cnf:network-add-nftables-test-cases

tests/cnf/core/network/internal/netconfig/config.go

@@ -38,6 +38,7 @@ type NetworkConfig struct {
 	//nolint:lll
 	PrometheusOperatorNamespace string `yaml:"prometheus_operator_namespace" envconfig:"ECO_CNF_CORE_NET_PROMETHEUS_OPERATOR_NAMESPACE"`
 	MlbAddressPoolIP            string `envconfig:"ECO_CNF_CORE_NET_MLB_ADDR_LIST"`
+	SecurityIPAddList           string `envconfig:"ECO_CNF_CORE_NET_SECURITY_ADDR_LIST"`
 	SriovInterfaces             string `envconfig:"ECO_CNF_CORE_NET_SRIOV_INTERFACE_LIST"`
 	FrrImage                    string `yaml:"frr_image" envconfig:"ECO_CNF_CORE_NET_FRR_IMAGE"`
 	VLAN                        string `envconfig:"ECO_CNF_CORE_NET_VLAN"`
@@ -93,6 +94,24 @@ func (netConfig *NetworkConfig) GetMetalLbVirIP() ([]string, error) {
 	return envValue, nil
 }
 
+// GetSecurityIPList IPv4 checks the security environmental variable and returns the list of give ip addresses.
+func (netConfig *NetworkConfig) GetSecurityIPList() ([]string, error) {
+	envValue := strings.Split(netConfig.SecurityIPAddList, ",")
+
+	if len(envValue) < 2 {
+		return nil, fmt.Errorf(
+			"the number of virtial security ip address is less than 2, check export ECO_CNF_CORE_NET_SECURITY_ADDR_LIST env var")
+	}
+
+	for _, v := range envValue {
+		if net.ParseIP(v) == nil {
+			return nil, fmt.Errorf("the environment IP variable is not a valid IP")
+		}
+	}
+
+	return envValue, nil
+}
+
 // GetSriovInterfaces checks the ECO_CNF_CORE_NET_SRIOV_INTERFACE_LIST env var
 // and returns required number of SR-IOV interfaces.
 func (netConfig *NetworkConfig) GetSriovInterfaces(requestedNumber int) ([]string, error) {

