From 942c551547e23965f1653776f140297f790a4400 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Wed, 16 Oct 2019 12:56:57 -0400

Subject: [PATCH 118/122] fix: tests: convert nftables fib checks to runtime

Instead of when the testsuite is generated.

(cherry picked from commit d5d05165222eb7a4933aace8fe2bc9c46bddab36)

(cherry picked from commit 4aa4e01315b3404370ecaef661cc7eba604eee3d)

---

 src/tests/dbus/firewalld.conf.at | 16 +++++++++++++---

 src/tests/functions.at           | 26 +++++++++++++-------------

 src/tests/regression/gh258.at    | 26 +++++++++++++++++---------

 src/tests/regression/gh509.at    |  2 +-

 4 files changed, 44 insertions(+), 26 deletions(-)

diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at

index 3887d7ee4a7d..05eb3dd5f650 100644

--- a/src/tests/dbus/firewalld.conf.at

+++ b/src/tests/dbus/firewalld.conf.at

@@ -1,17 +1,27 @@

 FWD_START_TEST([firewalld.conf])

 dnl Verify defaults over dbus. Should be inline with default firewalld.conf.

+IF_HOST_SUPPORTS_NFT_FIB([

 DBUS_GETALL([config], [config], 0, [dnl

 string "AutomaticHelpers" : variant string "system"

 string "CleanupOnExit" : variant string "no"

 string "DefaultZone" : variant string "public"

-m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl

-string "IPv6_rpfilter" : variant string "no"],[dnl

-string "IPv6_rpfilter" : variant string "yes"])

+string "IPv6_rpfilter" : variant string "yes"

 string "IndividualCalls" : variant string "no"

 string "Lockdown" : variant string "no"

 string "LogDenied" : variant string "off"

 string "MinimalMark" : variant int32 100

+])], [

+DBUS_GETALL([config], [config], 0, [dnl

+string "AutomaticHelpers" : variant string "system"

+string "CleanupOnExit" : variant string "no"

+string "DefaultZone" : variant string "public"

+string "IPv6_rpfilter" : variant string "no"

+string "IndividualCalls" : variant string "no"

+string "Lockdown" : variant string "no"

+string "LogDenied" : variant string "off"

+string "MinimalMark" : variant int32 100

+])

 ])

 m4_define([_helper], [

diff --git a/src/tests/functions.at b/src/tests/functions.at

index debabba8b8eb..fb68388776c9 100644

--- a/src/tests/functions.at

+++ b/src/tests/functions.at

@@ -74,7 +74,7 @@ m4_define([FWD_START_TEST], [

         dnl fib matching is pretty new in nftables. Don't use rpfilter on older

         dnl kernels.

         m4_if(nftables, FIREWALL_BACKEND, [

-            m4_if(no, HOST_SUPPORTS_NFT_FIB, [

+            IF_HOST_SUPPORTS_NFT_FIB([], [

                 sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=no/' ./firewalld.conf

             ])

         ])

@@ -406,22 +406,22 @@ m4_define([CHECK_NFT_CT_HELPER], [

     ])

 ])

-m4_ifnblank(

-    m4_esyscmd([

-        KERNEL_MAJOR=`uname -r | cut -d. -f1`

-        KERNEL_MINOR=`uname -r | cut -d. -f2`

-        if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 10 || test ${KERNEL_MAJOR} -gt 4; then

-            echo -n "yes"

-        fi

-    ]),

-    [m4_define([HOST_SUPPORTS_NFT_FIB], [yes])],

-    [m4_define([HOST_SUPPORTS_NFT_FIB], [no])]

-)

-

 m4_define([CHECK_MODULE_PROTO_GRE], [

     AT_SKIP_IF([! NS_CMD([modinfo nf_conntrack_proto_gre])])

 ])

+m4_define([IF_HOST_SUPPORTS_NFT_FIB], [

+    KERNEL_MAJOR=`uname -r | cut -d. -f1`

+    KERNEL_MINOR=`uname -r | cut -d. -f2`

+    if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 10 || test ${KERNEL_MAJOR} -gt 4; then

+        :

+        $1

+    else

+        :

+        $2

+    fi

+])

+

 m4_define([NFT_NUMERIC_ARGS], m4_esyscmd([nft -h |grep "numeric-protocol" >/dev/null && echo -n "" || { echo -n "-" && echo -n "nn"; } ]))

 m4_define([HOST_SUPPORTS_IP6TABLES], m4_esyscmd(

diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at

index fb863c35528e..a4b86e8a006f 100644

--- a/src/tests/regression/gh258.at

+++ b/src/tests/regression/gh258.at

@@ -66,16 +66,24 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl

         }

     }

 ])

-NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl

-    table inet firewalld {

-        chain raw_PREROUTING {

-            m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl

-            icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept

-            meta nfproto ipv6 fib saddr . iif oif missing drop

-            ])dnl

-            jump raw_PREROUTING_ZONES

+IF_HOST_SUPPORTS_NFT_FIB([

+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl

+        table inet firewalld {

+            chain raw_PREROUTING {

+                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept

+                meta nfproto ipv6 fib saddr . iif oif missing drop

+                jump raw_PREROUTING_ZONES

+            }

         }

-    }

+    ])

+], [

+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl

+        table inet firewalld {

+            chain raw_PREROUTING {

+                jump raw_PREROUTING_ZONES

+            }

+        }

+    ])

 ])

 NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl

     table inet firewalld {

diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at

index 44074fda3550..00cc51c9c51f 100644

--- a/src/tests/regression/gh509.at

+++ b/src/tests/regression/gh509.at

@@ -4,7 +4,7 @@ AT_KEYWORDS(gh509)

 dnl We're going to wipe the config below and therefore use the defaults. As

 dnl such, if our test host doesn't support defaults then we must skip this test

 dnl group.

-m4_if(no, HOST_SUPPORTS_NFT_FIB, [AT_SKIP_IF([:])])

+IF_HOST_SUPPORTS_NFT_FIB([], [AT_SKIP_IF([:])])

 AT_CHECK([if ! rm ./firewalld.conf; then exit 77; fi])

 FWD_RESTART

-- 

2.23.0