Improvements to end-to-end tests

tests/e2e/cli/chain_attach.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/cli/chain_load.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/cli/chain_set.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/cli/chain_update.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/cli/chain_update_set.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 make_sandbox
 start_bpfilter

tests/e2e/cli/hookopts.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 # Disallow duplicated hook options

tests/e2e/cli/nf_inet_dual_stack.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox
@@ -15,14 +12,11 @@ ping -c 1 -W 0.1 ${NS_IP_ADDR}
 ${FROM_NS} bfcli chain set --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN{priorities=101-102} ACCEPT rule ip4.proto icmp counter DROP"
 (! ping -c 1 -W 0.1 ${NS_IP_ADDR})
 
-# Verify that both inet4 and inet6 BPF links were created
-# We expect to see 2 netfilter links attached (one for PF_INET, one for PF_INET6)
-# BPF links are in the BPF filesystem, not network namespace, so check from host
-LINK_COUNT=$(bpftool link show 2>&1 | grep -c "netfilter")
+# Verify that both inet4 and inet6 BPF links were created (bf_link + bf_link_extra)
+LINK_COUNT=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l)
 if [ "${LINK_COUNT}" -ne 2 ]; then
     echo "ERROR: Expected 2 netfilter links (inet4 + inet6), found ${LINK_COUNT}"
-    echo "DEBUG: Full bpftool link output:"
-    bpftool link show || true
+    ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true
     exit 1
 fi
 
@@ -33,10 +27,10 @@ ${FROM_NS} bfcli chain update --name nf_dual_0 --from-str "chain nf_dual_0 BF_HO
 (! ping -c 1 -W 0.1 ${NS_IP_ADDR})
 
 # Verify both links still exist after update
-LINK_COUNT_AFTER=$(bpftool link show 2>&1 | grep -c "netfilter")
+LINK_COUNT_AFTER=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l)
 if [ "${LINK_COUNT_AFTER}" -ne 2 ]; then
     echo "ERROR: Expected 2 netfilter links after update, found ${LINK_COUNT_AFTER}"
-    bpftool link show || true
+    ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true
     exit 1
 fi
 
@@ -45,9 +39,9 @@ ${FROM_NS} bfcli chain flush --name nf_dual_0
 ping -c 1 -W 0.1 ${NS_IP_ADDR}
 
 # Verify links are removed after flush
-LINK_COUNT_FINAL=$(bpftool link show 2>&1 | grep -c "netfilter" || echo "0")
+LINK_COUNT_FINAL=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/nf_dual_0/ -name 'bf_link*' | wc -l || echo "0")
 if [ "${LINK_COUNT_FINAL}" -ne 0 ]; then
     echo "ERROR: Expected 0 netfilter links after flush, found ${LINK_COUNT_FINAL}"
-    bpftool link show || true
+    ${FROM_NS} ls -la ${WORKDIR}/bpf/bpfilter/nf_dual_0/ || true
     exit 1
 fi

tests/e2e/cli/options_error.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 (! bfcli ruleset set --from-str "" --from-file "")

tests/e2e/cli/ruleset.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/already_running.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/host_to_netns.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/netns_to_host.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/pin_updated_chain.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/restore_attached.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/restore_non_attached.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/daemon/sock_exists.sh

@@ -1,8 +1,5 @@
 #!/usr/bin/env bash
 
-set -eux
-set -o pipefail
-
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 make_sandbox

tests/e2e/e2e_test_util.sh

@@ -1,34 +1,37 @@
 #!/bin/bash
 
-set -e
+set -eux
 
-WORKDIR=$(mktemp -d)
-BF_OUTPUT_FILE=${WORKDIR}/bf.log
-BPFILTER_PID=
-SETUSERNS_SOCKET_PATH=${WORKDIR}/setuserns.sock
-
-IN_SANBOX=0
-WITH_DAEMON=0
-HAS_TOKEN_SUPPORT=0
 TEST_PATH=
 FROM_NS=
 
