echo "running standalone with:" + if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ]; then + NFT_TEST_HAVE_chain_binding=y + fi + if [ -z "${NFT_TEST_HAVE_pipapo+x}" ]; then + NFT_TEST_HAVE_pipapo=y + fi + echo "NFT_TEST_HAVE_chain_binding="$NFT_TEST_HAVE_chain_binding + echo "NFT_TEST_HAVE_pipapo="$NFT_TEST_HAVE_pipapo if [ $1 -ge 0 ]; then runtime="$1" else -- 2.30.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
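Review bot: the two status lines added in the standalone branch put the expansion outside the quotes (`echo "NFT_TEST_HAVE_pipapo="$NFT_TEST_HAVE_pipapo`, and the same for chain_binding), so the value is subject to word splitting and globbing; write `echo "NFT_TEST_HAVE_pipapo=$NFT_TEST_HAVE_pipapo"`. Only an unset variable gets the `y` default here, and the checks added in 3/4 test for `= y`, so an empty or mistyped value such as `yes` turns the coverage off without any error; rejecting anything other than `y` or `n` at this point would make that visible. The commit message shows `export NFT_TEST_HAVE_chain_binding=n` but does not mention that NFT_TEST_HAVE_pipapo is overridden the same way; one more line there would document it.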