tests: add atomic chain replace test

Add a test that replaces one base chain and check that no
filtered packets make it through, i.e. that the 'old chain'
doesn't disappear before new one is active.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/tests/shell/testcases/transactions/atomic_replace.sh b/tests/shell/testcases/transactions/atomic_replace.sh
new file mode 100755 (executable)
index 0000000..dce1786
--- /dev/null
+++ b/tests/shell/testcases/transactions/atomic_replace.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+
+rnd=$(mktemp -u XXXXXXXX)
+ns="nft-atomic-$rnd"
+pid1=""
+pid2=""
+duration=8
+
+cleanup()
+{
+       kill "$pid1" "$pid2"
+       ip netns del "$ns"
+}
+
+trap cleanup EXIT
+
+ip netns add "$ns" || exit 111
+ip -net "$ns" link set lo up
+
+ip netns exec "$ns" ping 127.0.0.1 -q -c 1
+
+ip netns exec "$ns" $NFT -f - <<EOF
+table ip t {
+       set s {
+               type ipv4_addr
+               elements = { 127.0.0.1 }
+       }
+
+       chain input {
+               type filter hook input priority 0; policy accept;
+               ip protocol icmp counter
+       }
+
+       chain output {
+               type filter hook output priority 0; policy accept;
+               ip protocol icmp ip daddr @s drop
+       }
+}
+EOF
+
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid1=$!
+ip netns exec "$ns" ping -f 127.0.0.1 &
+pid2=$!
+
+time_now=$(date +%s)
+time_stop=$((time_now + duration))
+repl=0
+
+while [ $time_now -lt $time_stop ]; do
+ip netns exec "$ns" $NFT -f - <<EOF
+flush chain ip t output
+table ip t {
+       chain output {
+               type filter hook output priority 0; policy accept;
+               ip protocol icmp ip daddr @s drop
+       }
+}
+EOF
+       repl=$((repl+1))
+
+       # do at least 100 replaces and stop after $duration seconds.
+       if [ $((repl % 101)) -eq 100 ];then
+               time_now=$(date +%s)
+       fi
+done
+
+# must match, all icmp packets dropped in output.
+ip netns exec "$ns" $NFT list chain ip t input | grep "counter packets 0"
+
+echo "Completed $repl chain replacements"

diff --git a/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump b/tests/shell/testcases/transactions/dumps/atomic_replace.sh.nodump
new file mode 100644 (file)
index 0000000..e69de29