[PATCH] tests: fix broken nftables test data so that individual tests are successful

Laine Stump posted 1 patch 2 months, 3 weeks ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20240612192554.215616-1-laine@redhat.com
tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
1 file changed, 42 insertions(+), 160 deletions(-)
Posted by Laine Stump 2 months, 3 weeks ago
When the chain names and table name used by the nftables firewall
backend were changed in commit
958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test
data file base.nftables, which has the extra "list" and "add
chain/table" commands that are generated for the first test case of
networkxml2firewalltest.c. When the full set of tests is run, the
first test will be an iptables test case, so those extra commands
won't be added to any of the nftables cases, and so the data in
base.nftables never matches, and the tests are all successful.

However, if the tests are limited with, e.g. VIR_TEST_RANGE=2 (test #2
will be the nftables version of the 1st test case), then the commands
to add nftables table/chains *will* be generated in the test output,
and so the test will fail. Because I was only running the entire test
series after the initial commits of nftables tests, I didn't notice
this. Until now.

base.nftables has now been updated to reflect the current names for
chains/table, and running individual test cases is once again
successful.

Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38
Signed-off-by: Laine Stump <laine@redhat.com>
---
 tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
 1 file changed, 42 insertions(+), 160 deletions(-)

diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables
index 4f1f475a85..a064318739 100644
--- a/tests/networkxml2firewalldata/base.nftables
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -2,255 +2,137 @@ nft \
 list \
 table \
 ip \
-libvirt
+libvirt_network
 nft \
 add \
 table \
 ip \
-libvirt
+libvirt_network
 nft \
 add \
 chain \
 ip \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 '{ type filter hook forward priority 0; policy accept; }'
 nft \
 add \
 chain \
 ip \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_INP
-nft \
-insert \
-rule \
-ip \
-libvirt \
-INPUT \
-counter \
-jump \
-LIBVIRT_INP
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_OUT
-nft \
-insert \
-rule \
-ip \
-libvirt \
-OUTPUT \
-counter \
-jump \
-LIBVIRT_OUT
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_output
 nft \
 insert \
 rule \
 ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWO
+guest_output
 nft \
 add \
 chain \
 ip \
-libvirt \
-LIBVIRT_FWI
+libvirt_network \
+guest_input
 nft \
 insert \
 rule \
 ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWI
+guest_input
 nft \
 add \
 chain \
 ip \
-libvirt \
-LIBVIRT_FWX
+libvirt_network \
+guest_cross
 nft \
 insert \
 rule \
 ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWX
+guest_cross
 nft \
 add \
 chain \
 ip \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
 nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
-nft \
 list \
 table \
 ip6 \
-libvirt
+libvirt_network
 nft \
 add \
 table \
 ip6 \
-libvirt
+libvirt_network
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 '{ type filter hook forward priority 0; policy accept; }'
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_INP
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-INPUT \
-counter \
-jump \
-LIBVIRT_INP
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_OUT
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-OUTPUT \
-counter \
-jump \
-LIBVIRT_OUT
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_output
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWO
+guest_output
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-LIBVIRT_FWI
+libvirt_network \
+guest_input
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWI
+guest_input
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-LIBVIRT_FWX
+libvirt_network \
+guest_cross
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWX
+guest_cross
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
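Review bot: Nothing here stops base.nftables from going stale again, and that applies to the whole preamble this hunk rewrites (the "list table" / "add table" / "add chain" commands for ip and ip6). Per the commit message, in a full run the first test is an iptables case, so these commands are never generated for an nftables case and this file's contents go unchecked; only a restricted run such as VIR_TEST_RANGE=2 exposes a mismatch. Consider a follow-up that makes the full run exercise the first-test preamble for the nftables backend too, or a CI invocation with VIR_TEST_RANGE=2, so that the next rename of the table or chains fails immediately instead of being found by accident.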
-- 
2.45.2
Re: [PATCH] tests: fix broken nftables test data so that individual tests are successful
Posted by Daniel P. Berrangé 2 months, 2 weeks ago
On Wed, Jun 12, 2024 at 03:25:46PM -0400, Laine Stump wrote:
> When the chain names and table name used by the nftables firewall
> backend were changed in commit
> 958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test
> data file base.nftables, which has the extra "list" and "add
> chain/table" commands that are generated for the first test case of
> networkxml2firewalltest.c. When the full set of tests is run, the
> first test will be an iptables test case, so those extra commands
> won't be added to any of the nftables cases, and so the data in
> base.nftables never matches, and the tests are all successful.
> 
> However, if the tests are limited with, e.g. VIR_TEST_RANGE=2 (test #2
> will be the nftables version of the 1st test case), then the commands
> to add nftables table/chains *will* be generated in the test output,
> and so the test will fail. Because I was only running the entire test
> series after the initial commits of nftables tests, I didn't notice
> this. Until now.
> 
> base.nftables has now been updated to reflect the current names for
> chains/table, and running individual test cases is once again
> successful.
> 
> Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
>  1 file changed, 42 insertions(+), 160 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

and pushed


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH] tests: fix broken nftables test data so that individual tests are successful
Posted by Michal Prívozník 2 months, 2 weeks ago
On 6/12/24 21:25, Laine Stump wrote:
> When the chain names and table name used by the nftables firewall
> backend were changed in commit
> 958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test
> data file base.nftables, which has the extra "list" and "add
> chain/table" commands that are generated for the first test case of
> networkxml2firewalltest.c. When the full set of tests is run, the
> first test will be an iptables test case, so those extra commands
> won't be added to any of the nftables cases, and so the data in
> base.nftables never matches, and the tests are all successful.
> 
> However, if the tests are limited with, e.g. VIR_TEST_RANGE=2 (test #2
> will be the nftables version of the 1st test case), then the commands
> to add nftables table/chains *will* be generated in the test output,
> and so the test will fail. Because I was only running the entire test
> series after the initial commits of nftables tests, I didn't notice
> this. Until now.
> 
> base.nftables has now been updated to reflect the current names for
> chains/table, and running individual test cases is once again
> successful.
> 
> Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
>  1 file changed, 42 insertions(+), 160 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
Re: [PATCH] tests: fix broken nftables test data so that individual tests are successful
Posted by Laine Stump 2 months, 2 weeks ago
*ping*

(if you ack it, please also push since I'm mostly away from my computer
for the next 2.5 weeks)

On 6/12/24 3:25 PM, Laine Stump wrote:
> When the chain names and table name used by the nftables firewall
> backend were changed in commit
> 958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test
> data file base.nftables, which has the extra "list" and "add
> chain/table" commands that are generated for the first test case of
> networkxml2firewalltest.c. When the full set of tests is run, the
> first test will be an iptables test case, so those extra commands
> won't be added to any of the nftables cases, and so the data in
> base.nftables never matches, and the tests are all successful.
> 
> However, if the tests are limited with, e.g. VIR_TEST_RANGE=2 (test #2
> will be the nftables version of the 1st test case), then the commands
> to add nftables table/chains *will* be generated in the test output,
> and so the test will fail. Because I was only running the entire test
> series after the initial commits of nftables tests, I didn't notice
> this. Until now.
> 
> base.nftables has now been updated to reflect the current names for
> chains/table, and running individual test cases is once again
> successful.
> 
> Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>   tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
>   1 file changed, 42 insertions(+), 160 deletions(-)
> 
> diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables
> index 4f1f475a85..a064318739 100644
> --- a/tests/networkxml2firewalldata/base.nftables
> +++ b/tests/networkxml2firewalldata/base.nftables
> @@ -2,255 +2,137 @@ nft \
>   list \
>   table \
>   ip \
> -libvirt
> +libvirt_network
>   nft \
>   add \
>   table \
>   ip \
> -libvirt
> +libvirt_network
>   nft \
>   add \
>   chain \
>   ip \
> -libvirt \
> -INPUT \
> -'{ type filter hook input priority 0; policy accept; }'
> -nft \
> -add \
> -chain \
> -ip \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   '{ type filter hook forward priority 0; policy accept; }'
>   nft \
>   add \
>   chain \
>   ip \
> -libvirt \
> -OUTPUT \
> -'{ type filter hook output priority 0; policy accept; }'
> -nft \
> -add \
> -chain \
> -ip \
> -libvirt \
> -LIBVIRT_INP
> -nft \
> -insert \
> -rule \
> -ip \
> -libvirt \
> -INPUT \
> -counter \
> -jump \
> -LIBVIRT_INP
> -nft \
> -add \
> -chain \
> -ip \
> -libvirt \
> -LIBVIRT_OUT
> -nft \
> -insert \
> -rule \
> -ip \
> -libvirt \
> -OUTPUT \
> -counter \
> -jump \
> -LIBVIRT_OUT
> -nft \
> -add \
> -chain \
> -ip \
> -libvirt \
> -LIBVIRT_FWO
> +libvirt_network \
> +guest_output
>   nft \
>   insert \
>   rule \
>   ip \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWO
> +guest_output
>   nft \
>   add \
>   chain \
>   ip \
> -libvirt \
> -LIBVIRT_FWI
> +libvirt_network \
> +guest_input
>   nft \
>   insert \
>   rule \
>   ip \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWI
> +guest_input
>   nft \
>   add \
>   chain \
>   ip \
> -libvirt \
> -LIBVIRT_FWX
> +libvirt_network \
> +guest_cross
>   nft \
>   insert \
>   rule \
>   ip \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWX
> +guest_cross
>   nft \
>   add \
>   chain \
>   ip \
> -libvirt \
> -POSTROUTING \
> +libvirt_network \
> +guest_nat \
>   '{ type nat hook postrouting priority 100; policy accept; }'
>   nft \
> -add \
> -chain \
> -ip \
> -libvirt \
> -LIBVIRT_PRT
> -nft \
> -insert \
> -rule \
> -ip \
> -libvirt \
> -POSTROUTING \
> -counter \
> -jump \
> -LIBVIRT_PRT
> -nft \
>   list \
>   table \
>   ip6 \
> -libvirt
> +libvirt_network
>   nft \
>   add \
>   table \
>   ip6 \
> -libvirt
> +libvirt_network
>   nft \
>   add \
>   chain \
>   ip6 \
> -libvirt \
> -INPUT \
> -'{ type filter hook input priority 0; policy accept; }'
> -nft \
> -add \
> -chain \
> -ip6 \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   '{ type filter hook forward priority 0; policy accept; }'
>   nft \
>   add \
>   chain \
>   ip6 \
> -libvirt \
> -OUTPUT \
> -'{ type filter hook output priority 0; policy accept; }'
> -nft \
> -add \
> -chain \
> -ip6 \
> -libvirt \
> -LIBVIRT_INP
> -nft \
> -insert \
> -rule \
> -ip6 \
> -libvirt \
> -INPUT \
> -counter \
> -jump \
> -LIBVIRT_INP
> -nft \
> -add \
> -chain \
> -ip6 \
> -libvirt \
> -LIBVIRT_OUT
> -nft \
> -insert \
> -rule \
> -ip6 \
> -libvirt \
> -OUTPUT \
> -counter \
> -jump \
> -LIBVIRT_OUT
> -nft \
> -add \
> -chain \
> -ip6 \
> -libvirt \
> -LIBVIRT_FWO
> +libvirt_network \
> +guest_output
>   nft \
>   insert \
>   rule \
>   ip6 \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWO
> +guest_output
>   nft \
>   add \
>   chain \
>   ip6 \
> -libvirt \
> -LIBVIRT_FWI
> +libvirt_network \
> +guest_input
>   nft \
>   insert \
>   rule \
>   ip6 \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWI
> +guest_input
>   nft \
>   add \
>   chain \
>   ip6 \
> -libvirt \
> -LIBVIRT_FWX
> +libvirt_network \
> +guest_cross
>   nft \
>   insert \
>   rule \
>   ip6 \
> -libvirt \
> -FORWARD \
> +libvirt_network \
> +forward \
>   counter \
>   jump \
> -LIBVIRT_FWX
> +guest_cross
>   nft \
>   add \
>   chain \
>   ip6 \
> -libvirt \
> -POSTROUTING \
> +libvirt_network \
> +guest_nat \
>   '{ type nat hook postrouting priority 100; policy accept; }'
> -nft \
> -add \
> -chain \
> -ip6 \
> -libvirt \
> -LIBVIRT_PRT
> -nft \
> -insert \
> -rule \
> -ip6 \
> -libvirt \
> -POSTROUTING \
> -counter \
> -jump \
> -LIBVIRT_PRT
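Review bot: The commit message describes only a rename of the table and chains, but the removed blocks in this hunk show more than that: the INPUT and OUTPUT base chains, LIBVIRT_INP, LIBVIRT_OUT and LIBVIRT_PRT, together with their jump rules, disappear from the expected output for both ip and ip6. What remains in libvirt_network is forward, guest_output, guest_input, guest_cross and guest_nat, with guest_nat itself carrying the "type nat hook postrouting priority 100" definition instead of a separate POSTROUTING base chain. Please mention in the commit message that the chain set shrank as well, so someone comparing this data against 958aa7f274904eb8e4678a43eac845044f0dcc38 can tell that dropping the input and output hooks from the expected commands is intended and not an accidental loss of coverage.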