-# Network settings
-NETNS_NAME="bftestns"
-VETH_HOST="veth_host"
-VETH_NS="veth_ns"
-HOST_IP="10.0.0.1/24"
-NS_IP="10.0.0.2/24"
-HOST_IP_ADDR="10.0.0.1"
-NS_IP_ADDR="10.0.0.2"
+# Derive resources names from the test name. Allows for pre-test cleanup
+# and parallel testing of different tests.
+_TEST_NAME=$(basename "$0" .sh)
+_TEST_HASH=$(printf '%s' "$_TEST_NAME" | cksum | awk '{print $1}')
+_OCTET2=$(( (_TEST_HASH >> 8) & 0xFF ))
+_OCTET3=$(( _TEST_HASH & 0xFF ))
+_SHORT_ID=$(( _TEST_HASH & 0xFFFF ))
+
+WORKDIR="/tmp/bpfilter.e2e.${_TEST_NAME}"
+_UNIT_NAME="bpfilter-e2e-${_TEST_NAME}"
+BF_OUTPUT_FILE=${WORKDIR}/bf.log
+BPFILTER_PID=
+
+NETNS_NAME="bftest_${_TEST_NAME}"
+VETH_HOST="veth_h_${_SHORT_ID}"
+VETH_NS="veth_n_${_SHORT_ID}"
+HOST_IP="10.${_OCTET2}.${_OCTET3}.1/24"
+NS_IP="10.${_OCTET2}.${_OCTET3}.2/24"
+HOST_IP_ADDR="10.${_OCTET2}.${_OCTET3}.1"
+NS_IP_ADDR="10.${_OCTET2}.${_OCTET3}.2"
 HOST_IFINDEX=
 NS_IFINDEX=
 
 # Tested binaries
 BFCLI=bfcli
-_BPFILTER=bpfilter
+_BPFILTER=$(command -v bpfilter)
 BPFILTER= # bpfilter command to use in tests (includes the required options)
-SETUSERNS=setuserns
 RULESETS_DIR=.
 
 ################################################################################
@@ -40,16 +43,11 @@ RULESETS_DIR=.
 make_sandbox() {
     echo "Create the sandbox"
 
-    IN_SANBOX=1
-
     # Disable selinux if available, not all distros enforce setlinux
     if command -v setenforce &> /dev/null; then
         setenforce 0 || true
     fi
 
-    # Check if BPF token is supported
-    bash -c "sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c | grep -q \"__s32 prog_token_fd;\"" && HAS_TOKEN_SUPPORT=1 || HAS_TOKEN_SUPPORT=0
-
     # Create the namespaces mount points
     mkdir ${WORKDIR}/{ns,bpf}
     mount --bind ${WORKDIR}/ns ${WORKDIR}/ns
@@ -60,43 +58,19 @@ make_sandbox() {
     # Create the netns to be used by unshare
     ip netns add ${NETNS_NAME}
 
-    # Create the user and mount namespaces, mount a new /run to have the bpfilter socket
-    if [ $HAS_TOKEN_SUPPORT -eq 1 ]; then
-        ${SETUSERNS} out --socket ${SETUSERNS_SOCKET_PATH} &
-        SETUSERNS_PID=$!
-
-        # util-linux 2.38+ supports --map-users/--map-groups
-        UNSHARE_VERSION=$(unshare --version | grep -oP '\d+\.\d+' | head -1)
-        if [ "$(printf '%s\n' "2.38" "$UNSHARE_VERSION" | sort -V | head -1)" = "2.38" ]; then
-            UNSHARE_MAP_OPTS="--map-users=all --map-groups=all"
-        else
-            UNSHARE_MAP_OPTS=""
-        fi
-
         unshare \
-            --user=${WORKDIR}/ns/user \
             --mount=${WORKDIR}/ns/mnt \
             --net=/var/run/netns/${NETNS_NAME} \
             --keep-caps \
-            ${UNSHARE_MAP_OPTS} \
-            -r /bin/bash -c "
+        /bin/bash -c "
                 set -e
                 mount -t tmpfs tmpfs /run
-                ${SETUSERNS} in --socket ${SETUSERNS_SOCKET_PATH} --bpffs-mount-path ${WORKDIR}/bpf
-        " &
-
-        BPFILTER="${_BPFILTER} --verbose debug --with-bpf-token --bpffs-path ${WORKDIR}/bpf"
-        wait $SETUSERNS_PID
-    else
-        unshare --net=/var/run/netns/${NETNS_NAME} &
-        BPFILTER="${_BPFILTER} --verbose debug"
-    fi
+            mount -t bpf bpf ${WORKDIR}/bpf
+    "
 
