author Pablo Neira Ayuso <> 2016-03-14 13:30:56 +0100
committer Pablo Neira Ayuso <> 2016-03-14 20:43:48 +0100
commit f712d8db62b2974f69ffe968bae932f0fa3e966a
tree cc8060b2aca905f4cccef48be031a28a69efea6d /tests/shell/testcases/listing/0011sets_0
parent c5f59b8ba2be5981e55e6e1d4762a5d56c1b3df0
src: revisit cache population logic
We get a partial cache (tables, chains and sets) when:

* We see a set reference from a rule, since this set object may be already defined in kernelspace and we need to fetch the datatype for evaluation.
* We add/delete a set element, we need this to evaluate if the element datatype is correct.
* We rename a chain, since we need to know the chain handle.
* We add a chain/set. This isn't needed for simple command line invocations. However, since the existing codepath is also exercised from `nft -f' context, we need to know if the object exists in the kernel. Thus, if this is a newly declared object (not yet in the kernel) we add it to the cache, otherwise, we will not find follow up references to this object in our cache.

We get a full cache when:

* We list the ruleset. We can provide finer grain listing though, via partial cache, later.
* We monitor updates, since this displays incremental updates based on the existing objects.
* We export the ruleset, since this dumps all of the existing objects.
* We push updates via `nft -f'. We need to know what objects are already in the kernel for incremental updates. Otherwise, cache_update() hits a bogus 'set doesn't exist' error message for a just declared set in this batch. To avoid this problem, we need a way to differentiate between what objects in the lists are already defined in the kernel and what are just declared in this batch (hint: the location structure information is set for just declared objects).

We don't get a cache at all when:

* We flush the ruleset, this is important in case of delinearize bugs, so you don't need to reboot or manually flush the ruleset via libnftnl examples/nft-table-flush.
* We delete any object, except for set elements (as we describe above).
* We add a rule, so you can generate via --debug=netlink the expression without requiring a table and chain in place.
* We describe an expression.

This patch also includes some intentional adjustments to the shell tests so we don't get bogus errors due to changes in the list printing.

BTW, this patch also includes a revert for 97493717e738 ("evaluate: check if table and chain exists when adding rules") since that check is not possible anymore with this logic.

Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'tests/shell/testcases/listing/0011sets_0')
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/shell/testcases/listing/0011sets_0 b/tests/shell/testcases/listing/0011sets_0
index 1bf68877..75f2895f 100755
--- a/tests/shell/testcases/listing/0011sets_0
+++ b/tests/shell/testcases/listing/0011sets_0
@@ -6,11 +6,11 @@ EXPECTED="table ip nat {
table ip6 test {
-table inet filter {
table arp test_arp {
table bridge test_bridge {
+table inet filter {
set -e
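Review bot: Moving `table inet filter {` to after `table bridge test_bridge {` in EXPECTED ties this test to the exact order in which tables are printed, and the commit message only refers to "changes in the list printing" without saying what the new order is or why it changed. Please state the resulting ordering rule in the commit message, so that a later cache change that reorders the listing again can be judged as a regression or not. If table order is not something this listing test is meant to guarantee, consider making the comparison against EXPECTED order-insensitive instead of reordering the expected lines.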