On Mon, Mar 03, 2025 at 08:38:20PM +0100, Florian Westphal wrote:
> Add a test that replaces one base chain and check that no
> filtered packets make it through, i.e. that the 'old chain'
> doesn't disappear before new one is active.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> .../testcases/transactions/atomic_replace.sh | 73 +++++++++++++++++++
> .../dumps/atomic_replace.sh.nodump | 0
> 2 files changed, 73 insertions(+)
> create mode 100755 tests/shell/testcases/transactions/atomic_replace.sh
> create mode 100644 tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump
>
> diff --git a/tests/shell/testcases/transactions/atomic_replace.sh b/tests/shell/testcases/transactions/atomic_replace.sh
> new file mode 100755
> index 000000000000..dce178602a6f
> --- /dev/null
> +++ b/tests/shell/testcases/transactions/atomic_replace.sh
> @@ -0,0 +1,73 @@
> +#!/bin/bash
> +
> +set -e
> +
> +rnd=$(mktemp -u XXXXXXXX)
> +ns="nft-atomic-$rnd"
> +pid1=""
> +pid2=""
> +duration=8
> +
> +cleanup()
> +{
> + kill "$pid1" "$pid2"
> + ip netns del "$ns"
> +}
> +
> +trap cleanup EXIT
> +
> +ip netns add "$ns" || exit 111
> +ip -net "$ns" link set lo up
> +
> +ip netns exec "$ns" ping 127.0.0.1 -q -c 1
> +
> +ip netns exec "$ns" $NFT -f - <<EOF
> +table ip t {
> + set s {
> + type ipv4_addr
> + elements = { 127.0.0.1 }
> + }
> +
> + chain input {
> + type filter hook input priority 0; policy accept;
> + ip protocol icmp counter
> + }
> +
> + chain output {
> + type filter hook output priority 0; policy accept;
> + ip protocol icmp ip daddr @s drop
> + }
> +}
> +EOF
> +
> +ip netns exec "$ns" ping -f 127.0.0.1 &
> +pid1=$!
> +ip netns exec "$ns" ping -f 127.0.0.1 &
> +pid2=$!
> +
> +time_now=$(date +%s)
> +time_stop=$((time_now + duration))
> +repl=0
> +
> +while [ $time_now -lt $time_stop ]; do
> +ip netns exec "$ns" $NFT -f - <<EOF
> +flush chain ip t output
> +table ip t {
> + chain output {
> + type filter hook output priority 0; policy accept;
> + ip protocol icmp ip daddr @s drop
> + }
> +}
> +EOF
> + repl=$((repl+1))
> +
> + # do at least 100 replaces and stop after $duration seconds.
> + if [ $((repl % 101)) -eq 100 ];then
> + time_now=$(date +%s)
> + fi
> +done
> +
> +# must match, all icmp packets dropped in output.
> +ip netns exec "$ns" $NFT list chain ip t input | grep "counter packets 0"
> +
> +echo "Completed $repl chain replacements"
> diff --git a/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump b/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump
> new file mode 100644
> index 000000000000..e69de29bb2d1
> --
> 2.48.1
>
>
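Review bot: cleanup() calls `kill "$pid1" "$pid2"` before `ip netns del "$ns"`, but both pid variables are still empty whenever the EXIT trap fires before the two `ping -f` jobs are started — the `|| exit 111` after `ip netns add`, or a failed first `$NFT -f -` load under `set -e`. `kill` then fails on the empty arguments, and since `set -e` is still in effect inside the trap the namespace removal is skipped and the script's exit status is presumably replaced by kill's, which matters if 111 is meant to be interpreted by the harness. Guarding the kill keeps the cleanup order intact, e.g. `[ -n "$pid1" ] && kill "$pid1" "$pid2"` with `ip netns del "$ns"` left as the last statement. The second file in the series, the empty .nodump marker, needs no review.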