From c3d604b0de1c02232f0f6a104da8dadfcefcd236 Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Date: Fri, 5 Jan 2024 18:07:59 +0000
Subject: [PATCH] test/nfconntrack: use iptables-legacy

Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
---
 .cirrus.yml                                  | 4 ++--
 scripts/build/Dockerfile.alpine              | 1 +
 scripts/ci/vagrant.sh                        | 3 ++-
 test/zdtm/static/socket-tcp-nfconntrack.desc | 7 ++++++-
 test/zdtm/static/socket-tcp.c                | 4 ++--
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index adaa9be3347..d007649bbfc 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -36,7 +36,7 @@ task:
     ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
     dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
     dnf -y install epel-release epel-next-release
-    dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata python-flake8 xmlto libdrm-devel
+    dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata python-flake8 xmlto libdrm-devel iptables-legacy
     # The image has a too old version of nettle which does not work with gnutls.
     # Just upgrade to the latest to make the error go away.
     dnf -y upgrade nettle nettle-devel
@@ -111,7 +111,7 @@ task:
     yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm || :
     yum install -y dnf-plugins-core
     yum config-manager --set-enabled powertools
-    yum install -y --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python3-devel python3-flake8 python3-PyYAML python3-protobuf python3-importlib-metadata python3-junit_xml xmlto libdrm-devel
+    yum install -y --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python3-devel python3-flake8 python3-PyYAML python3-protobuf python3-importlib-metadata python3-junit_xml xmlto libdrm-devel iptables-legacy
     alternatives --set python /usr/bin/python3
     systemctl stop sssd
     # Even with selinux in permissive mode the selinux tests will be executed
diff --git a/scripts/build/Dockerfile.alpine b/scripts/build/Dockerfile.alpine
index 593e1903159..2c58c910e7a 100644
--- a/scripts/build/Dockerfile.alpine
+++ b/scripts/build/Dockerfile.alpine
@@ -33,6 +33,7 @@ RUN make mrproper && date && make -j $(nproc) CC="$CC" && date
 RUN apk add \
 	ip6tables \
 	iptables \
+	iptables-legacy \
 	nftables \
 	iproute2 \
 	tar \
diff --git a/scripts/ci/vagrant.sh b/scripts/ci/vagrant.sh
index c8cf0be7441..3157d76f055 100755
--- a/scripts/ci/vagrant.sh
+++ b/scripts/ci/vagrant.sh
@@ -39,7 +39,8 @@ setup() {
 	ssh default sudo dnf install -y gcc git gnutls-devel nftables-devel libaio-devel \
 		libasan libcap-devel libnet-devel libnl3-devel libbsd-devel make protobuf-c-devel \
 		protobuf-devel python3-flake8 python3-protobuf python3-importlib-metadata \
-		python3-junit_xml rubygem-asciidoctor iptables libselinux-devel libbpf-devel
+		python3-junit_xml rubygem-asciidoctor iptables libselinux-devel libbpf-devel \
+		iptables-legacy
 	# Disable sssd to avoid zdtm test failures in pty04 due to sssd socket
 	ssh default sudo systemctl mask sssd
 	ssh default cat /proc/cmdline
diff --git a/test/zdtm/static/socket-tcp-nfconntrack.desc b/test/zdtm/static/socket-tcp-nfconntrack.desc
index add2513f819..8375cd26ed2 100644
--- a/test/zdtm/static/socket-tcp-nfconntrack.desc
+++ b/test/zdtm/static/socket-tcp-nfconntrack.desc
@@ -1 +1,6 @@
-{'flavor': 'h', 'opts': '--tcp-established', 'flags': 'suid'}
+{
+    'deps': ['/bin/sh', '/sbin/ip|/bin/ip', '/sbin/iptables-legacy|/usr/sbin/iptables-legacy'],
+    'flavor': 'h',
+    'opts': '--tcp-established',
+    'flags': 'suid'
+}
diff --git a/test/zdtm/static/socket-tcp.c b/test/zdtm/static/socket-tcp.c
index f6ef473853d..0df0a2794df 100644
--- a/test/zdtm/static/socket-tcp.c
+++ b/test/zdtm/static/socket-tcp.c
@@ -74,9 +74,9 @@ int main(int argc, char **argv)
 	}
 	if (system("ip link set up dev lo"))
 		return 1;
-	if (system("iptables -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
+	if (system("iptables-legacy -w -A INPUT -i lo -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"))
 		return 1;
-	if (system("iptables -w -A INPUT -j DROP"))
+	if (system("iptables-legacy -w -A INPUT -j DROP"))
 		return 1;
 #endif