<div dir="ltr"><div>JFYI, <br></div><div><br></div><div>>+ do_or_fail "can't install a state match" \<br>>+ nft add rule filter INPUT \<br>>+ ct state related,established accept</div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div><div>1) No one can be sure that filter table and INPUT chain are in nft ruleset. Maybe it is insured by something outside test/zdtm/static/conntracks, sorry if I'm missing it. But if not these would fail.<br></div><div><br></div><div>2) Patch to support nft migration is only in VZ7 criu yet (<a href="https://src.openvz.org/projects/OVZ/repos/criu/commits/256854a9ecfbc0da4b3053a805facfd6c39939e8">https://src.openvz.org/projects/OVZ/repos/criu/commits/256854a9ecfbc0da4b3053a805facfd6c39939e8</a>), maybe it's a bit early to add a test for nft as it should fail AFAICS. But the test is "noauto" so maybe we don't care anyway.<br></div><div dir="ltr"><br>Best Regards, Tikhomirov Pavel.</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">вс, 3 нояб. 2019 г. в 20:14, Andrei Vagin <<a href="mailto:avagin@gmail.com">avagin@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Applied, thanks!<br>
<br>
On Fri, Nov 01, 2019 at 09:00:23AM +0000, Vitaly Ostrosablin wrote:<br>
> Update test to support both iptables and nft to create conntrack rules.<br>
> <br>
> PSBM-99101<br>
> <br>
> Signed-off-by: Vitaly Ostrosablin <<a href="mailto:vostrosablin@virtuozzo.com" target="_blank">vostrosablin@virtuozzo.com</a>><br>
> ---<br>
> test/zdtm/static/conntracks | 36 ++++++++++++++++++++++++++++++++++--<br>
> 1 file changed, 34 insertions(+), 2 deletions(-)<br>
> <br>
> diff --git a/test/zdtm/static/conntracks b/test/zdtm/static/conntracks<br>
> index a30e0e268..26220f97c 100755<br>
> --- a/test/zdtm/static/conntracks<br>
> +++ b/test/zdtm/static/conntracks<br>
> @@ -23,7 +23,7 @@ do_or_fail()<br>
> fail "$failmsg: $output"<br>
> }<br>
> <br>
> -do_start()<br>
> +do_start_ipt()<br>
> {<br>
> [ -f "$statefile" ] && die "state file $statefile aleady exists"<br>
> <br>
> @@ -35,7 +35,7 @@ do_start()<br>
> iptables -L \> "$statefile"<br>
> }<br>
> <br>
> -do_stop()<br>
> +do_stop_ipt()<br>
> {<br>
> do_or_fail "can't compare the iptables" \<br>
> iptables -L \| diff -u "$statefile" -<br>
> @@ -45,6 +45,38 @@ do_stop()<br>
> echo "PASS" > $outfile<br>
> }<br>
> <br>
> +do_start_nft()<br>
> +{<br>
> + [ -f "$statefile" ] && die "state file $statefile aleady exists"<br>
> +<br>
> + do_or_fail "can't install a state match" \<br>
> + nft add rule filter INPUT \<br>
> + ct state related,established accept<br>
> +<br>
> + do_or_fail "can't list the loaded nftables" \<br>
> + nft list ruleset \> "$statefile"<br>
> +}<br>
> +<br>
> +do_stop_nft()<br>
> +{<br>
> + do_or_fail "can't compare the nftables" \<br>
> + nft list ruleset \| diff -u "$statefile" -<br>
> +<br>
> + rm -f "$statefile"<br>
> +<br>
> + echo "PASS" > $outfile<br>
> +}<br>
> +<br>
> +do_start()<br>
> +{<br>
> + [ -x "$(command -v nft)" ] && do_start_nft || do_start_ipt<br>
> +}<br>
> +<br>
> +do_stop()<br>
> +{<br>
> + [ -x "$(command -v nft)" ] && do_stop_nft || do_stop_ipt<br>
> +}<br>
> +<br>
> tmpargs="$(../lib/parseargs.sh --name=$0 \<br>
> --flags-req=statefile,outfile \<br>
> --flags-opt="start,stop" -- "$@")" ||<br>
> -- <br>
> 2.23.0<br>
> <br>
> <br>
> _______________________________________________<br>
> CRIU mailing list<br>
> <a href="mailto:CRIU@openvz.org" target="_blank">CRIU@openvz.org</a><br>
> <a href="https://lists.openvz.org/mailman/listinfo/criu" rel="noreferrer" target="_blank">https://lists.openvz.org/mailman/listinfo/criu</a><br>
_______________________________________________<br>
CRIU mailing list<br>
<a href="mailto:CRIU@openvz.org" target="_blank">CRIU@openvz.org</a><br>
<a href="https://lists.openvz.org/mailman/listinfo/criu" rel="noreferrer" target="_blank">https://lists.openvz.org/mailman/listinfo/criu</a><br>
</blockquote></div>