From: Stefano Brivio <sbrivio@redhat.com>
To: Phil Sutter <phil@nwl.cc>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft] tests: shell: Avoid breaking basic connectivity when run
Date: Tue, 26 May 2020 01:12:36 +0200
Message-ID: <20200526011236.2fe8ae7b@redhat.com>
In-Reply-To: <20200525155952.GW17795@orbyte.nwl.cc>

On Mon, 25 May 2020 17:59:52 +0200
Phil Sutter <phil@nwl.cc> wrote:

> Hi,
> 
> On Sun, May 24, 2020 at 02:59:57PM +0200, Stefano Brivio wrote:
> > It might be convenient to run tests from a development branch that
> > resides on another host, and if we break connectivity on the test
> > host as tests are executed, we can't run them this way.
> > 
> > To preserve connectivity, for shell tests, we can simply use the
> > 'forward' hook instead of 'input' in chains/0036_policy_variable_0
> > and transactions/0011_chain_0, without affecting test coverage.
> > 
> > For py tests, this is more complicated as some test cases install
> > chains for all the available hooks, and we would probably need a
> > more refined approach to avoid dropping relevant traffic, so I'm
> > not covering that right now.  
> 
> This is a recurring issue, iptables testsuites suffer from this problem
> as well. There it was solved by running everything in a dedicated netns:
> 
> iptables/tests/shell: Call testscripts via 'unshare -n <file>'.
> iptables-test.py: If called with --netns, 'ip netns exec <foo>' is
> added as prefix to any of the iptables commands.

Funny, I thought about doing that in the past and stopped before I could
even type 'unshare'. Silly, everything will break, I thought.

Nope, not at all, now that you say that... both 'unshare -n
./nft-test.py' and 'unshare -n ./run-tests.sh' worked flawlessly.

A minor concern I have is that if CONFIG_NETNS is not set we can't do
that. But we could add a check and run them in the init namespace if
namespaces are not available, that looks reasonable enough.

> I considered doing the same in nftables testsuites several times but
> never managed to keep me motivated enough. Maybe you want to give it a
> try?

I would do that from the main script itself (and figure out how it
should be done in Python, too), just once, it looks cleaner and we
don't change how test scripts are invoked. Something like this:
	https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/tree/tools/testing/selftests/netfilter/nft_concat_range.sh#n1463

-- 
Stefano
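
The approach discussed in this message (enter a network namespace once from the main script, and fall back to the init namespace when one cannot be created), as an added example that is not part of the original thread or of the nftables test suite. The names `IN_TEST_NETNS`, `NETNS_PROBE`, `netns_available`, `netns_plan` and `enter_netns` are hypothetical.

```shell
#!/bin/sh
# Added example: isolate a firewall test runner in its own network namespace
# so that rules installed by tests cannot cut off the host's connectivity.
# IN_TEST_NETNS and NETNS_PROBE are hypothetical variable names.

# Succeeds only if 'unshare -n' can actually create a network namespace.
# It fails when the kernel lacks network namespace support, when unshare(1)
# is missing, or when the caller lacks the privilege to create a namespace.
netns_available() {
    command -v unshare >/dev/null 2>&1 || return 1
    unshare -n true 2>/dev/null
}

# Prints what the runner should do:
#   isolated - already re-executed inside a fresh namespace
#   unshare  - namespaces work, re-execute under 'unshare -n'
#   init     - namespaces unavailable, stay in the init namespace
# NETNS_PROBE lets a caller substitute the availability check.
netns_plan() {
    if [ "${IN_TEST_NETNS:-0}" = "1" ]; then
        echo isolated
    elif "${NETNS_PROBE:-netns_available}"; then
        echo unshare
    else
        echo init
    fi
}

# Call once at the top of the main script, before any test is run:
#   enter_netns "$@"
# Individual test scripts are invoked exactly as before.
enter_netns() {
    case "$(netns_plan)" in
    unshare)
        # The marker stops the re-executed copy from unsharing again.
        export IN_TEST_NETNS=1
        exec unshare -n "$0" "$@"
        ;;
    init)
        echo "W: no network namespace available, tests will" \
             "modify the ruleset of the init namespace" >&2
        ;;
    esac
}
```

A fresh namespace starts with only a down loopback interface, so a runner whose tests need `lo` has to bring it up after re-executing.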
