remove testing if the fwd rules are gone, since they are not cleaned up

srl-labs · Jan 17, 2025 · e99ca38 · e99ca38
1 parent 1738173
commit e99ca38
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 31 deletions.
diff --git a/docs/manual/kinds/bridge.md b/docs/manual/kinds/bridge.md
@@ -75,6 +75,17 @@ iptables -I FORWARD -i br-clab -j ACCEPT
 iptables -I FORWARD -o br-clab -j ACCEPT
 ```
 
-This will ensure that traffic is forwarded when passing this particular bridge. Note, that once you destroy the lab, the rule will stay, if you wish to remove it, you will have to do it manually.
+This will ensure that traffic is forwarded when passing this particular bridge.
+
+/// warning
+Once you destroy the lab, the rules in the FORWARD chain will stay, if you wish to remove it, you will have to do it manually. For example the with the following script (for v4 family):
+
+```
+sudo iptables -vL FORWARD --line-numbers -n | \
+grep "set by containerlab" | awk '{print $1}' \
+| sort -r | xargs -I {} sudo iptables -D FORWARD {}
+```
+
+///
 
 Check out ["External bridge"](../../lab-examples/ext-bridge.md) lab for a ready-made example on how to use bridges.
diff --git a/tests/01-smoke/03-bridges-and-host.robot b/tests/01-smoke/03-bridges-and-host.robot
@@ -105,36 +105,6 @@ Verify ip6tables allow rule is set
     Should Match Regexp    ${ipt}    oifname.*${bridge-name}.*accept
     Should Match Regexp    ${ipt}    iifname.*${bridge-name}.*accept
 
-Destroy ${lab-name} lab
-    ${rc}    ${output} =    Run And Return Rc And Output
-    ...    sudo -E ${CLAB_BIN} --runtime ${runtime} destroy -t ${CURDIR}/${lab-file} --cleanup
-    Log    ${output}
-    Should Be Equal As Integers    ${rc}    0
-
-Verify iptables allow rule are gone
-    [Documentation]    Checking if iptables allow rule is removed once the lab is destroyed
-    Skip If    '${runtime}' != 'docker'
-    ${ipt} =    Run
-    ...    sudo iptables -vnL FORWARD
-    Log    ${ipt}
-    Should Not Contain    ${ipt}    ${bridge-name}
-
-Verify ip6tables allow rule are gone
-    [Documentation]    Checking if ip6tables allow rule is removed once the lab is destroyed
-    Skip If    '${runtime}' != 'docker'
-
-    # Add check for ip6tables availability
-    ${rc}    ${output} =    Run And Return Rc And Output    which nft
-    Skip If    ${rc} != 0    nft command not found
-
-    ${rc}    ${output} =    Run And Return Rc And Output    sudo nft list tables
-    Skip If    'ip6 filter' not in '''${output}'''    ip6 filter chain not found
-
-    ${ipt} =    Run
-    ...    sudo nft list chain ip6 filter FORWARD
-    Log    ${ipt}
-    Should Not Contain    ${ipt}    ${bridge-name}
-
 *** Keywords ***
 Setup
     # ensure the bridge we about to create is deleted first
@@ -144,5 +114,11 @@ Setup
     Run    sudo ctr -n clab image rm docker.io/library/alpine:3
 
 Cleanup
+    Destroy ${lab-name} lab
+    ${rc}    ${output} =    Run And Return Rc And Output
+    ...    sudo -E ${CLAB_BIN} --runtime ${runtime} destroy -t ${CURDIR}/${lab-file} --cleanup
+    Log    ${output}
+    Should Be Equal As Integers    ${rc}    0
+
     Run    sudo ip l del ${bridge-name}
     Run    sudo ip l del ${host-link-name}