[PATCH nft 03/14] tests/shell: skip map query if kernel lacks support

[Thomas Haller <thaller@redhat.com>]

From: Florian Westphal <fw@strlen.de>

On recent kernels one can perform a lookup in a map without a destination
register (i.e., treat the map like a set -- pure existence check).

Add a feature probe and work around the missing feature in
typeof_maps_add_delete: do the test with a simplified ruleset,

Indicate skipped even though a reduced test was run (earlier errors
cause a failure) to not trigger dump validation error.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 tests/shell/features/map_lookup.nft           | 11 ++++++
 .../testcases/maps/typeof_maps_add_delete     | 35 ++++++++++++++-----
 2 files changed, 38 insertions(+), 8 deletions(-)
 create mode 100644 tests/shell/features/map_lookup.nft

diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 000000000000..06c4c9d9c82d
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+        map m {
+                typeof ip daddr : meta mark
+        }
+
+        chain c {
+                ip saddr @m
+        }
+}
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index 341de538e90e..5e2f8ecc473f 100755
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -1,6 +1,15 @@
 #!/bin/bash
 
-EXPECTED='table ip dynset {
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	CONDMATCH=""
+	NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
 	map dynmark {
 		typeof ip daddr : meta mark
 		counter
@@ -9,20 +18,20 @@ EXPECTED='table ip dynset {
 	}
 
 	chain test_ping {
-		ip saddr @dynmark counter comment "should not increment"
-		ip saddr != @dynmark add @dynmark { ip saddr : 0x1 } counter
-		ip saddr @dynmark counter comment "should increment"
-		ip saddr @dynmark delete @dynmark { ip saddr : 0x1 }
-		ip saddr @dynmark counter comment "delete should be instant but might fail under memory pressure"
+		$CONDMATCH counter comment \"should not increment\"
+		$NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+		$CONDMATCH counter comment \"should increment\"
+		$CONDMATCH delete @dynmark { ip saddr : 0x1 }
+		$CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
 	}
 
 	chain input {
 		type filter hook input priority 0; policy accept;
 
-		add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment "also check timeout-gc"
+		add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
 		meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
 	}
-}'
+}"
 
 set -e
 $NFT -f - <<< $EXPECTED
@@ -31,5 +40,15 @@ $NFT list ruleset
 ip link set lo up
 ping -c 1 127.0.0.42
 
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
 # wait so that 10.2.3.4 times out.
 sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+	exit 77
+fi
-- 
2.41.0