tests/shell: run `nft --check` on persisted dump files

"nft --check" will trigger a rollback in kernel. The existing dump files
might hit new code paths. Take the opportunity to call the command on
the existing files.

And alternative would be to write a separate tests, that iterates over
all files. However, then we can only run all the commands sequentially
(unless we do something smart). That might be slower than the
opportunity to run the checks in parallel. More importantly, it would be
nice if the check for the dump file is clearly tied to the file's test.
So run it right after the test, from the test wrapper.

Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/tests/shell/helpers/test-wrapper.sh b/tests/shell/helpers/test-wrapper.sh
index 165a944da2b106b57afd380d014879d038e20eae..e10360c9b26648345e8ff8bb56b7b4a7b351a9b6 100755 (executable)
--- a/tests/shell/helpers/test-wrapper.sh
+++ b/tests/shell/helpers/test-wrapper.sh
@@ -134,6 +134,35 @@ if [ "$rc_dump" -ne 0 ] ; then
        echo "$DUMPFILE" > "$NFT_TEST_TESTTMPDIR/rc-failed-dump"
 fi
 
+rc_chkdump=0
+# check that a flush after the test succeeds. We anyway need a clean ruleset
+# for the `nft --check` next.
+$NFT flush ruleset &> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" || rc_chkdump=1
+if [ -f "$DUMPFILE" ] ; then
+       # We have a dumpfile. Call `nft --check` to possibly cover new code
+       # paths.
+       if [ "$rc_test" -eq 77 ] ; then
+               # The test was skipped. Possibly we don't have the required
+               # features to process this file. Ignore any output and exit
+               # code, but still call the program (for valgrind or sanitizer
+               # issue we hope to find).
+               $NFT --check -f "$DUMPFILE" &>/dev/null || :
+       else
+               $NFT --check -f "$DUMPFILE" &>> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" || rc_chkdump=1
+       fi
+fi
+if [ -s "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" ] ; then
+       # Non-empty output? That is wrong.
+       rc_chkdump=1
+elif [ "$rc_chkdump" -eq 0 ] ; then
+       rm -rf "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump"
+fi
+if [ "$rc_chkdump" -ne 0 ] ; then
+       # Ensure we don't have empty output files. Always write something, so
+       # that `grep ^ -R` lists the file.
+       echo -e "<<<<<\n\nCalling \`nft --check\` (or \`nft flush ruleset\`) failed for \"$DUMPFILE\"" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump"
+fi
+
 rc_valgrind=0
 [ -f "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind" ] && rc_valgrind=1
 
@@ -154,6 +183,8 @@ elif [ "$rc_test" -ne 0 ] ; then
        rc_exit="$rc_test"
 elif [ "$rc_dump" -ne 0 ] ; then
        rc_exit=124
+elif [ "$rc_chkdump" -ne 0 ] ; then
+       rc_exit=121
 else
        rc_exit=0
 fi

diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 03021085e0e7bb4e810f70dc26e25eb53ab2969c..5ef6359f1fb55b2682e624f9c4044196e386f311 100755 (executable)
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -740,7 +740,9 @@ print_test_result() {
        else
                ((failed++))
                result_msg_level="W"
-               if [ "$rc_got" -eq 122 ] ; then
+               if [ "$rc_got" -eq 121 ] ; then
+                       result_msg_status="CHK DUMP"
+               elif [ "$rc_got" -eq 122 ] ; then
                        result_msg_status="VALGRIND"
                elif [ "$rc_got" -eq 123 ] ; then
                        result_msg_status="TAINTED"