diff --git a/tests/e2e/cli/chain_attach.sh b/tests/e2e/cli/chain_attach.sh index 2b4117ec..0e6c9995 100755 --- a/tests/e2e/cli/chain_attach.sh +++ b/tests/e2e/cli/chain_attach.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/cli/chain_load.sh b/tests/e2e/cli/chain_load.sh index 77f6dc79..a1d2ef4e 100755 --- a/tests/e2e/cli/chain_load.sh +++ b/tests/e2e/cli/chain_load.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/cli/chain_set.sh b/tests/e2e/cli/chain_set.sh index 62235817..86c36c87 100755 --- a/tests/e2e/cli/chain_set.sh +++ b/tests/e2e/cli/chain_set.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/cli/chain_update.sh b/tests/e2e/cli/chain_update.sh index 8bbac355..dbace741 100755 --- a/tests/e2e/cli/chain_update.sh +++ b/tests/e2e/cli/chain_update.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/cli/chain_update_set.sh b/tests/e2e/cli/chain_update_set.sh index 8466ef87..7f4cd5b2 100755 --- a/tests/e2e/cli/chain_update_set.sh +++ b/tests/e2e/cli/chain_update_set.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox start_bpfilter diff --git a/tests/e2e/cli/hookopts.sh b/tests/e2e/cli/hookopts.sh index a750859c..b7953c02 100755 --- a/tests/e2e/cli/hookopts.sh +++ b/tests/e2e/cli/hookopts.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh # Disallow duplicated hook options diff --git a/tests/e2e/cli/nf_inet_dual_stack.sh b/tests/e2e/cli/nf_inet_dual_stack.sh index 0cc006b2..4cb5106b 100755 --- a/tests/e2e/cli/nf_inet_dual_stack.sh 
+++ b/tests/e2e/cli/nf_inet_dual_stack.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox @@ -15,14 +12,11 @@ ping -c 1 -W 0.1 ${NS_IP_ADDR} ${FROM_NS} bfcli chain set --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN{priorities=101-102} ACCEPT rule ip4.proto icmp counter DROP" (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -# Verify that both inet4 and inet6 BPF links were created -# We expect to see 2 netfilter links attached (one for PF_INET, one for PF_INET6) -# BPF links are in the BPF filesystem, not network namespace, so check from host -LINK_COUNT=$(bpftool link show 2>&1 | grep -c "netfilter") +# Verify that both inet4 and inet6 BPF links were created (bf_link + bf_link_extra) +LINK_COUNT=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l) if [ "${LINK_COUNT}" -ne 2 ]; then echo "ERROR: Expected 2 netfilter links (inet4 + inet6), found ${LINK_COUNT}" - echo "DEBUG: Full bpftool link output:" - bpftool link show || true + ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true exit 1 fi @@ -33,10 +27,10 @@ ${FROM_NS} bfcli chain update --name nf_dual_0 --from-str "chain nf_dual_0 BF_HO (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) # Verify both links still exist after update -LINK_COUNT_AFTER=$(bpftool link show 2>&1 | grep -c "netfilter") +LINK_COUNT_AFTER=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l) if [ "${LINK_COUNT_AFTER}" -ne 2 ]; then echo "ERROR: Expected 2 netfilter links after update, found ${LINK_COUNT_AFTER}" - bpftool link show || true + ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true exit 1 fi 
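Review bot: The failure messages in this hunk and in the next one (`@@ -33,10 +27,10 @@`) still say "netfilter links", although the check now counts pin files matching `bf_link*` under `${WORKDIR}/bpf/bpfilter/nf_dual_0/`. The removed comment explained where the links are visible and has no replacement. I would add `# bpffs is mounted inside the sandbox mount namespace, so the pins are only visible through ${FROM_NS}` above the count. The path should also be quoted, `"${WORKDIR}/bpf/bpfilter/nf_dual_0/"`, because WORKDIR is now derived from the script's file name.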
@@ -45,9 +39,9 @@ ${FROM_NS} bfcli chain flush --name nf_dual_0 ping -c 1 -W 0.1 ${NS_IP_ADDR} # Verify links are removed after flush -LINK_COUNT_FINAL=$(bpftool link show 2>&1 | grep -c "netfilter" || echo "0") +LINK_COUNT_FINAL=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l || echo "0") if [ "${LINK_COUNT_FINAL}" -ne 0 ]; then echo "ERROR: Expected 0 netfilter links after flush, found ${LINK_COUNT_FINAL}" - bpftool link show || true + ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true exit 1 fi diff --git a/tests/e2e/cli/options_error.sh b/tests/e2e/cli/options_error.sh index c3cce44a..d43c2f17 100755 --- a/tests/e2e/cli/options_error.sh +++ b/tests/e2e/cli/options_error.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh (! bfcli ruleset set --from-str "" --from-file "") diff --git a/tests/e2e/cli/ruleset.sh b/tests/e2e/cli/ruleset.sh index cea733fb..60bf654a 100755 --- a/tests/e2e/cli/ruleset.sh +++ b/tests/e2e/cli/ruleset.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/already_running.sh b/tests/e2e/daemon/already_running.sh index 56e96840..21dc4bb3 100755 --- a/tests/e2e/daemon/already_running.sh +++ b/tests/e2e/daemon/already_running.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/host_to_netns.sh b/tests/e2e/daemon/host_to_netns.sh index 35ce426c..9b23da2b 100755 --- a/tests/e2e/daemon/host_to_netns.sh +++ b/tests/e2e/daemon/host_to_netns.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/netns_to_host.sh b/tests/e2e/daemon/netns_to_host.sh index c289ca81..579f3331 100755 --- a/tests/e2e/daemon/netns_to_host.sh +++ b/tests/e2e/daemon/netns_to_host.sh 
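Review bot: The post-flush check can pass without having inspected anything: if `nsenter` or `find` fails (for instance because the chain directory is already gone, or the namespace could not be entered), `wc -l` still prints 0 and the `-ne 0` test succeeds. The `|| echo "0"` fallback is also dead, because no script enables `pipefail` any more and the pipeline status is therefore that of `wc -l`. I would first assert that the mount is reachable with `${FROM_NS} test -d "${WORKDIR}/bpf"`, then count with `${FROM_NS} find "${WORKDIR}/bpf" -name 'bf_link*' | wc -l` and drop the fallback.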
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/pin_updated_chain.sh b/tests/e2e/daemon/pin_updated_chain.sh index 025d0c56..0ad56d64 100755 --- a/tests/e2e/daemon/pin_updated_chain.sh +++ b/tests/e2e/daemon/pin_updated_chain.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/restore_attached.sh b/tests/e2e/daemon/restore_attached.sh index d2e02c21..1cb9fc7f 100755 --- a/tests/e2e/daemon/restore_attached.sh +++ b/tests/e2e/daemon/restore_attached.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/restore_non_attached.sh b/tests/e2e/daemon/restore_non_attached.sh index 3dc0b88a..1fa33aaf 100755 --- a/tests/e2e/daemon/restore_non_attached.sh +++ b/tests/e2e/daemon/restore_non_attached.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/daemon/sock_exists.sh b/tests/e2e/daemon/sock_exists.sh index 528a9527..f7441c83 100755 --- a/tests/e2e/daemon/sock_exists.sh +++ b/tests/e2e/daemon/sock_exists.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/e2e_test_util.sh b/tests/e2e/e2e_test_util.sh index a9406716..335ae9b7 100755 --- a/tests/e2e/e2e_test_util.sh +++ b/tests/e2e/e2e_test_util.sh 
@@ -1,34 +1,37 @@ #!/bin/bash -set -e +set -eux -WORKDIR=$(mktemp -d) -BF_OUTPUT_FILE=${WORKDIR}/bf.log -BPFILTER_PID= -SETUSERNS_SOCKET_PATH=${WORKDIR}/setuserns.sock - -IN_SANBOX=0 -WITH_DAEMON=0 -HAS_TOKEN_SUPPORT=0 TEST_PATH= FROM_NS= -# Network settings -NETNS_NAME="bftestns" -VETH_HOST="veth_host" -VETH_NS="veth_ns" -HOST_IP="10.0.0.1/24" -NS_IP="10.0.0.2/24" -HOST_IP_ADDR="10.0.0.1" -NS_IP_ADDR="10.0.0.2" +# Derive resources names from the test name. Allows for pre-test cleanup +# and parallel testing of different tests. +_TEST_NAME=$(basename "$0" .sh) +_TEST_HASH=$(printf '%s' "$_TEST_NAME" | cksum | awk '{print $1}') +_OCTET2=$(( (_TEST_HASH >> 8) & 0xFF )) +_OCTET3=$(( _TEST_HASH & 0xFF )) +_SHORT_ID=$(( _TEST_HASH & 0xFFFF )) + +WORKDIR="/tmp/bpfilter.e2e.${_TEST_NAME}" +_UNIT_NAME="bpfilter-e2e-${_TEST_NAME}" +BF_OUTPUT_FILE=${WORKDIR}/bf.log +BPFILTER_PID= + +NETNS_NAME="bftest_${_TEST_NAME}" +VETH_HOST="veth_h_${_SHORT_ID}" +VETH_NS="veth_n_${_SHORT_ID}" +HOST_IP="10.${_OCTET2}.${_OCTET3}.1/24" +NS_IP="10.${_OCTET2}.${_OCTET3}.2/24" +HOST_IP_ADDR="10.${_OCTET2}.${_OCTET3}.1" +NS_IP_ADDR="10.${_OCTET2}.${_OCTET3}.2" HOST_IFINDEX= NS_IFINDEX= # Tested binaries BFCLI=bfcli -_BPFILTER=bpfilter +_BPFILTER=$(command -v bpfilter) BPFILTER= # bpfilter command to use in tests (includes the required options) -SETUSERNS=setuserns RULESETS_DIR=. ################################################################################ @@ -40,16 +43,11 @@ RULESETS_DIR=. make_sandbox() { echo "Create the sandbox" - IN_SANBOX=1 - # Disable selinux if available, not all distros enforce setlinux if command -v setenforce &> /dev/null; then setenforce 0 || true fi - # Check if BPF token is supported - bash -c "sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c | grep -q \"__s32 prog_token_fd;\"" && HAS_TOKEN_SUPPORT=1 || HAS_TOKEN_SUPPORT=0 - # Create the namespaces mount points mkdir ${WORKDIR}/{ns,bpf} mount --bind ${WORKDIR}/ns ${WORKDIR}/ns 
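Review bot: `set -eux` here replaces the per-test `set -eux` / `set -o pipefail` pair that this commit deletes from every script, so `pipefail` is no longer enabled anywhere. The new `find … | wc -l` counts in cli/nf_inet_dual_stack.sh and matchers/set.sh are pipelines whose left-hand side can now fail unnoticed. Add `set -o pipefail` on the line after `set -eux`, with a comment such as `# Shell options for every test that sources this file`, so the centralised options match what the tests had before.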
@@ -60,43 +58,19 @@ make_sandbox() { # Create the netns to be used by unshare ip netns add ${NETNS_NAME} - # Create the user and mount namespaces, mount a new /run to have the bpfilter socket - if [ $HAS_TOKEN_SUPPORT -eq 1 ]; then - ${SETUSERNS} out --socket ${SETUSERNS_SOCKET_PATH} & - SETUSERNS_PID=$! - - # util-linux 2.38+ supports --map-users/--map-groups - UNSHARE_VERSION=$(unshare --version | grep -oP '\d+\.\d+' | head -1) - if [ "$(printf '%s\n' "2.38" "$UNSHARE_VERSION" | sort -V | head -1)" = "2.38" ]; then - UNSHARE_MAP_OPTS="--map-users=all --map-groups=all" - else - UNSHARE_MAP_OPTS="" - fi - unshare \ - --user=${WORKDIR}/ns/user \ --mount=${WORKDIR}/ns/mnt \ --net=/var/run/netns/${NETNS_NAME} \ --keep-caps \ - ${UNSHARE_MAP_OPTS} \ - -r /bin/bash -c " + /bin/bash -c " set -e mount -t tmpfs tmpfs /run - ${SETUSERNS} in --socket ${SETUSERNS_SOCKET_PATH} --bpffs-mount-path ${WORKDIR}/bpf - " & - - BPFILTER="${_BPFILTER} --verbose debug --with-bpf-token --bpffs-path ${WORKDIR}/bpf" - wait $SETUSERNS_PID - else - unshare --net=/var/run/netns/${NETNS_NAME} & - BPFILTER="${_BPFILTER} --verbose debug" - fi + mount -t bpf bpf ${WORKDIR}/bpf + " - if [ "${HAS_TOKEN_SUPPORT:-1}" -eq 1 ]; then - FROM_NS="nsenter --mount=${WORKDIR}/ns/mnt --user=${WORKDIR}/ns/user --net=/var/run/netns/${NETNS_NAME}" - else - FROM_NS="nsenter --net=/var/run/netns/${NETNS_NAME}" - fi + BPFILTER="${_BPFILTER} --verbose debug --bpffs-path ${WORKDIR}/bpf" + + FROM_NS="nsenter --mount=${WORKDIR}/ns/mnt --net=/var/run/netns/${NETNS_NAME}" # Create the veth ip link add ${VETH_HOST} type veth peer name ${VETH_NS} @@ -123,7 +97,6 @@ make_sandbox() { echo " Tested binaries" echo " bfcli: ${BFCLI}" echo " bpfilter: ${_BPFILTER}" - echo " setuserns: ${SETUSERNS}" echo " rulesets-dir: ${RULESETS_DIR}" } 
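Review bot: `--keep-caps` is left on the new `unshare` call, but it only has an effect together with `--user`, which this hunk removes, so it should be dropped. Without the user namespace the sandbox isolates only the mount and network namespaces, and the daemon and test commands presumably run as root in the host user namespace (the script calls `mount` and `ip netns` directly). The deleted comment should be replaced by one that says so, for example `# Create the mount and network namespaces (no user namespace: commands run as host root)`. `${WORKDIR}` is also interpolated unquoted into the `bash -c` string, so a test file name with whitespace or shell metacharacters would be parsed as shell there. make_sandbox begins and ends outside this hunk.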
@@ -134,13 +107,8 @@ destroy_sandbox() { umount /var/run/netns/${NETNS_NAME} || true ip netns delete ${NETNS_NAME} || true - # If BPF token is not supported, user and mnt namespaces are not mounted - if [ "${HAS_TOKEN_SUPPORT:-1}" -eq 1 ]; then umount ${WORKDIR}/bpf || true - umount ${WORKDIR}/ns/user || true umount ${WORKDIR}/ns/mnt || true - fi - umount ${WORKDIR}/ns || true rm -rf ${WORKDIR} || true @@ -161,7 +129,6 @@ start_bpfilter() { # Wait for the daemon to listen to the requests while [ $(date +%s) -lt $end_time ]; do if grep -q "waiting for requests" "${BF_OUTPUT_FILE}"; then - WITH_DAEMON=1 return 0 fi sleep 0.1 @@ -187,38 +154,22 @@ stop_bpfilter() { echo "Stop bpfilter" - if [ -n "$BPFILTER_PID" ]; then - if [ "$skip_cleanup" -eq 0 ] && [ "${HAS_TOKEN_SUPPORT:-1}" -ne 1 ]; then - bfcli ruleset flush || true - fi + bfcli ruleset flush || true + kill $BPFILTER_PID 2>/dev/null || true + wait $BPFILTER_PID || true - kill $BPFILTER_PID 2>/dev/null || true - wait $BPFILTER_PID || true - fi - - WITH_DAEMON=0 + echo "========== bpfilter output ==========" + cat "$BF_OUTPUT_FILE" || true } cleanup() { - echo "cleanup() called with exit value $1" - - if [ "$WITH_DAEMON" -ne 0 ]; then - stop_bpfilter - - echo "========== bpfilter output ==========" - cat "$BF_OUTPUT_FILE" || true - fi - - if [ "$IN_SANBOX" -ne 0 ]; then - destroy_sandbox - fi - - exit $1 + stop_bpfilter + destroy_sandbox } # Set trap to ensure cleanup happens -trap 'cleanup $?' EXIT -trap 'cleanup 1' INT TERM +trap 'ret=$?; cleanup; exit ${ret}' EXIT +trap 'cleanup 1; exit 1' INT TERM ################################################################################ @@ -228,3 +179,6 @@ trap 'cleanup 1' INT TERM ################################################################################ WITH_TIMEOUT="timeout --signal INT --preserve-status .5" + +cleanup +mkdir -p ${WORKDIR} \ No newline at end of file 
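Review bot: `stop_bpfilter` now runs `bfcli ruleset flush` and `kill $BPFILTER_PID` unconditionally, and `cleanup` calls it from the EXIT trap and again at source time (last hunk), so tests that never start a daemon still issue a flush from the host. If a bpfilter daemon is reachable on the host at that point its ruleset would presumably be flushed, and with an empty `BPFILTER_PID` the bare `wait` blocks on every background child. Restoring the guard as the first statement, `[ -n "${BPFILTER_PID}" ] || return 0`, avoids both. The removed condition also read `skip_cleanup`, which the new body ignores, so callers that pass it (not visible here) lose that behaviour; and on INT/TERM `cleanup` runs twice, because `exit 1` re-enters the EXIT trap. stop_bpfilter starts outside the hunk.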
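Review bot: `mkdir -p ${WORKDIR}` creates a fixed, guessable path under `/tmp` (`WORKDIR="/tmp/bpfilter.e2e.${_TEST_NAME}"` in the first hunk) where the old code used `mktemp -d`, and the script then bind-mounts onto it and writes `bf.log` there with what appear to be root privileges. `mkdir -p` silently accepts a directory or symlink that another local user created between the `rm -rf` in `cleanup` and this line. Use `mkdir -m 0700 "${WORKDIR}"` without `-p` so a pre-existing path is an error, or place the base under a directory only root can write to. Do not choose `/run` for that, since the sandbox mounts a tmpfs over it. The file also loses its trailing newline.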
diff --git a/tests/e2e/matchers/icmp_code.sh b/tests/e2e/matchers/icmp_code.sh index 3f85600f..8c1698ff 100755 --- a/tests/e2e/matchers/icmp_code.sh +++ b/tests/e2e/matchers/icmp_code.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0 counter DROP" diff --git a/tests/e2e/matchers/icmp_type.sh b/tests/e2e/matchers/icmp_type.sh index 0234ac61..05d8709d 100755 --- a/tests/e2e/matchers/icmp_type.sh +++ b/tests/e2e/matchers/icmp_type.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq echo-reply counter DROP" diff --git a/tests/e2e/matchers/icmpv6_code.sh b/tests/e2e/matchers/icmpv6_code.sh index 0919e63e..02831843 100755 --- a/tests/e2e/matchers/icmpv6_code.sh +++ b/tests/e2e/matchers/icmpv6_code.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0 counter DROP" diff --git a/tests/e2e/matchers/icmpv6_type.sh b/tests/e2e/matchers/icmpv6_type.sh index 4de349d2..9d65bb3b 100755 --- a/tests/e2e/matchers/icmpv6_type.sh +++ b/tests/e2e/matchers/icmpv6_type.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq mld-listener-report counter DROP" diff --git a/tests/e2e/matchers/ip4_daddr.sh b/tests/e2e/matchers/ip4_daddr.sh index 4bd9ea7d..0666b8bb 100755 --- a/tests/e2e/matchers/ip4_daddr.sh +++ b/tests/e2e/matchers/ip4_daddr.sh 
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1 counter DROP" diff --git a/tests/e2e/matchers/ip4_dnet.sh b/tests/e2e/matchers/ip4_dnet.sh index 9677c604..72e14f89 100755 --- a/tests/e2e/matchers/ip4_dnet.sh +++ b/tests/e2e/matchers/ip4_dnet.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/0 counter DROP" diff --git a/tests/e2e/matchers/ip4_dscp.sh b/tests/e2e/matchers/ip4_dscp.sh index 061d6fa8..1935273a 100755 --- a/tests/e2e/matchers/ip4_dscp.sh +++ b/tests/e2e/matchers/ip4_dscp.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh # Test valid decimal values diff --git a/tests/e2e/matchers/ip4_proto.sh b/tests/e2e/matchers/ip4_proto.sh index 4e5dc698..57db1115 100755 --- a/tests/e2e/matchers/ip4_proto.sh +++ b/tests/e2e/matchers/ip4_proto.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq icmp counter DROP" diff --git a/tests/e2e/matchers/ip4_saddr.sh b/tests/e2e/matchers/ip4_saddr.sh index 7ce82d64..3cf28c2e 100755 --- a/tests/e2e/matchers/ip4_saddr.sh +++ b/tests/e2e/matchers/ip4_saddr.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1 counter DROP" diff --git a/tests/e2e/matchers/ip4_snet.sh b/tests/e2e/matchers/ip4_snet.sh index 11698109..5bbd6359 100755 --- a/tests/e2e/matchers/ip4_snet.sh +++ b/tests/e2e/matchers/ip4_snet.sh 
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/0 counter DROP" diff --git a/tests/e2e/matchers/ip6_daddr.sh b/tests/e2e/matchers/ip6_daddr.sh index 7e9fc2f5..5ca078d7 100755 --- a/tests/e2e/matchers/ip6_daddr.sh +++ b/tests/e2e/matchers/ip6_daddr.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP" diff --git a/tests/e2e/matchers/ip6_dnet.sh b/tests/e2e/matchers/ip6_dnet.sh index ee75a641..9fc8b607 100755 --- a/tests/e2e/matchers/ip6_dnet.sh +++ b/tests/e2e/matchers/ip6_dnet.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32 counter DROP" diff --git a/tests/e2e/matchers/ip6_dscp.sh b/tests/e2e/matchers/ip6_dscp.sh index d00f294b..5207115d 100755 --- a/tests/e2e/matchers/ip6_dscp.sh +++ b/tests/e2e/matchers/ip6_dscp.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh # Test valid decimal values with 'eq' operator diff --git a/tests/e2e/matchers/ip6_nexthdr.sh b/tests/e2e/matchers/ip6_nexthdr.sh index 31697d6b..727635cb 100755 --- a/tests/e2e/matchers/ip6_nexthdr.sh +++ b/tests/e2e/matchers/ip6_nexthdr.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq icmp counter DROP" diff --git a/tests/e2e/matchers/ip6_saddr.sh b/tests/e2e/matchers/ip6_saddr.sh index 61acfc95..21691f28 100755 --- a/tests/e2e/matchers/ip6_saddr.sh +++ b/tests/e2e/matchers/ip6_saddr.sh 
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP" diff --git a/tests/e2e/matchers/ip6_snet.sh b/tests/e2e/matchers/ip6_snet.sh index cf00dbd1..eeceeb7f 100755 --- a/tests/e2e/matchers/ip6_snet.sh +++ b/tests/e2e/matchers/ip6_snet.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32 counter DROP" diff --git a/tests/e2e/matchers/meta_dport.sh b/tests/e2e/matchers/meta_dport.sh index 2df285fe..6504d68c 100755 --- a/tests/e2e/matchers/meta_dport.sh +++ b/tests/e2e/matchers/meta_dport.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0 counter DROP" diff --git a/tests/e2e/matchers/meta_flow_hash.sh b/tests/e2e/matchers/meta_flow_hash.sh index 3a5d82dd..1216e97b 100755 --- a/tests/e2e/matchers/meta_flow_hash.sh +++ b/tests/e2e/matchers/meta_flow_hash.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_hash eq 0 counter DROP") diff --git a/tests/e2e/matchers/meta_iface.sh b/tests/e2e/matchers/meta_iface.sh index 1ff1d06c..05c24ec7 100755 --- a/tests/e2e/matchers/meta_iface.sh +++ b/tests/e2e/matchers/meta_iface.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq lo counter DROP" diff --git a/tests/e2e/matchers/meta_l3_proto.sh b/tests/e2e/matchers/meta_l3_proto.sh index c8a117bc..486609cb 100755 
--- a/tests/e2e/matchers/meta_l3_proto.sh +++ b/tests/e2e/matchers/meta_l3_proto.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq ipv4 counter DROP" diff --git a/tests/e2e/matchers/meta_l4_proto.sh b/tests/e2e/matchers/meta_l4_proto.sh index 5c02eb75..cd924753 100755 --- a/tests/e2e/matchers/meta_l4_proto.sh +++ b/tests/e2e/matchers/meta_l4_proto.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq icmp counter DROP" diff --git a/tests/e2e/matchers/meta_mark.sh b/tests/e2e/matchers/meta_mark.sh index 0c3bb01a..574df5ad 100755 --- a/tests/e2e/matchers/meta_mark.sh +++ b/tests/e2e/matchers/meta_mark.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.mark eq 0 counter DROP") diff --git a/tests/e2e/matchers/meta_probability.sh b/tests/e2e/matchers/meta_probability.sh index d23608ea..4a67484e 100755 --- a/tests/e2e/matchers/meta_probability.sh +++ b/tests/e2e/matchers/meta_probability.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0% counter DROP" diff --git a/tests/e2e/matchers/meta_sport.sh b/tests/e2e/matchers/meta_sport.sh index 7478d84c..8c66891c 100755 --- a/tests/e2e/matchers/meta_sport.sh +++ b/tests/e2e/matchers/meta_sport.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0 counter DROP" 
diff --git a/tests/e2e/matchers/named_set.sh b/tests/e2e/matchers/named_set.sh index 0f753afa..977d82fb 100755 --- a/tests/e2e/matchers/named_set.sh +++ b/tests/e2e/matchers/named_set.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT diff --git a/tests/e2e/matchers/set.sh b/tests/e2e/matchers/set.sh index d17e5d37..6abb4016 100755 --- a/tests/e2e/matchers/set.sh +++ b/tests/e2e/matchers/set.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41; 192.168.1.1,42} counter DROP" @@ -75,12 +72,10 @@ bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ( icm make_sandbox start_bpfilter - # Count set maps before creating chain - MAP_COUNT_BEFORE=$(bpftool map 2>&1 | grep -c "name set_" || true) ${FROM_NS} bfcli chain set --from-str "chain test BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule (ip4.saddr) in { 192.168.1.1 } DROP rule (ip4.saddr) in {} ACCEPT" - # Verify only 1 new set map was created (empty set should not create a map) - MAP_COUNT_AFTER=$(bpftool map 2>&1 | grep -c "name set_" || true) - [ $((MAP_COUNT_AFTER - MAP_COUNT_BEFORE)) -eq 1 ] || { echo "ERROR: Expected 1 new set map, found $((MAP_COUNT_AFTER - MAP_COUNT_BEFORE))"; exit 1; } + # Verify only 1 set map was pinned (empty set should not create a map) + MAP_COUNT=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/test/ -name 'set_*' | wc -l) + [ "${MAP_COUNT}" -eq 1 ] || { echo "ERROR: Expected 1 set map, found ${MAP_COUNT}"; exit 1; } stop_bpfilter diff --git a/tests/e2e/matchers/tcp_dport.sh b/tests/e2e/matchers/tcp_dport.sh index a16443ea..d782f125 100755 --- a/tests/e2e/matchers/tcp_dport.sh +++ b/tests/e2e/matchers/tcp_dport.sh 
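Review bot: The failure branch of the new `MAP_COUNT` check in matchers/set.sh prints only the count, while the equivalent checks in cli/nf_inet_dual_stack.sh list the directory on failure. Adding `${FROM_NS} ls -la "${WORKDIR}/bpf/bpfilter/test/" || true` before `exit 1` would make a miscount diagnosable from the log. The comment could also state that the count is of pins named `set_*` in the chain's bpffs directory, since the test now relies on that naming.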
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0 counter DROP" diff --git a/tests/e2e/matchers/tcp_flags.sh b/tests/e2e/matchers/tcp_flags.sh index fd3d0a1d..2e7eb4bf 100755 --- a/tests/e2e/matchers/tcp_flags.sh +++ b/tests/e2e/matchers/tcp_flags.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin counter DROP" diff --git a/tests/e2e/matchers/tcp_sport.sh b/tests/e2e/matchers/tcp_sport.sh index 8f8a82d6..e25675ea 100755 --- a/tests/e2e/matchers/tcp_sport.sh +++ b/tests/e2e/matchers/tcp_sport.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0 counter DROP" diff --git a/tests/e2e/matchers/udp_dport.sh b/tests/e2e/matchers/udp_dport.sh index d63ddfb3..352d2f41 100755 --- a/tests/e2e/matchers/udp_dport.sh +++ b/tests/e2e/matchers/udp_dport.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0 counter DROP" diff --git a/tests/e2e/matchers/udp_sport.sh b/tests/e2e/matchers/udp_sport.sh index 384f0401..6873568b 100755 --- a/tests/e2e/matchers/udp_sport.sh +++ b/tests/e2e/matchers/udp_sport.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0 counter DROP" diff --git a/tests/e2e/rules/action_order.sh b/tests/e2e/rules/action_order.sh index 5b3a07a6..fe922482 100755 --- a/tests/e2e/rules/action_order.sh +++ b/tests/e2e/rules/action_order.sh 
@@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/rules/icmp_tc.sh b/tests/e2e/rules/icmp_tc.sh index 33ed9228..9614c613 100755 --- a/tests/e2e/rules/icmp_tc.sh +++ b/tests/e2e/rules/icmp_tc.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/rules/icmp_xdp.sh b/tests/e2e/rules/icmp_xdp.sh index 6ec850a4..fd17b1b7 100755 --- a/tests/e2e/rules/icmp_xdp.sh +++ b/tests/e2e/rules/icmp_xdp.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/rules/log.sh b/tests/e2e/rules/log.sh index 04f52951..00f0adc2 100755 --- a/tests/e2e/rules/log.sh +++ b/tests/e2e/rules/log.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/rules/mark.sh b/tests/e2e/rules/mark.sh index d2a67471..3b36e03c 100755 --- a/tests/e2e/rules/mark.sh +++ b/tests/e2e/rules/mark.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox diff --git a/tests/e2e/rules/redirect.sh b/tests/e2e/rules/redirect.sh index 39976a62..d9767b82 100755 --- a/tests/e2e/rules/redirect.sh +++ b/tests/e2e/rules/redirect.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh get_counter() { diff --git a/tests/e2e/rulesets/rulesets.sh b/tests/e2e/rulesets/rulesets.sh index 73476eda..c929c727 100755 --- a/tests/e2e/rulesets/rulesets.sh +++ b/tests/e2e/rulesets/rulesets.sh @@ -1,8 +1,5 @@ #!/usr/bin/env bash -set -eux -set -o pipefail - . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox