netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support
@ 2023-09-18 10:28 Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 01/14] tests/shell: add and use chain binding feature probe Thomas Haller
                   ` (13 more replies)
  0 siblings, 14 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Thomas Haller

Most of the patches are from Florian.

With this, a test-run on Fedora 38 and CentOS-Stream-9 should pass (some
tests will be skipped).

Florian Westphal (12):
  tests/shell: add and use chain binding feature probe
  tests/shell: skip netdev_chain_0 if kernel requires netdev device
  tests/shell: skip map query if kernel lacks support
  tests/shell: skip inner matching tests if unsupported
  tests/shell: skip bitshift tests if kernel lacks support
  tests/shell: skip some tests if kernel lacks netdev egress support
  tests/shell: skip inet ingress tests if kernel lacks support
  tests/shell: skip destroy tests if kernel lacks support
  tests/shell: skip catchall tests if kernel lacks support
  tests/shell: skip test cases involving osf match if kernel lacks
    support
  tests/shell: skip test cases if ct expectation and/or timeout lacks
    support
  tests/shell: skip reset tests if kernel lacks support

Thomas Haller (2):
  tests/shell: implement NFT_TEST_HAVE_json feature detection as script
  tests/shell: check diff in "maps/typeof_maps_0" and
    "sets/typeof_sets_0" test

 tests/shell/features/bitshift.nft             |   7 +
 tests/shell/features/catchall_element.nft     |   8 ++
 tests/shell/features/chain_binding.nft        |   7 +
 tests/shell/features/ctexpect.nft             |  10 ++
 tests/shell/features/cttimeout.nft            |   8 ++
 tests/shell/features/destroy.nft              |   3 +
 tests/shell/features/inet_ingress.nft         |   7 +
 tests/shell/features/inner_matching.nft       |   7 +
 tests/shell/features/json.sh                  |   6 +
 tests/shell/features/map_lookup.nft           |  11 ++
 .../features/netdev_chain_without_device.nft  |   7 +
 tests/shell/features/netdev_egress.nft        |   7 +
 tests/shell/features/osf.nft                  |   7 +
 tests/shell/features/reset_rule.sh            |   8 ++
 tests/shell/features/reset_set.sh             |  10 ++
 tests/shell/run-tests.sh                      |  39 +++---
 .../shell/testcases/bitwise/0040mark_binop_0  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_1  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_2  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_3  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_4  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_5  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_6  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_7  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_8  |   2 +
 .../shell/testcases/bitwise/0040mark_binop_9  |   2 +
 .../testcases/cache/0010_implicit_chain_0     |   2 +
 tests/shell/testcases/chains/0021prio_0       |   7 +-
 .../testcases/chains/0041chain_binding_0      |   5 +
 .../testcases/chains/0042chain_variable_0     |   5 +
 .../testcases/chains/0043chain_ingress_0      |   9 +-
 .../testcases/chains/0044chain_destroy_0      |   2 +
 .../chains/dumps/netdev_chain_autoremove.nft  |   0
 tests/shell/testcases/chains/netdev_chain_0   |   2 +
 .../testcases/chains/netdev_chain_autoremove  |   9 ++
 tests/shell/testcases/flowtable/0015destroy_0 |   2 +
 tests/shell/testcases/listing/0013objects_0   |  50 ++-----
 .../testcases/listing/dumps/0013objects_0.nft |   2 -
 tests/shell/testcases/maps/0011vmap_0         |  10 +-
 tests/shell/testcases/maps/0014destroy_0      |   2 +
 .../shell/testcases/maps/0017_map_variable_0  |  13 +-
 .../maps/map_catchall_double_deactivate       |   2 +
 tests/shell/testcases/maps/typeof_maps_0      |  66 ++++++++-
 .../testcases/maps/typeof_maps_add_delete     |  35 +++--
 .../testcases/nft-f/0017ct_timeout_obj_0      |   2 +
 .../testcases/rule_management/0011reset_0     |   2 +
 .../testcases/rule_management/0012destroy_0   |   2 +
 tests/shell/testcases/sets/0063set_catchall_0 |   2 +
 tests/shell/testcases/sets/0064map_catchall_0 |   2 +
 tests/shell/testcases/sets/0072destroy_0      |   2 +
 tests/shell/testcases/sets/inner_0            |   2 +
 tests/shell/testcases/sets/reset_command_0    |   2 +
 tests/shell/testcases/sets/typeof_sets_0      | 130 ++++++++++++++++--
 tests/shell/testcases/transactions/30s-stress |  55 +++++++-
 54 files changed, 502 insertions(+), 94 deletions(-)
 create mode 100644 tests/shell/features/bitshift.nft
 create mode 100644 tests/shell/features/catchall_element.nft
 create mode 100644 tests/shell/features/chain_binding.nft
 create mode 100644 tests/shell/features/ctexpect.nft
 create mode 100644 tests/shell/features/cttimeout.nft
 create mode 100644 tests/shell/features/destroy.nft
 create mode 100644 tests/shell/features/inet_ingress.nft
 create mode 100644 tests/shell/features/inner_matching.nft
 create mode 100755 tests/shell/features/json.sh
 create mode 100644 tests/shell/features/map_lookup.nft
 create mode 100644 tests/shell/features/netdev_chain_without_device.nft
 create mode 100644 tests/shell/features/netdev_egress.nft
 create mode 100644 tests/shell/features/osf.nft
 create mode 100755 tests/shell/features/reset_rule.sh
 create mode 100755 tests/shell/features/reset_set.sh
 create mode 100644 tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
 create mode 100755 tests/shell/testcases/chains/netdev_chain_autoremove

-- 
2.41.0



* [PATCH nft 01/14] tests/shell: add and use chain binding feature probe
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 02/14] tests/shell: skip netdev_chain_0 if kernel requires netdev device Thomas Haller
                   ` (12 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Alter 30s-stress to suppress anon chains when it's unsupported.

Note that 30s-stress can optionally be run standalone, so also update
the test script.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/chain_binding.nft        |  7 +++
 .../testcases/cache/0010_implicit_chain_0     |  2 +
 .../testcases/chains/0041chain_binding_0      |  5 ++
 tests/shell/testcases/transactions/30s-stress | 55 ++++++++++++++++---
 4 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 tests/shell/features/chain_binding.nft

diff --git a/tests/shell/features/chain_binding.nft b/tests/shell/features/chain_binding.nft
new file mode 100644
index 000000000000..b381ec540fae
--- /dev/null
+++ b/tests/shell/features/chain_binding.nft
@@ -0,0 +1,7 @@
+# d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+# v5.9-rc1~133^2~302^2~1
+table ip t {
+	chain c {
+		jump { counter; }
+	}
+}
diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0
index 0ab0db957cf2..834dc6e4036c 100755
--- a/tests/shell/testcases/cache/0010_implicit_chain_0
+++ b/tests/shell/testcases/cache/0010_implicit_chain_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
 set -e
 
 EXPECTED="table ip f {
diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0
index 4b541bb55c30..141a4b6d2c59 100755
--- a/tests/shell/testcases/chains/0041chain_binding_0
+++ b/tests/shell/testcases/chains/0041chain_binding_0
@@ -6,6 +6,11 @@ if [ $? -ne 1 ]; then
 	exit 1
 fi
 
+if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then
+	echo "Test partially skipped due to NFT_TEST_HAVE_chain_binding=n"
+	exit 77
+fi
+
 set -e
 
 EXPECTED="table inet x {
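Review bot: The new check in 0041chain_binding_0 expands $NFT_TEST_HAVE_chain_binding unquoted, so when the variable is unset or empty (for example when the script is run outside run-tests.sh) the test becomes `[ = "n" ]`, which is a `[` syntax error rather than a false comparison. The other checks added in this patch quote the variable; suggest `if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then` here as well.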
diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress
index 4d5d1d8bface..4c3c6a275941 100755
--- a/tests/shell/testcases/transactions/30s-stress
+++ b/tests/shell/testcases/transactions/30s-stress
@@ -27,6 +27,17 @@ if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
 	exit 77
 fi
 
+if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then
+	NFT_TEST_HAVE_chain_binding=n
+	mydir="$(dirname "$0")"
+	$NFT --check -f "$mydir/../../features/chain_binding.nft"
+	if [ $? -eq 0 ];then
+		NFT_TEST_HAVE_chain_binding=y
+	else
+		echo "Assuming anonymous chains are not supported"
+	fi
+fi
+
 testns=testns-$(mktemp -u "XXXXXXXX")
 tmp=""
 
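Review bot: The standalone probe in 30s-stress treats every non-zero exit of `$NFT --check -f` as "anonymous chains are not supported", so an unset $NFT, a missing features/chain_binding.nft or insufficient privileges silently downgrade the stress test as well. Consider checking that the probe file exists first and including the probe's exit status in the "Assuming ..." message, so that a misconfigured run is distinguishable from an old kernel.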
@@ -42,8 +53,8 @@ failslab_defaults() {
 	# allow all slabs to fail (if process is tagged).
 	find /sys/kernel/slab/ -wholename '*/kmalloc-[0-9]*/failslab' -type f -exec sh -c 'echo 1 > {}' \;
 
-	# no limit on the number of failures
-	echo -1 > /sys/kernel/debug/failslab/times
+	# no limit on the number of failures, or clause works around old kernels that reject negative integer.
+	echo -1 > /sys/kernel/debug/failslab/times 2>/dev/null || printf '%#x -1' > /sys/kernel/debug/failslab/times
 
 	# Set to 2 for full dmesg traces for each injected error
 	echo 0 > /sys/kernel/debug/failslab/verbose
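Review bot: In the fallback on the failslab/times line, `printf '%#x -1'` has the -1 inside the format string, so %#x receives no argument and the literal text " -1" is written after it; the value that lands in failslab/times is not the hexadecimal form of -1. If the intent is to write -1 as an unsigned hex number for kernels that reject negative integers, the argument needs to sit outside the quotes: `printf '%#x' -1`. The comment line is also long enough to be worth wrapping.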
@@ -102,6 +113,15 @@ nft_with_fault_inject()
 trap cleanup EXIT
 tmp=$(mktemp)
 
+jump_or_goto()
+{
+	if [ $((RANDOM & 1)) -eq 0 ] ;then
+		echo -n "jump"
+	else
+		echo -n "goto"
+	fi
+}
+
 random_verdict()
 {
 	max="$1"
@@ -113,7 +133,8 @@ random_verdict()
 	rnd=$((RANDOM%max))
 
 	if [ $rnd -gt 0 ];then
-		printf "jump chain%03u" "$((rnd+1))"
+		jump_or_goto
+		printf " chain%03u" "$((rnd+1))"
 		return
 	fi
 
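Review bot: Replacing the fixed "jump chainNNN" in random_verdict with jump_or_goto changes what the stress test generates on every kernel, not only where chain binding is missing, and the commit message only mentions suppressing anonymous chains. Either mention the jump/goto randomisation in the commit message or split it into its own patch.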
@@ -422,6 +443,21 @@ stress_all()
 	randmonitor &
 }
 
+gen_anon_chain_jump()
+{
+	echo -n "insert rule inet $@ "
+	jump_or_goto
+
+	if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+		echo " defaultchain"
+		return
+	fi
+
+	echo -n " { "
+	jump_or_goto
+	echo " defaultchain; counter; }"
+}
+
 gen_ruleset() {
 echo > "$tmp"
 for table in $tables; do
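Review bot: In gen_anon_chain_jump, `echo -n "insert rule inet $@ "` embeds $@ in a larger quoted string, which only behaves as intended because every caller passes a single argument. Use "$*" or "$1" to make that explicit. A short comment above the function saying that the fallback emits a plain verdict to defaultchain when NFT_TEST_HAVE_chain_binding=n would also help.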
@@ -463,12 +499,13 @@ for table in $tables; do
 	echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
 	echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
 	# bitmap 1byte, with anon chain jump
-	echo "insert rule inet $table $chain ip protocol { 6, 17 } jump { jump defaultchain; counter; }" >> "$tmp"
+	gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
+
 	# bitmap 2byte
 	echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
 	echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
 	# pipapo (concat + set), with goto anonymous chain.
-	echo "insert rule inet $table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 } goto { jump defaultchain; counter; }" >> "$tmp"
+	gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
 
 	# add a few anonymous sets. rhashtable is convered by named sets below.
 	c=$((RANDOM%$count))
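Review bot: The comments kept above the two gen_anon_chain_jump calls ("with anon chain jump", "with goto anonymous chain") no longer describe the generated rules: the verdict is now picked at random by jump_or_goto and, with NFT_TEST_HAVE_chain_binding=n, there is no anonymous chain at all. Please update the comments; the extra blank line added after the first call can go too.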
@@ -477,12 +514,12 @@ for table in $tables; do
 	echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
 	echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
 	# bitmap 1byte, with anon chain jump
-	echo "insert rule inet $table $chain ip protocol { 6, 17 } jump { jump defaultchain; counter; }" >> "$tmp"
+	gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
 	# bitmap 2byte
 	echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
 	echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
 	# pipapo (concat + set), with goto anonymous chain.
-	echo "insert rule inet $table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 } goto { jump defaultchain; counter; }" >> "$tmp"
+	gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
 
 	# add constant/immutable sets
 	size=$((RANDOM%5120000))
@@ -594,3 +631,7 @@ run_test
 rm -f "$tmp"
 tmp=""
 sleep 4
+
+if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+	echo "Ran a modified version of the test due to NFT_TEST_HAVE_chain_binding=n"
+fi
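Review bot: When NFT_TEST_HAVE_chain_binding=n the script prints "Ran a modified version of the test" and then ends with status 0, so the run is reported as a full pass. Other reduced-coverage paths in this series (for example 0021prio_0) exit 77 after the same kind of message; either do that here or say in the commit message why this test should still count as passed.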
-- 
2.41.0



* [PATCH nft 02/14] tests/shell: skip netdev_chain_0 if kernel requires netdev device
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 01/14] tests/shell: add and use chain binding feature probe Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 03/14] tests/shell: skip map query if kernel lacks support Thomas Haller
                   ` (11 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

This test case only works on kernel 6.4+.

Add feature probe for this and tag the test accordingly using
the scheme added by Thomas Haller in

    "tests/shell: skip tests if nft does not support JSON mode"

so that run-tests.sh skips it if kernel requires a device.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/netdev_chain_without_device.nft | 7 +++++++
 tests/shell/testcases/chains/netdev_chain_0          | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 tests/shell/features/netdev_chain_without_device.nft

diff --git a/tests/shell/features/netdev_chain_without_device.nft b/tests/shell/features/netdev_chain_without_device.nft
new file mode 100644
index 000000000000..25eb200ffe31
--- /dev/null
+++ b/tests/shell/features/netdev_chain_without_device.nft
@@ -0,0 +1,7 @@
+# 207296f1a03b ("netfilter: nf_tables: allow to create netdev chain without device")
+# v6.4-rc1~132^2~14^2
+table netdev t {
+	chain c {
+		type filter hook ingress priority 0; policy accept;
+        }
+}
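Review bot: Style: the closing brace of chain c in netdev_chain_without_device.nft is indented with spaces while the other lines of the file use tabs. Use a tab there so the file is consistent.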
diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0
index 88bbc437d471..a323e6ec3324 100755
--- a/tests/shell/testcases/chains/netdev_chain_0
+++ b/tests/shell/testcases/chains/netdev_chain_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device)
+
 set -e
 
 iface_cleanup() {
-- 
2.41.0



* [PATCH nft 03/14] tests/shell: skip map query if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 01/14] tests/shell: add and use chain binding feature probe Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 02/14] tests/shell: skip netdev_chain_0 if kernel requires netdev device Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 04/14] tests/shell: skip inner matching tests if unsupported Thomas Haller
                   ` (10 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

On recent kernels one can perform a lookup in a map without a destination
register (i.e., treat the map like a set -- pure existence check).

Add a feature probe and work around the missing feature in
typeof_maps_add_delete: do the test with a simplified ruleset.

Indicate skipped even though a reduced test was run (earlier errors
cause a failure) to not trigger dump validation error.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/map_lookup.nft           | 11 ++++++
 .../testcases/maps/typeof_maps_add_delete     | 35 ++++++++++++++-----
 2 files changed, 38 insertions(+), 8 deletions(-)
 create mode 100644 tests/shell/features/map_lookup.nft

diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 000000000000..06c4c9d9c82d
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+        map m {
+                typeof ip daddr : meta mark
+        }
+
+        chain c {
+                ip saddr @m
+        }
+}
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index 341de538e90e..5e2f8ecc473f 100755
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -1,6 +1,15 @@
 #!/bin/bash
 
-EXPECTED='table ip dynset {
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	CONDMATCH=""
+	NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
 	map dynmark {
 		typeof ip daddr : meta mark
 		counter
@@ -9,20 +18,20 @@ EXPECTED='table ip dynset {
 	}
 
 	chain test_ping {
-		ip saddr @dynmark counter comment "should not increment"
-		ip saddr != @dynmark add @dynmark { ip saddr : 0x1 } counter
-		ip saddr @dynmark counter comment "should increment"
-		ip saddr @dynmark delete @dynmark { ip saddr : 0x1 }
-		ip saddr @dynmark counter comment "delete should be instant but might fail under memory pressure"
+		$CONDMATCH counter comment \"should not increment\"
+		$NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+		$CONDMATCH counter comment \"should increment\"
+		$CONDMATCH delete @dynmark { ip saddr : 0x1 }
+		$CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
 	}
 
 	chain input {
 		type filter hook input priority 0; policy accept;
 
-		add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment "also check timeout-gc"
+		add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
 		meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
 	}
-}'
+}"
 
 set -e
 $NFT -f - <<< $EXPECTED
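Review bot: With NFT_TEST_HAVE_map_lookup=n both $CONDMATCH and $NCONDMATCH expand to nothing, so every rule in test_ping becomes unconditional, including `delete @dynmark { ip saddr : 0x1 }`, and the rule comments "should not increment" and "should increment" no longer describe what happens. A comment next to the reduced-feature block stating what the fallback ruleset still verifies would make this easier to maintain.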
@@ -31,5 +40,15 @@ $NFT list ruleset
 ip link set lo up
 ping -c 1 127.0.0.42
 
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
 # wait so that 10.2.3.4 times out.
 sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+	exit 77
+fi
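Review bot: After `set +e`, the line `$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1` accepts any failure of nft as proof that the element timed out, and on unexpected success it exits 1 without a message. Suggest printing a reason before `exit 1` so a failing run says that the element was still present after the timeout.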
-- 
2.41.0



* [PATCH nft 04/14] tests/shell: skip inner matching tests if unsupported
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (2 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 03/14] tests/shell: skip map query if kernel lacks support Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 05/14] tests/shell: skip bitshift tests if kernel lacks support Thomas Haller
                   ` (9 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/inner_matching.nft | 7 +++++++
 tests/shell/testcases/sets/inner_0      | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 tests/shell/features/inner_matching.nft

diff --git a/tests/shell/features/inner_matching.nft b/tests/shell/features/inner_matching.nft
new file mode 100644
index 000000000000..6c86fd3558ac
--- /dev/null
+++ b/tests/shell/features/inner_matching.nft
@@ -0,0 +1,7 @@
+# 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
+# v6.2-rc1~99^2~350^2~4
+table ip t {
+        chain c {
+                udp dport 4789 vxlan ip saddr 1.2.3.4
+        }
+}
diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0
index 0eb172a8cf06..39d91bd9c3ed 100755
--- a/tests/shell/testcases/sets/inner_0
+++ b/tests/shell/testcases/sets/inner_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching)
+
 set -e
 
 RULESET="table netdev x {
-- 
2.41.0



* [PATCH nft 05/14] tests/shell: skip bitshift tests if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (3 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 04/14] tests/shell: skip inner matching tests if unsupported Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 06/14] tests/shell: skip some tests if kernel lacks netdev egress support Thomas Haller
                   ` (8 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/bitshift.nft              | 7 +++++++
 tests/shell/testcases/bitwise/0040mark_binop_0 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_1 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_2 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_3 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_4 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_5 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_6 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_7 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_8 | 2 ++
 tests/shell/testcases/bitwise/0040mark_binop_9 | 2 ++
 11 files changed, 27 insertions(+)
 create mode 100644 tests/shell/features/bitshift.nft

diff --git a/tests/shell/features/bitshift.nft b/tests/shell/features/bitshift.nft
new file mode 100644
index 000000000000..7f9ccb64f0e6
--- /dev/null
+++ b/tests/shell/features/bitshift.nft
@@ -0,0 +1,7 @@
+# 567d746b55bc ("netfilter: bitwise: add support for shifts.")
+# v5.6-rc1~151^2~73^2
+table ip t {
+	chain c {
+		meta mark set meta mark << 2
+	}
+}
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_0 b/tests/shell/testcases/bitwise/0040mark_binop_0
index 4280e33ac45a..4ecc9d3d6c83 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_0
+++ b/tests/shell/testcases/bitwise/0040mark_binop_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_1 b/tests/shell/testcases/bitwise/0040mark_binop_1
index 7e71f3eb43a8..bd9e028df78c 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_1
+++ b/tests/shell/testcases/bitwise/0040mark_binop_1
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_2 b/tests/shell/testcases/bitwise/0040mark_binop_2
index 94ebe976c987..5e66a27a0498 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_2
+++ b/tests/shell/testcases/bitwise/0040mark_binop_2
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_3 b/tests/shell/testcases/bitwise/0040mark_binop_3
index b491565ca573..21dda6701d38 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_3
+++ b/tests/shell/testcases/bitwise/0040mark_binop_3
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_4 b/tests/shell/testcases/bitwise/0040mark_binop_4
index adc5f25ba930..e5c8a42a0eb4 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_4
+++ b/tests/shell/testcases/bitwise/0040mark_binop_4
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_5 b/tests/shell/testcases/bitwise/0040mark_binop_5
index 286b7b1fc7f9..184fbed0701d 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_5
+++ b/tests/shell/testcases/bitwise/0040mark_binop_5
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_6 b/tests/shell/testcases/bitwise/0040mark_binop_6
index 9ea82952ef24..129dd5c085f4 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_6
+++ b/tests/shell/testcases/bitwise/0040mark_binop_6
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_7 b/tests/shell/testcases/bitwise/0040mark_binop_7
index ff9cfb55ac3e..791a7943581d 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_7
+++ b/tests/shell/testcases/bitwise/0040mark_binop_7
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_8 b/tests/shell/testcases/bitwise/0040mark_binop_8
index b348ee9367df..5e7bd28da754 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_8
+++ b/tests/shell/testcases/bitwise/0040mark_binop_8
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_9 b/tests/shell/testcases/bitwise/0040mark_binop_9
index d19447d42b22..a7b60fb87812 100755
--- a/tests/shell/testcases/bitwise/0040mark_binop_9
+++ b/tests/shell/testcases/bitwise/0040mark_binop_9
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
 set -e
 
 RULESET="
-- 
2.41.0



* [PATCH nft 06/14] tests/shell: skip some tests if kernel lacks netdev egress support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (4 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 05/14] tests/shell: skip bitshift tests if kernel lacks support Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 07/14] tests/shell: skip inet ingress tests if kernel lacks support Thomas Haller
                   ` (7 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/netdev_egress.nft            | 7 +++++++
 tests/shell/testcases/chains/0021prio_0           | 7 ++++++-
 tests/shell/testcases/chains/0042chain_variable_0 | 5 +++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 tests/shell/features/netdev_egress.nft

diff --git a/tests/shell/features/netdev_egress.nft b/tests/shell/features/netdev_egress.nft
new file mode 100644
index 000000000000..67d706d86c5f
--- /dev/null
+++ b/tests/shell/features/netdev_egress.nft
@@ -0,0 +1,7 @@
+# 42df6e1d221d ("netfilter: Introduce egress hook")
+# v5.16-rc1~159^2~167^2~10
+table netdev t {
+	chain c {
+		type filter hook egress devices = { lo } priority 0; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0
index d450dc0b6c34..ceda15583520 100755
--- a/tests/shell/testcases/chains/0021prio_0
+++ b/tests/shell/testcases/chains/0021prio_0
@@ -69,7 +69,7 @@ done
 family=netdev
 echo "add table $family x"
 gen_chains $family ingress filter lo
-gen_chains $family egress filter lo
+[ "$NFT_TEST_HAVE_netdev_egress" != n ] && gen_chains $family egress filter lo
 
 family=bridge
 echo "add table $family x"
@@ -83,3 +83,8 @@ gen_chains $family postrouting srcnat
 
 ) >$tmpfile
 $NFT -f $tmpfile
+
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ]; then
+	echo "Ran a modified version of the test due to NFT_TEST_HAVE_netdev_egress=n"
+	exit 77
+fi
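Review bot: The new `exit 77` at the end of 0021prio_0 runs regardless of the result of `$NFT -f $tmpfile` just above it; unless `set -e` is active earlier in the script (not visible in these hunks), a load failure with NFT_TEST_HAVE_netdev_egress=n would be reported as a skip. Consider `$NFT -f $tmpfile || exit 1` before the skip check.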
diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0
index f71b04155e44..1ea44e85c71f 100755
--- a/tests/shell/testcases/chains/0042chain_variable_0
+++ b/tests/shell/testcases/chains/0042chain_variable_0
@@ -24,6 +24,11 @@ table netdev filter2 {
 
 $NFT -f - <<< $EXPECTED
 
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ] ; then
+	echo "Skip parts of the test due to NFT_TEST_HAVE_netdev_egress=n"
+	exit 77
+fi
+
 EXPECTED="define if_main = { lo, dummy0 }
 define lan_interfaces = { lo }
 
-- 
2.41.0



* [PATCH nft 07/14] tests/shell: skip inet ingress tests if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (5 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 06/14] tests/shell: skip some tests if kernel lacks netdev egress support Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 08/14] tests/shell: skip destroy " Thomas Haller
                   ` (6 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Split the bridge autoremove test to a new file.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/inet_ingress.nft                    | 7 +++++++
 tests/shell/testcases/chains/0043chain_ingress_0         | 9 ++-------
 .../testcases/chains/dumps/netdev_chain_autoremove.nft   | 0
 tests/shell/testcases/chains/netdev_chain_autoremove     | 9 +++++++++
 4 files changed, 18 insertions(+), 7 deletions(-)
 create mode 100644 tests/shell/features/inet_ingress.nft
 create mode 100644 tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
 create mode 100755 tests/shell/testcases/chains/netdev_chain_autoremove

diff --git a/tests/shell/features/inet_ingress.nft b/tests/shell/features/inet_ingress.nft
new file mode 100644
index 000000000000..944a5c77d27b
--- /dev/null
+++ b/tests/shell/features/inet_ingress.nft
@@ -0,0 +1,7 @@
+# d3519cb89f6d ("netfilter: nf_tables: add inet ingress support")
+# v5.10-rc1~107^2~17^2~1
+table inet t {
+        chain c {
+                type filter hook ingress device "lo" priority filter; policy accept;
+        }
+}
diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0
index bff464687a6f..a6973b99e514 100755
--- a/tests/shell/testcases/chains/0043chain_ingress_0
+++ b/tests/shell/testcases/chains/0043chain_ingress_0
@@ -1,7 +1,8 @@
 #!/bin/bash
 
-set -e
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
 
+set -e
 RULESET="table inet filter {
 	chain ingress {
 		type filter hook ingress device \"lo\" priority filter; policy accept;
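Review bot: Style: moving `set -e` below the new NFT_TEST_REQUIRES tag dropped the blank line that separated it from `RULESET=`; keep an empty line after `set -e`, as the other tagged test scripts in this series do.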
@@ -14,11 +15,5 @@ RULESET="table inet filter {
 	}
 }"
 
-# Test auto-removal of chain hook on netns removal
-unshare -n bash -c "ip link add br0 type bridge; \
- $NFT add table netdev test; \
- $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
-" || exit 1
-
 $NFT -f - <<< "$RULESET" && exit 0
 exit 1
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/tests/shell/testcases/chains/netdev_chain_autoremove b/tests/shell/testcases/chains/netdev_chain_autoremove
new file mode 100755
index 000000000000..21f3ad2966cb
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_autoremove
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test auto-removal of chain hook on netns removal
+unshare -n bash -e -c "ip link add br0 type bridge; \
+ $NFT add table netdev test; \
+ $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
+"
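Review bot: the new test has no skip path, so with "bash -e -c" a failing "ip link add br0 type bridge" (for example on a kernel without bridge support) fails the test instead of reporting a skip. Consider checking that the bridge device can be created and exiting 77 otherwise, as the other tests in this series do for missing features. The added "-e" also makes this stricter than the block removed from 0043chain_ingress_0, where only the status of the last command reached "|| exit 1"; that is worth a line in the commit message.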
-- 
2.41.0



* [PATCH nft 08/14] tests/shell: skip destroy tests if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (6 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 07/14] tests/shell: skip inet ingress tests if kernel lacks support Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 09/14] tests/shell: skip catchall " Thomas Haller
                   ` (5 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Destroy support was added for table/flowtable/chain etc. in a single
commit, so no need to add capability tests for each destroy subtype.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/destroy.nft                    | 3 +++
 tests/shell/testcases/chains/0044chain_destroy_0    | 2 ++
 tests/shell/testcases/flowtable/0015destroy_0       | 2 ++
 tests/shell/testcases/maps/0014destroy_0            | 2 ++
 tests/shell/testcases/rule_management/0012destroy_0 | 2 ++
 tests/shell/testcases/sets/0072destroy_0            | 2 ++
 6 files changed, 13 insertions(+)
 create mode 100644 tests/shell/features/destroy.nft

diff --git a/tests/shell/features/destroy.nft b/tests/shell/features/destroy.nft
new file mode 100644
index 000000000000..b97242e41e9f
--- /dev/null
+++ b/tests/shell/features/destroy.nft
@@ -0,0 +1,3 @@
+# f80a612dd77c ("netfilter: nf_tables: add support to destroy operation")
+# v6.3-rc1~162^2~264^2
+destroy table t
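Review bot: the probe file does not say why "destroy table t" is expected to succeed although table t is never created. A one-line comment that destroy passes for a non-existent object on supporting kernels, and that this single command stands in for every destroy subtype, would spare the next reader a trip to the commit message.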
diff --git a/tests/shell/testcases/chains/0044chain_destroy_0 b/tests/shell/testcases/chains/0044chain_destroy_0
index 8384da66a5b0..1763d802c1dd 100755
--- a/tests/shell/testcases/chains/0044chain_destroy_0
+++ b/tests/shell/testcases/chains/0044chain_destroy_0
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
 $NFT add table t
 
 # pass for non-existent chain
diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0
index 66fce4992a50..9e91ef5036a2 100755
--- a/tests/shell/testcases/flowtable/0015destroy_0
+++ b/tests/shell/testcases/flowtable/0015destroy_0
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
 $NFT add table t
 
 # pass for non-existent flowtable
diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0
index 14c3f78af7f1..b17d0021d926 100755
--- a/tests/shell/testcases/maps/0014destroy_0
+++ b/tests/shell/testcases/maps/0014destroy_0
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
 $NFT add table x
 
 # pass for non-existent map
diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0
index 85f9c9f6d4c7..46a906cf36b8 100755
--- a/tests/shell/testcases/rule_management/0012destroy_0
+++ b/tests/shell/testcases/rule_management/0012destroy_0
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
 $NFT add table t
 $NFT add chain t c
 
diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0
index fd1d645057c0..6399dd0ff4c8 100755
--- a/tests/shell/testcases/sets/0072destroy_0
+++ b/tests/shell/testcases/sets/0072destroy_0
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
 $NFT add table x
 
 # pass for non-existent set
-- 
2.41.0



* [PATCH nft 09/14] tests/shell: skip catchall tests if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (7 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 08/14] tests/shell: skip destroy " Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 10/14] tests/shell: skip test cases involving osf match " Thomas Haller
                   ` (4 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/catchall_element.nft           |  8 ++++++++
 tests/shell/testcases/maps/0011vmap_0               | 10 +++++++++-
 tests/shell/testcases/maps/0017_map_variable_0      | 13 ++++++++++++-
 .../testcases/maps/map_catchall_double_deactivate   |  2 ++
 tests/shell/testcases/sets/0063set_catchall_0       |  2 ++
 tests/shell/testcases/sets/0064map_catchall_0       |  2 ++
 6 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 tests/shell/features/catchall_element.nft

diff --git a/tests/shell/features/catchall_element.nft b/tests/shell/features/catchall_element.nft
new file mode 100644
index 000000000000..1a02fd61486b
--- /dev/null
+++ b/tests/shell/features/catchall_element.nft
@@ -0,0 +1,8 @@
+# aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+# v5.13-rc1~94^2~10^2~2
+table t {
+	map m {
+		type inet_service : inet_service
+		elements = { * : 42 }
+	}
+}
diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0
index 83704d484b28..3e6fa78d7d4c 100755
--- a/tests/shell/testcases/maps/0011vmap_0
+++ b/tests/shell/testcases/maps/0011vmap_0
@@ -22,4 +22,12 @@ EXPECTED="table inet filter {
 }"
 
 $NFT -f - <<< "$EXPECTED"
-$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
+
+if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then
+	$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
+fi
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then
+	echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+	exit 77
+fi
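Review bot: the two added if blocks test complementary conditions on NFT_TEST_HAVE_catchall_element and can be one if/else, which keeps the "add element" command and the exit 77 path from drifting apart in later edits. The echo text should also use the same wording as the other partial-run messages in this series so that a log search finds all of them.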
diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0
index 70cea88de238..e01adb4c6ac9 100755
--- a/tests/shell/testcases/maps/0017_map_variable_0
+++ b/tests/shell/testcases/maps/0017_map_variable_0
@@ -2,9 +2,15 @@
 
 set -e
 
+if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then
+	CATCHALL="* : 3,"
+else
+	CATCHALL=","
+fi
+
 RULESET="define x = {
         1.1.1.1 : 2,
-        * : 3,
+        $CATCHALL
 }
 
 table ip x {
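Review bot: in the else branch, CATCHALL="," expands to a line holding only a comma directly after "1.1.1.1 : 2,", so the define ends up with two consecutive commas. An empty CATCHALL would give the same element list without relying on the parser accepting the extra comma; if the comma is deliberate, a comment should say what it exercises.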
@@ -19,3 +25,8 @@ table ip x {
 }"
 
 $NFT -f - <<< "$RULESET"
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+	echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+	exit 77
+fi
diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate
index 62fa73ad52f8..651c08a1eb10 100755
--- a/tests/shell/testcases/maps/map_catchall_double_deactivate
+++ b/tests/shell/testcases/maps/map_catchall_double_deactivate
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
 $NFT "add table ip test ;
      add map ip test testmap { type ipv4_addr : verdict; };
      add chain ip test testchain;
diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0
index faca56a18dc5..edd015d09b21 100755
--- a/tests/shell/testcases/sets/0063set_catchall_0
+++ b/tests/shell/testcases/sets/0063set_catchall_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
 set -e
 
 RULESET="table ip x {
diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0
index 436851604e34..fd289372df18 100755
--- a/tests/shell/testcases/sets/0064map_catchall_0
+++ b/tests/shell/testcases/sets/0064map_catchall_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
 set -e
 
 RULESET="table ip x {
-- 
2.41.0



* [PATCH nft 10/14] tests/shell: skip test cases involving osf match if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (8 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 09/14] tests/shell: skip catchall " Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 11/14] tests/shell: skip test cases if ct expectation and/or timeout " Thomas Haller
                   ` (3 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/osf.nft             |  7 +++++++
 tests/shell/testcases/maps/typeof_maps_0 | 19 +++++++++++++++----
 tests/shell/testcases/sets/typeof_sets_0 | 23 +++++++++++++++++------
 3 files changed, 39 insertions(+), 10 deletions(-)
 create mode 100644 tests/shell/features/osf.nft

diff --git a/tests/shell/features/osf.nft b/tests/shell/features/osf.nft
new file mode 100644
index 000000000000..dbb6b4c333e2
--- /dev/null
+++ b/tests/shell/features/osf.nft
@@ -0,0 +1,7 @@
+# b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
+# v4.19-rc1~140^2~135^2~15
+table t {
+	chain c {
+		osf name "Linux"
+	}
+}
diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0
index 5cf5dddeb1d6..263390d51a5d 100755
--- a/tests/shell/testcases/maps/typeof_maps_0
+++ b/tests/shell/testcases/maps/typeof_maps_0
@@ -4,11 +4,18 @@
 # without typeof, this is 'type string' and 'type integer',
 # but neither could be used because it lacks size information.
 
-EXPECTED="table inet t {
-	map m1 {
+OSFMAP=""
+OSFRULE=""
+if [ "$NFT_TEST_HAVE_osf" != n ] ; then
+	OSFMAP="map m1 {
 		typeof osf name : ct mark
 		elements = { "Linux" : 0x00000001 }
-	}
+	}"
+	OSFRULE="ct mark set osf name map @m1"
+fi
+
+EXPECTED="table inet t {
+	$OSFMAP
 
 	map m2 {
 		typeof vlan id : mark
@@ -33,7 +40,7 @@ EXPECTED="table inet t {
 	}
 
 	chain c {
-		ct mark set osf name map @m1
+		$OSFRULE
 		ether type vlan meta mark set vlan id map @m2
 		meta mark set ip saddr . ip daddr map @m3
 		iifname . ip protocol . th dport vmap @m4
@@ -45,3 +52,7 @@ EXPECTED="table inet t {
 set -e
 $NFT -f - <<< $EXPECTED
 
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+	exit 77
+fi
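Review bot: the skip text added here ("Partial test due to NFT_TEST_HAVE_osf=n. Skip") differs from the wording the earlier patches of this series use for the same situation ("Ran partial tests due to ... (skipped)"). One fixed phrasing would let a single log search find every test that ran only in part.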
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
index 9f777a8c90bc..6ed0c354bc25 100755
--- a/tests/shell/testcases/sets/typeof_sets_0
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -4,11 +4,20 @@
 # s1 and s2 are identical, they just use different
 # ways for declaration.
 
-EXPECTED="table inet t {
-	set s1 {
+OSFSET=""
+OSFCHAIN=""
+if [ "$NFT_TEST_HAVE_osf" != n ] ; then
+	OSFSET="set s1 {
 		typeof osf name
 		elements = { \"Linux\" }
-	}
+	}"
+	OSFCHAIN="chain c1 {
+		osf name @s1 accept
+	}"
+fi
+
+EXPECTED="table inet t {
+	$OSFSET
 
 	set s2 {
 		typeof vlan id
@@ -60,9 +69,7 @@ EXPECTED="table inet t {
 		elements = { 3567 . 1.2.3.4 }
 	}
 
-	chain c1 {
-		osf name @s1 accept
-	}
+	$OSFCHAIN
 
 	chain c2 {
 		ether type vlan vlan id @s2 accept
@@ -104,3 +111,7 @@ EXPECTED="table inet t {
 set -e
 $NFT -f - <<< $EXPECTED
 
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+	exit 77
+fi
-- 
2.41.0



* [PATCH nft 11/14] tests/shell: skip test cases if ct expectation and/or timeout lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (9 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 10/14] tests/shell: skip test cases involving osf match " Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 12/14] tests/shell: skip reset tests if kernel " Thomas Haller
                   ` (2 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/ctexpect.nft             | 10 ++++
 tests/shell/features/cttimeout.nft            |  8 +++
 tests/shell/testcases/listing/0013objects_0   | 50 +++++--------------
 .../testcases/listing/dumps/0013objects_0.nft |  2 -
 .../testcases/nft-f/0017ct_timeout_obj_0      |  2 +
 5 files changed, 33 insertions(+), 39 deletions(-)
 create mode 100644 tests/shell/features/ctexpect.nft
 create mode 100644 tests/shell/features/cttimeout.nft

diff --git a/tests/shell/features/ctexpect.nft b/tests/shell/features/ctexpect.nft
new file mode 100644
index 000000000000..02c3dfd74bd4
--- /dev/null
+++ b/tests/shell/features/ctexpect.nft
@@ -0,0 +1,10 @@
+# 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+# v5.3-rc1~140^2~153^2~19
+table t {
+	ct expectation ctexpect {
+		protocol tcp
+		dport 5432
+		timeout 1h
+		size 12;
+	}
+}
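Review bot: "size 12;" is the only statement in this ct expectation block that ends in a semicolon. Drop it for consistency with the other statements in the block and with the ctexpect definition removed from listing/0013objects_0 in this same patch.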
diff --git a/tests/shell/features/cttimeout.nft b/tests/shell/features/cttimeout.nft
new file mode 100644
index 000000000000..4be58cd3c26b
--- /dev/null
+++ b/tests/shell/features/cttimeout.nft
@@ -0,0 +1,8 @@
+# 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+# v4.19-rc1~140^2~64^2~3
+table t {
+	ct timeout cttime {
+		protocol tcp;
+		policy = {established: 120 }
+	}
+}
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
index c81b94e20f65..c78ada947a94 100755
--- a/tests/shell/testcases/listing/0013objects_0
+++ b/tests/shell/testcases/listing/0013objects_0
@@ -1,47 +1,23 @@
 #!/bin/bash
 
-# list table with all objects and chains
-
-EXPECTED="table ip test {
-	quota https-quota {
-		25 mbytes
-	}
-
-	ct helper cthelp {
-		type \"sip\" protocol tcp
-		l3proto ip
-	}
-
-	ct timeout cttime {
-		protocol udp
-		l3proto ip
-		policy = { unreplied : 15s, replied : 12s }
-	}
-
-	ct expectation ctexpect {
-		protocol tcp
-		dport 5432
-		timeout 1h
-		size 12
-		l3proto ip
-	}
-
-	chain input {
-	}
-}"
-
 set -e
 
 $NFT add table test
 $NFT add chain test input
 $NFT add quota test https-quota 25 mbytes
 $NFT add ct helper test cthelp { type \"sip\" protocol tcp \; }
-$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; }
-$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; }
-$NFT add table test-ip
+if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then
+	$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; }
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then
+	$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; }
+fi
 
-GET="$($NFT list table test)"
-if [ "$EXPECTED" != "$GET" ] ; then
-	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
-	exit 1
+if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then
+	echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)"
+	exit 77
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then
+	echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)"
+	exit 77
 fi
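Review bot: besides gating the ct timeout and ct expectation objects, this hunk removes the inline EXPECTED text, the "$NFT list table test" comparison and the "add table test-ip" command, none of which the commit message mentions. After the change the script itself asserts nothing about the listing, so the check rests entirely on dumps/0013objects_0.nft; please say so in the commit message. With both features missing, only the cttimeout message is printed before exit 77, so a single combined skip message would be more accurate.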
diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft
index 1ea610f8b8d8..427db268163a 100644
--- a/tests/shell/testcases/listing/dumps/0013objects_0.nft
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft
@@ -25,5 +25,3 @@ table ip test {
 	chain input {
 	}
 }
-table ip test-ip {
-}
diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
index 4f407793b23b..cfb789501bea 100755
--- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
+++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout)
+
 EXPECTED='table ip filter {
 	ct timeout cttime{
 		protocol tcp
-- 
2.41.0



* [PATCH nft 12/14] tests/shell: skip reset tests if kernel lacks support
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (10 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 11/14] tests/shell: skip test cases if ct expectation and/or timeout " Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 13/14] tests/shell: implement NFT_TEST_HAVE_json feature detection as script Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 14/14] tests/shell: check diff in "maps/typeof_maps_0" and "sets/typeof_sets_0" test Thomas Haller
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Florian Westphal, Thomas Haller

From: Florian Westphal <fw@strlen.de>

reset is implemented via flush + extra attribute, so older kernels
perform a flush.  This means .nft doesn't work, we need to check
if the individual set contents/sets are still in place post-reset.

Make this generic and permit use of feat.sh in addition to the simpler
foo.nft feature files.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/reset_rule.sh            |  8 ++++++
 tests/shell/features/reset_set.sh             | 10 ++++++++
 tests/shell/run-tests.sh                      | 25 ++++++++++++++++---
 .../testcases/rule_management/0011reset_0     |  2 ++
 tests/shell/testcases/sets/reset_command_0    |  2 ++
 5 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100755 tests/shell/features/reset_rule.sh
 create mode 100755 tests/shell/features/reset_set.sh

diff --git a/tests/shell/features/reset_rule.sh b/tests/shell/features/reset_rule.sh
new file mode 100755
index 000000000000..567ee2f1a4bd
--- /dev/null
+++ b/tests/shell/features/reset_rule.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# 8daa8fde3fc3 ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET")
+# v6.2-rc1~99^2~210^2~2
+
+unshare -n bash -c "$NFT \"add table t; add chain t c ; add rule t c counter packets 1 bytes 42\"; \
+$NFT reset rules chain t c ; \
+$NFT reset rules chain t c |grep counter\ packets\ 0\ bytes\ 0"
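Review bot: the commands inside "bash -c" are joined with ";" and run without -e, so the probe result is only the exit status of the final grep. Using "bash -e -c", as netdev_chain_autoremove does in patch 07, would make a failing setup step (add table, add rule, first reset) fail the probe directly rather than by way of grep not matching. The same applies to reset_set.sh.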
diff --git a/tests/shell/features/reset_set.sh b/tests/shell/features/reset_set.sh
new file mode 100755
index 000000000000..3d034175d82a
--- /dev/null
+++ b/tests/shell/features/reset_set.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
+# v6.5-rc1~163^2~9^2~1
+
+unshare -n bash -c "$NFT add table t; \
+ $NFT add set t s { type ipv4_addr\; counter\; elements = { 127.0.0.1 counter packets 1 bytes 2 } } ; \
+ $NFT reset set t s ; \
+ $NFT reset set t s | grep counter\ packets\ 0\ bytes\ 0
+"
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index d11b4a63b6d1..9c7e280e31c7 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -224,13 +224,13 @@ export NFT_TEST_BASEDIR
 _HAVE_OPTS=( json )
 _HAVE_OPTS_NFT=()
 shopt -s nullglob
-F=( "$NFT_TEST_BASEDIR/features/"*.nft )
+F=( "$NFT_TEST_BASEDIR/features/"*.nft "$NFT_TEST_BASEDIR/features/"*.sh )
 shopt -u nullglob
 for file in "${F[@]}"; do
 	feat="${file##*/}"
-	feat="${feat%.nft}"
+	feat="${feat%.*}"
 	re="^[a-z_0-9]+$"
-	if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" ; then
+	if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" "${_HAVE_OPTS_NFT[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then
 		_HAVE_OPTS_NFT+=( "$feat" )
 	else
 		msg_warn "Ignore feature file \"$file\""
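Review bot: the single "Ignore feature file" warning now covers three different causes: a name that does not match the regex, a name already taken by another file (foo.nft and foo.sh both present), and a .sh file without the executable bit. Naming the cause in the message would make a forgotten chmod +x on a new probe script easy to spot. It would also help to document that when both foo.nft and foo.sh exist, the .nft file is the one kept.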
@@ -494,11 +494,28 @@ else
 fi
 export NFT_TEST_HAVE_json
 
+feature_probe()
+{
+	local with_path="$NFT_TEST_BASEDIR/features/$1"
+
+	if [ -r "$with_path.nft" ] ; then
+		$NFT_TEST_UNSHARE_CMD "$NFT_REAL" --check -f "$with_path.nft" &>/dev/null
+		return $?
+	fi
+
+	if [ -x "$with_path.sh" ] ; then
+		NFT="$NFT_REAL" $NFT_TEST_UNSHARE_CMD "$with_path.sh" &>/dev/null
+		return $?
+	fi
+
+	return 1
+}
+
 for feat in "${_HAVE_OPTS_NFT[@]}" ; do
 	var="NFT_TEST_HAVE_$feat"
 	if [ -z "${!var+x}" ] ; then
 		val='y'
-		$NFT_TEST_UNSHARE_CMD "$NFT_REAL" --check -f "$NFT_TEST_BASEDIR/features/$feat.nft" &>/dev/null || val='n'
+		feature_probe "$feat" || val='n'
 	else
 		val="$(bool_n "${!var}")"
 	fi
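Review bot: feature_probe returns non-zero for three different situations: the feature is missing, the probe itself could not run (unshare refused, a helper used by the script not installed), and neither a .nft nor a .sh file is found. All three end as val='n' with output sent to /dev/null, so tests are skipped without any trace of why and coverage can drop unnoticed. Consider keeping the probe output in the test log or showing it in a verbose mode, and treating the final "return 1" as an error, since the loop only passes names that were discovered from existing files.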
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0
index 8d2307964c37..33eadd9eb562 100755
--- a/tests/shell/testcases/rule_management/0011reset_0
+++ b/tests/shell/testcases/rule_management/0011reset_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule)
+
 set -e
 
 echo "loading ruleset"
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
index ad2e16a7d274..5e769fe66d68 100755
--- a/tests/shell/testcases/sets/reset_command_0
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set)
+
 set -e
 
 trap '[[ $? -eq 0 ]] || echo FAIL' EXIT
-- 
2.41.0



* [PATCH nft 13/14] tests/shell: implement NFT_TEST_HAVE_json feature detection as script
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (11 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 12/14] tests/shell: skip reset tests if kernel " Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  2023-09-18 10:28 ` [PATCH nft 14/14] tests/shell: check diff in "maps/typeof_maps_0" and "sets/typeof_sets_0" test Thomas Haller
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Thomas Haller

No more need to special case the "run a script" approach for detecting
the json feature. Use the new mechanism instead.

Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/json.sh |  6 ++++++
 tests/shell/run-tests.sh     | 18 ++++--------------
 2 files changed, 10 insertions(+), 14 deletions(-)
 create mode 100755 tests/shell/features/json.sh

diff --git a/tests/shell/features/json.sh b/tests/shell/features/json.sh
new file mode 100755
index 000000000000..d81157020f51
--- /dev/null
+++ b/tests/shell/features/json.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Detect JSON support. Note that $NFT may not be the binary from our build
+# tree, hence we detect it by running the binary (instead of asking the build
+# configuration).
+$NFT -j list ruleset
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 9c7e280e31c7..528646f57eca 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -221,8 +221,7 @@ NFT_TEST_BASEDIR="$(dirname "$0")"
 # Export the base directory. It may be used by tests.
 export NFT_TEST_BASEDIR
 
-_HAVE_OPTS=( json )
-_HAVE_OPTS_NFT=()
+_HAVE_OPTS=()
 shopt -s nullglob
 F=( "$NFT_TEST_BASEDIR/features/"*.nft "$NFT_TEST_BASEDIR/features/"*.sh )
 shopt -u nullglob
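Review bot: with "json" no longer pre-seeded in _HAVE_OPTS, NFT_TEST_HAVE_json is handled only if features/json.sh is found by the glob and passes the "-x" check in the loop that follows. If that file loses its executable bit it is dropped with a warning and nothing in the visible code sets the variable, whereas the block removed further down always exported y or n. Since tests in this series compare against "n" only, an unset value reads as supported; a hard failure when an expected feature file is unusable would be safer than a warning.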
@@ -230,13 +229,12 @@ for file in "${F[@]}"; do
 	feat="${file##*/}"
 	feat="${feat%.*}"
 	re="^[a-z_0-9]+$"
-	if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" "${_HAVE_OPTS_NFT[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then
-		_HAVE_OPTS_NFT+=( "$feat" )
+	if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then
+		_HAVE_OPTS+=( "$feat" )
 	else
 		msg_warn "Ignore feature file \"$file\""
 	fi
 done
-_HAVE_OPTS+=( "${_HAVE_OPTS_NFT[@]}" )
 _HAVE_OPTS=( $(printf '%s\n' "${_HAVE_OPTS[@]}" | LANG=C sort) )
 
 for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do
@@ -486,14 +484,6 @@ fi
 
 NFT_REAL="${NFT_REAL-$NFT}"
 
-if [ -z "${NFT_TEST_HAVE_json+x}" ] ; then
-	NFT_TEST_HAVE_json=y
-	$NFT_TEST_UNSHARE_CMD "$NFT_REAL" -j list ruleset &>/dev/null || NFT_TEST_HAVE_json=n
-else
-	NFT_TEST_HAVE_json="$(bool_n "$NFT_TEST_HAVE_json")"
-fi
-export NFT_TEST_HAVE_json
-
 feature_probe()
 {
 	local with_path="$NFT_TEST_BASEDIR/features/$1"
@@ -511,7 +501,7 @@ feature_probe()
 	return 1
 }
 
-for feat in "${_HAVE_OPTS_NFT[@]}" ; do
+for feat in "${_HAVE_OPTS[@]}" ; do
 	var="NFT_TEST_HAVE_$feat"
 	if [ -z "${!var+x}" ] ; then
 		val='y'
-- 
2.41.0



* [PATCH nft 14/14] tests/shell: check diff in "maps/typeof_maps_0" and "sets/typeof_sets_0" test
  2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
                   ` (12 preceding siblings ...)
  2023-09-18 10:28 ` [PATCH nft 13/14] tests/shell: implement NFT_TEST_HAVE_json feature detection as script Thomas Haller
@ 2023-09-18 10:28 ` Thomas Haller
  13 siblings, 0 replies; 15+ messages in thread
From: Thomas Haller @ 2023-09-18 10:28 UTC (permalink / raw)
  To: NetFilter; +Cc: Thomas Haller

These tests run different variants based on NFT_TEST_HAVE_osf support.
Consequently, we cannot check the pre-generated diff.

Instead, construct what we expect dynamically in the script, and compare
the ruleset against that.

Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/testcases/maps/typeof_maps_0 |  75 ++++++++++---
 tests/shell/testcases/sets/typeof_sets_0 | 133 ++++++++++++++++++++---
 2 files changed, 177 insertions(+), 31 deletions(-)

diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0
index 263390d51a5d..98517fd52506 100755
--- a/tests/shell/testcases/maps/typeof_maps_0
+++ b/tests/shell/testcases/maps/typeof_maps_0
@@ -4,18 +4,24 @@
 # without typeof, this is 'type string' and 'type integer',
 # but neither could be used because it lacks size information.
 
-OSFMAP=""
-OSFRULE=""
-if [ "$NFT_TEST_HAVE_osf" != n ] ; then
-	OSFMAP="map m1 {
-		typeof osf name : ct mark
-		elements = { "Linux" : 0x00000001 }
-	}"
-	OSFRULE="ct mark set osf name map @m1"
+set -e
+
+die() {
+	printf '%s\n' "$*"
+	exit 1
+}
+
+INPUT_OSF_CT="
+		ct mark set osf name map @m1"
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	INPUT_OSF_CT=
 fi
 
-EXPECTED="table inet t {
-	$OSFMAP
+INPUT="table inet t {
+	map m1 {
+		typeof osf name : ct mark
+		elements = { Linux : 0x00000001 }
+	}
 
 	map m2 {
 		typeof vlan id : mark
@@ -39,8 +45,7 @@ EXPECTED="table inet t {
 		elements = { 23 . eth0 : accept }
 	}
 
-	chain c {
-		$OSFRULE
+	chain c {$INPUT_OSF_CT
 		ether type vlan meta mark set vlan id map @m2
 		meta mark set ip saddr . ip daddr map @m3
 		iifname . ip protocol . th dport vmap @m4
@@ -49,10 +54,48 @@ EXPECTED="table inet t {
 	}
 }"
 
-set -e
-$NFT -f - <<< $EXPECTED
+EXPECTED="table inet t {
+	map m1 {
+		typeof osf name : ct mark
+		elements = { \"Linux\" : 0x00000001 }
+	}
+
+	map m2 {
+		typeof vlan id : meta mark
+		elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+	}
+
+	map m3 {
+		typeof ip saddr . ip daddr : meta mark
+		elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+			     2.3.4.5 . 6.7.8.9 : 0x00000002 }
+	}
+
+	map m4 {
+		typeof iifname . ip protocol . th dport : verdict
+		elements = { \"eth0\" . tcp . 22 : accept }
+	}
+
+	map m5 {
+		typeof ipsec in reqid . iifname : verdict
+		elements = { 23 . \"eth0\" : accept }
+	}
+
+	chain c {$INPUT_OSF_CT
+		meta mark set vlan id map @m2
+		meta mark set ip saddr . ip daddr map @m3
+		iifname . ip protocol . th dport vmap @m4
+		iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+		ipsec in reqid . iifname vmap @m5
+	}
+}"
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
 
 if [ "$NFT_TEST_HAVE_osf" = n ] ; then
-	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
-	exit 77
+    echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+    exit 77
 fi
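Review bot: the last lines of this hunk only re-indent the skip block from a tab to four spaces, and a second blank line is added before it. Drop both so the block keeps the tab indentation it had and the hunk shows only the functional change.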
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
index 6ed0c354bc25..c1c0f51f399c 100755
--- a/tests/shell/testcases/sets/typeof_sets_0
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -4,21 +4,35 @@
 # s1 and s2 are identical, they just use different
 # ways for declaration.
 
-OSFSET=""
-OSFCHAIN=""
-if [ "$NFT_TEST_HAVE_osf" != n ] ; then
-	OSFSET="set s1 {
+set -e
+
+die() {
+	printf '%s\n' "$*"
+	exit 1
+}
+
+INPUT_OSF_SET="
+	set s1 {
 		typeof osf name
 		elements = { \"Linux\" }
-	}"
-	OSFCHAIN="chain c1 {
+	}
+"
+INPUT_OSF_CHAIN="
+	chain c1 {
 		osf name @s1 accept
-	}"
-fi
+	}
+"
 
-EXPECTED="table inet t {
-	$OSFSET
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	if [ "$((RANDOM % 2))" -eq 1 ] ; then
+		# Regardless of $NFT_TEST_HAVE_osf, we can define the set.
+		# Randomly do so.
+		INPUT_OSF_SET=
+	fi
+	INPUT_OSF_CHAIN=
+fi
 
+INPUT="table inet t {$INPUT_OSF_SET
 	set s2 {
 		typeof vlan id
 		elements = { 2, 3, 103 }
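Review bot: choosing with "$((RANDOM % 2))" whether set s1 is defined makes the test non-deterministic when NFT_TEST_HAVE_osf=n, so a failure in one variant may not reproduce on the next run, and nothing records which variant was taken. Run both variants in sequence, or at least echo the choice. The comment also reads as the opposite of the branch it sits in: it says the set can be defined, while the body clears INPUT_OSF_SET.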
@@ -68,9 +82,7 @@ EXPECTED="table inet t {
 		typeof vlan id . ip saddr
 		elements = { 3567 . 1.2.3.4 }
 	}
-
-	$OSFCHAIN
-
+$INPUT_OSF_CHAIN
 	chain c2 {
 		ether type vlan vlan id @s2 accept
 	}
@@ -108,8 +120,99 @@ EXPECTED="table inet t {
 	}
 }"
 
-set -e
-$NFT -f - <<< $EXPECTED
+EXPECTED="table inet t {$INPUT_OSF_SET
+	set s2 {
+		typeof vlan id
+		elements = { 2, 3, 103 }
+	}
+
+	set s3 {
+		typeof meta ibrpvid
+		elements = { 2, 3, 103 }
+	}
+
+	set s4 {
+		typeof frag frag-off
+		elements = { 1, 1024 }
+	}
+
+	set s5 {
+		typeof ip option ra value
+		elements = { 1, 1024 }
+	}
+
+	set s6 {
+		typeof tcp option maxseg size
+		elements = { 1, 1024 }
+	}
+
+	set s7 {
+		typeof sctp chunk init num-inbound-streams
+		elements = { 1, 4 }
+	}
+
+	set s8 {
+		typeof ip version
+		elements = { 4, 6 }
+	}
+
+	set s9 {
+		typeof ip hdrlength
+		elements = { 0, 1, 2, 3, 4,
+			     15 }
+	}
+
+	set s10 {
+		typeof iifname . ip saddr . ipsec in reqid
+		elements = { \"eth0\" . 10.1.1.2 . 42 }
+	}
+
+	set s11 {
+		typeof vlan id . ip saddr
+		elements = { 3567 . 1.2.3.4 }
+	}
+$INPUT_OSF_CHAIN
+	chain c2 {
+		vlan id @s2 accept
+	}
+
+	chain c4 {
+		frag frag-off @s4 accept
+	}
+
+	chain c5 {
+		ip option ra value @s5 accept
+	}
+
+	chain c6 {
+		tcp option maxseg size @s6 accept
+	}
+
+	chain c7 {
+		sctp chunk init num-inbound-streams @s7 accept
+	}
+
+	chain c8 {
+		ip version @s8 accept
+	}
+
+	chain c9 {
+		ip hdrlength @s9 accept
+	}
+
+	chain c10 {
+		iifname . ip saddr . ipsec in reqid @s10 accept
+	}
+
+	chain c11 {
+		vlan id . ip saddr @s11 accept
+	}
+}"
+
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
 
 if [ "$NFT_TEST_HAVE_osf" = n ] ; then
 	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
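
Review bot: EXPECTED repeats the whole table from INPUT by hand, and in the visible lines the only difference is chain c2 (`ether type vlan vlan id @s2 accept` in INPUT, `vlan id @s2 accept` in EXPECTED). Nothing documents that this difference is intentional, so the two copies can drift silently; a short comment above EXPECTED stating what differs from INPUT and why would help. Separately, the exit status of `$NFT list ruleset` inside `<(...)` is not checked, so a failing list is reported as "diff failed between ruleset and expected data"; capturing the listing into a variable first and checking it would give an accurate error.
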
-- 
2.41.0



end of thread, other threads:[~2023-09-18 10:34 UTC | newest]

Thread overview: 15+ messages
2023-09-18 10:28 [PATCH nft 00/14] tests/shell: fix tests to skip on lacking feature support Thomas Haller
2023-09-18 10:28 ` [PATCH nft 01/14] tests/shell: add and use chain binding feature probe Thomas Haller
2023-09-18 10:28 ` [PATCH nft 02/14] tests/shell: skip netdev_chain_0 if kernel requires netdev device Thomas Haller
2023-09-18 10:28 ` [PATCH nft 03/14] tests/shell: skip map query if kernel lacks support Thomas Haller
2023-09-18 10:28 ` [PATCH nft 04/14] tests/shell: skip inner matching tests if unsupported Thomas Haller
2023-09-18 10:28 ` [PATCH nft 05/14] tests/shell: skip bitshift tests if kernel lacks support Thomas Haller
2023-09-18 10:28 ` [PATCH nft 06/14] tests/shell: skip some tests if kernel lacks netdev egress support Thomas Haller
2023-09-18 10:28 ` [PATCH nft 07/14] tests/shell: skip inet ingress tests if kernel lacks support Thomas Haller
2023-09-18 10:28 ` [PATCH nft 08/14] tests/shell: skip destroy " Thomas Haller
2023-09-18 10:28 ` [PATCH nft 09/14] tests/shell: skip catchall " Thomas Haller
2023-09-18 10:28 ` [PATCH nft 10/14] tests/shell: skip test cases involving osf match " Thomas Haller
2023-09-18 10:28 ` [PATCH nft 11/14] tests/shell: skip test cases if ct expectation and/or timeout " Thomas Haller
2023-09-18 10:28 ` [PATCH nft 12/14] tests/shell: skip reset tests if kernel " Thomas Haller
2023-09-18 10:28 ` [PATCH nft 13/14] tests/shell: implement NFT_TEST_HAVE_json feature detection as script Thomas Haller
2023-09-18 10:28 ` [PATCH nft 14/14] tests/shell: check diff in "maps/typeof_maps_0" and "sets/typeof_sets_0" test Thomas Haller
