test/nfconntrack: use nft or iptables-legacy

nft does not support xtables compat expressions https://git.netfilter.org/nftables/commit/?id=79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
2025-09-01 23:05:39 +00:00 · 2024-01-05 18:07:59 +00:00
parent 0416d81e4d
commit e5f4d8c6fb
8 changed files with 44 additions and 7 deletions
--- a/scripts/build/Dockerfile.alpine
+++ b/scripts/build/Dockerfile.alpine
@@ -33,6 +33,7 @@ RUN make mrproper && date && make -j $(nproc) CC="$CC" && date
 RUN apk add \
 	ip6tables \
 	iptables \
+	iptables-legacy \
 	nftables \
 	iproute2 \
 	tar \
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -85,7 +85,8 @@ TST_NOFILE	:=				\
 		socket-tcp4v6			\
 		socket-tcp-local		\
 		socket-tcp-reuseport		\
-		socket-tcp-nfconntrack		\
+		socket-tcp-ipt-nfconntrack	\
+		socket-tcp-nft-nfconntrack	\
 		socket-tcp6-local		\
 		socket-tcp4v6-local		\
 		socket-tcpbuf			\
@@ -277,7 +278,7 @@ pkg-config-check = $(shell sh -c '$(PKG_CONFIG) $(1) && echo y')
 ifeq ($(call pkg-config-check,libbpf),y)
 TST_NOFILE	+=				\
 		bpf_hash			\
-		bpf_array			
+		bpf_array
 endif

 ifneq ($(ARCH),arm)
@@ -598,7 +599,8 @@ socket-tcpbuf6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV6
 socket-tcp4v6-local:	CFLAGS += -D ZDTM_TCP_LOCAL -D ZDTM_IPV4V6
 socket-tcp-local:	CFLAGS += -D ZDTM_TCP_LOCAL
-socket-tcp-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_CONNTRACK
+socket-tcp-ipt-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_IPT_CONNTRACK
+socket-tcp-nft-nfconntrack: CFLAGS += -D ZDTM_TCP_LOCAL -DZDTM_NFT_CONNTRACK
 socket_listen6:		CFLAGS += -D ZDTM_IPV6
 socket_listen4v6:	CFLAGS += -D ZDTM_IPV4V6
 socket-tcp6-closed:	CFLAGS += -D ZDTM_IPV6
--- a/test/zdtm/static/socket-tcp-ipt-nfconntrack.c
+++ b/test/zdtm/static/socket-tcp-ipt-nfconntrack.c
--- a/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-ipt-nfconntrack.desc
@@ -0,0 +1,6 @@
+{
+    'feature': 'has_ipt_legacy',
+    'flavor': 'h',
+    'opts': '--tcp-established',
+    'flags': 'suid'
+}
--- a/test/zdtm/static/socket-tcp-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-nfconntrack.desc
@@ -1 +0,0 @@
-{'flavor': 'h', 'opts': '--tcp-established', 'flags': 'suid'}
--- a/test/zdtm/static/socket-tcp-nft-nfconntrack.c
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.c
@@ -0,0 +1 @@
+socket-tcp.c
--- a/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-nft-nfconntrack.desc
@@ -0,0 +1,7 @@
+{
+    'flavor': 'h',
+    'feature': 'network_lock_nftables',
+    'opts': '--tcp-established',
+    'dopts': '--network-lock nftables',
+    'flags': 'suid'
+}
--- a/test/zdtm/static/socket-tcp.c
+++ b/test/zdtm/static/socket-tcp.c
@@ -67,17 +67,38 @@ int main(int argc, char **argv)
 	int val;
 	socklen_t optlen;

-#ifdef ZDTM_CONNTRACK
+#ifdef ZDTM_IPT_CONNTRACK
 	if (unshare(CLONE_NEWNET)) {
 		pr_perror("unshare");
 		return 1;
 	}
 	if (system("ip link set up dev lo"))
 		return 1;
-	if (system("iptables -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+
+	if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
 		return 1;
-	if (system("iptables -w -A INPUT -j DROP"))
+	if (system("iptables-legacy -w -A INPUT -j DROP"))
 		return 1;
+
+#endif
+
+#ifdef ZDTM_NFT_CONNTRACK
+	if (unshare(CLONE_NEWNET)) {
+		pr_perror("unshare");
+		return 1;
+	}
+	if (system("ip link set up dev lo"))
+		return 1;
+
+	if (system("nft add table ip filter"))
+		return 1;
+	if (system("nft add chain ip filter INPUT"))
+		return 1;
+	if (system("nft add rule ip filter INPUT iifname \"lo\" ip protocol tcp ct state new,established counter accept"))
+		return 1;
+	if (system("nft add rule ip filter INPUT counter drop"))
+		return 1;
+
 #endif

 #ifdef ZDTM_TCP_LOCAL
				`@@ -1 +0,0 @@`
				`{'flavor': 'h', 'opts': '--tcp-established', 'flags': 'suid'}`