blob: d2ac9f1ce8c92e94c51c0a0d0c08efdbff486955 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
#!/bin/bash
# NFT_TEST_REQUIRES(NFT_TEST_HAVE_dynset_op_delete)
CONDMATCH="ip saddr @dynmark"
NCONDMATCH="ip saddr != @dynmark"
# use reduced feature set
if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
CONDMATCH=""
NCONDMATCH=""
fi
EXPECTED="table ip dynset {
map dynmark {
typeof ip daddr : meta mark
counter
size 64
timeout 5m
}
chain test_ping {
$CONDMATCH counter comment \"should not increment\"
$NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
$CONDMATCH counter comment \"should increment\"
$CONDMATCH delete @dynmark { ip saddr : 0x1 }
$CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
}
chain input {
type filter hook input priority 0; policy accept;
add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
}
}"
set -e
$NFT -f - <<< $EXPECTED
$NFT list ruleset
ip link set lo up
ping -c 1 127.0.0.42
$NFT get element ip dynset dynmark { 10.2.3.4 }
# wait so that 10.2.3.4 times out.
sleep 2
set +e
$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
exit 77
fi
|