tests/cnf/core/network/security/internal/tsparams/consts.go

@@ -0,0 +1,133 @@
+package tsparams
+
+const (
+	// LabelSuite represents nftables label that can be used for test cases selection.
+	LabelSuite = "nftables"
+	// LabelNftablesTestCases represents nftables custom firewall label that can be used for test cases selection.
+	LabelNftablesTestCases = "nftables-custom-rules"
+	// CustomFireWallDelete removes all the rules from the custom table.
+	// CustomFireWallDelete = `
+	//      table inet custom_table
+	//      delete table inet custom_table
+	//      table inet custom_table {
+	//      }`
+	CustomFireWallDelete = `data:;base64, ` +
+		`H4sIAAAAAAAC/ypJTMpJVcjMSy1RSC4tLsnPjQeLcKWk5qSWpCrgksYhrlDNVcsFCAAA//9SII3uUwAAAA==`
+	// CustomFirewallInputPort8888 adds an input rule blocking TCP port 8888.
+	// chain custom_chain_INPUT {
+	//    type filter hook input priority 1; policy accept;
+	//     # Drop TCP port 8888 and log
+	//      tcp dport 8888 log prefix "[USERFIREWALL] PACKET DROP: " drop
+	// This yaml is created using butane file.
+	// butane mc-update-input-rule8888.bu -o mc-custom-firewall-input-port8888.yaml.
+	CustomFirewallInputPort8888 = `data:;base64,` +
+		`H4sIAAAAAAAC/3TMwUoDMRDG8XPyFB/1Cbwt9lTaFYpFl3WLB5ESk2k7GDNDnIKL` +
+		`9N2lBfG0x+//g8/CeyZwIUM8fZl87q7FJ8pkhCme6PjxLh4Dl796Hbv1Y7cdLuZs` +
+		`VMKes1HFUeQDXPRk0MpS2UbczqGSOY4IMZLa3Dt3g1UVxbDsoFINTdM0CCUhy+Fy` +
+		`GRXpH7IcoJX2/I3Z6/a57e/Xffuy2Gze0C2WD+2AVf/U3WGGVEW9O/uz/w0AAP//` +
+		`kU0CJQUBAAA=`
+	// FRRBaseConfig represents FRR daemon minimal configuration.
+	FRRBaseConfig = `!
+frr defaults traditional
+hostname frr-pod
+log file /tmp/frr.log
+log timestamp precision 3
+!
+debug zebra nht
+debug bgp neighbor-events
+!
+bfd
+!
+`
+
+	// FRRDefaultBGPPreConfig represents FRR daemon BGP minimal config.
+	FRRDefaultBGPPreConfig = ` bgp router-id 10.10.10.11
+  no bgp ebgp-requires-policy
+  no bgp default ipv4-unicast
+  no bgp network import-check
+`
+	// DaemonsFile represents FRR default daemon configuration template.
+	DaemonsFile = `
+	# This file tells the frr package which daemons to start.
+    #
+    # Sample configurations for these daemons can be found in
+    # /usr/share/doc/frr/examples/.
+    #
+    # ATTENTION:
+    #
+    # When activating a daemon for the first time, a config file, even if it is
+    # empty, has to be present *and* be owned by the user and group "frr", else
+    # the daemon will not be started by /etc/init.d/frr. The permissions should
+    # be u=rw,g=r,o=.
+    # When using "vtysh" such a config file is also needed. It should be owned by
+    # group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
+    #
+    # The watchfrr, zebra and staticd daemons are always started.
+    #
+    bgpd=yes
+    ospfd=no
+    ospf6d=no
+    ripd=no
+    ripngd=no
+    isisd=no
+    pimd=no
+    ldpd=no
+    nhrpd=no
+    eigrpd=no
+    babeld=no
+    sharpd=no
+    pbrd=no
+    bfdd=yes
+    fabricd=no
+    vrrpd=no
+    pathd=no
+    #
+    # If this option is set the /etc/init.d/frr script automatically loads
+    # the config via "vtysh -b" when the servers are started.
+    # Check /etc/pam.d/frr if you intend to use "vtysh"!
+    #
+    vtysh_enable=yes
+    zebra_options="  -A 127.0.0.1 -s 90000000"
+    bgpd_options="   -A 127.0.0.1"
+    ospfd_options="  -A 127.0.0.1"
+    ospf6d_options=" -A ::1"
+    ripd_options="   -A 127.0.0.1"
+    ripngd_options=" -A ::1"
+    isisd_options="  -A 127.0.0.1"
+    pimd_options="   -A 127.0.0.1"
+    ldpd_options="   -A 127.0.0.1"
+    nhrpd_options="  -A 127.0.0.1"
+    eigrpd_options=" -A 127.0.0.1"
+    babeld_options=" -A 127.0.0.1"
+    sharpd_options=" -A 127.0.0.1"
+    pbrd_options="   -A 127.0.0.1"
+    staticd_options="-A 127.0.0.1"
+    bfdd_options="   -A 127.0.0.1"
+    fabricd_options="-A 127.0.0.1"
+    vrrpd_options="  -A 127.0.0.1"
+    pathd_options="  -A 127.0.0.1"
+    # configuration profile
+    #
+    #frr_profile="traditional"
+    #frr_profile="datacenter"
+    #
+    # This is the maximum number of FD's that will be available.
+    # Upon startup this is read by the control files and ulimit
+    # is called.  Uncomment and use a reasonable value for your
+    # setup if you are expecting a large number of peers in
+    # say BGP.
+    #MAX_FDS=1024
+    # The list of daemons to watch is automatically generated by the init script.
+    #watchfrr_options=""
+    # To make watchfrr create/join the specified netns, use the following option:
+    #watchfrr_options="--netns"
+    # This only has an effect in /etc/frr/<somename>/daemons, and you need to
+    # start FRR with "/usr/lib/frr/frrinit.sh start <somename>".
+    # for debugging purposes, you can specify a "wrap" command to start instead
+    # of starting the daemon directly, e.g. to use valgrind on ospfd:
+    #   ospfd_wrap="/usr/bin/valgrind"
+    # or you can use "all_wrap" for all daemons, e.g. to use perf record:
+    #   all_wrap="/usr/bin/perf record --call-graph -"
+    # the normal daemon command is added to this at the end.
+	`
+)

