Re: [PATCH V2] selinux-testsuite: Add nftables to inet_socket and sctp tests

Ondrej Mosnacek <omosnace@xxxxxxxxxx> · Fri, 15 May 2020 15:25:21 +0200

On Fri, May 15, 2020 at 3:10 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
> Support secmark tests that require nftables version 9.3 or greater and
> kernel 4.20 or greater.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> V2 Change:
> Use common tests for iptables/nftables
>
>  README.md                        |   4 +-
>  tests/inet_socket/nftables-flush |   2 +
>  tests/inet_socket/nftables-load  |  74 +++++++++++++++++++++
>  tests/inet_socket/test           | 108 ++++++++++++++++++++-----------
>  tests/sctp/nftables-flush        |   2 +
>  tests/sctp/nftables-load         |  68 +++++++++++++++++++
>  tests/sctp/test                  |  96 +++++++++++++++++----------
>  7 files changed, 281 insertions(+), 73 deletions(-)
>  create mode 100644 tests/inet_socket/nftables-flush
>  create mode 100644 tests/inet_socket/nftables-load
>  create mode 100644 tests/sctp/nftables-flush
>  create mode 100644 tests/sctp/nftables-load
>
[...]
> diff --git a/tests/inet_socket/test b/tests/inet_socket/test
> index 47ce106..ce9bd7f 100755
> --- a/tests/inet_socket/test
> +++ b/tests/inet_socket/test
> @@ -27,6 +27,19 @@ BEGIN {
>          $test_calipso_stream = 1;
>      }
>
> +    # Determine nftables version, must be >= 0.9.3 for secmark support
> +    # with kernel >= 4.20
> +    $test_nft = 0;
> +    $nft      = `nft -v`;
> +    $nft =~ s/\D//g;
> +    $kverminstream = "4.20";
> +
> +    $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
> +    if ( $nft gt "092" and $rc > 0 ) {
> +        $test_count += 8;
> +        $test_nft = 1;
> +    }
> +
>      plan tests => $test_count;
>  }
>
> @@ -348,63 +361,82 @@ if ($test_ipsec) {
>      system "/bin/sh $basedir/ipsec-flush";
>  }
>
> -# Load iptables (IPv4 & IPv6) configuration.
> -system "/bin/sh $basedir/iptables-load";
> +#
> +################## Test iptables/nftables configuration ######################
> +#
> +$test_msg = "Testing iptables (IPv4/IPv6).\n";
> +$cmd      = "/bin/sh";
> +$table    = "iptables";
> +$i        = 0;
> +$loop     = 1;
> +
> +if ($test_nft) {
> +    $loop = 2;
> +}
>
> -# Start the stream server.
> -$pid = server_start( "-t test_inet_server_t", "-n stream 65535" );
> +while ( $i < $loop ) {
> +    print "$test_msg";
> +    system "$cmd $basedir/$table-load";

Ugh, that is ugly... Why not just do something like:

sub test_tables {
    # run the tests...
}
[...]
print "Testing iptables (IPv4/IPv6).\n";
system "/bin/sh $basedir/iptables-load";
test_tables();
system "/bin/sh $basedir/iptables-flush";

print "Testing nftables (IPv4/IPv6).\n";
system "nft -f $basedir/nftables-load";
test_tables();
system "nft -f $basedir/nftables-flush";
[...]

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.