docs/use-cases: add nfacctd original use-case #104
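# CI for sfunnel: run the test suite, then build the container image,
# smoke-test it, and publish it to ghcr.io when HEAD carries an exact v* tag.
name: ci

# Runs on every push and every pull request, so both jobs execute code that
# comes from the change under review.
on:
  push:
  pull_request:

env:
  # NOTE(review): this opts the runner into executing actions on a Node.js
  # runtime that GitHub flags as insecure. Only v3/v4 actions are referenced
  # below; confirm one of them still needs the override and drop it if not.
  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"
  PLATFORMS: linux/amd64

# Least privilege: the workflow-wide token is read-only. The registry write
# scope is granted only to the job that publishes, so the test job (which runs
# repository code under sudo) never holds it.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag. Pinning each one
# to a full commit SHA keeps a retagged release out of the job that holds
# `packages: write`.
jobs:
  # Builds and runs the test suite on the runner.
  make_check:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout sfunnel"
        uses: actions/checkout@v4
        with:
          path: sfunnel
          fetch-depth: 0
          # NOTE(review): the action documents this input as a boolean;
          # confirm `1` is actually treated as true.
          fetch-tags: 1

      - name: "Install deps..."
        run: |
          sudo add-apt-repository -y universe
          sudo apt-get update
          sudo apt-get install -y clang make iproute2 bridge-utils python3 \
            python3-scapy python3-pip libbpf-dev \
            libelf-dev linux-headers-generic \
            linux-libc-dev llvm iptables
          # NOTE(review): pytest is unpinned and installed as root; pin a
          # version if reproducible test runs matter.
          sudo pip3 install pytest
          sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm

      - name: "Allow test traffic in iptables/nftables"
        run: |
          # The two listings only record the runner's rules in the job log.
          sudo iptables -L -n
          sudo iptables -t nat -L -n
          # Accept forwarded packets sourced from 11.1.1.1 (presumably the
          # address the tests send from; verify against the test suite).
          sudo iptables -I FORWARD -s 11.1.1.1 -j ACCEPT

      - name: "Run tests..."
        run: cd sfunnel/test && make VERBOSE=1

  # Builds the image, smoke-tests it with several configurations and pushes
  # it to ghcr.io for exact v* tags. Only runs once make_check has passed.
  docker_build_and_publish:
    needs: [make_check]
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
    steps:
      - name: "Checkout sfunnel"
        uses: actions/checkout@v4
        with:
          path: sfunnel
          fetch-depth: 0
          # NOTE(review): the action documents this input as a boolean;
          # confirm `1` is actually treated as true.
          fetch-tags: 1

      - name: "Set up Docker buildx"
        uses: docker/setup-buildx-action@v3

      - name: "Login to GitHub Container Registry (ghcr.io)"
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: "Build container"
        run: |
          # Cross-build
          cd sfunnel
          echo "Fix mess with tags in actions/checkout..."
          git fetch -f && git fetch -f --tags
          docker buildx build --platform "${PLATFORMS}" -t sfunnel \
            --build-arg VERSION="$(git describe)" \
            --build-arg COMMIT="${GITHUB_SHA}" \
            --load -f docker/Dockerfile .

      # The smoke tests below start the image with --privileged on the
      # throwaway runner. The default `run` shell is bash with -e, so a failed
      # pipeline would end the script before a later PIPESTATUS check could
      # print anything; testing the pipeline inside `if` keeps the error
      # message reachable.
      - name: "[TEST] Run container with default ruleset..."
        run: |
          set -o pipefail
          if ! docker run --privileged sfunnel:latest 2>&1 | tee output; then
            echo "ERROR: container execution FAILED!"
            exit 1
          fi
          grep -F "Using default ruleset" output || {
            echo "ERROR: unable to validate it loads default ruleset"
            exit 1
          }

      - name: "[TEST] Run container with custom ruleset file..."
        run: |
          RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel udp"
          echo "$RULE" > ruleset
          set -o pipefail
          if ! docker run --privileged \
            -v "$(pwd)/ruleset:/opt/sfunnel/src/ruleset" \
            sfunnel:latest 2>&1 | tee output; then
            echo "ERROR: container execution FAILED!"
            exit 1
          fi
          grep -F "Compiling sfunnel with custom ruleset" output || {
            echo "ERROR: unable to validate it loads custom file ruleset"
            exit 1
          }
          # -F: the rule contains dots, match it as a literal string.
          grep -F -- "$RULE" output || {
            echo "ERROR: unable to validate it loads custom file ruleset"
            exit 1
          }

      - name: "[TEST] Run container with custom ruleset via SFUNNEL_RULESET..."
        run: |
          # Should override the ruleset file with 127.0.0.1 that the previous
          # step left in the workspace.
          RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel udp"
          set -o pipefail
          if ! docker run -e SFUNNEL_RULESET="$RULE" --privileged \
            -v "$(pwd)/ruleset:/opt/sfunnel/src/ruleset" \
            sfunnel:latest 2>&1 | tee output; then
            echo "ERROR: container execution FAILED!"
            exit 1
          fi
          grep -F "SFUNNEL_RULESET='$RULE'" output || {
            echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET"
            exit 1
          }
          grep -F "Compiling sfunnel with custom ruleset" output || {
            echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET"
            exit 1
          }
          grep -F -- "$RULE" output || {
            echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET"
            exit 1
          }

      - name: "[TEST] Run container with custom params ..."
        run: |
          set -o pipefail
          if ! docker run -e N_ATTEMPTS=7 -e RETRY_DELAY=3 -e IFACES="lo" \
            --privileged sfunnel:latest 2>&1 | tee output; then
            echo "ERROR: container execution FAILED!"
            exit 1
          fi
          grep -F "\$N_ATTEMPTS='7'" output || {
            echo "ERROR: unable to validate it loads params (N_ATTEMPTS)"
            exit 1
          }
          grep -F "\$RETRY_DELAY='3'" output || {
            echo "ERROR: unable to validate it loads params (RETRY_DELAY)"
            exit 1
          }
          grep -F "\$IFACES='lo'" output || {
            echo "ERROR: unable to validate it loads params (IFACES)"
            exit 1
          }

      - name: "Push to ghcr"
        # Publish only from push events; pull-request runs never reach the
        # registry write path.
        if: github.event_name == 'push'
        run: |
          cd sfunnel
          # Tag name without the leading "v" and without any "-N-gSHA" suffix.
          TAG="$(git describe HEAD | sed -e 's/-.*$//' -e 's/^v//')"
          # Empty unless HEAD sits exactly on a v* tag.
          EXACT_TAG="$(git describe --exact-match --match "v*" || echo "")"
          echo "TAG=${TAG}, EXACT_TAG=${EXACT_TAG}"
          if [[ -n "${EXACT_TAG}" ]]; then
            echo "Pushing to ghcr.io..."
            # Same build arguments as the image tested above, so the
            # published image is the same build as the tested one and
            # carries its VERSION/COMMIT metadata.
            docker buildx build --platform "${PLATFORMS}" --push \
              --build-arg VERSION="$(git describe)" \
              --build-arg COMMIT="${GITHUB_SHA}" \
              -f docker/Dockerfile . \
              --tag "ghcr.io/${GITHUB_REPOSITORY}:${TAG}"
          fi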