tests/cnf/core/network/security/internal/tsparams/securityvars.go

@@ -0,0 +1,25 @@
+package tsparams
+
+import (
+	"github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netparam"
+	"github.com/openshift-kni/k8sreporter"
+)
+
+var (
+	// Labels represents the range of labels that can be used for test cases selection.
+	Labels = append(netparam.Labels, LabelSuite)
+
+	// ReporterNamespacesToDump tells to the reporter from where to collect logs.
+	ReporterNamespacesToDump = map[string]string{
+		"openshift-performance-addon-operator": "performance",
+	}
+
+	// TestNamespaceName metalLb namespace where all test cases are performed.
+	TestNamespaceName = "security-tests"
+	// OperatorControllerManager defaults machine-config daemonset controller name.
+	OperatorControllerManager = "machine-config-controller"
+	// ReporterCRDsToDump tells to the reporter what CRs to dump.
+	ReporterCRDsToDump = []k8sreporter.CRData{}
+	// ExternalMacVlanNADName represents default external NetworkAttachmentDefinition name.
+	ExternalMacVlanNADName = "external"
+)

tests/cnf/core/network/security/security_suite_test.go

@@ -0,0 +1,59 @@
+package security
+
+import (
+	"runtime"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/openshift-kni/eco-goinfra/pkg/namespace"
+	"github.com/openshift-kni/eco-goinfra/pkg/reportxml"
+	. "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/internal/netinittools"
+	"github.com/openshift-kni/eco-gotests/tests/cnf/core/network/security/internal/tsparams"
+	_ "github.com/openshift-kni/eco-gotests/tests/cnf/core/network/security/tests"
+	"github.com/openshift-kni/eco-gotests/tests/internal/cluster"
+	"github.com/openshift-kni/eco-gotests/tests/internal/params"
+	"github.com/openshift-kni/eco-gotests/tests/internal/reporter"
+)
+
+var (
+	_, currentFile, _, _ = runtime.Caller(0)
+	testNS               = namespace.NewBuilder(APIClient, tsparams.TestNamespaceName)
+)
+
+func TestLB(t *testing.T) {
+	_, reporterConfig := GinkgoConfiguration()
+	reporterConfig.JUnitReport = NetConfig.GetJunitReportPath(currentFile)
+
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "security", Label(tsparams.Labels...), reporterConfig)
+}
+
+var _ = BeforeSuite(func() {
+	By("Creating privileged test namespace")
+	for key, value := range params.PrivilegedNSLabels {
+		testNS.WithLabel(key, value)
+	}
+
+	_, err := testNS.Create()
+	Expect(err).ToNot(HaveOccurred(), "error to create test namespace")
+
+	By("Pulling test images on cluster before running test cases")
+	err = cluster.PullTestImageOnNodes(APIClient, NetConfig.WorkerLabel, NetConfig.CnfNetTestContainer, 300)
+	Expect(err).ToNot(HaveOccurred(), "Failed to pull test image on nodes")
+})
+
+var _ = AfterSuite(func() {
+	By("Deleting test namespace")
+	err := testNS.Delete()
+	Expect(err).ToNot(HaveOccurred(), "error to delete test namespace")
+})
+
+var _ = JustAfterEach(func() {
+	reporter.ReportIfFailed(
+		CurrentSpecReport(), currentFile, tsparams.ReporterNamespacesToDump, tsparams.ReporterCRDsToDump)
+})
+
+var _ = ReportAfterSuite("", func(report Report) {
+	reportxml.Create(report, NetConfig.GetReportPath(), NetConfig.TCPrefix)
+})