[CRIU] [PATCH] [vzt] ./test/zdtm/static:conntracks: Support nftables
Pavel Tikhomirov
snorcht at gmail.com
Tue Nov 5 11:12:08 MSK 2019
JFYI,
>+ do_or_fail "can't install a state match" \
>+ nft add rule filter INPUT \
>+ ct state related,established accept
1) No one can be sure that the filter table and INPUT chain are in the nft ruleset.
Maybe it is ensured by something outside test/zdtm/static/conntracks, sorry
if I'm missing it. But if not, these would fail.
2) Patch to support nft migration is only in VZ7 criu yet (
https://src.openvz.org/projects/OVZ/repos/criu/commits/256854a9ecfbc0da4b3053a805facfd6c39939e8),
maybe it's a bit early to add a test for nft as it should fail AFAICS. But
the test is "noauto" so maybe we don't care anyway.
Best Regards, Tikhomirov Pavel.
On Sun, Nov 3, 2019 at 20:14, Andrei Vagin <avagin at gmail.com> wrote:
> Applied, thanks!
>
> On Fri, Nov 01, 2019 at 09:00:23AM +0000, Vitaly Ostrosablin wrote:
> > Update test to support both iptables and nft to create conntrack rules.
> >
> > PSBM-99101
> >
> > Signed-off-by: Vitaly Ostrosablin <vostrosablin at virtuozzo.com>
> > ---
> > test/zdtm/static/conntracks | 36 ++++++++++++++++++++++++++++++++++--
> > 1 file changed, 34 insertions(+), 2 deletions(-)
> >
> > diff --git a/test/zdtm/static/conntracks b/test/zdtm/static/conntracks
> > index a30e0e268..26220f97c 100755
> > --- a/test/zdtm/static/conntracks
> > +++ b/test/zdtm/static/conntracks
> > @@ -23,7 +23,7 @@ do_or_fail()
> > fail "$failmsg: $output"
> > }
> >
> > -do_start()
> > +do_start_ipt()
> > {
> > [ -f "$statefile" ] && die "state file $statefile aleady exists"
> >
> > @@ -35,7 +35,7 @@ do_start()
> > iptables -L \> "$statefile"
> > }
> >
> > -do_stop()
> > +do_stop_ipt()
> > {
> > do_or_fail "can't compare the iptables" \
> > iptables -L \| diff -u "$statefile" -
> > @@ -45,6 +45,38 @@ do_stop()
> > echo "PASS" > $outfile
> > }
> >
> > +do_start_nft()
> > +{
> > + [ -f "$statefile" ] && die "state file $statefile aleady exists"
> > +
> > + do_or_fail "can't install a state match" \
> > + nft add rule filter INPUT \
> > + ct state related,established accept
> > +
> > + do_or_fail "can't list the loaded nftables" \
> > + nft list ruleset \> "$statefile"
> > +}
> > +
> > +do_stop_nft()
> > +{
> > + do_or_fail "can't compare the nftables" \
> > + nft list ruleset \| diff -u "$statefile" -
> > +
> > + rm -f "$statefile"
> > +
> > + echo "PASS" > $outfile
> > +}
> > +
> > +do_start()
> > +{
> > + [ -x "$(command -v nft)" ] && do_start_nft || do_start_ipt
> > +}
> > +
> > +do_stop()
> > +{
> > + [ -x "$(command -v nft)" ] && do_stop_nft || do_stop_ipt
> > +}
> > +
> > tmpargs="$(../lib/parseargs.sh --name=$0 \
> > --flags-req=statefile,outfile \
> > --flags-opt="start,stop" -- "$@")" ||
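Review bot: In do_start() and do_stop(), the `[ -x "$(command -v nft)" ] && do_start_nft || do_start_ipt` form also runs the iptables variant whenever the nft variant returns non-zero, not only when nft is absent; an explicit if/else on the `command -v nft` check would keep the two paths separate. do_start_nft also adds its rule to `filter INPUT` while nothing in this hunk creates that table and chain, so the test depends on the host ruleset already containing them; creating them in do_start_nft before the `nft add rule` call, or failing with a clear message when they are missing, would make the test self-contained. Minor: the new `die` message carries over the "aleady" typo, and `$outfile` is unquoted in `echo "PASS" > $outfile`.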
> > --
> > 2.23.0
> >
> >
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu