On recent kernels one can perform a lookup in a map without a destination register (i.e., treat the map like a set -- pure existence check). Add a feature probe and work around the missing feature in typeof_maps_add_delete: do the test with a simplified ruleset, Indicate skipped even though a reduced test was run (earlier errors cause a failure) to not trigger dump validation error.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 tests/shell/features/map_lookup.nft | 11 ++++++
 .../testcases/maps/typeof_maps_add_delete | 35 ++++++++++++++-----
 2 files changed, 38 insertions(+), 8 deletions(-)
 create mode 100644 tests/shell/features/map_lookup.nft
diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 000000000000..06c4c9d9c82d
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+ map m {
+ typeof ip daddr : meta mark
+ }
+
+ chain c {
+ ip saddr @m
+ }
+}
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index 341de538e90e..579194b03372 100755
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -1,6 +1,15 @@
 #!/bin/bash
-EXPECTED='table ip dynset {
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ $NFT_HAVE_map_lookup -eq 0 ] ;then
+ CONDMATCH=""
+ NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
 map dynmark {
 typeof ip daddr : meta mark
 counter
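Review bot: `$NFT_HAVE_map_lookup` is expanded unquoted in the added `if [ $NFT_HAVE_map_lookup -eq 0 ] ;then`, so when the variable is unset or empty (for example when the script is run by hand outside the harness) `[` receives only `-eq 0`, reports an error and returns non-zero. The reduced ruleset is then not selected, and since `set -e` is only enabled further down, nothing stops the run at that point. Quoting with an explicit default makes the fallback a deliberate choice: `if [ "${NFT_HAVE_map_lookup:-1}" -eq 0 ]; then`, with the default set to whatever the harness intends. The same unquoted test is repeated at the end of the script in the `@@ -31,5 +40,15 @@` hunk, where it runs after `set +e` and the error would again go unnoticed.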
@@ -9,20 +18,20 @@ EXPECTED='table ip dynset {
 }
 chain test_ping {
- ip saddr @dynmark counter comment "should not increment"
- ip saddr != @dynmark add @dynmark { ip saddr : 0x1 } counter
- ip saddr @dynmark counter comment "should increment"
- ip saddr @dynmark delete @dynmark { ip saddr : 0x1 }
- ip saddr @dynmark counter comment "delete should be instant but might fail under memory pressure"
+ $CONDMATCH counter comment \"should not increment\"
+ $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+ $CONDMATCH counter comment \"should increment\"
+ $CONDMATCH delete @dynmark { ip saddr : 0x1 }
+ $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
 }
 chain input {
 type filter hook input priority 0; policy accept;
- add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment "also check timeout-gc"
+ add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
 meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
 }
-}'
+}"
 set -e
 $NFT -f - <<< $EXPECTED
@@ -31,5 +40,15 @@ $NFT list ruleset
 ip link set lo up
 ping -c 1 127.0.0.42
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
 # wait so that 10.2.3.4 times out.
 sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+# success, but indicate skip for reduced test to avoid dump validation error
+if [ $NFT_HAVE_map_lookup -eq 0 ];then
+ exit 123
+fi
--
2.41.0
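Review bot: The added negative check `$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1` in the `@@ -31,5 +40,15 @@` hunk accepts any non-zero exit from nft as proof that the element timed out. A failure for an unrelated reason, such as nft aborting or the table being absent, would therefore also pass the test. Consider capturing the exit status and stderr and accepting only the not-found case, or confirming the absence with `$NFT list map ip dynset dynmark`. Separately, the positive `get element` added before `sleep 2` races against the element's `timeout 1s`, so it may fail spuriously on a loaded machine; a comment such as `# must run well within the 1s element timeout` would record that this is understood.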