-    if [ "${HAS_TOKEN_SUPPORT:-1}" -eq 1 ]; then
-        FROM_NS="nsenter --mount=${WORKDIR}/ns/mnt --user=${WORKDIR}/ns/user --net=/var/run/netns/${NETNS_NAME}"
-    else
-        FROM_NS="nsenter --net=/var/run/netns/${NETNS_NAME}"
-    fi
+    BPFILTER="${_BPFILTER} --verbose debug --bpffs-path ${WORKDIR}/bpf"
+
+    FROM_NS="nsenter --mount=${WORKDIR}/ns/mnt --net=/var/run/netns/${NETNS_NAME}"
 
     # Create the veth
     ip link add ${VETH_HOST} type veth peer name ${VETH_NS}
@@ -123,7 +97,6 @@ make_sandbox() {
     echo "  Tested binaries"
     echo "    bfcli: ${BFCLI}"
     echo "    bpfilter: ${_BPFILTER}"
-    echo "    setuserns: ${SETUSERNS}"
     echo "    rulesets-dir: ${RULESETS_DIR}"
 }
 
@@ -134,13 +107,8 @@ destroy_sandbox() {
     umount /var/run/netns/${NETNS_NAME} || true
     ip netns delete ${NETNS_NAME} || true
 
-    # If BPF token is not supported, user and mnt namespaces are not mounted
-    if [ "${HAS_TOKEN_SUPPORT:-1}" -eq 1 ]; then
         umount ${WORKDIR}/bpf || true
-        umount ${WORKDIR}/ns/user || true
         umount ${WORKDIR}/ns/mnt || true
-    fi
-
     umount ${WORKDIR}/ns || true
 
     rm -rf ${WORKDIR} || true
@@ -161,7 +129,6 @@ start_bpfilter() {
     # Wait for the daemon to listen to the requests
     while [ $(date +%s) -lt $end_time ]; do
         if grep -q "waiting for requests" "${BF_OUTPUT_FILE}"; then
-            WITH_DAEMON=1
             return 0
         fi
         sleep 0.1
@@ -187,38 +154,22 @@ stop_bpfilter() {
 
     echo "Stop bpfilter"
 
-    if [ -n "$BPFILTER_PID" ]; then
-        if [ "$skip_cleanup" -eq 0 ] && [ "${HAS_TOKEN_SUPPORT:-1}" -ne 1 ]; then
-            bfcli ruleset flush || true
-        fi
+    bfcli ruleset flush || true
+    kill $BPFILTER_PID 2>/dev/null || true
+    wait $BPFILTER_PID || true
 
-        kill $BPFILTER_PID 2>/dev/null || true
-        wait $BPFILTER_PID || true
-    fi
-
-    WITH_DAEMON=0
+    echo "========== bpfilter output =========="
+    cat "$BF_OUTPUT_FILE" || true
 }
 
 cleanup() {
-    echo "cleanup() called with exit value $1"
-
-    if [ "$WITH_DAEMON" -ne 0 ]; then
-        stop_bpfilter
-
-        echo "========== bpfilter output =========="
-        cat "$BF_OUTPUT_FILE" || true
-    fi
-
-    if [ "$IN_SANBOX" -ne 0 ]; then
-        destroy_sandbox
-    fi
-
-    exit $1
+    stop_bpfilter
+    destroy_sandbox
 }
 
 # Set trap to ensure cleanup happens
-trap 'cleanup $?' EXIT
-trap 'cleanup 1' INT TERM
+trap 'ret=$?; cleanup; exit ${ret}' EXIT
+trap 'cleanup 1; exit 1' INT TERM
 
 
 ################################################################################
@@ -228,3 +179,6 @@ trap 'cleanup 1' INT TERM
 ################################################################################
 
 WITH_TIMEOUT="timeout --signal INT --preserve-status .5"
+
+cleanup
+mkdir -p ${WORKDIR}