[PATCH nft] tests: add atomic chain replace test

Florian Westphal <fw@xxxxxxxxx> · Mon, 3 Mar 2025 20:38:20 +0100

Add a test that replaces one base chain and check that no
filtered packets make it through, i.e. that the 'old chain'
doesn't disappear before new one is active.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 .../testcases/transactions/atomic_replace.sh  | 73 +++++++++++++++++++
 .../dumps/atomic_replace.sh.nodump            |  0
 2 files changed, 73 insertions(+)
 create mode 100755 tests/shell/testcases/transactions/atomic_replace.sh
 create mode 100644 tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump

diff --git a/tests/shell/testcases/transactions/atomic_replace.sh b/tests/shell/testcases/transactions/atomic_replace.sh
new file mode 100755
index 000000000000..dce178602a6f
--- /dev/null
+++ b/tests/shell/testcases/transactions/atomic_replace.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns="nft-atomic-$rnd"
+pid1=""
+pid2=""
+duration=8
+
+cleanup()
+{
+	kill "$pid1" "$pid2"
+	ip netns del "$ns"
+}
+
+trap cleanup EXIT
+
+ip netns add "$ns" || exit 111
+ip -net "$ns" link set lo up
+
+ip netns exec "$ns" ping 127.0.0.1 -q -c 1
+
+ip netns exec "$ns" $NFT -f - <<EOF
+table ip t {
+	set s {
+		type ipv4_addr
+		elements = { 127.0.0.1 }
+	}
+
+	chain input {
+		type filter hook input priority 0; policy accept;
+		ip protocol icmp counter
+	}
+
+	chain output {
+		type filter hook output priority 0; policy accept;
+		ip protocol icmp ip daddr @s drop
+	}
+}
+EOF
+
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid1=$!
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid2=$!
+
+time_now=$(date +%s)
+time_stop=$((time_now + duration))
+repl=0
+
+while [ $time_now -lt $time_stop ]; do
+ip netns exec "$ns" $NFT -f - <<EOF
+flush chain ip t output
+table ip t {
+	chain output {
+		type filter hook output priority 0; policy accept;
+		ip protocol icmp ip daddr @s drop
+	}
+}
+EOF
+	repl=$((repl+1))
+
+	# do at least 100 replaces and stop after $duration seconds.
+	if [ $((repl % 101)) -eq 100 ];then
+		time_now=$(date +%s)
+	fi
+done
+
+# must match, all icmp packets dropped in output.
+ip netns exec "$ns" $NFT list chain ip t input | grep "counter packets 0"
+
+echo "Completed $repl chain replacements"
diff --git a/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump b/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump
new file mode 100644
index 000000000000..e69de29bb2d1
-- 
2.48.1








