firewall: describe test harness in readme

Signed-off-by: Paul Greenberg <greenpau@outlook.com>
containernetworking · Jul 31, 2020 · b0e5c6b · b0e5c6b
1 parent 87cba27
commit b0e5c6b
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 1 deletion.
diff --git a/plugins/meta/firewall/README.md b/plugins/meta/firewall/README.md
@@ -229,3 +229,77 @@ table ip filter {
 
 Subsequent executions of the plugin do not create additional rules in the chain, unless
 the CNI network configuration changes.
+
+## Testing
+
+Generally, the plugin testing begins with defining the data structure
+the plugin would receive when processing a request. In this example,
+the plugin received single interface `dummy0`, with IPv4 and IPv6 addresses.
+The backend is `nftables`.
+
+```json
+{
+  "name": "test",
+  "type": "firewall",
+  "backend": "nftables",
+  "ifName": "dummy0",
+  "cniVersion": "0.4.0",
+  "prevResult": {
+    "interfaces": [
+      {
+        "name": "dummy0"
+      }
+    ],
+    "ips": [
+      {
+        "version": "4",
+        "address": "192.168.200.10/24",
+        "interface": 0
+      },
+      {
+        "version": "6",
+        "address": "2001:db8:1:2::1/64",
+        "interface": 0
+      }
+    ]
+  }
+}
+```
+
+Prior to running tests, the test harness does the following:
+
+1. creates `originalNS` namespace.
+2. adds `dummy0` interface to `originalNS` via Netlink
+3. checks that the `dummy0` interface is available in the `originalNS`
+4. creates `targetNS` namespace
+
+Upon the completion of the testing, the test harness does the following:
+
+1. closes `originalNS` namespace
+2. closes `targetNS` namespace
+
+The tests in the harness start with `It()`.
+
+Generally, a test contains a number of input arguments. In the case of
+"installs nftables rules, checks the rules exist, then cleans up on delete using v4.0.x",
+the test has the following arguments:
+
+* container id: `dummy`
+* the path to `targetNS` namespace
+* the name of the interface
+* the JSON payload containing a dummy request
+
+The test uses the same arguments and runs the following operations in
+`originalNS` namespace:
+
+* `cmdAdd`
+* `cmdCheck`
+* `cmdDel`
+
+The operations correspond to the following functions:
+
+| **Operation** | **Function** |
+| --- | --- |
+| `cmdAdd` | `func (nb *nftBackend) Add(conf *FirewallNetConf, result *current.Result)` |
+| `cmdCheck` | `func (nb *nftBackend) Del(conf *FirewallNetConf, result *current.Result)` |
+| `cmdDel` | `func (nb *nftBackend) Check(conf *FirewallNetConf, result *current.Result)` |
diff --git a/plugins/meta/firewall/firewall_nftables_test.go b/plugins/meta/firewall/firewall_nftables_test.go
@@ -123,7 +123,7 @@ var _ = Describe("firewall plugin nftables backend v0.4.x", func() {
 		Expect(targetNS.Close()).To(Succeed())
 	})
 
-	It("installs nftables rules, Check rules then cleans up on delete using v4.0.x", func() {
+	It("installs nftables rules, checks the rules exist, then cleans up on delete using v4.0.x", func() {
 		args := &skel.CmdArgs{
 			ContainerID: "dummy",
 			Netns:       targetNS.Path(),