tests: Run in separate network namespace, don't break connectivity

It might be convenient to run tests from a development branch that
resides on another host, and if we break connectivity on the test
host as tests are executed, we can't run them this way.

If kernel implementation (CONFIG_NET_NS), unshare(1), or Python
bindings for unshare() are not available, warn and continue.

Suggested-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 01ee6c980ad4a9203102fbf1b19a66111288471c..df97ed8eefb7b45aa72fe76c12faf714a0078cba 100755 (executable)
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1394,6 +1394,12 @@ def main():
     # Change working directory to repository root
     os.chdir(TESTS_PATH + "/../..")
 
+    try:
+        import unshare
+        unshare.unshare(unshare.CLONE_NEWNET)
+    except:
+        print_warning("cannot run in own namespace, connectivity might break")
+
     check_lib_path = True
     if args.library is None:
         if args.host:

diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 26f8f46d95a0bf416ffdd7bdee8837e1010bc72c..51c90c9b32d8d7ba4ed06b4c522b09b1202214ad 100755 (executable)
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -22,6 +22,15 @@ if [ "$(id -u)" != "0" ] ; then
        msg_error "this requires root!"
 fi
 
+if [ "${1}" != "run" ]; then
+       if unshare -f -n true; then
+               unshare -n "${0}" run $@
+               exit $?
+       fi
+       msg_warn "cannot run in own namespace, connectivity might break"
+fi
+shift
+
 [ -z "$NFT" ] && NFT=$SRC_NFT
 if [ ! -x "$NFT" ] ; then
        msg_error "no nft binary!"