summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/shell/features/map_lookup.nft11
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_add_delete35
2 files changed, 38 insertions, 8 deletions
diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 00000000..06c4c9d9
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+ map m {
+ typeof ip daddr : meta mark
+ }
+
+ chain c {
+ ip saddr @m
+ }
+}
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index 341de538..5e2f8ecc 100755
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -1,6 +1,15 @@
#!/bin/bash
-EXPECTED='table ip dynset {
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+ CONDMATCH=""
+ NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
map dynmark {
typeof ip daddr : meta mark
counter
@@ -9,20 +18,20 @@ EXPECTED='table ip dynset {
}
chain test_ping {
- ip saddr @dynmark counter comment "should not increment"
- ip saddr != @dynmark add @dynmark { ip saddr : 0x1 } counter
- ip saddr @dynmark counter comment "should increment"
- ip saddr @dynmark delete @dynmark { ip saddr : 0x1 }
- ip saddr @dynmark counter comment "delete should be instant but might fail under memory pressure"
+ $CONDMATCH counter comment \"should not increment\"
+ $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+ $CONDMATCH counter comment \"should increment\"
+ $CONDMATCH delete @dynmark { ip saddr : 0x1 }
+ $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
}
chain input {
type filter hook input priority 0; policy accept;
- add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment "also check timeout-gc"
+ add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
}
-}'
+}"
set -e
$NFT -f - <<< $EXPECTED
@@ -31,5 +40,15 @@ $NFT list ruleset
ip link set lo up
ping -c 1 127.0.0.42
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
# wait so that 10.2.3.4 times out.
sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+ echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+ exit 77
+fi