Development discussion of WireGuard
* [PATCHv5 net-next 0/2] wireguard: selftests: use nftables for testing
@ 2025-03-22  9:30 Hangbin Liu
       [not found] ` <20250322093016.16631-2-liuhangbin@gmail.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Hangbin Liu @ 2025-03-22  9:30 UTC (permalink / raw)
  To: netdev
  Cc: Jason A. Donenfeld, Jakub Kicinski, Shuah Khan, David S. Miller,
	Simon Horman, Phil Sutter, Florian Westphal, Petr Mladek,
	Yoann Congal, wireguard, linux-kselftest, linux-kernel,
	Hangbin Liu

This patch set converts iptables to nftables for wireguard testing, as
iptables is deprecated and nftables is the default framework of most releases.

v5: remove the counter in nft rules and link nft statically (Jason A. Donenfeld)
v4: no update, just re-send
v3: drop iptables directly (Jason A. Donenfeld)
    Also convert to using nft for qemu testing (Jason A. Donenfeld)
v2: use one nft table for testing (Phil Sutter)

Hangbin Liu (2):
  wireguard: selftests: convert iptables to nft
  wireguard: selftests: update to using nft for qemu test

 tools/testing/selftests/wireguard/netns.sh    | 29 +++++++++------
 .../testing/selftests/wireguard/qemu/Makefile | 36 ++++++++++++++-----
 .../selftests/wireguard/qemu/kernel.config    |  7 ++--
 3 files changed, 49 insertions(+), 23 deletions(-)

-- 
2.46.0



* Re: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft
       [not found] ` <20250322093016.16631-2-liuhangbin@gmail.com>
@ 2025-03-23 21:10   ` Phil Sutter
  2025-03-26  6:25     ` Hangbin Liu
  0 siblings, 1 reply; 3+ messages in thread
From: Phil Sutter @ 2025-03-23 21:10 UTC (permalink / raw)
  To: Hangbin Liu
  Cc: netdev, Jason A. Donenfeld, Jakub Kicinski, Shuah Khan,
	David S. Miller, Simon Horman, Florian Westphal, Petr Mladek,
	Yoann Congal, wireguard, linux-kselftest, linux-kernel

On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote:
> Convert iptabels to nft as it is the replacement for iptables, which is used
          ~~~~~~~~

Typo, but I would write "Convert the selftest to nft ..." instead since
that is what you're converting, iptables is just replaced. :)

> by default in most releases.
> 
> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> ---
>  tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++--------
>  1 file changed, 19 insertions(+), 10 deletions(-)
> 
> diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
> index 55500f901fbc..8b840fef90af 100755
> --- a/tools/testing/selftests/wireguard/netns.sh
> +++ b/tools/testing/selftests/wireguard/netns.sh
> @@ -75,6 +75,11 @@ pp ip netns add $netns1
>  pp ip netns add $netns2
>  ip0 link set up dev lo
>  
> +# init nft tables
> +n0 nft add table ip wgtest
> +n1 nft add table ip wgtest
> +n2 nft add table ip wgtest
> +
>  ip0 link add dev wg0 type wireguard
>  ip0 link set wg0 netns $netns1
>  ip0 link add dev wg0 type wireguard
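
Review bot: the `nft add table ip wgtest` lines in this hunk create the table in family `ip`, so it can only hold IPv4 rules. If any rule converted later in netns.sh has to match IPv6 traffic, it will need an `ip6` or `inet` table instead; either switch to `inet` here or extend the `# init nft tables` comment to say the table is IPv4-only on purpose.
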
> @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300
>  ip2 link set wg0 mtu 1300
>  n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
>  n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
> -n0 iptables -A INPUT -m length --length 1360 -j DROP
> +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
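
Review bot: as quoted, the `+` line that replaces `iptables -A INPUT -m length --length 1360 -j DROP` only creates the `INPUT` chain with `policy accept`, which by itself drops nothing. Make sure a rule matching length 1360 with a `drop` verdict is added to `wgtest INPUT` directly after it, otherwise packets of that length are accepted where they used to be dropped.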

You may skip the 'policy accept \;' part in all 'add chain' commands as
this is the default for all chains. Unless you prefer to explicitly
state the chain policy, of course.

Cheers, Phil


* Re: [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft
  2025-03-23 21:10   ` [PATCHv5 net-next 1/2] wireguard: selftests: convert iptables to nft Phil Sutter
@ 2025-03-26  6:25     ` Hangbin Liu
  0 siblings, 0 replies; 3+ messages in thread
From: Hangbin Liu @ 2025-03-26  6:25 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Phil Sutter, netdev, Jakub Kicinski, Shuah Khan, David S. Miller,
	Simon Horman, Florian Westphal, Petr Mladek, Yoann Congal,
	wireguard, linux-kselftest, linux-kernel

On Sun, Mar 23, 2025 at 10:10:33PM +0100, Phil Sutter wrote:
> On Sat, Mar 22, 2025 at 09:30:15AM +0000, Hangbin Liu wrote:
> > Convert iptabels to nft as it is the replacement for iptables, which is used
>           ~~~~~~~~
> 
> Typo, but I would write "Convert the selftest to nft ..." instead since
> that is what you're converting, iptables is just replaced. :)

Hi Jason, I saw net-next is closed. Should I wait for net-next to re-open to post
the new version and fix the typo? I'm not sure about the wg branch policy.

Thanks
Hangbin

> 
> > by default in most releases.
> > 
> > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> > ---
> >  tools/testing/selftests/wireguard/netns.sh | 29 ++++++++++++++--------
> >  1 file changed, 19 insertions(+), 10 deletions(-)
> > 
> > diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
> > index 55500f901fbc..8b840fef90af 100755
> > --- a/tools/testing/selftests/wireguard/netns.sh
> > +++ b/tools/testing/selftests/wireguard/netns.sh
> > @@ -75,6 +75,11 @@ pp ip netns add $netns1
> >  pp ip netns add $netns2
> >  ip0 link set up dev lo
> >  
> > +# init nft tables
> > +n0 nft add table ip wgtest
> > +n1 nft add table ip wgtest
> > +n2 nft add table ip wgtest
> > +
> >  ip0 link add dev wg0 type wireguard
> >  ip0 link set wg0 netns $netns1
> >  ip0 link add dev wg0 type wireguard
> > @@ -196,13 +201,14 @@ ip1 link set wg0 mtu 1300
> >  ip2 link set wg0 mtu 1300
> >  n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
> >  n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
> > -n0 iptables -A INPUT -m length --length 1360 -j DROP
> > +n0 nft add chain ip wgtest INPUT { type filter hook input priority filter \; policy accept \; }
> 
> You may skip the 'policy accept \;' part in all 'add chain' commands as
> this is the default for all chains. Unless you prefer to explicitly
> state the chain policy, of course.
> 
> Cheers, Phil
