From aabf279ca07d9d5c3d2e6d4efd7d4c5bc2dd471e Mon Sep 17 00:00:00 2001 From: Laine Stump Date: Wed, 12 Jun 2024 15:25:46 -0400 Subject: [PATCH] tests: fix broken nftables test data so that individual tests are successful MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the chain names and table name used by the nftables firewall backend were changed in commit 958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test data file base.nftables, which has the extra "list" and "add chain/table" commands that are generated for the first test case of networkxml2firewalltest.c. When the full set of tests is run, the first test will be an iptables test case, so those extra commands won't be added to any of the nftables cases, and so the data in base.nftables never matches, and the tests are all successful. However, if the test are limited with, e.g. VIR_TEST_RANGE=2 (test #2 will be the nftables version of the 1st test case), then the commands to add nftables table/chains *will* be generated in the test output, and so the test will fail. Because I was only running the entire test series after the initial commits of nftables tests, I didn't notice this. Until now. base.nftables has now been updated to reflect the current names for chains/table, and running individual test cases is once again successful. Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38 Reviewed-by: Michal Privoznik Reviewed-by: Daniel P. Berrangé Signed-off-by: Laine Stump
---
 tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
 1 file changed, 42 insertions(+), 160 deletions(-)
diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables
index 4f1f475a85..a064318739 100644
--- a/tests/networkxml2firewalldata/base.nftables
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -2,255 +2,137 @@ nft \
 list \
 table \
 ip \
-libvirt
+libvirt_network
 nft \
 add \
 table \
 ip \
-libvirt
+libvirt_network
 nft \
 add \
 chain \
 ip \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 '{ type filter hook forward priority 0; policy accept; }'
 nft \
 add \
 chain \
 ip \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_INP
+libvirt_network \
+guest_output
 nft \
 insert \
 rule \
 ip \
-libvirt \
-INPUT \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_INP
+guest_output
 nft \
 add \
 chain \
 ip \
-libvirt \
-LIBVIRT_OUT
+libvirt_network \
+guest_input
 nft \
 insert \
 rule \
 ip \
-libvirt \
-OUTPUT \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_OUT
+guest_input
 nft \
 add \
 chain \
 ip \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_cross
 nft \
 insert \
 rule \
 ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWO
+guest_cross
 nft \
 add \
 chain \
 ip \
-libvirt \
-LIBVIRT_FWI
-nft \
-insert \
-rule \
-ip \
-libvirt \
-FORWARD \
-counter \
-jump \
-LIBVIRT_FWI
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_FWX
-nft \
-insert \
-rule \
-ip \
-libvirt \
-FORWARD \
-counter \
-jump \
-LIBVIRT_FWX
-nft \
-add \
-chain \
-ip \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
 nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
-nft \
 list \
 table \
 ip6 \
-libvirt
+libvirt_network
 nft \
 add \
 table \
 ip6 \
-libvirt
+libvirt_network
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 '{ type filter hook forward priority 0; policy accept; }'
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_INP
+libvirt_network \
+guest_output
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-INPUT \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_INP
+guest_output
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-LIBVIRT_OUT
+libvirt_network \
+guest_input
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-OUTPUT \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_OUT
+guest_input
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_cross
 nft \
 insert \
 rule \
 ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
 counter \
 jump \
-LIBVIRT_FWO
+guest_cross
 nft \
 add \
 chain \
 ip6 \
-libvirt \
-LIBVIRT_FWI
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-FORWARD \
-counter \
-jump \
-LIBVIRT_FWI
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_FWX
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-FORWARD \
-counter \
-jump \
-LIBVIRT_FWX
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
 '{ type nat hook postrouting priority 100; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
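Review bot: The refreshed preamble in base.nftables (the `list table` / `add table` / `add chain` commands for `libvirt_network`) is, going by the commit message, still only compared when an nftables case is the first one executed, which never happens in a full run, so this expected output can go stale again without any test failing. These lines pin the table name, the `forward` and `guest_nat` hook definitions and their `policy accept`, and the jumps into `guest_output`, `guest_input` and `guest_cross`, so silent drift here means the firewall bootstrap commands are effectively unverified. Consider making networkxml2firewalltest.c exercise the nftables first-case path in the default run as well, or adding a CI invocation with `VIR_TEST_RANGE=2`. A comment at the test registration such as `/* base.nftables is only matched for the first test case that runs; update it whenever the nftables table/chain names change */` would also help; the harness is not visible in this patch, so the exact placement needs confirming.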