test-bpf-firewall: use ASSERT_XYZ() and bpf_program_pin()

author Yu Watanabe <watanabe.yu+github@gmail.com>

Wed, 18 Jun 2025 18:32:15 +0000 (03:32 +0900)

committer Yu Watanabe <watanabe.yu+github@gmail.com>

Thu, 19 Jun 2025 10:08:45 +0000 (19:08 +0900)
author Yu Watanabe <watanabe.yu+github@gmail.com>
Wed, 18 Jun 2025 18:32:15 +0000 (03:32 +0900)
committer Yu Watanabe <watanabe.yu+github@gmail.com>
Thu, 19 Jun 2025 10:08:45 +0000 (19:08 +0900)
diff --git a/src/test/test-bpf-firewall.c b/src/test/test-bpf-firewall.c

index 737934ca8762acf54f8ea55122ecb7e6ca98ebb8..6c82e3d296670ab8457a70aee9b06966ec9e8782 100644 (file)
--- a/src/test/test-bpf-firewall.c
+++ b/src/test/test-bpf-firewall.c
@@ -32,8 +32,6 @@ int main(int argc, char *argv[]) {
          char log_buf[65535];
          struct rlimit rl;
          int r;
-        union bpf_attr attr;
-        const char *test_prog = "/sys/fs/bpf/test-dropper";
  
          test_setup_logging(LOG_DEBUG);
  
@@ -63,25 +61,15 @@ int main(int argc, char *argv[]) {
          _cleanup_free_ char *unit_dir = NULL;
          ASSERT_OK(get_testdata_dir("units", &unit_dir));
          ASSERT_OK(setenv_unit_path(unit_dir));
-        assert_se(runtime_dir = setup_fake_runtime_dir());
-
-        r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &p);
-        ASSERT_EQ(r, 0);
-
-        r = bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn));
-        ASSERT_EQ(r, 0);
-
-        r = bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf));
-        ASSERT_OK(r);
+        ASSERT_NOT_NULL(runtime_dir = setup_fake_runtime_dir());
  
-        zero(attr);
-        attr.pathname = PTR_TO_UINT64(test_prog);
-        attr.bpf_fd = p->kernel_fd;
-        attr.file_flags = 0;
+        ASSERT_OK(bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, "sd_trivial", &p));
+        ASSERT_OK(bpf_program_add_instructions(p, exit_insn, ELEMENTSOF(exit_insn)));
+        ASSERT_OK(bpf_program_load_kernel(p, log_buf, ELEMENTSOF(log_buf)));
  
+        const char *test_prog = "/sys/fs/bpf/test-dropper";
          (void) unlink(test_prog);
-
-        ASSERT_OK(bpf(BPF_OBJ_PIN, &attr, sizeof(attr)));
+        ASSERT_OK(bpf_program_pin(p->kernel_fd, test_prog));
  
          p = bpf_program_free(p);
  
@@ -90,9 +78,9 @@ int main(int argc, char *argv[]) {
          ASSERT_OK(manager_new(RUNTIME_SCOPE_USER, MANAGER_TEST_RUN_BASIC, &m));
          ASSERT_OK(manager_startup(m, NULL, NULL, NULL));
  
-        assert_se(u = unit_new(m, sizeof(Service)));
+        ASSERT_NOT_NULL(u = unit_new(m, sizeof(Service)));
          ASSERT_EQ(unit_add_name(u, "foo.service"), 0);
-        assert_se(cc = unit_get_cgroup_context(u));
+        ASSERT_NOT_NULL(cc = unit_get_cgroup_context(u));
          u->perpetual = true;
  
          cc->ip_accounting = true;
@@ -104,39 +92,39 @@ int main(int argc, char *argv[]) {
          ASSERT_EQ(config_parse_in_addr_prefixes(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.1/25", &cc->ip_address_deny, NULL), 0);
          ASSERT_EQ(config_parse_in_addr_prefixes(u->id, "filename", 1, "Service", 1, "IPAddressDeny", 0, "127.0.0.4", &cc->ip_address_deny, NULL), 0);
  
-        assert_se(set_size(cc->ip_address_allow) == 2);
-        assert_se(set_size(cc->ip_address_deny) == 4);
+        ASSERT_EQ(set_size(cc->ip_address_allow), 2u);
+        ASSERT_EQ(set_size(cc->ip_address_deny), 4u);
  
          /* The deny list is defined redundantly, let's ensure it will be properly reduced */
          ASSERT_OK(in_addr_prefixes_reduce(cc->ip_address_allow));
          ASSERT_OK(in_addr_prefixes_reduce(cc->ip_address_deny));
  
-        assert_se(set_size(cc->ip_address_allow) == 2);
-        assert_se(set_size(cc->ip_address_deny) == 2);
+        ASSERT_EQ(set_size(cc->ip_address_allow), 2u);
+        ASSERT_EQ(set_size(cc->ip_address_deny), 2u);
  
