#!/bin/bash

# test a kernel netns loading a simple ruleset

IP=$(which ip)
if [ ! -x "$IP" ] ; then
	echo "E: no ip binary" >&2
	exit 1
fi

function netns_exec()
{
	# $1: netns_name $2: command
	$IP netns exec $1 $2
	if [ $? -ne 0 ] ; then
		echo "E: failed to execute command in netns $1: $2" >&2
		$IP netns del $1
		exit 1
	fi
}

NETNS_NAME=$(basename "$0")
$IP netns add $NETNS_NAME
if [ $? -ne 0 ] ; then
	echo "E: unable to create netns" >&2
	exit 1
fi

netns_exec $NETNS_NAME "$NFT add table ip t"
netns_exec $NETNS_NAME "$NFT add chain ip t c"
netns_exec $NETNS_NAME "$NFT add chain ip t other"
netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345 }"
netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"

RULESET="table ip t {
	set s {
		type ipv4_addr
		elements = { 1.1.0.0}
	}

	chain c {
		ct state new
		udp dport { 12345}
		ip saddr @s drop
		jump other
	}

	chain other {
	}
}"

KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
$IP netns del $NETNS_NAME
if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
        DIFF="$(which diff)"
        [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
        exit 1
fi