Commit bb0ee78f authored by Florian Westphal's avatar Florian Westphal Committed by Jakub Kicinski

selftests: netfilter: skip tests on early errors

br_netfilter: If we can't add the needed initial nftables ruleset skip the
test, kernel doesn't support a required feature.

rpath: run a subset of the tests if possible, but make sure we return
the skip return value so they are marked appropriately by the kselftest
framework.

nft_audit.sh: provide version information when skipping, this should
help catching kernel problem (feature not available in kernel) vs.
userspace issue (parser doesn't support keyword).
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20240423130604.7013-7-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent a18f2845
...@@ -124,6 +124,10 @@ table bridge filter { ...@@ -124,6 +124,10 @@ table bridge filter {
} }
} }
EOF EOF
if [ "$?" -ne 0 ];then
echo "SKIP: could not add nftables ruleset"
exit $ksft_skip
fi
# place 1, 2 & 3 in same subnet, connected via ns0:br0. # place 1, 2 & 3 in same subnet, connected via ns0:br0.
# ns4 is placed in same subnet as well, but its not # ns4 is placed in same subnet as well, but its not
......
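Review bot: The new `$?` check after the heredoc `EOF` turns every failure to load the bridge ruleset into a skip, so a kernel regression that breaks loading this ruleset would presumably be reported as SKIP rather than FAIL, and the message gives no hint which side failed. The nft_audit.sh section of this same commit prints the tool version for exactly that reason; doing the same here, e.g. `echo -n "SKIP: could not add nftables ruleset: "; nft --version`, would keep the two consistent. The definition of `ksft_skip` is outside the hunk; if it were ever unset, `exit $ksft_skip` would exit with the status of the preceding `echo` (0) and the run would count as a pass, so `exit "${ksft_skip:-4}"` is the safer form. The command that the heredoc feeds starts above the hunk.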
...@@ -29,7 +29,8 @@ reset rules t c ...@@ -29,7 +29,8 @@ reset rules t c
EOF EOF
if [ "$?" -ne 0 ];then if [ "$?" -ne 0 ];then
echo "SKIP: nft reset feature test failed" echo -n "SKIP: nft reset feature test failed: "
nft --version
exit $SKIP_RC exit $SKIP_RC
fi fi
......
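Review bot: The skip message on the `echo -n` line is only terminated by whatever `nft --version` prints, so if that command fails or writes to stderr the SKIP line is left without a newline and without the version. A single `printf 'SKIP: nft reset feature test failed: %s\n' "$(nft --version 2>&1)"` keeps the message on one well-formed line. Since the description wants to tell kernel problems from userspace ones, adding the output of `uname -r` to the same line may help as well; that part is a suggestion, not a defect.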
...@@ -64,12 +64,18 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad ...@@ -64,12 +64,18 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
# firewall matches to test # firewall matches to test
[ -n "$iptables" ] && { [ -n "$iptables" ] && {
common='-t raw -A PREROUTING -s 192.168.0.0/16' common='-t raw -A PREROUTING -s 192.168.0.0/16'
ip netns exec "$ns2" "$iptables" $common -m rpfilter if ! ip netns exec "$ns2" "$iptables" $common -m rpfilter;then
echo "Cannot add rpfilter rule"
exit $ksft_skip
fi
ip netns exec "$ns2" "$iptables" $common -m rpfilter --invert ip netns exec "$ns2" "$iptables" $common -m rpfilter --invert
} }
[ -n "$ip6tables" ] && { [ -n "$ip6tables" ] && {
common='-t raw -A PREROUTING -s fec0::/16' common='-t raw -A PREROUTING -s fec0::/16'
ip netns exec "$ns2" "$ip6tables" $common -m rpfilter if ! ip netns exec "$ns2" "$ip6tables" $common -m rpfilter;then
echo "Cannot add rpfilter rule"
exit $ksft_skip
fi
ip netns exec "$ns2" "$ip6tables" $common -m rpfilter --invert ip netns exec "$ns2" "$ip6tables" $common -m rpfilter --invert
} }
[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF [ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
......
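Review bot: Only the first `-m rpfilter` insert is checked in each block; the `--invert` insert on the following line can still fail silently, and the test would then run with half of its matches missing. Both blocks also print the same `Cannot add rpfilter rule` text without a `SKIP:` prefix, so the log does not show whether iptables or ip6tables was the one that failed; something like `echo "SKIP: cannot add rpfilter rule with $iptables"` (and `$ip6tables` in the second block) would match the other scripts in this commit. The description says rpath should run a subset of the tests where possible, but in the visible lines an iptables failure exits before the ip6tables and nft variants are tried; the rest of the script is outside this hunk, so that may be handled elsewhere.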