-        assert_se(set_contains(cc->ip_address_allow, &(struct in_addr_prefix) {
+        ASSERT_TRUE(set_contains(cc->ip_address_allow, &(struct in_addr_prefix) {
                                  .family = AF_INET,
                                  .address.in.s_addr = htobe32((UINT32_C(10) << 24) | (UINT32_C(1) << 8)),
                                  .prefixlen = 24 }));
-        assert_se(set_contains(cc->ip_address_allow, &(struct in_addr_prefix) {
+        ASSERT_TRUE(set_contains(cc->ip_address_allow, &(struct in_addr_prefix) {
                                  .family = AF_INET,
                                  .address.in.s_addr = htobe32(0x7f000002),
                                  .prefixlen = 32 }));
-        assert_se(set_contains(cc->ip_address_deny, &(struct in_addr_prefix) {
+        ASSERT_TRUE(set_contains(cc->ip_address_deny, &(struct in_addr_prefix) {
                                  .family = AF_INET,
                                  .address.in.s_addr = htobe32(0x7f000000),
                                  .prefixlen = 25 }));
-        assert_se(set_contains(cc->ip_address_deny, &(struct in_addr_prefix) {
+        ASSERT_TRUE(set_contains(cc->ip_address_deny, &(struct in_addr_prefix) {
                                  .family = AF_INET,
                                  .address.in.s_addr = htobe32((UINT32_C(10) << 24) | (UINT32_C(3) << 8)),
                                  .prefixlen = 24 }));
  
-        assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u) == 0);
-        assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u) == 0);
+        ASSERT_OK(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.2 -W 5", SERVICE(u)->exec_command, u));
+        ASSERT_OK(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "/bin/ping -c 1 127.0.0.3 -W 5", SERVICE(u)->exec_command, u));
  
-        assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
-        assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
-        assert_se(!SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
+        ASSERT_NOT_NULL(SERVICE(u)->exec_command[SERVICE_EXEC_START]);
+        ASSERT_NOT_NULL(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next);
+        ASSERT_NULL(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->command_next);
  
          SERVICE(u)->type = SERVICE_ONESHOT;
          u->load_state = UNIT_LOADED;
@@ -146,11 +134,11 @@ int main(int argc, char *argv[]) {
          r = bpf_firewall_compile(u);
          if (IN_SET(r, -ENOTTY, -ENOSYS, -EPERM))
                  return log_tests_skipped("Kernel doesn't support the necessary bpf bits (masked out via seccomp?)");
-        assert_se(r >= 0);
+        ASSERT_OK(r);
  
          CGroupRuntime *crt = ASSERT_PTR(unit_get_cgroup_runtime(u));
-        assert_se(crt->ip_bpf_ingress);
-        assert_se(crt->ip_bpf_egress);
+        ASSERT_NOT_NULL(crt->ip_bpf_ingress);
+        ASSERT_NOT_NULL(crt->ip_bpf_egress);
  
          r = bpf_program_load_kernel(crt->ip_bpf_ingress, log_buf, ELEMENTSOF(log_buf));
  
@@ -174,24 +162,24 @@ int main(int argc, char *argv[]) {
          ASSERT_OK(unit_start(u, NULL));
  
          while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
-                assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
+                ASSERT_OK(sd_event_run(m->event, UINT64_MAX));
  
-        assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code == CLD_EXITED &&
-                  SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status == EXIT_SUCCESS);
+        ASSERT_EQ(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code, CLD_EXITED);
+        ASSERT_EQ(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status, EXIT_SUCCESS);
  
-        assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
-                  SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
+        ASSERT_TRUE(SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.code != CLD_EXITED ||
+                    SERVICE(u)->exec_command[SERVICE_EXEC_START]->command_next->exec_status.status != EXIT_SUCCESS);
  
          /* testing custom filter */
-        assert_se(u = unit_new(m, sizeof(Service)));
-        assert_se(unit_add_name(u, "custom-filter.service") == 0);
-        assert_se(cc = unit_get_cgroup_context(u));
+        ASSERT_NOT_NULL(u = unit_new(m, sizeof(Service)));
+        ASSERT_OK(unit_add_name(u, "custom-filter.service"));
+        ASSERT_NOT_NULL(cc = unit_get_cgroup_context(u));
          u->perpetual = true;
  
          cc->ip_accounting = true;
  
-        assert_se(config_parse_ip_filter_bpf_progs(u->id, "filename", 1, "Service", 1, "IPIngressFilterPath", 0, test_prog, &cc->ip_filters_ingress, u) == 0);
-        assert_se(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "-/bin/ping -c 1 127.0.0.1 -W 5", SERVICE(u)->exec_command, u) == 0);
+        ASSERT_OK(config_parse_ip_filter_bpf_progs(u->id, "filename", 1, "Service", 1, "IPIngressFilterPath", 0, test_prog, &cc->ip_filters_ingress, u));
+        ASSERT_OK(config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart", SERVICE_EXEC_START, "-/bin/ping -c 1 127.0.0.1 -W 5", SERVICE(u)->exec_command, u));
  
          SERVICE(u)->type = SERVICE_ONESHOT;
          u->load_state = UNIT_LOADED;
@@ -200,13 +188,13 @@ int main(int argc, char *argv[]) {
          ASSERT_OK(unit_start(u, NULL));
  
          while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED))
-                assert_se(sd_event_run(m->event, UINT64_MAX) >= 0);
+                ASSERT_OK(sd_event_run(m->event, UINT64_MAX));
  
-        assert_se(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code != CLD_EXITED ||
-                  SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status != EXIT_SUCCESS);
+        ASSERT_TRUE(SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code != CLD_EXITED ||
+                    SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.status != EXIT_SUCCESS);
  
          (void) unlink(test_prog);
-        assert_se(SERVICE(u)->state == SERVICE_DEAD);
+        ASSERT_EQ(SERVICE(u)->state, SERVICE_DEAD);
  
          return 0;
  }
author	Yu Watanabe <watanabe.yu+github@gmail.com>
	Wed, 18 Jun 2025 18:32:15 +0000 (03:32 +0900)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Thu, 19 Jun 2025 10:08:45 +0000 (19:08 +0900)