add helper tests and setup

adds a flush command to the top of the example ruleset so that nftables rules are applied on a clean state. adds tests that check args passing to nft with get_current_ruleset and specifying invalid nft binary.
namib-project · Mar 16, 2024 · 689c125 · 689c125
1 parent 3d3d4ed
commit 689c125
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 9 deletions.
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -26,5 +26,4 @@ jobs:
     - name: Run tests
       run: cargo test --verbose
     - name: Run tests (rootful)
-      run: sudo -E env "PATH=$PATH" $(which cargo) test --verbose -- --ignored
-
+      run: sudo -E env "PATH=$PATH" tests/run_nft_tests.sh
diff --git a/tests/helper_tests.rs b/tests/helper_tests.rs
@@ -1,3 +1,5 @@
+use std::vec;
+
 use nftables::{
     batch::Batch,
     expr,
@@ -12,11 +14,32 @@ fn test_list_ruleset() {
     helper::get_current_ruleset(None, None).unwrap();
 }
 
+#[test]
+#[ignore]
+/// Attempts to read current ruleset from nftables using non-existing nft binary.
+fn test_list_ruleset_invalid_program() {
+    let result = helper::get_current_ruleset(Some("/dev/null/nft"), None);
+    let err =
+        result.expect_err("getting the current ruleset should fail with non-existing nft binary");
+    assert!(matches!(err, NftablesError::NftExecution { .. }));
+}
+
+#[test]
+#[ignore]
+/// Applies a ruleset to nftables.
+fn test_list_map() {
+    let ruleset = example_ruleset(false);
+    nftables::helper::apply_ruleset(&ruleset, None, None).unwrap();
+    let applied = helper::get_current_ruleset(None, Some(vec!["list", "map", "ip", "test-table-01", "test_map"])).unwrap();
+
+    assert_eq!(2, applied.objects.len());
+}
+
 #[test]
 #[ignore]
 /// Applies a ruleset to nftables.
 fn test_apply_ruleset() {
-    let ruleset = example_ruleset();
+    let ruleset = example_ruleset(true);
     nftables::helper::apply_ruleset(&ruleset, None, None).unwrap();
 }
 
@@ -36,14 +59,17 @@ fn test_remove_unknown_table() {
     assert!(matches!(err, NftablesError::NftFailed { .. }));
 }
 
-fn example_ruleset() -> schema::Nftables {
+fn example_ruleset(with_undo: bool) -> schema::Nftables {
     let mut batch = Batch::new();
+    // flush nftables
+    batch.add_cmd(schema::NfCmd::Flush(schema::FlushObject::Ruleset(None)));
+    // create table "test-table-01"
     let table_name = "test-table-01".to_string();
     batch.add(schema::NfListObject::Table(schema::Table::new(
         types::NfFamily::IP,
         table_name.clone(),
     )));
-    // create named set
+    // create named set "test_set"
     let set_name = "test_set".to_string();
     batch.add(schema::NfListObject::Set(schema::Set {
         family: types::NfFamily::IP,
@@ -59,6 +85,7 @@ fn example_ruleset() -> schema::Nftables {
         size: None,
         comment: None,
     }));
+    // create named map "test_map"
     let map_name = "test_map".to_string();
     let map_type = "verdict".to_string();
     batch.add(schema::NfListObject::Map(schema::Map {
@@ -86,9 +113,11 @@ fn example_ruleset() -> schema::Nftables {
             expr::Expression::String("127.0.0.2".to_string()),
         ],
     }));
-    batch.delete(schema::NfListObject::Table(schema::Table::new(
-        types::NfFamily::IP,
-        "test-table-01".to_string(),
-    )));
+    if with_undo {
+        batch.delete(schema::NfListObject::Table(schema::Table::new(
+            types::NfFamily::IP,
+            "test-table-01".to_string(),
+        )));
+    }
     batch.to_nftables()
 }