Re: [PATCH nft v3 00/11] tests/shell: allow running tests as

[Florian Westphal <fw@strlen.de>]

Thomas Haller <thaller@redhat.com> wrote:
> On Tue, 2023-09-05 at 13:09 +0200, Florian Westphal wrote:
> > Thomas Haller <thaller@redhat.com> wrote:
> > > Ch;anges to v3:
> > 
> > I was about to apply this but 10 tests now fail for me because they
> > no longer execute as real root and hit the socket buffer limits.
> > 
> > Please fix this, the default needs to be 'all tests pass',
> > i.e. use plain 'unshare -n' by default.
> > 
> > I'll leave it up to you if you want to automatically go with
> > unpriv netns if the script is invoked as non-root user or via
> > env/cmdline switch.
> > 
> > At least one failure isn't your fault, the blame is
> > with a shortcut check in sets/0043concatenated_ranges_0, so the test
> > never execeuted fully in the past. I will try
> > to figure out when this got broken :/

Seems its always broken.  Minimal reproducer:

nft -f - <<EOF
table ip filter {
        set test {
                type ipv4_addr . ether_addr . mark
                flags interval
                elements = { 198.51.100.0/25 . 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 . 0x0000006f, }
        }
}
EOF
nft get element ip filter test { 198.51.100.1 . 00:0b:0c:ca:cc:10 . 0x6f }
Error: Could not process rule: No such file or directory
get element ip filter test { 198.51.100.1 . 00:0b:0c:ca:cc:10 . 0x6f }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft get element ip filter test { 198.51.100.1 . 00:0b:0c:ca:cc:10 . 0x6f-0x6f }
table ip ...

Seems like this doesn't emit the needed end keys because the 'INTERVAL' flag
isn't toggled without using at least one phony range in the query.