From f4da6c3ebed8ff13f6298cc7363e551a6ca0911d Mon Sep 17 00:00:00 2001 From: Julien Olivain Date: Sun, 20 Aug 2023 12:33:43 +0200 Subject: [PATCH] support/testing/tests/package/test_nftables.py: new runtime test This runtime test was suggested in discussion [1]. It should detect potential runtime failures such as the one fixed in commit eb74998125 "package/nftables: fix the build of the pyhon bindings". We need a special kernel, because not all nftables-related options are enabled in the pre-built one. [1] https://lists.buildroot.org/pipermail/buildroot/2023-August/672864.html Cc: Yann E. MORIN Signed-off-by: Julien Olivain Signed-off-by: Yann E. MORIN --- DEVELOPERS | 2 + .../testing/tests/package/test_nftables.py | 109 ++++++++++++++++++ .../test_nftables/rootfs-overlay/root/nft.py | 22 ++++ 3 files changed, 133 insertions(+) create mode 100644 support/testing/tests/package/test_nftables.py create mode 100755 support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py diff --git a/DEVELOPERS b/DEVELOPERS index 6ffa3ee693..9b500f3701 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -1776,6 +1776,8 @@ F: support/testing/tests/package/test_lz4.py F: support/testing/tests/package/test_lzop.py F: support/testing/tests/package/test_mtools.py F: support/testing/tests/package/test_ncdu.py +F: support/testing/tests/package/test_nftables.py +F: support/testing/tests/package/test_nftables/ F: support/testing/tests/package/test_octave.py F: support/testing/tests/package/test_ola.py F: support/testing/tests/package/test_ola/ diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py new file mode 100644 index 0000000000..142e7d0352 --- /dev/null +++ b/support/testing/tests/package/test_nftables.py @@ -0,0 +1,109 @@ +import os + +import infra.basetest + + +class TestNftables(infra.basetest.BRTest): + config = \ + """ + BR2_aarch64=y + BR2_TOOLCHAIN_EXTERNAL=y + BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" + BR2_LINUX_KERNEL=y + BR2_LINUX_KERNEL_CUSTOM_VERSION=y + BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.46" + BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y + BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config" + BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y + BR2_PACKAGE_NFTABLES=y + BR2_PACKAGE_PYTHON3=y + BR2_ROOTFS_OVERLAY="{}" + BR2_TARGET_ROOTFS_CPIO=y + BR2_TARGET_ROOTFS_CPIO_GZIP=y + # BR2_TARGET_ROOTFS_TAR is not set + """.format( + infra.filepath("tests/package/test_nftables/rootfs-overlay")) + + def nftables_test(self, prog="nft"): + # Table/Chain names for the test + nft_table = "br_ip_table" + nft_chain = "br_ip_chain_in" + + # We flush all nftables rules, to start from a known state. + self.assertRunOk(f"{prog} flush ruleset") + + # We create an ip table. + self.assertRunOk(f"{prog} add table ip {nft_table}") + + # We should be able to list this table. + list_cmd = f"{prog} list tables ip" + output, exit_code = self.emulator.run(list_cmd) + self.assertEqual(exit_code, 0) + self.assertIn(nft_table, output[0]) + + # We create an ip input chain in our table. + cmd = f"{prog} add chain ip" + cmd += f" {nft_table} {nft_chain}" + cmd += " { type filter hook input priority 0 \\; }" + self.assertRunOk(cmd) + + # We list our chain. + cmd = f"{prog} list chain ip {nft_table} {nft_chain}" + self.assertRunOk(cmd) + + # We add a filter rule to drop pings (icmp echo-requests) to + # the 127.0.0.2 destination. + cmd = f"{prog} add rule ip {nft_table} {nft_chain}" + cmd += " ip daddr 127.0.0.2 icmp type echo-request drop" + self.assertRunOk(cmd) + + # We list our rule. + self.assertRunOk(f"{prog} list ruleset ip") + + # A ping to 127.0.0.1 is expected to work, because it's not + # matching our rule. We expect 3 replies (-c), with 0.5s + # internal (-i), and set a maximum timeout of 2s. + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 " + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + + # A ping to 127.0.0.2 is expected to fail, because our rule is + # supposed to drop it. + ping_test_cmd = ping_cmd_prefix + "127.0.0.2" + _, exit_code = self.emulator.run(ping_test_cmd) + self.assertNotEqual(exit_code, 0) + + # We completely delete the table. This should also delete the + # chain and the rule. + self.assertRunOk(f"{prog} delete table ip {nft_table}") + + # We should no longer see the table in the list. + output, exit_code = self.emulator.run(list_cmd) + self.assertEqual(exit_code, 0) + self.assertNotIn(nft_table, "\n".join(output)) + + # Since we deleted the rule, the ping test command which was + # supposed to fail earlier is now supposed to succeed. + self.assertRunOk(ping_test_cmd) + + def test_run(self): + img = os.path.join(self.builddir, "images", "rootfs.cpio.gz") + kern = os.path.join(self.builddir, "images", "Image") + self.emulator.boot(arch="aarch64", + kernel=kern, + kernel_cmdline=["console=ttyAMA0"], + options=["-M", "virt", + "-cpu", "cortex-a57", + "-m", "256M", + "-initrd", img]) + self.emulator.login() + + # We check the program can execute. + self.assertRunOk("nft --version") + + # We run the nftables test sequence using the default "nft" + # user space configuration tool. + self.nftables_test() + + # We run again the same test sequence using our simple nft + # python implementation, to check the language bindings. + self.nftables_test(prog="/root/nft.py") diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py b/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py new file mode 100755 index 0000000000..89de8e25d1 --- /dev/null +++ b/support/testing/tests/package/test_nftables/rootfs-overlay/root/nft.py @@ -0,0 +1,22 @@ +#! /usr/bin/env python3 +# +# This is a simple reimplementation of the "nft" user-space tool in +# Python, in order to test language bindings. It does not support any +# command line argument supported by the nftables "nft" tool, but +# supports all nftables commands used in the Buildroot runtime test. + +import sys + +import nftables + + +nft = nftables.nftables.Nftables() +cmd = " ".join(sys.argv[1:]) +ret_code, output, error = nft.cmd(cmd) + +if len(output) > 0: + print(output.strip()) +if len(error) > 0: + print(error.strip()) + +sys.exit(ret_code)