Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test: Flush routes on lo interface left over from liblxc ipvlan bug #13653

Merged
merged 2 commits into from
Jun 24, 2024
Merged

test: Flush routes on lo interface left over from liblxc ipvlan bug #13653

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29a04eb
test: Flush routes on lo interface left over from liblxc ipvlan bug
tomponline Jun 24, 2024
88bab02
test: Fix container devices nic bridged filtering tests on recent ver…
tomponline Mar 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 32 additions & 17 deletions test/suites/container_devices_nic_bridged_filtering.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,18 +75,21 @@ test_container_devices_nic_bridged_filtering() {
else
macHex=$(echo "${ctAMAC}" |sed "s/://g")
macDec=$(printf "%d" 0x"${macHex}")
macHex=$(printf "0x%x" "${macDec}")

for table in "in" "fwd"
do
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep -e "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
rules=$(nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0")

if ! echo "${rules}" | grep -e "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
echo "MAC filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep -e "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep -e "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
echo "MAC ARP filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != ${macDec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != (${macHex}|${macDec}) drop"; then
echo "MAC NDP filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
Expand Down Expand Up @@ -315,31 +318,35 @@ test_container_devices_nic_bridged_filtering() {
fi
else
macDec=$(printf "%d" 0x"${macHex}")
macHex=$(printf "0x%x" "${macDec}")
ipv6Hex="0x20010db8000000000000000000000002"
ipv6Dec="42540766411282592856903984951653826562"

rules=$(nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0")

for table in "in" "fwd"
do
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
echo "MAC filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
echo "MAC ARP filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != ${macDec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != (${macHex}|${macDec}) drop"; then
echo "MAC NDP filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,384,128 != ${ipv6Dec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,384,128 != (${ipv6Hex}|${ipv6Dec}) drop"; then
echo "IPv6 NDP filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" ip6 saddr != 2001:db8::2 drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" ip6 saddr != 2001:db8::2 drop"; then
echo "IPv6 filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep -e "iifname \"${ctAHost}\" icmpv6 type 134 drop"; then
if ! echo "${rules}" | grep -e "iifname \"${ctAHost}\" icmpv6 type 134 drop"; then
echo "IPv6 RA filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
Expand Down Expand Up @@ -495,29 +502,34 @@ test_container_devices_nic_bridged_filtering() {
false
fi
else
macHex=$(echo "${ctAMAC}" |sed "s/://g")
macDec=$(printf "%d" 0x"${macHex}")
macHex=$(printf "0x%x" "${macDec}")
ipv6Hex="0x20010db8000000000000000000000002"
ipv6Dec="42540766411282592856903984951653826562"

rules=$(nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0")

for table in "in" "fwd"
do
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
echo "MAC filter not applied as part of ipv4_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
echo "MAC ARP filter not applied as part of ipv4_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi

if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != ${macDec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != (${macHex}|${macDec}) drop"; then
echo "MAC NDP filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,384,128 != ${ipv6Dec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,384,128 != (${ipv6Hex}|${ipv6Dec}) drop"; then
echo "IPv6 NDP filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" ip6 saddr != 2001:db8::2 drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" ip6 saddr != 2001:db8::2 drop"; then
echo "IPv6 filter not applied as part of ipv6_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
Expand Down Expand Up @@ -577,19 +589,22 @@ test_container_devices_nic_bridged_filtering() {
else
macHex=$(echo "${ctAMAC}" |sed "s/://g")
macDec=$(printf "%d" 0x"${macHex}")
macHex=$(printf "0x%x" "${macDec}")

rules=$(nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0")

for table in "in" "fwd"
do
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" ether saddr != ${ctAMAC} drop"; then
echo "MAC filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
if ! echo "${rules}" | grep "iifname \"${ctAHost}\" arp saddr ether != ${ctAMAC} drop"; then
echo "MAC ARP filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi

if ! nft -nn list chain bridge lxd "${table}.${ctPrefix}A.eth0" | grep "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != ${macDec} drop"; then
if ! echo "${rules}" | grep -P "iifname \"${ctAHost}\" icmpv6 type 136 @nh,528,48 != (${macHex}|${macDec}) drop"; then
echo "MAC NDP filter not applied as part of mac_filtering in nftables (${table}.${ctPrefix}A.eth0)"
false
fi
Expand Down
7 changes: 7 additions & 0 deletions test/suites/container_devices_nic_ipvlan.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ test_container_devices_nic_ipvlan() {
fi

lxc stop "${ctName}" --force
ip -4 route flush dev lo
ip -6 route flush dev lo

# Check that MTU is inherited from parent device when not specified on device.
ip link set "${ctName}" mtu 1405
Expand Down Expand Up @@ -66,6 +68,9 @@ test_container_devices_nic_ipvlan() {

# Check IPVLAN ontop of VLAN parent.
lxc stop -f "${ctName}"
ip -4 route flush dev lo
ip -6 route flush dev lo

lxc config device set "${ctName}" eth0 vlan 1234
lxc start "${ctName}"

Expand Down Expand Up @@ -99,4 +104,6 @@ test_container_devices_nic_ipvlan() {
lxc delete "${ctName}" -f
lxc delete "${ctName}2" -f
ip link delete "${ctName}" type dummy
ip -4 route flush dev lo
ip -6 route flush dev lo
}
Loading