test/nfconntrack: use nft or iptables-legacy

nft does not support xtables compat expressions https://git.netfilter.org/nftables/commit/?id=79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Signed-off-by: Radostin Stoyanov <[email protected]>
checkpoint-restore · Jan 8, 2024 · 120cd22 · 120cd22
1 parent 333fca2
commit 120cd22
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 7 deletions.
diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine
@@ -33,6 +33,7 @@ RUN make mrproper && date && make -j $(nproc) CC="$CC" && date
 RUN apk add \
 	ip6tables \
 	iptables \
+	iptables-legacy \
 	nftables \
 	iproute2 \
 	tar \

diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
@@ -85,7 +85,8 @@ TST_NOFILE	:=				\
 		socket-tcp4v6			\
 		socket-tcp-local		\
 		socket-tcp-reuseport		\
-		socket-tcp-nfconntrack		\
+		socket-tcp-ipt-nfconntrack	\
+		socket-tcp-nft-nfconntrack	\
 		socket-tcp6-local		\
 		socket-tcp4v6-local		\
 		socket-tcpbuf			\
@@ -277,7 +278,7 @@ pkg-config-check = $(shell sh -c '$(PKG_CONFIG) $(1) && echo y')
 ifeq ($(call pkg-config-check,libbpf),y)
 TST_NOFILE	+=				\
 		bpf_hash			\
-		bpf_array			
+		bpf_array
 endif
 
 ifneq ($(ARCH),arm)
@@ -598,7 +599,8 @@ socket-tcpbuf6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp4v6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV4V6
 socket-tcp-local:	CFLAGS += -D ZDTM_TCP_LOCAL
-socket-tcp-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_CONNTRACK
+socket-tcp-ipt-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_IPT_CONNTRACK
+socket-tcp-nft-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_NFT_CONNTRACK
 socket_listen6:		CFLAGS += -D ZDTM_IPV6
 socket_listen4v6:	CFLAGS += -D ZDTM_IPV4V6
 socket-tcp6-closed:	CFLAGS += -D ZDTM_IPV6

diff --git a/test/zdtm/static/socket-tcp-nfconntrack.c → .../zdtm/static/socket-tcp-ipt-nfconntrack.c b/test/zdtm/static/socket-tcp-nfconntrack.c → .../zdtm/static/socket-tcp-ipt-nfconntrack.c
diff --git a/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc b/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
@@ -0,0 +1,6 @@
+{
+    'feature': 'has_ipt_legacy',
+    'flavor': 'h',
+    'opts': '--tcp-established',
+    'flags': 'suid'
+}
diff --git a/test/zdtm/static/socket-tcp-nfconntrack.desc b/test/zdtm/static/socket-tcp-nfconntrack.desc
diff --git a/test/zdtm/static/socket-tcp-nft-nfconntrack.c b/test/zdtm/static/socket-tcp-nft-nfconntrack.c
@@ -0,0 +1 @@
+socket-tcp.c
diff --git a/test/zdtm/static/socket-tcp-nft-nfconntrack.desc b/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
@@ -0,0 +1,7 @@
+{
+    'flavor': 'h',
+    'feature': 'network_lock_nftables',
+    'opts': '--tcp-established',
+    'dopts': '--network-lock nftables',
+    'flags': 'suid'
+}
diff --git a/test/zdtm/static/socket-tcp.c b/test/zdtm/static/socket-tcp.c
@@ -67,17 +67,38 @@ int main(int argc, char **argv)
 	int val;
 	socklen_t optlen;
 
-#ifdef ZDTM_CONNTRACK
+#ifdef ZDTM_IPT_CONNTRACK
 	if (unshare(CLONE_NEWNET)) {
 		pr_perror("unshare");
 		return 1;
 	}
 	if (system("ip link set up dev lo"))
 		return 1;
-	if (system("iptables -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+
+	if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+		return 1;
+	if (system("iptables-legacy -w -A INPUT -j DROP"))
+		return 1;
+
+#endif
+
+#ifdef ZDTM_NFT_CONNTRACK
+	if (unshare(CLONE_NEWNET)) {
+		pr_perror("unshare");
 		return 1;
-	if (system("iptables -w -A INPUT -j DROP"))
+	}
+	if (system("ip link set up dev lo"))
+		return 1;
+
+	if (system("nft add table ip filter"))
 		return 1;
+	if (system("nft add chain ip filter INPUT"))
+		return 1;
+	if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
+		return 1;
+	if (system("nft add rule ip filter INPUT counter drop"))
+		return 1;
+
 #endif
 
 #ifdef ZDTM_TCP_LOCAL